diff --git a/bin/build-release.sh b/bin/build-release.sh
index 3e77c8841f429c8a8200cfbc91fbd3fcee5a174b..edcd7910e74b4f0e35b1277514703b80e72729e5 100755
--- a/bin/build-release.sh
+++ b/bin/build-release.sh
@@ -15,8 +15,6 @@ fi
cd /tmp
-REPOPATH="http://simplesamlphp.googlecode.com/svn/tags/$TAG/"
-
if [ -a "$TAG" ]; then
echo "$0: Destination already exists: $TAG" >&2
exit 1
@@ -24,7 +22,21 @@ fi
umask 0022
+REPOPATH="http://simplesamlphp.googlecode.com/svn/tags/$TAG/"
+
svn export "$REPOPATH"
+
+# Use composer only on newer versions that have a composer.json
+if [ -f "$TAG/composer.json" ]; then
+ if [ ! -x composer.phar ]; then
+ echo "$0: Composerfile detected, but Composer not installed?" >&2
+ exit 1
+ fi
+
+ # Install dependencies (without vcs history or dev tools)
+ php composer.phar install --no-dev --prefer-dist -o -d "$TAG"
+fi
+
mkdir -p "$TAG/config" "$TAG/metadata"
cp -rv "$TAG/config-templates/"* "$TAG/config/"
cp -rv "$TAG/metadata-templates/"* "$TAG/metadata/"
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000000000000000000000000000000000000..0d635c87278d880c768f09009ef7058d7cd95975
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,50 @@
+{
+ "name": "simplesamlphp/simplesamlphp",
+ "description": "A PHP implementation of SAML 2.0 service provider and identity provider functionality. And is also compatible with Shibboleth 1.3 and 2.0.",
+ "type": "project",
+ "keywords": [ "saml2", "shibboleth","aselect","openid","oauth","ws-federation","sp","idp" ],
+ "homepage": "http://simplesamlphp.org",
+ "license": "LGPL-2.1",
+ "authors": [
+ {
+ "name": "Andreas Ă…kre Solberg",
+ "email": "andreas.solberg@uninett.no"
+ },
+ {
+ "name": "Olav Morken",
+ "email": "olav.morken@uninett.no"
+ }
+ ],
+ "autoload": {
+ "psr-0": {
+ "SimpleSAML_": "lib/"
+ },
+ "files": ["lib/_autoload_modules.php"]
+ },
+ "require": {
+ "php": ">=5.3.0",
+ "simplesamlphp/saml2": "0.2.0",
+ "openid/php-openid": "dev-master#ee669c6a9d4d95b58ecd9b6945627276807694fb as 2.2.2"
+ },
+ "support": {
+ "issues": "https://code.google.com/p/simplesamlphp/issues/list",
+ "source": "https://code.google.com/p/simplesamlphp"
+ },
+ "repositories": [
+ {
+ "type": "package",
+ "package": {
+ "name": "robrichards/xmlseclibs",
+ "version": "1.3.1",
+ "source": {
+ "type": "svn",
+ "url": "http://xmlseclibs.googlecode.com/svn",
+ "reference": "trunk@50"
+ },
+ "autoload": {
+ "files": ["xmlseclibs.php"]
+ }
+ }
+ }
+ ]
+}
diff --git a/composer.lock b/composer.lock
new file mode 100644
index 0000000000000000000000000000000000000000..92847032ea2faa21169c637bf7aa188ba5b260e7
--- /dev/null
+++ b/composer.lock
@@ -0,0 +1,225 @@
+{
+ "_readme": [
+ "This file locks the dependencies of your project to a known state",
+ "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file"
+ ],
+ "hash": "608aa8b969b50e691e090388b39a33be",
+ "packages": [
+ {
+ "name": "openid/php-openid",
+ "version": "dev-master",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/openid/php-openid.git",
+ "reference": "ee669c6a9d4d95b58ecd9b6945627276807694fb"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/openid/php-openid/zipball/ee669c6a9d4d95b58ecd9b6945627276807694fb",
+ "reference": "ee669c6a9d4d95b58ecd9b6945627276807694fb",
+ "shasum": ""
+ },
+ "require": {
+ "ext-curl": "*",
+ "ext-dom": "*",
+ "ext-gmp": "*",
+ "php": ">=4.3"
+ },
+ "type": "library",
+ "autoload": {
+ "classmap": [
+ "Auth"
+ ]
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "include-path": [
+ "."
+ ],
+ "license": [
+ "Apache-2.0"
+ ],
+ "authors": [
+ {
+ "name": "JanRain Inc.",
+ "homepage": "http://www.openidenabled.com"
+ }
+ ],
+ "description": "OpenID library for PHP5",
+ "homepage": "http://github.com/openid/php-openid",
+ "keywords": [
+ "Authentication",
+ "OpenId",
+ "auth",
+ "yadis"
+ ],
+ "time": "2013-10-03 21:21:20"
+ },
+ {
+ "name": "pimple/pimple",
+ "version": "v1.0.2",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/fabpot/Pimple.git",
+ "reference": "ae11e57e8c2bb414b2ff93396dbbfc0eb92feb94"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/fabpot/Pimple/zipball/ae11e57e8c2bb414b2ff93396dbbfc0eb92feb94",
+ "reference": "ae11e57e8c2bb414b2ff93396dbbfc0eb92feb94",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.3.0"
+ },
+ "type": "library",
+ "extra": {
+ "branch-alias": {
+ "dev-master": "1.0.x-dev"
+ }
+ },
+ "autoload": {
+ "psr-0": {
+ "Pimple": "lib/"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "Fabien Potencier",
+ "email": "fabien@symfony.com"
+ }
+ ],
+ "description": "Pimple is a simple Dependency Injection Container for PHP 5.3",
+ "homepage": "http://pimple.sensiolabs.org",
+ "keywords": [
+ "container",
+ "dependency injection"
+ ],
+ "time": "2013-03-08 08:21:40"
+ },
+ {
+ "name": "psr/log",
+ "version": "1.0.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/php-fig/log.git",
+ "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/php-fig/log/zipball/fe0936ee26643249e916849d48e3a51d5f5e278b",
+ "reference": "fe0936ee26643249e916849d48e3a51d5f5e278b",
+ "shasum": ""
+ },
+ "type": "library",
+ "autoload": {
+ "psr-0": {
+ "Psr\\Log\\": ""
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "MIT"
+ ],
+ "authors": [
+ {
+ "name": "PHP-FIG",
+ "homepage": "http://www.php-fig.org/"
+ }
+ ],
+ "description": "Common interface for logging libraries",
+ "keywords": [
+ "log",
+ "psr",
+ "psr-3"
+ ],
+ "time": "2012-12-21 11:40:51"
+ },
+ {
+ "name": "robrichards/xmlseclibs",
+ "version": "1.3.1",
+ "source": {
+ "type": "svn",
+ "url": "http://xmlseclibs.googlecode.com/svn",
+ "reference": "trunk@50"
+ },
+ "type": "library",
+ "autoload": {
+ "files": [
+ "xmlseclibs.php"
+ ]
+ }
+ },
+ {
+ "name": "simplesamlphp/saml2",
+ "version": "v0.2.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/simplesamlphp/saml2.git",
+ "reference": "d4b833edc6fcbd6948e79eacdfee1b6c257691b7"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/simplesamlphp/saml2/zipball/d4b833edc6fcbd6948e79eacdfee1b6c257691b7",
+ "reference": "d4b833edc6fcbd6948e79eacdfee1b6c257691b7",
+ "shasum": ""
+ },
+ "require": {
+ "ext-dom": "*",
+ "ext-openssl": "*",
+ "php": ">=5.3.3",
+ "psr/log": "1.0.0",
+ "robrichards/xmlseclibs": "1.3.*"
+ },
+ "require-dev": {
+ "phpmd/phpmd": "~1.5",
+ "phpunit/phpunit": "~3.7",
+ "sebastian/phpcpd": "~1.4",
+ "sensiolabs/security-checker": "~1.1",
+ "squizlabs/php_codesniffer": "~1.4"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-0": {
+ "SAML2_": "src/"
+ }
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "LGPL-2.1"
+ ],
+ "authors": [
+ {
+ "name": "Andreas Ă…kre Solberg",
+ "email": "andreas.solberg@uninett.no"
+ }
+ ],
+ "description": "SAML2 PHP library from SimpleSAMLphp",
+ "time": "2013-11-12 15:07:13"
+ }
+ ],
+ "packages-dev": [
+
+ ],
+ "aliases": [
+ {
+ "alias": "2.2.2",
+ "alias_normalized": "2.2.2.0",
+ "version": "9999999-dev",
+ "package": "openid/php-openid"
+ }
+ ],
+ "minimum-stability": "stable",
+ "stability-flags": {
+ "openid/php-openid": 20
+ },
+ "platform": {
+ "php": ">=5.3.0"
+ },
+ "platform-dev": [
+
+ ]
+}
diff --git a/docs/simplesamlphp-subversion.txt b/docs/simplesamlphp-subversion.txt
index 395e814da1ede9c57195ae5272d2cb10dca9cf30..840677df7bbae8b99a6d76ed1358bfe19d8ec77a 100644
--- a/docs/simplesamlphp-subversion.txt
+++ b/docs/simplesamlphp-subversion.txt
@@ -20,6 +20,10 @@ Initialize configuration and metadata:
cp -r config-templates/* config/
cp -r metadata-templates/* metadata/
+Install the external dependencies with Composer (http://getcomposer.org/):
+
+ php composer.phar install
+
Upgrading
---------
@@ -29,3 +33,6 @@ Go to the root directory of your simpleSAMLphp installation:
Ask subversion to update to the latest version:
svn update
+
+Install the external dependencies with Composer (http://getcomposer.org/):
+ php composer.phar install
diff --git a/lib/Auth/OpenID.php b/lib/Auth/OpenID.php
deleted file mode 100644
index c9d9779624dd13096f4ccc2dfc13c7aae623383b..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID.php
+++ /dev/null
@@ -1,563 +0,0 @@
-<?php
-
-/**
- * This is the PHP OpenID library by JanRain, Inc.
- *
- * This module contains core utility functionality used by the
- * library. See Consumer.php and Server.php for the consumer and
- * server implementations.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * The library version string
- */
-define('Auth_OpenID_VERSION', '2.2.2');
-
-/**
- * Require the fetcher code.
- */
-require_once "Auth/Yadis/PlainHTTPFetcher.php";
-require_once "Auth/Yadis/ParanoidHTTPFetcher.php";
-require_once "Auth/OpenID/BigMath.php";
-require_once "Auth/OpenID/URINorm.php";
-
-/**
- * Status code returned by the server when the only option is to show
- * an error page, since we do not have enough information to redirect
- * back to the consumer. The associated value is an error message that
- * should be displayed on an HTML error page.
- *
- * @see Auth_OpenID_Server
- */
-define('Auth_OpenID_LOCAL_ERROR', 'local_error');
-
-/**
- * Status code returned when there is an error to return in key-value
- * form to the consumer. The caller should return a 400 Bad Request
- * response with content-type text/plain and the value as the body.
- *
- * @see Auth_OpenID_Server
- */
-define('Auth_OpenID_REMOTE_ERROR', 'remote_error');
-
-/**
- * Status code returned when there is a key-value form OK response to
- * the consumer. The value associated with this code is the
- * response. The caller should return a 200 OK response with
- * content-type text/plain and the value as the body.
- *
- * @see Auth_OpenID_Server
- */
-define('Auth_OpenID_REMOTE_OK', 'remote_ok');
-
-/**
- * Status code returned when there is a redirect back to the
- * consumer. The value is the URL to redirect back to. The caller
- * should return a 302 Found redirect with a Location: header
- * containing the URL.
- *
- * @see Auth_OpenID_Server
- */
-define('Auth_OpenID_REDIRECT', 'redirect');
-
-/**
- * Status code returned when the caller needs to authenticate the
- * user. The associated value is a {@link Auth_OpenID_ServerRequest}
- * object that can be used to complete the authentication. If the user
- * has taken some authentication action, use the retry() method of the
- * {@link Auth_OpenID_ServerRequest} object to complete the request.
- *
- * @see Auth_OpenID_Server
- */
-define('Auth_OpenID_DO_AUTH', 'do_auth');
-
-/**
- * Status code returned when there were no OpenID arguments
- * passed. This code indicates that the caller should return a 200 OK
- * response and display an HTML page that says that this is an OpenID
- * server endpoint.
- *
- * @see Auth_OpenID_Server
- */
-define('Auth_OpenID_DO_ABOUT', 'do_about');
-
-/**
- * Defines for regexes and format checking.
- */
-define('Auth_OpenID_letters',
- "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ");
-
-define('Auth_OpenID_digits',
- "0123456789");
-
-define('Auth_OpenID_punct',
- "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~");
-
-Auth_OpenID_include_init();
-
-/**
- * The OpenID utility function class.
- *
- * @package OpenID
- * @access private
- */
-class Auth_OpenID {
-
- /**
- * Return true if $thing is an Auth_OpenID_FailureResponse object;
- * false if not.
- *
- * @access private
- */
- static function isFailure($thing)
- {
- return is_a($thing, 'Auth_OpenID_FailureResponse');
- }
-
- /**
- * Gets the query data from the server environment based on the
- * request method used. If GET was used, this looks at
- * $_SERVER['QUERY_STRING'] directly. If POST was used, this
- * fetches data from the special php://input file stream.
- *
- * Returns an associative array of the query arguments.
- *
- * Skips invalid key/value pairs (i.e. keys with no '=value'
- * portion).
- *
- * Returns an empty array if neither GET nor POST was used, or if
- * POST was used but php://input cannot be opened.
- *
- * See background:
- * http://lists.openidenabled.com/pipermail/dev/2007-March/000395.html
- *
- * @access private
- */
- static function getQuery($query_str=null)
- {
- $data = array();
-
- if ($query_str !== null) {
- $data = Auth_OpenID::params_from_string($query_str);
- } else if (!array_key_exists('REQUEST_METHOD', $_SERVER)) {
- // Do nothing.
- } else {
- // XXX HACK FIXME HORRIBLE.
- //
- // POSTing to a URL with query parameters is acceptable, but
- // we don't have a clean way to distinguish those parameters
- // when we need to do things like return_to verification
- // which only want to look at one kind of parameter. We're
- // going to emulate the behavior of some other environments
- // by defaulting to GET and overwriting with POST if POST
- // data is available.
- $data = Auth_OpenID::params_from_string($_SERVER['QUERY_STRING']);
-
- if ($_SERVER['REQUEST_METHOD'] == 'POST') {
- $str = file_get_contents('php://input');
-
- if ($str === false) {
- $post = array();
- } else {
- $post = Auth_OpenID::params_from_string($str);
- }
-
- $data = array_merge($data, $post);
- }
- }
-
- return $data;
- }
-
- static function params_from_string($str)
- {
- $chunks = explode("&", $str);
-
- $data = array();
- foreach ($chunks as $chunk) {
- $parts = explode("=", $chunk, 2);
-
- if (count($parts) != 2) {
- continue;
- }
-
- list($k, $v) = $parts;
- $data[urldecode($k)] = urldecode($v);
- }
-
- return $data;
- }
-
- /**
- * Create dir_name as a directory if it does not exist. If it
- * exists, make sure that it is, in fact, a directory. Returns
- * true if the operation succeeded; false if not.
- *
- * @access private
- */
- static function ensureDir($dir_name)
- {
- if (is_dir($dir_name) || @mkdir($dir_name)) {
- return true;
- } else {
- $parent_dir = dirname($dir_name);
-
- // Terminal case; there is no parent directory to create.
- if ($parent_dir == $dir_name) {
- return true;
- }
-
- return (Auth_OpenID::ensureDir($parent_dir) && @mkdir($dir_name));
- }
- }
-
- /**
- * Adds a string prefix to all values of an array. Returns a new
- * array containing the prefixed values.
- *
- * @access private
- */
- static function addPrefix($values, $prefix)
- {
- $new_values = array();
- foreach ($values as $s) {
- $new_values[] = $prefix . $s;
- }
- return $new_values;
- }
-
- /**
- * Convenience function for getting array values. Given an array
- * $arr and a key $key, get the corresponding value from the array
- * or return $default if the key is absent.
- *
- * @access private
- */
- static function arrayGet($arr, $key, $fallback = null)
- {
- if (is_array($arr)) {
- if (array_key_exists($key, $arr)) {
- return $arr[$key];
- } else {
- return $fallback;
- }
- } else {
- trigger_error("Auth_OpenID::arrayGet (key = ".$key.") expected " .
- "array as first parameter, got " .
- gettype($arr), E_USER_WARNING);
-
- return false;
- }
- }
-
- /**
- * Replacement for PHP's broken parse_str.
- */
- static function parse_str($query)
- {
- if ($query === null) {
- return null;
- }
-
- $parts = explode('&', $query);
-
- $new_parts = array();
- for ($i = 0; $i < count($parts); $i++) {
- $pair = explode('=', $parts[$i]);
-
- if (count($pair) != 2) {
- continue;
- }
-
- list($key, $value) = $pair;
- $new_parts[urldecode($key)] = urldecode($value);
- }
-
- return $new_parts;
- }
-
- /**
- * Implements the PHP 5 'http_build_query' functionality.
- *
- * @access private
- * @param array $data Either an array key/value pairs or an array
- * of arrays, each of which holding two values: a key and a value,
- * sequentially.
- * @return string $result The result of url-encoding the key/value
- * pairs from $data into a URL query string
- * (e.g. "username=bob&id=56").
- */
- static function httpBuildQuery($data)
- {
- $pairs = array();
- foreach ($data as $key => $value) {
- if (is_array($value)) {
- $pairs[] = urlencode($value[0])."=".urlencode($value[1]);
- } else {
- $pairs[] = urlencode($key)."=".urlencode($value);
- }
- }
- return implode("&", $pairs);
- }
-
- /**
- * "Appends" query arguments onto a URL. The URL may or may not
- * already have arguments (following a question mark).
- *
- * @access private
- * @param string $url A URL, which may or may not already have
- * arguments.
- * @param array $args Either an array key/value pairs or an array of
- * arrays, each of which holding two values: a key and a value,
- * sequentially. If $args is an ordinary key/value array, the
- * parameters will be added to the URL in sorted alphabetical order;
- * if $args is an array of arrays, their order will be preserved.
- * @return string $url The original URL with the new parameters added.
- *
- */
- static function appendArgs($url, $args)
- {
- if (count($args) == 0) {
- return $url;
- }
-
- // Non-empty array; if it is an array of arrays, use
- // multisort; otherwise use sort.
- if (array_key_exists(0, $args) &&
- is_array($args[0])) {
- // Do nothing here.
- } else {
- $keys = array_keys($args);
- sort($keys);
- $new_args = array();
- foreach ($keys as $key) {
- $new_args[] = array($key, $args[$key]);
- }
- $args = $new_args;
- }
-
- $sep = '?';
- if (strpos($url, '?') !== false) {
- $sep = '&';
- }
-
- return $url . $sep . Auth_OpenID::httpBuildQuery($args);
- }
-
- /**
- * Implements python's urlunparse, which is not available in PHP.
- * Given the specified components of a URL, this function rebuilds
- * and returns the URL.
- *
- * @access private
- * @param string $scheme The scheme (e.g. 'http'). Defaults to 'http'.
- * @param string $host The host. Required.
- * @param string $port The port.
- * @param string $path The path.
- * @param string $query The query.
- * @param string $fragment The fragment.
- * @return string $url The URL resulting from assembling the
- * specified components.
- */
- static function urlunparse($scheme, $host, $port = null, $path = '/',
- $query = '', $fragment = '')
- {
-
- if (!$scheme) {
- $scheme = 'http';
- }
-
- if (!$host) {
- return false;
- }
-
- if (!$path) {
- $path = '';
- }
-
- $result = $scheme . "://" . $host;
-
- if ($port) {
- $result .= ":" . $port;
- }
-
- $result .= $path;
-
- if ($query) {
- $result .= "?" . $query;
- }
-
- if ($fragment) {
- $result .= "#" . $fragment;
- }
-
- return $result;
- }
-
- /**
- * Given a URL, this "normalizes" it by adding a trailing slash
- * and / or a leading http:// scheme where necessary. Returns
- * null if the original URL is malformed and cannot be normalized.
- *
- * @access private
- * @param string $url The URL to be normalized.
- * @return mixed $new_url The URL after normalization, or null if
- * $url was malformed.
- */
- static function normalizeUrl($url)
- {
- @$parsed = parse_url($url);
-
- if (!$parsed) {
- return null;
- }
-
- if (isset($parsed['scheme']) &&
- isset($parsed['host'])) {
- $scheme = strtolower($parsed['scheme']);
- if (!in_array($scheme, array('http', 'https'))) {
- return null;
- }
- } else {
- $url = 'http://' . $url;
- }
-
- $normalized = Auth_OpenID_urinorm($url);
- if ($normalized === null) {
- return null;
- }
- list($defragged, $frag) = Auth_OpenID::urldefrag($normalized);
- return $defragged;
- }
-
- /**
- * Replacement (wrapper) for PHP's intval() because it's broken.
- *
- * @access private
- */
- static function intval($value)
- {
- $re = "/^\\d+$/";
-
- if (!preg_match($re, $value)) {
- return false;
- }
-
- return intval($value);
- }
-
- /**
- * Count the number of bytes in a string independently of
- * multibyte support conditions.
- *
- * @param string $str The string of bytes to count.
- * @return int The number of bytes in $str.
- */
- static function bytes($str)
- {
- return strlen(bin2hex($str)) / 2;
- }
-
- /**
- * Get the bytes in a string independently of multibyte support
- * conditions.
- */
- static function toBytes($str)
- {
- $hex = bin2hex($str);
-
- if (!$hex) {
- return array();
- }
-
- $b = array();
- for ($i = 0; $i < strlen($hex); $i += 2) {
- $b[] = chr(base_convert(substr($hex, $i, 2), 16, 10));
- }
-
- return $b;
- }
-
- static function urldefrag($url)
- {
- $parts = explode("#", $url, 2);
-
- if (count($parts) == 1) {
- return array($parts[0], "");
- } else {
- return $parts;
- }
- }
-
- static function filter($callback, &$sequence)
- {
- $result = array();
-
- foreach ($sequence as $item) {
- if (call_user_func_array($callback, array($item))) {
- $result[] = $item;
- }
- }
-
- return $result;
- }
-
- static function update(&$dest, &$src)
- {
- foreach ($src as $k => $v) {
- $dest[$k] = $v;
- }
- }
-
- /**
- * Wrap PHP's standard error_log functionality. Use this to
- * perform all logging. It will interpolate any additional
- * arguments into the format string before logging.
- *
- * @param string $format_string The sprintf format for the message
- */
- static function log($format_string)
- {
- $args = func_get_args();
- $message = call_user_func_array('sprintf', $args);
- error_log($message);
- }
-
- static function autoSubmitHTML($form, $title="OpenId transaction in progress")
- {
- return("<html>".
- "<head><title>".
- $title .
- "</title></head>".
- "<body onload='document.forms[0].submit();'>".
- $form .
- "<script>".
- "var elements = document.forms[0].elements;".
- "for (var i = 0; i < elements.length; i++) {".
- " elements[i].style.display = \"none\";".
- "}".
- "</script>".
- "</body>".
- "</html>");
- }
-}
-
-/*
- * Function to run when this file is included.
- * Abstracted to a function to make life easier
- * for some PHP optimizers.
- */
-function Auth_OpenID_include_init() {
- if (Auth_OpenID_getMathLib() === null) {
- Auth_OpenID_setNoMathSupport();
- }
-}
diff --git a/lib/Auth/OpenID/AX.php b/lib/Auth/OpenID/AX.php
deleted file mode 100644
index 7370715e3a016ad11d19a18a14bb665996728bbc..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/AX.php
+++ /dev/null
@@ -1,1022 +0,0 @@
-<?php
-
-/**
- * Implements the OpenID attribute exchange specification, version 1.0
- * as of svn revision 370 from openid.net svn.
- *
- * @package OpenID
- */
-
-/**
- * Require utility classes and functions for the consumer.
- */
-require_once "Auth/OpenID/Extension.php";
-require_once "Auth/OpenID/Message.php";
-require_once "Auth/OpenID/TrustRoot.php";
-
-define('Auth_OpenID_AX_NS_URI',
- 'http://openid.net/srv/ax/1.0');
-
-// Use this as the 'count' value for an attribute in a FetchRequest to
-// ask for as many values as the OP can provide.
-define('Auth_OpenID_AX_UNLIMITED_VALUES', 'unlimited');
-
-// Minimum supported alias length in characters. Here for
-// completeness.
-define('Auth_OpenID_AX_MINIMUM_SUPPORTED_ALIAS_LENGTH', 32);
-
-/**
- * AX utility class.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX {
- /**
- * @param mixed $thing Any object which may be an
- * Auth_OpenID_AX_Error object.
- *
- * @return bool true if $thing is an Auth_OpenID_AX_Error; false
- * if not.
- */
- static function isError($thing)
- {
- return is_a($thing, 'Auth_OpenID_AX_Error');
- }
-}
-
-/**
- * Check an alias for invalid characters; raise AXError if any are
- * found. Return None if the alias is valid.
- */
-function Auth_OpenID_AX_checkAlias($alias)
-{
- if (strpos($alias, ',') !== false) {
- return new Auth_OpenID_AX_Error(sprintf(
- "Alias %s must not contain comma", $alias));
- }
- if (strpos($alias, '.') !== false) {
- return new Auth_OpenID_AX_Error(sprintf(
- "Alias %s must not contain period", $alias));
- }
-
- return true;
-}
-
-/**
- * Results from data that does not meet the attribute exchange 1.0
- * specification
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_Error {
- function Auth_OpenID_AX_Error($message=null)
- {
- $this->message = $message;
- }
-}
-
-/**
- * Abstract class containing common code for attribute exchange
- * messages.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_Message extends Auth_OpenID_Extension {
- /**
- * ns_alias: The preferred namespace alias for attribute exchange
- * messages
- */
- var $ns_alias = 'ax';
-
- /**
- * mode: The type of this attribute exchange message. This must be
- * overridden in subclasses.
- */
- var $mode = null;
-
- var $ns_uri = Auth_OpenID_AX_NS_URI;
-
- /**
- * Return Auth_OpenID_AX_Error if the mode in the attribute
- * exchange arguments does not match what is expected for this
- * class; true otherwise.
- *
- * @access private
- */
- function _checkMode($ax_args)
- {
- $mode = Auth_OpenID::arrayGet($ax_args, 'mode');
- if ($mode != $this->mode) {
- return new Auth_OpenID_AX_Error(
- sprintf(
- "Expected mode '%s'; got '%s'",
- $this->mode, $mode));
- }
-
- return true;
- }
-
- /**
- * Return a set of attribute exchange arguments containing the
- * basic information that must be in every attribute exchange
- * message.
- *
- * @access private
- */
- function _newArgs()
- {
- return array('mode' => $this->mode);
- }
-}
-
-/**
- * Represents a single attribute in an attribute exchange
- * request. This should be added to an AXRequest object in order to
- * request the attribute.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_AttrInfo {
- /**
- * Construct an attribute information object. Do not call this
- * directly; call make(...) instead.
- *
- * @param string $type_uri The type URI for this attribute.
- *
- * @param int $count The number of values of this type to request.
- *
- * @param bool $required Whether the attribute will be marked as
- * required in the request.
- *
- * @param string $alias The name that should be given to this
- * attribute in the request.
- */
- function Auth_OpenID_AX_AttrInfo($type_uri, $count, $required,
- $alias)
- {
- /**
- * required: Whether the attribute will be marked as required
- * when presented to the subject of the attribute exchange
- * request.
- */
- $this->required = $required;
-
- /**
- * count: How many values of this type to request from the
- * subject. Defaults to one.
- */
- $this->count = $count;
-
- /**
- * type_uri: The identifier that determines what the attribute
- * represents and how it is serialized. For example, one type
- * URI representing dates could represent a Unix timestamp in
- * base 10 and another could represent a human-readable
- * string.
- */
- $this->type_uri = $type_uri;
-
- /**
- * alias: The name that should be given to this attribute in
- * the request. If it is not supplied, a generic name will be
- * assigned. For example, if you want to call a Unix timestamp
- * value 'tstamp', set its alias to that value. If two
- * attributes in the same message request to use the same
- * alias, the request will fail to be generated.
- */
- $this->alias = $alias;
- }
-
- /**
- * Construct an attribute information object. For parameter
- * details, see the constructor.
- */
- static function make($type_uri, $count=1, $required=false,
- $alias=null)
- {
- if ($alias !== null) {
- $result = Auth_OpenID_AX_checkAlias($alias);
-
- if (Auth_OpenID_AX::isError($result)) {
- return $result;
- }
- }
-
- return new Auth_OpenID_AX_AttrInfo($type_uri, $count, $required,
- $alias);
- }
-
- /**
- * When processing a request for this attribute, the OP should
- * call this method to determine whether all available attribute
- * values were requested. If self.count == UNLIMITED_VALUES, this
- * returns True. Otherwise this returns False, in which case
- * self.count is an integer.
- */
- function wantsUnlimitedValues()
- {
- return $this->count === Auth_OpenID_AX_UNLIMITED_VALUES;
- }
-}
-
-/**
- * Given a namespace mapping and a string containing a comma-separated
- * list of namespace aliases, return a list of type URIs that
- * correspond to those aliases.
- *
- * @param $namespace_map The mapping from namespace URI to alias
- * @param $alias_list_s The string containing the comma-separated
- * list of aliases. May also be None for convenience.
- *
- * @return $seq The list of namespace URIs that corresponds to the
- * supplied list of aliases. If the string was zero-length or None, an
- * empty list will be returned.
- *
- * return null If an alias is present in the list of aliases but
- * is not present in the namespace map.
- */
-function Auth_OpenID_AX_toTypeURIs($namespace_map, $alias_list_s)
-{
- $uris = array();
-
- if ($alias_list_s) {
- foreach (explode(',', $alias_list_s) as $alias) {
- $type_uri = $namespace_map->getNamespaceURI($alias);
- if ($type_uri === null) {
- // raise KeyError(
- // 'No type is defined for attribute name %r' % (alias,))
- return new Auth_OpenID_AX_Error(
- sprintf('No type is defined for attribute name %s',
- $alias)
- );
- } else {
- $uris[] = $type_uri;
- }
- }
- }
-
- return $uris;
-}
-
-/**
- * An attribute exchange 'fetch_request' message. This message is sent
- * by a relying party when it wishes to obtain attributes about the
- * subject of an OpenID authentication request.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message {
-
- var $mode = 'fetch_request';
-
- function Auth_OpenID_AX_FetchRequest($update_url=null)
- {
- /**
- * requested_attributes: The attributes that have been
- * requested thus far, indexed by the type URI.
- */
- $this->requested_attributes = array();
-
- /**
- * update_url: A URL that will accept responses for this
- * attribute exchange request, even in the absence of the user
- * who made this request.
- */
- $this->update_url = $update_url;
- }
-
- /**
- * Add an attribute to this attribute exchange request.
- *
- * @param attribute: The attribute that is being requested
- * @return true on success, false when the requested attribute is
- * already present in this fetch request.
- */
- function add($attribute)
- {
- if ($this->contains($attribute->type_uri)) {
- return new Auth_OpenID_AX_Error(
- sprintf("The attribute %s has already been requested",
- $attribute->type_uri));
- }
-
- $this->requested_attributes[$attribute->type_uri] = $attribute;
-
- return true;
- }
-
- /**
- * Get the serialized form of this attribute fetch request.
- *
- * @returns Auth_OpenID_AX_FetchRequest The fetch request message parameters
- */
- function getExtensionArgs()
- {
- $aliases = new Auth_OpenID_NamespaceMap();
-
- $required = array();
- $if_available = array();
-
- $ax_args = $this->_newArgs();
-
- foreach ($this->requested_attributes as $type_uri => $attribute) {
- if ($attribute->alias === null) {
- $alias = $aliases->add($type_uri);
- } else {
- $alias = $aliases->addAlias($type_uri, $attribute->alias);
-
- if ($alias === null) {
- return new Auth_OpenID_AX_Error(
- sprintf("Could not add alias %s for URI %s",
- $attribute->alias, $type_uri
- ));
- }
- }
-
- if ($attribute->required) {
- $required[] = $alias;
- } else {
- $if_available[] = $alias;
- }
-
- if ($attribute->count != 1) {
- $ax_args['count.' . $alias] = strval($attribute->count);
- }
-
- $ax_args['type.' . $alias] = $type_uri;
- }
-
- if ($required) {
- $ax_args['required'] = implode(',', $required);
- }
-
- if ($if_available) {
- $ax_args['if_available'] = implode(',', $if_available);
- }
-
- return $ax_args;
- }
-
- /**
- * Get the type URIs for all attributes that have been marked as
- * required.
- *
- * @return A list of the type URIs for attributes that have been
- * marked as required.
- */
- function getRequiredAttrs()
- {
- $required = array();
- foreach ($this->requested_attributes as $type_uri => $attribute) {
- if ($attribute->required) {
- $required[] = $type_uri;
- }
- }
-
- return $required;
- }
-
- /**
- * Extract a FetchRequest from an OpenID message
- *
- * @param request: The OpenID request containing the attribute
- * fetch request
- *
- * @returns mixed An Auth_OpenID_AX_Error or the
- * Auth_OpenID_AX_FetchRequest extracted from the request message if
- * successful
- */
- static function fromOpenIDRequest($request)
- {
- $m = $request->message;
- $obj = new Auth_OpenID_AX_FetchRequest();
- $ax_args = $m->getArgs($obj->ns_uri);
-
- $result = $obj->parseExtensionArgs($ax_args);
-
- if (Auth_OpenID_AX::isError($result)) {
- return $result;
- }
-
- if ($obj->update_url) {
- // Update URL must match the openid.realm of the
- // underlying OpenID 2 message.
- $realm = $m->getArg(Auth_OpenID_OPENID_NS, 'realm',
- $m->getArg(
- Auth_OpenID_OPENID_NS,
- 'return_to'));
-
- if (!$realm) {
- $obj = new Auth_OpenID_AX_Error(
- sprintf("Cannot validate update_url %s " .
- "against absent realm", $obj->update_url));
- } else if (!Auth_OpenID_TrustRoot::match($realm,
- $obj->update_url)) {
- $obj = new Auth_OpenID_AX_Error(
- sprintf("Update URL %s failed validation against realm %s",
- $obj->update_url, $realm));
- }
- }
-
- return $obj;
- }
-
- /**
- * Given attribute exchange arguments, populate this FetchRequest.
- *
- * @return $result Auth_OpenID_AX_Error if the data to be parsed
- * does not follow the attribute exchange specification. At least
- * when 'if_available' or 'required' is not specified for a
- * particular attribute type. Returns true otherwise.
- */
- function parseExtensionArgs($ax_args)
- {
- $result = $this->_checkMode($ax_args);
- if (Auth_OpenID_AX::isError($result)) {
- return $result;
- }
-
- $aliases = new Auth_OpenID_NamespaceMap();
-
- foreach ($ax_args as $key => $value) {
- if (strpos($key, 'type.') === 0) {
- $alias = substr($key, 5);
- $type_uri = $value;
-
- $alias = $aliases->addAlias($type_uri, $alias);
-
- if ($alias === null) {
- return new Auth_OpenID_AX_Error(
- sprintf("Could not add alias %s for URI %s",
- $alias, $type_uri)
- );
- }
-
- $count_s = Auth_OpenID::arrayGet($ax_args, 'count.' . $alias);
- if ($count_s) {
- $count = Auth_OpenID::intval($count_s);
- if (($count === false) &&
- ($count_s === Auth_OpenID_AX_UNLIMITED_VALUES)) {
- $count = $count_s;
- }
- } else {
- $count = 1;
- }
-
- if ($count === false) {
- return new Auth_OpenID_AX_Error(
- sprintf("Integer value expected for %s, got %s",
- 'count.' . $alias, $count_s));
- }
-
- $attrinfo = Auth_OpenID_AX_AttrInfo::make($type_uri, $count,
- false, $alias);
-
- if (Auth_OpenID_AX::isError($attrinfo)) {
- return $attrinfo;
- }
-
- $this->add($attrinfo);
- }
- }
-
- $required = Auth_OpenID_AX_toTypeURIs($aliases,
- Auth_OpenID::arrayGet($ax_args, 'required'));
-
- foreach ($required as $type_uri) {
- $attrib = $this->requested_attributes[$type_uri];
- $attrib->required = true;
- }
-
- $if_available = Auth_OpenID_AX_toTypeURIs($aliases,
- Auth_OpenID::arrayGet($ax_args, 'if_available'));
-
- $all_type_uris = array_merge($required, $if_available);
-
- foreach ($aliases->iterNamespaceURIs() as $type_uri) {
- if (!in_array($type_uri, $all_type_uris)) {
- return new Auth_OpenID_AX_Error(
- sprintf('Type URI %s was in the request but not ' .
- 'present in "required" or "if_available"',
- $type_uri));
-
- }
- }
-
- $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url');
-
- return true;
- }
-
- /**
- * Iterate over the AttrInfo objects that are contained in this
- * fetch_request.
- */
- function iterAttrs()
- {
- return array_values($this->requested_attributes);
- }
-
- function iterTypes()
- {
- return array_keys($this->requested_attributes);
- }
-
- /**
- * Is the given type URI present in this fetch_request?
- */
- function contains($type_uri)
- {
- return in_array($type_uri, $this->iterTypes());
- }
-}
-
-/**
- * An abstract class that implements a message that has attribute keys
- * and values. It contains the common code between fetch_response and
- * store_request.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message {
-
- function Auth_OpenID_AX_KeyValueMessage()
- {
- $this->data = array();
- }
-
- /**
- * Add a single value for the given attribute type to the
- * message. If there are already values specified for this type,
- * this value will be sent in addition to the values already
- * specified.
- *
- * @param type_uri: The URI for the attribute
- * @param value: The value to add to the response to the relying
- * party for this attribute
- * @return null
- */
- function addValue($type_uri, $value)
- {
- if (!array_key_exists($type_uri, $this->data)) {
- $this->data[$type_uri] = array();
- }
-
- $values =& $this->data[$type_uri];
- $values[] = $value;
- }
-
- /**
- * Set the values for the given attribute type. This replaces any
- * values that have already been set for this attribute.
- *
- * @param type_uri: The URI for the attribute
- * @param values: A list of values to send for this attribute.
- */
- function setValues($type_uri, &$values)
- {
- $this->data[$type_uri] =& $values;
- }
-
- /**
- * Get the extension arguments for the key/value pairs contained
- * in this message.
- *
- * @param aliases: An alias mapping. Set to None if you don't care
- * about the aliases for this request.
- *
- * @access private
- */
- function _getExtensionKVArgs($aliases)
- {
- if ($aliases === null) {
- $aliases = new Auth_OpenID_NamespaceMap();
- }
-
- $ax_args = array();
-
- foreach ($this->data as $type_uri => $values) {
- $alias = $aliases->add($type_uri);
-
- $ax_args['type.' . $alias] = $type_uri;
- $ax_args['count.' . $alias] = strval(count($values));
-
- foreach ($values as $i => $value) {
- $key = sprintf('value.%s.%d', $alias, $i + 1);
- $ax_args[$key] = $value;
- }
- }
-
- return $ax_args;
- }
-
- /**
- * Parse attribute exchange key/value arguments into this object.
- *
- * @param ax_args: The attribute exchange fetch_response
- * arguments, with namespacing removed.
- *
- * @return Auth_OpenID_AX_Error or true
- */
- function parseExtensionArgs($ax_args)
- {
- $result = $this->_checkMode($ax_args);
- if (Auth_OpenID_AX::isError($result)) {
- return $result;
- }
-
- $aliases = new Auth_OpenID_NamespaceMap();
-
- foreach ($ax_args as $key => $value) {
- if (strpos($key, 'type.') === 0) {
- $type_uri = $value;
- $alias = substr($key, 5);
-
- $result = Auth_OpenID_AX_checkAlias($alias);
-
- if (Auth_OpenID_AX::isError($result)) {
- return $result;
- }
-
- $alias = $aliases->addAlias($type_uri, $alias);
-
- if ($alias === null) {
- return new Auth_OpenID_AX_Error(
- sprintf("Could not add alias %s for URI %s",
- $alias, $type_uri)
- );
- }
- }
- }
-
- foreach ($aliases->iteritems() as $pair) {
- list($type_uri, $alias) = $pair;
-
- if (array_key_exists('count.' . $alias, $ax_args) && ($ax_args['count.' . $alias] !== Auth_OpenID_AX_UNLIMITED_VALUES)) {
-
- $count_key = 'count.' . $alias;
- $count_s = $ax_args[$count_key];
-
- $count = Auth_OpenID::intval($count_s);
-
- if ($count === false) {
- return new Auth_OpenID_AX_Error(
- sprintf("Integer value expected for %s, got %s",
- 'count. %s' . $alias, $count_s,
- Auth_OpenID_AX_UNLIMITED_VALUES)
- );
- }
-
- $values = array();
- for ($i = 1; $i < $count + 1; $i++) {
- $value_key = sprintf('value.%s.%d', $alias, $i);
-
- if (!array_key_exists($value_key, $ax_args)) {
- return new Auth_OpenID_AX_Error(
- sprintf(
- "No value found for key %s",
- $value_key));
- }
-
- $value = $ax_args[$value_key];
- $values[] = $value;
- }
- } else {
- $key = 'value.' . $alias;
-
- if (!array_key_exists($key, $ax_args)) {
- return new Auth_OpenID_AX_Error(
- sprintf(
- "No value found for key %s",
- $key));
- }
-
- $value = $ax_args['value.' . $alias];
-
- if ($value == '') {
- $values = array();
- } else {
- $values = array($value);
- }
- }
-
- $this->data[$type_uri] = $values;
- }
-
- return true;
- }
-
- /**
- * Get a single value for an attribute. If no value was sent for
- * this attribute, use the supplied default. If there is more than
- * one value for this attribute, this method will fail.
- *
- * @param type_uri: The URI for the attribute
- * @param default: The value to return if the attribute was not
- * sent in the fetch_response.
- *
- * @return $value Auth_OpenID_AX_Error on failure or the value of
- * the attribute in the fetch_response message, or the default
- * supplied
- */
- function getSingle($type_uri, $default=null)
- {
- $values = Auth_OpenID::arrayGet($this->data, $type_uri);
- if (!$values) {
- return $default;
- } else if (count($values) == 1) {
- return $values[0];
- } else {
- return new Auth_OpenID_AX_Error(
- sprintf('More than one value present for %s',
- $type_uri)
- );
- }
- }
-
- /**
- * Get the list of values for this attribute in the
- * fetch_response.
- *
- * XXX: what to do if the values are not present? default
- * parameter? this is funny because it's always supposed to return
- * a list, so the default may break that, though it's provided by
- * the user's code, so it might be okay. If no default is
- * supplied, should the return be None or []?
- *
- * @param type_uri: The URI of the attribute
- *
- * @return $values The list of values for this attribute in the
- * response. May be an empty list. If the attribute was not sent
- * in the response, returns Auth_OpenID_AX_Error.
- */
- function get($type_uri)
- {
- if (array_key_exists($type_uri, $this->data)) {
- return $this->data[$type_uri];
- } else {
- return new Auth_OpenID_AX_Error(
- sprintf("Type URI %s not found in response",
- $type_uri)
- );
- }
- }
-
- /**
- * Get the number of responses for a particular attribute in this
- * fetch_response message.
- *
- * @param type_uri: The URI of the attribute
- *
- * @returns int The number of values sent for this attribute. If
- * the attribute was not sent in the response, returns
- * Auth_OpenID_AX_Error.
- */
- function count($type_uri)
- {
- if (array_key_exists($type_uri, $this->data)) {
- return count($this->get($type_uri));
- } else {
- return new Auth_OpenID_AX_Error(
- sprintf("Type URI %s not found in response",
- $type_uri)
- );
- }
- }
-}
-
-/**
- * A fetch_response attribute exchange message.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage {
- var $mode = 'fetch_response';
-
- function Auth_OpenID_AX_FetchResponse($update_url=null)
- {
- $this->Auth_OpenID_AX_KeyValueMessage();
- $this->update_url = $update_url;
- }
-
- /**
- * Serialize this object into arguments in the attribute exchange
- * namespace
- *
- * @return $args The dictionary of unqualified attribute exchange
- * arguments that represent this fetch_response, or
- * Auth_OpenID_AX_Error on error.
- */
- function getExtensionArgs($request=null)
- {
- $aliases = new Auth_OpenID_NamespaceMap();
-
- $zero_value_types = array();
-
- if ($request !== null) {
- // Validate the data in the context of the request (the
- // same attributes should be present in each, and the
- // counts in the response must be no more than the counts
- // in the request)
-
- foreach ($this->data as $type_uri => $unused) {
- if (!$request->contains($type_uri)) {
- return new Auth_OpenID_AX_Error(
- sprintf("Response attribute not present in request: %s",
- $type_uri)
- );
- }
- }
-
- foreach ($request->iterAttrs() as $attr_info) {
- // Copy the aliases from the request so that reading
- // the response in light of the request is easier
- if ($attr_info->alias === null) {
- $aliases->add($attr_info->type_uri);
- } else {
- $alias = $aliases->addAlias($attr_info->type_uri,
- $attr_info->alias);
-
- if ($alias === null) {
- return new Auth_OpenID_AX_Error(
- sprintf("Could not add alias %s for URI %s",
- $attr_info->alias, $attr_info->type_uri)
- );
- }
- }
-
- if (array_key_exists($attr_info->type_uri, $this->data)) {
- $values = $this->data[$attr_info->type_uri];
- } else {
- $values = array();
- $zero_value_types[] = $attr_info;
- }
-
- if (($attr_info->count != Auth_OpenID_AX_UNLIMITED_VALUES) &&
- ($attr_info->count < count($values))) {
- return new Auth_OpenID_AX_Error(
- sprintf("More than the number of requested values " .
- "were specified for %s",
- $attr_info->type_uri)
- );
- }
- }
- }
-
- $kv_args = $this->_getExtensionKVArgs($aliases);
-
- // Add the KV args into the response with the args that are
- // unique to the fetch_response
- $ax_args = $this->_newArgs();
-
- // For each requested attribute, put its type/alias and count
- // into the response even if no data were returned.
- foreach ($zero_value_types as $attr_info) {
- $alias = $aliases->getAlias($attr_info->type_uri);
- $kv_args['type.' . $alias] = $attr_info->type_uri;
- $kv_args['count.' . $alias] = '0';
- }
-
- $update_url = null;
- if ($request) {
- $update_url = $request->update_url;
- } else {
- $update_url = $this->update_url;
- }
-
- if ($update_url) {
- $ax_args['update_url'] = $update_url;
- }
-
- Auth_OpenID::update($ax_args, $kv_args);
-
- return $ax_args;
- }
-
- /**
- * @return $result Auth_OpenID_AX_Error on failure or true on
- * success.
- */
- function parseExtensionArgs($ax_args)
- {
- $result = parent::parseExtensionArgs($ax_args);
-
- if (Auth_OpenID_AX::isError($result)) {
- return $result;
- }
-
- $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url');
-
- return true;
- }
-
- /**
- * Construct a FetchResponse object from an OpenID library
- * SuccessResponse object.
- *
- * @param success_response: A successful id_res response object
- *
- * @param signed: Whether non-signed args should be processsed. If
- * True (the default), only signed arguments will be processsed.
- *
- * @return $response A FetchResponse containing the data from the
- * OpenID message
- */
- static function fromSuccessResponse($success_response, $signed=true)
- {
- $obj = new Auth_OpenID_AX_FetchResponse();
- if ($signed) {
- $ax_args = $success_response->getSignedNS($obj->ns_uri);
- } else {
- $ax_args = $success_response->message->getArgs($obj->ns_uri);
- }
- if ($ax_args === null || Auth_OpenID::isFailure($ax_args) ||
- sizeof($ax_args) == 0) {
- return null;
- }
-
- $result = $obj->parseExtensionArgs($ax_args);
- if (Auth_OpenID_AX::isError($result)) {
- #XXX log me
- return null;
- }
- return $obj;
- }
-}
-
-/**
- * A store request attribute exchange message representation.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage {
- var $mode = 'store_request';
-
- /**
- * @param array $aliases The namespace aliases to use when making
- * this store response. Leave as None to use defaults.
- */
- function getExtensionArgs($aliases=null)
- {
- $ax_args = $this->_newArgs();
- $kv_args = $this->_getExtensionKVArgs($aliases);
- Auth_OpenID::update($ax_args, $kv_args);
- return $ax_args;
- }
-}
-
-/**
- * An indication that the store request was processed along with this
- * OpenID transaction. Use make(), NOT the constructor, to create
- * response objects.
- *
- * @package OpenID
- */
-class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message {
- var $SUCCESS_MODE = 'store_response_success';
- var $FAILURE_MODE = 'store_response_failure';
-
- /**
- * Returns Auth_OpenID_AX_Error on error or an
- * Auth_OpenID_AX_StoreResponse object on success.
- */
- function make($succeeded=true, $error_message=null)
- {
- if (($succeeded) && ($error_message !== null)) {
- return new Auth_OpenID_AX_Error('An error message may only be '.
- 'included in a failing fetch response');
- }
-
- return new Auth_OpenID_AX_StoreResponse($succeeded, $error_message);
- }
-
- function Auth_OpenID_AX_StoreResponse($succeeded=true, $error_message=null)
- {
- if ($succeeded) {
- $this->mode = $this->SUCCESS_MODE;
- } else {
- $this->mode = $this->FAILURE_MODE;
- }
-
- $this->error_message = $error_message;
- }
-
- /**
- * Was this response a success response?
- */
- function succeeded()
- {
- return $this->mode == $this->SUCCESS_MODE;
- }
-
- function getExtensionArgs()
- {
- $ax_args = $this->_newArgs();
- if ((!$this->succeeded()) && $this->error_message) {
- $ax_args['error'] = $this->error_message;
- }
-
- return $ax_args;
- }
-}
-
diff --git a/lib/Auth/OpenID/Association.php b/lib/Auth/OpenID/Association.php
deleted file mode 100644
index 2729138ebb1ee5886a956dfe810e037e2683f436..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Association.php
+++ /dev/null
@@ -1,610 +0,0 @@
-<?php
-
-/**
- * This module contains code for dealing with associations between
- * consumers and servers.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/CryptUtil.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/KVForm.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/HMAC.php';
-
-/**
- * This class represents an association between a server and a
- * consumer. In general, users of this library will never see
- * instances of this object. The only exception is if you implement a
- * custom {@link Auth_OpenID_OpenIDStore}.
- *
- * If you do implement such a store, it will need to store the values
- * of the handle, secret, issued, lifetime, and assoc_type instance
- * variables.
- *
- * @package OpenID
- */
-class Auth_OpenID_Association {
-
- /**
- * This is a HMAC-SHA1 specific value.
- *
- * @access private
- */
- var $SIG_LENGTH = 20;
-
- /**
- * The ordering and name of keys as stored by serialize.
- *
- * @access private
- */
- var $assoc_keys = array(
- 'version',
- 'handle',
- 'secret',
- 'issued',
- 'lifetime',
- 'assoc_type'
- );
-
- var $_macs = array(
- 'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1',
- 'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256'
- );
-
- /**
- * This is an alternate constructor (factory method) used by the
- * OpenID consumer library to create associations. OpenID store
- * implementations shouldn't use this constructor.
- *
- * @access private
- *
- * @param integer $expires_in This is the amount of time this
- * association is good for, measured in seconds since the
- * association was issued.
- *
- * @param string $handle This is the handle the server gave this
- * association.
- *
- * @param string secret This is the shared secret the server
- * generated for this association.
- *
- * @param assoc_type This is the type of association this
- * instance represents. The only valid values of this field at
- * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may
- * be defined in the future.
- *
- * @return association An {@link Auth_OpenID_Association}
- * instance.
- */
- static function fromExpiresIn($expires_in, $handle, $secret, $assoc_type)
- {
- $issued = time();
- $lifetime = $expires_in;
- return new Auth_OpenID_Association($handle, $secret,
- $issued, $lifetime, $assoc_type);
- }
-
- /**
- * This is the standard constructor for creating an association.
- * The library should create all of the necessary associations, so
- * this constructor is not part of the external API.
- *
- * @access private
- *
- * @param string $handle This is the handle the server gave this
- * association.
- *
- * @param string $secret This is the shared secret the server
- * generated for this association.
- *
- * @param integer $issued This is the time this association was
- * issued, in seconds since 00:00 GMT, January 1, 1970. (ie, a
- * unix timestamp)
- *
- * @param integer $lifetime This is the amount of time this
- * association is good for, measured in seconds since the
- * association was issued.
- *
- * @param string $assoc_type This is the type of association this
- * instance represents. The only valid values of this field at
- * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may
- * be defined in the future.
- */
- function Auth_OpenID_Association(
- $handle, $secret, $issued, $lifetime, $assoc_type)
- {
- if (!in_array($assoc_type,
- Auth_OpenID_getSupportedAssociationTypes(), true)) {
- $fmt = 'Unsupported association type (%s)';
- trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR);
- }
-
- $this->handle = $handle;
- $this->secret = $secret;
- $this->issued = $issued;
- $this->lifetime = $lifetime;
- $this->assoc_type = $assoc_type;
- }
-
- /**
- * This returns the number of seconds this association is still
- * valid for, or 0 if the association is no longer valid.
- *
- * @return integer $seconds The number of seconds this association
- * is still valid for, or 0 if the association is no longer valid.
- */
- function getExpiresIn($now = null)
- {
- if ($now == null) {
- $now = time();
- }
-
- return max(0, $this->issued + $this->lifetime - $now);
- }
-
- /**
- * This checks to see if two {@link Auth_OpenID_Association}
- * instances represent the same association.
- *
- * @return bool $result true if the two instances represent the
- * same association, false otherwise.
- */
- function equal($other)
- {
- return ((gettype($this) == gettype($other))
- && ($this->handle == $other->handle)
- && ($this->secret == $other->secret)
- && ($this->issued == $other->issued)
- && ($this->lifetime == $other->lifetime)
- && ($this->assoc_type == $other->assoc_type));
- }
-
- /**
- * Convert an association to KV form.
- *
- * @return string $result String in KV form suitable for
- * deserialization by deserialize.
- */
- function serialize()
- {
- $data = array(
- 'version' => '2',
- 'handle' => $this->handle,
- 'secret' => base64_encode($this->secret),
- 'issued' => strval(intval($this->issued)),
- 'lifetime' => strval(intval($this->lifetime)),
- 'assoc_type' => $this->assoc_type
- );
-
- assert(array_keys($data) == $this->assoc_keys);
-
- return Auth_OpenID_KVForm::fromArray($data, $strict = true);
- }
-
- /**
- * Parse an association as stored by serialize(). This is the
- * inverse of serialize.
- *
- * @param string $assoc_s Association as serialized by serialize()
- * @return Auth_OpenID_Association $result instance of this class
- */
- static function deserialize($class_name, $assoc_s)
- {
- $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true);
- $keys = array();
- $values = array();
- foreach ($pairs as $key => $value) {
- if (is_array($value)) {
- list($key, $value) = $value;
- }
- $keys[] = $key;
- $values[] = $value;
- }
-
- $class_vars = get_class_vars($class_name);
- $class_assoc_keys = $class_vars['assoc_keys'];
-
- sort($keys);
- sort($class_assoc_keys);
-
- if ($keys != $class_assoc_keys) {
- trigger_error('Unexpected key values: ' . var_export($keys, true),
- E_USER_WARNING);
- return null;
- }
-
- $version = $pairs['version'];
- $handle = $pairs['handle'];
- $secret = $pairs['secret'];
- $issued = $pairs['issued'];
- $lifetime = $pairs['lifetime'];
- $assoc_type = $pairs['assoc_type'];
-
- if ($version != '2') {
- trigger_error('Unknown version: ' . $version, E_USER_WARNING);
- return null;
- }
-
- $issued = intval($issued);
- $lifetime = intval($lifetime);
- $secret = base64_decode($secret);
-
- return new $class_name(
- $handle, $secret, $issued, $lifetime, $assoc_type);
- }
-
- /**
- * Generate a signature for a sequence of (key, value) pairs
- *
- * @access private
- * @param array $pairs The pairs to sign, in order. This is an
- * array of two-tuples.
- * @return string $signature The binary signature of this sequence
- * of pairs
- */
- function sign($pairs)
- {
- $kv = Auth_OpenID_KVForm::fromArray($pairs);
-
- /* Invalid association types should be caught at constructor */
- $callback = $this->_macs[$this->assoc_type];
-
- return call_user_func_array($callback, array($this->secret, $kv));
- }
-
- /**
- * Generate a signature for some fields in a dictionary
- *
- * @access private
- * @param array $fields The fields to sign, in order; this is an
- * array of strings.
- * @param array $data Dictionary of values to sign (an array of
- * string => string pairs).
- * @return string $signature The signature, base64 encoded
- */
- function signMessage($message)
- {
- if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') ||
- $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) {
- // Already has a sig
- return null;
- }
-
- $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_handle');
-
- if ($extant_handle && ($extant_handle != $this->handle)) {
- // raise ValueError("Message has a different association handle")
- return null;
- }
-
- $signed_message = $message;
- $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
- $this->handle);
-
- $message_keys = array_keys($signed_message->toPostArgs());
- $signed_list = array();
- $signed_prefix = 'openid.';
-
- foreach ($message_keys as $k) {
- if (strpos($k, $signed_prefix) === 0) {
- $signed_list[] = substr($k, strlen($signed_prefix));
- }
- }
-
- $signed_list[] = 'signed';
- sort($signed_list);
-
- $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed',
- implode(',', $signed_list));
- $sig = $this->getMessageSignature($signed_message);
- $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig);
- return $signed_message;
- }
-
- /**
- * Given a {@link Auth_OpenID_Message}, return the key/value pairs
- * to be signed according to the signed list in the message. If
- * the message lacks a signed list, return null.
- *
- * @access private
- */
- function _makePairs($message)
- {
- $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
- if (!$signed || Auth_OpenID::isFailure($signed)) {
- // raise ValueError('Message has no signed list: %s' % (message,))
- return null;
- }
-
- $signed_list = explode(',', $signed);
- $pairs = array();
- $data = $message->toPostArgs();
- foreach ($signed_list as $field) {
- $pairs[] = array($field, Auth_OpenID::arrayGet($data,
- 'openid.' .
- $field, ''));
- }
- return $pairs;
- }
-
- /**
- * Given an {@link Auth_OpenID_Message}, return the signature for
- * the signed list in the message.
- *
- * @access private
- */
- function getMessageSignature($message)
- {
- $pairs = $this->_makePairs($message);
- return base64_encode($this->sign($pairs));
- }
-
- /**
- * Confirm that the signature of these fields matches the
- * signature contained in the data.
- *
- * @access private
- */
- function checkMessageSignature($message)
- {
- $sig = $message->getArg(Auth_OpenID_OPENID_NS,
- 'sig');
-
- if (!$sig || Auth_OpenID::isFailure($sig)) {
- return false;
- }
-
- $calculated_sig = $this->getMessageSignature($message);
- return Auth_OpenID_CryptUtil::constEq($calculated_sig, $sig);
- }
-}
-
-function Auth_OpenID_getSecretSize($assoc_type)
-{
- if ($assoc_type == 'HMAC-SHA1') {
- return 20;
- } else if ($assoc_type == 'HMAC-SHA256') {
- return 32;
- } else {
- return null;
- }
-}
-
-function Auth_OpenID_getAllAssociationTypes()
-{
- return array('HMAC-SHA1', 'HMAC-SHA256');
-}
-
-function Auth_OpenID_getSupportedAssociationTypes()
-{
- $a = array('HMAC-SHA1');
-
- if (Auth_OpenID_HMACSHA256_SUPPORTED) {
- $a[] = 'HMAC-SHA256';
- }
-
- return $a;
-}
-
-function Auth_OpenID_getSessionTypes($assoc_type)
-{
- $assoc_to_session = array(
- 'HMAC-SHA1' => array('DH-SHA1', 'no-encryption'));
-
- if (Auth_OpenID_HMACSHA256_SUPPORTED) {
- $assoc_to_session['HMAC-SHA256'] =
- array('DH-SHA256', 'no-encryption');
- }
-
- return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array());
-}
-
-function Auth_OpenID_checkSessionType($assoc_type, $session_type)
-{
- if (!in_array($session_type,
- Auth_OpenID_getSessionTypes($assoc_type))) {
- return false;
- }
-
- return true;
-}
-
-function Auth_OpenID_getDefaultAssociationOrder()
-{
- $order = array();
-
- if (!Auth_OpenID_noMathSupport()) {
- $order[] = array('HMAC-SHA1', 'DH-SHA1');
-
- if (Auth_OpenID_HMACSHA256_SUPPORTED) {
- $order[] = array('HMAC-SHA256', 'DH-SHA256');
- }
- }
-
- $order[] = array('HMAC-SHA1', 'no-encryption');
-
- if (Auth_OpenID_HMACSHA256_SUPPORTED) {
- $order[] = array('HMAC-SHA256', 'no-encryption');
- }
-
- return $order;
-}
-
-function Auth_OpenID_getOnlyEncryptedOrder()
-{
- $result = array();
-
- foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) {
- list($assoc, $session) = $pair;
-
- if ($session != 'no-encryption') {
- if (Auth_OpenID_HMACSHA256_SUPPORTED &&
- ($assoc == 'HMAC-SHA256')) {
- $result[] = $pair;
- } else if ($assoc != 'HMAC-SHA256') {
- $result[] = $pair;
- }
- }
- }
-
- return $result;
-}
-
-function Auth_OpenID_getDefaultNegotiator()
-{
- return new Auth_OpenID_SessionNegotiator(
- Auth_OpenID_getDefaultAssociationOrder());
-}
-
-function Auth_OpenID_getEncryptedNegotiator()
-{
- return new Auth_OpenID_SessionNegotiator(
- Auth_OpenID_getOnlyEncryptedOrder());
-}
-
-/**
- * A session negotiator controls the allowed and preferred association
- * types and association session types. Both the {@link
- * Auth_OpenID_Consumer} and {@link Auth_OpenID_Server} use
- * negotiators when creating associations.
- *
- * You can create and use negotiators if you:
-
- * - Do not want to do Diffie-Hellman key exchange because you use
- * transport-layer encryption (e.g. SSL)
- *
- * - Want to use only SHA-256 associations
- *
- * - Do not want to support plain-text associations over a non-secure
- * channel
- *
- * It is up to you to set a policy for what kinds of associations to
- * accept. By default, the library will make any kind of association
- * that is allowed in the OpenID 2.0 specification.
- *
- * Use of negotiators in the library
- * =================================
- *
- * When a consumer makes an association request, it calls {@link
- * getAllowedType} to get the preferred association type and
- * association session type.
- *
- * The server gets a request for a particular association/session type
- * and calls {@link isAllowed} to determine if it should create an
- * association. If it is supported, negotiation is complete. If it is
- * not, the server calls {@link getAllowedType} to get an allowed
- * association type to return to the consumer.
- *
- * If the consumer gets an error response indicating that the
- * requested association/session type is not supported by the server
- * that contains an assocation/session type to try, it calls {@link
- * isAllowed} to determine if it should try again with the given
- * combination of association/session type.
- *
- * @package OpenID
- */
-class Auth_OpenID_SessionNegotiator {
- function Auth_OpenID_SessionNegotiator($allowed_types)
- {
- $this->allowed_types = array();
- $this->setAllowedTypes($allowed_types);
- }
-
- /**
- * Set the allowed association types, checking to make sure each
- * combination is valid.
- *
- * @access private
- */
- function setAllowedTypes($allowed_types)
- {
- foreach ($allowed_types as $pair) {
- list($assoc_type, $session_type) = $pair;
- if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) {
- return false;
- }
- }
-
- $this->allowed_types = $allowed_types;
- return true;
- }
-
- /**
- * Add an association type and session type to the allowed types
- * list. The assocation/session pairs are tried in the order that
- * they are added.
- *
- * @access private
- */
- function addAllowedType($assoc_type, $session_type = null)
- {
- if ($this->allowed_types === null) {
- $this->allowed_types = array();
- }
-
- if ($session_type === null) {
- $available = Auth_OpenID_getSessionTypes($assoc_type);
-
- if (!$available) {
- return false;
- }
-
- foreach ($available as $session_type) {
- $this->addAllowedType($assoc_type, $session_type);
- }
- } else {
- if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) {
- $this->allowed_types[] = array($assoc_type, $session_type);
- } else {
- return false;
- }
- }
-
- return true;
- }
-
- // Is this combination of association type and session type allowed?
- function isAllowed($assoc_type, $session_type)
- {
- $assoc_good = in_array(array($assoc_type, $session_type),
- $this->allowed_types);
-
- $matches = in_array($session_type,
- Auth_OpenID_getSessionTypes($assoc_type));
-
- return ($assoc_good && $matches);
- }
-
- /**
- * Get a pair of assocation type and session type that are
- * supported.
- */
- function getAllowedType()
- {
- if (!$this->allowed_types) {
- return array(null, null);
- }
-
- return $this->allowed_types[0];
- }
-}
-
diff --git a/lib/Auth/OpenID/BigMath.php b/lib/Auth/OpenID/BigMath.php
deleted file mode 100644
index 58b46bf27b24bdfdf39225a3f19a3ea025e355d4..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/BigMath.php
+++ /dev/null
@@ -1,451 +0,0 @@
-<?php
-
-/**
- * BigMath: A math library wrapper that abstracts out the underlying
- * long integer library.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @access private
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Needed for random number generation
- */
-require_once 'Auth/OpenID/CryptUtil.php';
-
-/**
- * Need Auth_OpenID::bytes().
- */
-require_once 'Auth/OpenID.php';
-
-/**
- * The superclass of all big-integer math implementations
- * @access private
- * @package OpenID
- */
-class Auth_OpenID_MathLibrary {
- /**
- * Given a long integer, returns the number converted to a binary
- * string. This function accepts long integer values of arbitrary
- * magnitude and uses the local large-number math library when
- * available.
- *
- * @param integer $long The long number (can be a normal PHP
- * integer or a number created by one of the available long number
- * libraries)
- * @return string $binary The binary version of $long
- */
- function longToBinary($long)
- {
- $cmp = $this->cmp($long, 0);
- if ($cmp < 0) {
- $msg = __FUNCTION__ . " takes only positive integers.";
- trigger_error($msg, E_USER_ERROR);
- return null;
- }
-
- if ($cmp == 0) {
- return "\x00";
- }
-
- $bytes = array();
-
- while ($this->cmp($long, 0) > 0) {
- array_unshift($bytes, $this->mod($long, 256));
- $long = $this->div($long, pow(2, 8));
- }
-
- if ($bytes && ($bytes[0] > 127)) {
- array_unshift($bytes, 0);
- }
-
- $string = '';
- foreach ($bytes as $byte) {
- $string .= pack('C', $byte);
- }
-
- return $string;
- }
-
- /**
- * Given a binary string, returns the binary string converted to a
- * long number.
- *
- * @param string $binary The binary version of a long number,
- * probably as a result of calling longToBinary
- * @return integer $long The long number equivalent of the binary
- * string $str
- */
- function binaryToLong($str)
- {
- if ($str === null) {
- return null;
- }
-
- // Use array_merge to return a zero-indexed array instead of a
- // one-indexed array.
- $bytes = array_merge(unpack('C*', $str));
-
- $n = $this->init(0);
-
- if ($bytes && ($bytes[0] > 127)) {
- trigger_error("bytesToNum works only for positive integers.",
- E_USER_WARNING);
- return null;
- }
-
- foreach ($bytes as $byte) {
- $n = $this->mul($n, pow(2, 8));
- $n = $this->add($n, $byte);
- }
-
- return $n;
- }
-
- function base64ToLong($str)
- {
- $b64 = base64_decode($str);
-
- if ($b64 === false) {
- return false;
- }
-
- return $this->binaryToLong($b64);
- }
-
- function longToBase64($str)
- {
- return base64_encode($this->longToBinary($str));
- }
-
- /**
- * Returns a random number in the specified range. This function
- * accepts $start, $stop, and $step values of arbitrary magnitude
- * and will utilize the local large-number math library when
- * available.
- *
- * @param integer $start The start of the range, or the minimum
- * random number to return
- * @param integer $stop The end of the range, or the maximum
- * random number to return
- * @param integer $step The step size, such that $result - ($step
- * * N) = $start for some N
- * @return integer $result The resulting randomly-generated number
- */
- function rand($stop)
- {
- static $duplicate_cache = array();
-
- // Used as the key for the duplicate cache
- $rbytes = $this->longToBinary($stop);
-
- if (array_key_exists($rbytes, $duplicate_cache)) {
- list($duplicate, $nbytes) = $duplicate_cache[$rbytes];
- } else {
- if ($rbytes[0] == "\x00") {
- $nbytes = Auth_OpenID::bytes($rbytes) - 1;
- } else {
- $nbytes = Auth_OpenID::bytes($rbytes);
- }
-
- $mxrand = $this->pow(256, $nbytes);
-
- // If we get a number less than this, then it is in the
- // duplicated range.
- $duplicate = $this->mod($mxrand, $stop);
-
- if (count($duplicate_cache) > 10) {
- $duplicate_cache = array();
- }
-
- $duplicate_cache[$rbytes] = array($duplicate, $nbytes);
- }
-
- do {
- $bytes = "\x00" . Auth_OpenID_CryptUtil::getBytes($nbytes);
- $n = $this->binaryToLong($bytes);
- // Keep looping if this value is in the low duplicated range
- } while ($this->cmp($n, $duplicate) < 0);
-
- return $this->mod($n, $stop);
- }
-}
-
-/**
- * Exposes BCmath math library functionality.
- *
- * {@link Auth_OpenID_BcMathWrapper} wraps the functionality provided
- * by the BCMath extension.
- *
- * @access private
- * @package OpenID
- */
-class Auth_OpenID_BcMathWrapper extends Auth_OpenID_MathLibrary{
- var $type = 'bcmath';
-
- function add($x, $y)
- {
- return bcadd($x, $y);
- }
-
- function sub($x, $y)
- {
- return bcsub($x, $y);
- }
-
- function pow($base, $exponent)
- {
- return bcpow($base, $exponent);
- }
-
- function cmp($x, $y)
- {
- return bccomp($x, $y);
- }
-
- function init($number, $base = 10)
- {
- return $number;
- }
-
- function mod($base, $modulus)
- {
- return bcmod($base, $modulus);
- }
-
- function mul($x, $y)
- {
- return bcmul($x, $y);
- }
-
- function div($x, $y)
- {
- return bcdiv($x, $y);
- }
-
- /**
- * Same as bcpowmod when bcpowmod is missing
- *
- * @access private
- */
- function _powmod($base, $exponent, $modulus)
- {
- $square = $this->mod($base, $modulus);
- $result = 1;
- while($this->cmp($exponent, 0) > 0) {
- if ($this->mod($exponent, 2)) {
- $result = $this->mod($this->mul($result, $square), $modulus);
- }
- $square = $this->mod($this->mul($square, $square), $modulus);
- $exponent = $this->div($exponent, 2);
- }
- return $result;
- }
-
- function powmod($base, $exponent, $modulus)
- {
- if (function_exists('bcpowmod')) {
- return bcpowmod($base, $exponent, $modulus);
- } else {
- return $this->_powmod($base, $exponent, $modulus);
- }
- }
-
- function toString($num)
- {
- return $num;
- }
-}
-
-/**
- * Exposes GMP math library functionality.
- *
- * {@link Auth_OpenID_GmpMathWrapper} wraps the functionality provided
- * by the GMP extension.
- *
- * @access private
- * @package OpenID
- */
-class Auth_OpenID_GmpMathWrapper extends Auth_OpenID_MathLibrary{
- var $type = 'gmp';
-
- function add($x, $y)
- {
- return gmp_add($x, $y);
- }
-
- function sub($x, $y)
- {
- return gmp_sub($x, $y);
- }
-
- function pow($base, $exponent)
- {
- return gmp_pow($base, $exponent);
- }
-
- function cmp($x, $y)
- {
- return gmp_cmp($x, $y);
- }
-
- function init($number, $base = 10)
- {
- return gmp_init($number, $base);
- }
-
- function mod($base, $modulus)
- {
- return gmp_mod($base, $modulus);
- }
-
- function mul($x, $y)
- {
- return gmp_mul($x, $y);
- }
-
- function div($x, $y)
- {
- return gmp_div_q($x, $y);
- }
-
- function powmod($base, $exponent, $modulus)
- {
- return gmp_powm($base, $exponent, $modulus);
- }
-
- function toString($num)
- {
- return gmp_strval($num);
- }
-}
-
-/**
- * Define the supported extensions. An extension array has keys
- * 'modules', 'extension', and 'class'. 'modules' is an array of PHP
- * module names which the loading code will attempt to load. These
- * values will be suffixed with a library file extension (e.g. ".so").
- * 'extension' is the name of a PHP extension which will be tested
- * before 'modules' are loaded. 'class' is the string name of a
- * {@link Auth_OpenID_MathWrapper} subclass which should be
- * instantiated if a given extension is present.
- *
- * You can define new math library implementations and add them to
- * this array.
- */
-function Auth_OpenID_math_extensions()
-{
- $result = array();
-
- if (!defined('Auth_OpenID_BUGGY_GMP')) {
- $result[] =
- array('modules' => array('gmp', 'php_gmp'),
- 'extension' => 'gmp',
- 'class' => 'Auth_OpenID_GmpMathWrapper');
- }
-
- $result[] = array('modules' => array('bcmath', 'php_bcmath'),
- 'extension' => 'bcmath',
- 'class' => 'Auth_OpenID_BcMathWrapper');
-
- return $result;
-}
-
-/**
- * Detect which (if any) math library is available
- */
-function Auth_OpenID_detectMathLibrary($exts)
-{
- $loaded = false;
-
- foreach ($exts as $extension) {
- if (extension_loaded($extension['extension'])) {
- return $extension;
- }
- }
-
- return false;
-}
-
-/**
- * {@link Auth_OpenID_getMathLib} checks for the presence of long
- * number extension modules and returns an instance of
- * {@link Auth_OpenID_MathWrapper} which exposes the module's
- * functionality.
- *
- * Checks for the existence of an extension module described by the
- * result of {@link Auth_OpenID_math_extensions()} and returns an
- * instance of a wrapper for that extension module. If no extension
- * module is found, an instance of {@link Auth_OpenID_MathWrapper} is
- * returned, which wraps the native PHP integer implementation. The
- * proper calling convention for this method is $lib =
- * Auth_OpenID_getMathLib().
- *
- * This function checks for the existence of specific long number
- * implementations in the following order: GMP followed by BCmath.
- *
- * @return Auth_OpenID_MathWrapper $instance An instance of
- * {@link Auth_OpenID_MathWrapper} or one of its subclasses
- *
- * @package OpenID
- */
-function Auth_OpenID_getMathLib()
-{
- // The instance of Auth_OpenID_MathWrapper that we choose to
- // supply will be stored here, so that subseqent calls to this
- // method will return a reference to the same object.
- static $lib = null;
-
- if (isset($lib)) {
- return $lib;
- }
-
- if (Auth_OpenID_noMathSupport()) {
- $null = null;
- return $null;
- }
-
- // If this method has not been called before, look at
- // Auth_OpenID_math_extensions and try to find an extension that
- // works.
- $ext = Auth_OpenID_detectMathLibrary(Auth_OpenID_math_extensions());
- if ($ext === false) {
- $tried = array();
- foreach (Auth_OpenID_math_extensions() as $extinfo) {
- $tried[] = $extinfo['extension'];
- }
- $triedstr = implode(", ", $tried);
-
- Auth_OpenID_setNoMathSupport();
-
- $result = null;
- return $result;
- }
-
- // Instantiate a new wrapper
- $class = $ext['class'];
- $lib = new $class();
-
- return $lib;
-}
-
-function Auth_OpenID_setNoMathSupport()
-{
- if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) {
- define('Auth_OpenID_NO_MATH_SUPPORT', true);
- }
-}
-
-function Auth_OpenID_noMathSupport()
-{
- return defined('Auth_OpenID_NO_MATH_SUPPORT');
-}
-
-
diff --git a/lib/Auth/OpenID/Consumer.php b/lib/Auth/OpenID/Consumer.php
deleted file mode 100644
index d562e33f354823498e55109b8670256e92672093..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Consumer.php
+++ /dev/null
@@ -1,2236 +0,0 @@
-<?php
-
-/**
- * This module documents the main interface with the OpenID consumer
- * library. The only part of the library which has to be used and
- * isn't documented in full here is the store required to create an
- * Auth_OpenID_Consumer instance. More on the abstract store type and
- * concrete implementations of it that are provided in the
- * documentation for the Auth_OpenID_Consumer constructor.
- *
- * OVERVIEW
- *
- * The OpenID identity verification process most commonly uses the
- * following steps, as visible to the user of this library:
- *
- * 1. The user enters their OpenID into a field on the consumer's
- * site, and hits a login button.
- * 2. The consumer site discovers the user's OpenID server using the
- * YADIS protocol.
- * 3. The consumer site sends the browser a redirect to the identity
- * server. This is the authentication request as described in
- * the OpenID specification.
- * 4. The identity server's site sends the browser a redirect back
- * to the consumer site. This redirect contains the server's
- * response to the authentication request.
- *
- * The most important part of the flow to note is the consumer's site
- * must handle two separate HTTP requests in order to perform the full
- * identity check.
- *
- * LIBRARY DESIGN
- *
- * This consumer library is designed with that flow in mind. The goal
- * is to make it as easy as possible to perform the above steps
- * securely.
- *
- * At a high level, there are two important parts in the consumer
- * library. The first important part is this module, which contains
- * the interface to actually use this library. The second is the
- * Auth_OpenID_Interface class, which describes the interface to use
- * if you need to create a custom method for storing the state this
- * library needs to maintain between requests.
- *
- * In general, the second part is less important for users of the
- * library to know about, as several implementations are provided
- * which cover a wide variety of situations in which consumers may use
- * the library.
- *
- * This module contains a class, Auth_OpenID_Consumer, with methods
- * corresponding to the actions necessary in each of steps 2, 3, and 4
- * described in the overview. Use of this library should be as easy
- * as creating an Auth_OpenID_Consumer instance and calling the
- * methods appropriate for the action the site wants to take.
- *
- * STORES AND DUMB MODE
- *
- * OpenID is a protocol that works best when the consumer site is able
- * to store some state. This is the normal mode of operation for the
- * protocol, and is sometimes referred to as smart mode. There is
- * also a fallback mode, known as dumb mode, which is available when
- * the consumer site is not able to store state. This mode should be
- * avoided when possible, as it leaves the implementation more
- * vulnerable to replay attacks.
- *
- * The mode the library works in for normal operation is determined by
- * the store that it is given. The store is an abstraction that
- * handles the data that the consumer needs to manage between http
- * requests in order to operate efficiently and securely.
- *
- * Several store implementation are provided, and the interface is
- * fully documented so that custom stores can be used as well. See
- * the documentation for the Auth_OpenID_Consumer class for more
- * information on the interface for stores. The implementations that
- * are provided allow the consumer site to store the necessary data in
- * several different ways, including several SQL databases and normal
- * files on disk.
- *
- * There is an additional concrete store provided that puts the system
- * in dumb mode. This is not recommended, as it removes the library's
- * ability to stop replay attacks reliably. It still uses time-based
- * checking to make replay attacks only possible within a small
- * window, but they remain possible within that window. This store
- * should only be used if the consumer site has no way to retain data
- * between requests at all.
- *
- * IMMEDIATE MODE
- *
- * In the flow described above, the user may need to confirm to the
- * lidentity server that it's ok to authorize his or her identity.
- * The server may draw pages asking for information from the user
- * before it redirects the browser back to the consumer's site. This
- * is generally transparent to the consumer site, so it is typically
- * ignored as an implementation detail.
- *
- * There can be times, however, where the consumer site wants to get a
- * response immediately. When this is the case, the consumer can put
- * the library in immediate mode. In immediate mode, there is an
- * extra response possible from the server, which is essentially the
- * server reporting that it doesn't have enough information to answer
- * the question yet.
- *
- * USING THIS LIBRARY
- *
- * Integrating this library into an application is usually a
- * relatively straightforward process. The process should basically
- * follow this plan:
- *
- * Add an OpenID login field somewhere on your site. When an OpenID
- * is entered in that field and the form is submitted, it should make
- * a request to the your site which includes that OpenID URL.
- *
- * First, the application should instantiate the Auth_OpenID_Consumer
- * class using the store of choice (Auth_OpenID_FileStore or one of
- * the SQL-based stores). If the application has a custom
- * session-management implementation, an object implementing the
- * {@link Auth_Yadis_PHPSession} interface should be passed as the
- * second parameter. Otherwise, the default uses $_SESSION.
- *
- * Next, the application should call the Auth_OpenID_Consumer object's
- * 'begin' method. This method takes the OpenID URL. The 'begin'
- * method returns an Auth_OpenID_AuthRequest object.
- *
- * Next, the application should call the 'redirectURL' method of the
- * Auth_OpenID_AuthRequest object. The 'return_to' URL parameter is
- * the URL that the OpenID server will send the user back to after
- * attempting to verify his or her identity. The 'trust_root' is the
- * URL (or URL pattern) that identifies your web site to the user when
- * he or she is authorizing it. Send a redirect to the resulting URL
- * to the user's browser.
- *
- * That's the first half of the authentication process. The second
- * half of the process is done after the user's ID server sends the
- * user's browser a redirect back to your site to complete their
- * login.
- *
- * When that happens, the user will contact your site at the URL given
- * as the 'return_to' URL to the Auth_OpenID_AuthRequest::redirectURL
- * call made above. The request will have several query parameters
- * added to the URL by the identity server as the information
- * necessary to finish the request.
- *
- * Lastly, instantiate an Auth_OpenID_Consumer instance as above and
- * call its 'complete' method, passing in all the received query
- * arguments.
- *
- * There are multiple possible return types possible from that
- * method. These indicate the whether or not the login was successful,
- * and include any additional information appropriate for their type.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Require utility classes and functions for the consumer.
- */
-require_once "Auth/OpenID.php";
-require_once "Auth/OpenID/Message.php";
-require_once "Auth/OpenID/HMAC.php";
-require_once "Auth/OpenID/Association.php";
-require_once "Auth/OpenID/CryptUtil.php";
-require_once "Auth/OpenID/DiffieHellman.php";
-require_once "Auth/OpenID/KVForm.php";
-require_once "Auth/OpenID/Nonce.php";
-require_once "Auth/OpenID/Discover.php";
-require_once "Auth/OpenID/URINorm.php";
-require_once "Auth/Yadis/Manager.php";
-require_once "Auth/Yadis/XRI.php";
-
-/**
- * This is the status code returned when the complete method returns
- * successfully.
- */
-define('Auth_OpenID_SUCCESS', 'success');
-
-/**
- * Status to indicate cancellation of OpenID authentication.
- */
-define('Auth_OpenID_CANCEL', 'cancel');
-
-/**
- * This is the status code completeAuth returns when the value it
- * received indicated an invalid login.
- */
-define('Auth_OpenID_FAILURE', 'failure');
-
-/**
- * This is the status code completeAuth returns when the
- * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the
- * identity server sends back a URL to send the user to to complete his
- * or her login.
- */
-define('Auth_OpenID_SETUP_NEEDED', 'setup needed');
-
-/**
- * This is the status code beginAuth returns when the page fetched
- * from the entered OpenID URL doesn't contain the necessary link tags
- * to function as an identity page.
- */
-define('Auth_OpenID_PARSE_ERROR', 'parse error');
-
-/**
- * An OpenID consumer implementation that performs discovery and does
- * session management. See the Consumer.php file documentation for
- * more information.
- *
- * @package OpenID
- */
-class Auth_OpenID_Consumer {
-
- /**
- * @access private
- */
- var $discoverMethod = 'Auth_OpenID_discover';
-
- /**
- * @access private
- */
- var $session_key_prefix = "_openid_consumer_";
-
- /**
- * @access private
- */
- var $_token_suffix = "last_token";
-
- /**
- * Initialize a Consumer instance.
- *
- * You should create a new instance of the Consumer object with
- * every HTTP request that handles OpenID transactions.
- *
- * @param Auth_OpenID_OpenIDStore $store This must be an object
- * that implements the interface in {@link
- * Auth_OpenID_OpenIDStore}. Several concrete implementations are
- * provided, to cover most common use cases. For stores backed by
- * MySQL, PostgreSQL, or SQLite, see the {@link
- * Auth_OpenID_SQLStore} class and its sublcasses. For a
- * filesystem-backed store, see the {@link Auth_OpenID_FileStore}
- * module. As a last resort, if it isn't possible for the server
- * to store state at all, an instance of {@link
- * Auth_OpenID_DumbStore} can be used.
- *
- * @param mixed $session An object which implements the interface
- * of the {@link Auth_Yadis_PHPSession} class. Particularly, this
- * object is expected to have these methods: get($key), set($key),
- * $value), and del($key). This defaults to a session object
- * which wraps PHP's native session machinery. You should only
- * need to pass something here if you have your own sessioning
- * implementation.
- *
- * @param str $consumer_cls The name of the class to instantiate
- * when creating the internal consumer object. This is used for
- * testing.
- */
- function Auth_OpenID_Consumer($store, $session = null,
- $consumer_cls = null)
- {
- if ($session === null) {
- $session = new Auth_Yadis_PHPSession();
- }
-
- $this->session = $session;
-
- if ($consumer_cls !== null) {
- $this->consumer = new $consumer_cls($store);
- } else {
- $this->consumer = new Auth_OpenID_GenericConsumer($store);
- }
-
- $this->_token_key = $this->session_key_prefix . $this->_token_suffix;
- }
-
- /**
- * Used in testing to define the discovery mechanism.
- *
- * @access private
- */
- function getDiscoveryObject($session, $openid_url,
- $session_key_prefix)
- {
- return new Auth_Yadis_Discovery($session, $openid_url,
- $session_key_prefix);
- }
-
- /**
- * Start the OpenID authentication process. See steps 1-2 in the
- * overview at the top of this file.
- *
- * @param string $user_url Identity URL given by the user. This
- * method performs a textual transformation of the URL to try and
- * make sure it is normalized. For example, a user_url of
- * example.com will be normalized to http://example.com/
- * normalizing and resolving any redirects the server might issue.
- *
- * @param bool $anonymous True if the OpenID request is to be sent
- * to the server without any identifier information. Use this
- * when you want to transport data but don't want to do OpenID
- * authentication with identifiers.
- *
- * @return Auth_OpenID_AuthRequest $auth_request An object
- * containing the discovered information will be returned, with a
- * method for building a redirect URL to the server, as described
- * in step 3 of the overview. This object may also be used to add
- * extension arguments to the request, using its 'addExtensionArg'
- * method.
- */
- function begin($user_url, $anonymous=false)
- {
- $openid_url = $user_url;
-
- $disco = $this->getDiscoveryObject($this->session,
- $openid_url,
- $this->session_key_prefix);
-
- // Set the 'stale' attribute of the manager. If discovery
- // fails in a fatal way, the stale flag will cause the manager
- // to be cleaned up next time discovery is attempted.
-
- $m = $disco->getManager();
- $loader = new Auth_Yadis_ManagerLoader();
-
- if ($m) {
- if ($m->stale) {
- $disco->destroyManager();
- } else {
- $m->stale = true;
- $disco->session->set($disco->session_key,
- serialize($loader->toSession($m)));
- }
- }
-
- $endpoint = $disco->getNextService($this->discoverMethod,
- $this->consumer->fetcher);
-
- // Reset the 'stale' attribute of the manager.
- $m = $disco->getManager();
- if ($m) {
- $m->stale = false;
- $disco->session->set($disco->session_key,
- serialize($loader->toSession($m)));
- }
-
- if ($endpoint === null) {
- return null;
- } else {
- return $this->beginWithoutDiscovery($endpoint,
- $anonymous);
- }
- }
-
- /**
- * Start OpenID verification without doing OpenID server
- * discovery. This method is used internally by Consumer.begin
- * after discovery is performed, and exists to provide an
- * interface for library users needing to perform their own
- * discovery.
- *
- * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service
- * endpoint descriptor.
- *
- * @param bool anonymous Set to true if you want to perform OpenID
- * without identifiers.
- *
- * @return Auth_OpenID_AuthRequest $auth_request An OpenID
- * authentication request object.
- */
- function beginWithoutDiscovery($endpoint, $anonymous=false)
- {
- $loader = new Auth_OpenID_ServiceEndpointLoader();
- $auth_req = $this->consumer->begin($endpoint);
- $this->session->set($this->_token_key,
- $loader->toSession($auth_req->endpoint));
- if (!$auth_req->setAnonymous($anonymous)) {
- return new Auth_OpenID_FailureResponse(null,
- "OpenID 1 requests MUST include the identifier " .
- "in the request.");
- }
- return $auth_req;
- }
-
- /**
- * Called to interpret the server's response to an OpenID
- * request. It is called in step 4 of the flow described in the
- * consumer overview.
- *
- * @param string $current_url The URL used to invoke the application.
- * Extract the URL from your application's web
- * request framework and specify it here to have it checked
- * against the openid.current_url value in the response. If
- * the current_url URL check fails, the status of the
- * completion will be FAILURE.
- *
- * @param array $query An array of the query parameters (key =>
- * value pairs) for this HTTP request. Defaults to null. If
- * null, the GET or POST data are automatically gotten from the
- * PHP environment. It is only useful to override $query for
- * testing.
- *
- * @return Auth_OpenID_ConsumerResponse $response A instance of an
- * Auth_OpenID_ConsumerResponse subclass. The type of response is
- * indicated by the status attribute, which will be one of
- * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
- */
- function complete($current_url, $query=null)
- {
- if ($current_url && !is_string($current_url)) {
- // This is ugly, but we need to complain loudly when
- // someone uses the API incorrectly.
- trigger_error("current_url must be a string; see NEWS file " .
- "for upgrading notes.",
- E_USER_ERROR);
- }
-
- if ($query === null) {
- $query = Auth_OpenID::getQuery();
- }
-
- $loader = new Auth_OpenID_ServiceEndpointLoader();
- $endpoint_data = $this->session->get($this->_token_key);
- $endpoint =
- $loader->fromSession($endpoint_data);
-
- $message = Auth_OpenID_Message::fromPostArgs($query);
- $response = $this->consumer->complete($message, $endpoint,
- $current_url);
- $this->session->del($this->_token_key);
-
- if (in_array($response->status, array(Auth_OpenID_SUCCESS,
- Auth_OpenID_CANCEL))) {
- if ($response->identity_url !== null) {
- $disco = $this->getDiscoveryObject($this->session,
- $response->identity_url,
- $this->session_key_prefix);
- $disco->cleanup(true);
- }
- }
-
- return $response;
- }
-}
-
-/**
- * A class implementing HMAC/DH-SHA1 consumer sessions.
- *
- * @package OpenID
- */
-class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
- var $session_type = 'DH-SHA1';
- var $hash_func = 'Auth_OpenID_SHA1';
- var $secret_size = 20;
- var $allowed_assoc_types = array('HMAC-SHA1');
-
- function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
- {
- if ($dh === null) {
- $dh = new Auth_OpenID_DiffieHellman();
- }
-
- $this->dh = $dh;
- }
-
- function getRequest()
- {
- $math = Auth_OpenID_getMathLib();
-
- $cpub = $math->longToBase64($this->dh->public);
-
- $args = array('dh_consumer_public' => $cpub);
-
- if (!$this->dh->usingDefaultValues()) {
- $args = array_merge($args, array(
- 'dh_modulus' =>
- $math->longToBase64($this->dh->mod),
- 'dh_gen' =>
- $math->longToBase64($this->dh->gen)));
- }
-
- return $args;
- }
-
- function extractSecret($response)
- {
- if (!$response->hasKey(Auth_OpenID_OPENID_NS,
- 'dh_server_public')) {
- return null;
- }
-
- if (!$response->hasKey(Auth_OpenID_OPENID_NS,
- 'enc_mac_key')) {
- return null;
- }
-
- $math = Auth_OpenID_getMathLib();
-
- $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
- 'dh_server_public'));
- $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
- 'enc_mac_key'));
-
- return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
- }
-}
-
-/**
- * A class implementing HMAC/DH-SHA256 consumer sessions.
- *
- * @package OpenID
- */
-class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
- Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
- var $session_type = 'DH-SHA256';
- var $hash_func = 'Auth_OpenID_SHA256';
- var $secret_size = 32;
- var $allowed_assoc_types = array('HMAC-SHA256');
-}
-
-/**
- * A class implementing plaintext consumer sessions.
- *
- * @package OpenID
- */
-class Auth_OpenID_PlainTextConsumerSession {
- var $session_type = 'no-encryption';
- var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
-
- function getRequest()
- {
- return array();
- }
-
- function extractSecret($response)
- {
- if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
- return null;
- }
-
- return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
- 'mac_key'));
- }
-}
-
-/**
- * Returns available session types.
- */
-function Auth_OpenID_getAvailableSessionTypes()
-{
- $types = array(
- 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
- 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
- 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');
-
- return $types;
-}
-
-/**
- * This class is the interface to the OpenID consumer logic.
- * Instances of it maintain no per-request state, so they can be
- * reused (or even used by multiple threads concurrently) as needed.
- *
- * @package OpenID
- */
-class Auth_OpenID_GenericConsumer {
- /**
- * @access private
- */
- var $discoverMethod = 'Auth_OpenID_discover';
-
- /**
- * This consumer's store object.
- */
- var $store;
-
- /**
- * @access private
- */
- var $_use_assocs;
-
- /**
- * @access private
- */
- var $openid1_nonce_query_arg_name = 'janrain_nonce';
-
- /**
- * Another query parameter that gets added to the return_to for
- * OpenID 1; if the user's session state is lost, use this claimed
- * identifier to do discovery when verifying the response.
- */
- var $openid1_return_to_identifier_name = 'openid1_claimed_id';
-
- /**
- * This method initializes a new {@link Auth_OpenID_Consumer}
- * instance to access the library.
- *
- * @param Auth_OpenID_OpenIDStore $store This must be an object
- * that implements the interface in {@link Auth_OpenID_OpenIDStore}.
- * Several concrete implementations are provided, to cover most common use
- * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see
- * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a
- * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module.
- * As a last resort, if it isn't possible for the server to store
- * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used.
- *
- * @param bool $immediate This is an optional boolean value. It
- * controls whether the library uses immediate mode, as explained
- * in the module description. The default value is False, which
- * disables immediate mode.
- */
- function Auth_OpenID_GenericConsumer($store)
- {
- $this->store = $store;
- $this->negotiator = Auth_OpenID_getDefaultNegotiator();
- $this->_use_assocs = (is_null($this->store) ? false : true);
-
- $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
-
- $this->session_types = Auth_OpenID_getAvailableSessionTypes();
- }
-
- /**
- * Called to begin OpenID authentication using the specified
- * {@link Auth_OpenID_ServiceEndpoint}.
- *
- * @access private
- */
- function begin($service_endpoint)
- {
- $assoc = $this->_getAssociation($service_endpoint);
- $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
- $r->return_to_args[$this->openid1_nonce_query_arg_name] =
- Auth_OpenID_mkNonce();
-
- if ($r->message->isOpenID1()) {
- $r->return_to_args[$this->openid1_return_to_identifier_name] =
- $r->endpoint->claimed_id;
- }
-
- return $r;
- }
-
- /**
- * Given an {@link Auth_OpenID_Message}, {@link
- * Auth_OpenID_ServiceEndpoint} and optional return_to URL,
- * complete OpenID authentication.
- *
- * @access private
- */
- function complete($message, $endpoint, $return_to)
- {
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
- '<no mode set>');
-
- $mode_methods = array(
- 'cancel' => '_complete_cancel',
- 'error' => '_complete_error',
- 'setup_needed' => '_complete_setup_needed',
- 'id_res' => '_complete_id_res',
- );
-
- $method = Auth_OpenID::arrayGet($mode_methods, $mode,
- '_completeInvalid');
-
- return call_user_func_array(array($this, $method),
- array($message, &$endpoint, $return_to));
- }
-
- /**
- * @access private
- */
- function _completeInvalid($message, $endpoint, $unused)
- {
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
- '<No mode set>');
-
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf("Invalid openid.mode '%s'", $mode));
- }
-
- /**
- * @access private
- */
- function _complete_cancel($message, $endpoint, $unused)
- {
- return new Auth_OpenID_CancelResponse($endpoint);
- }
-
- /**
- * @access private
- */
- function _complete_error($message, $endpoint, $unused)
- {
- $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
- $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
- $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');
-
- return new Auth_OpenID_FailureResponse($endpoint, $error,
- $contact, $reference);
- }
-
- /**
- * @access private
- */
- function _complete_setup_needed($message, $endpoint, $unused)
- {
- if (!$message->isOpenID2()) {
- return $this->_completeInvalid($message, $endpoint);
- }
-
- $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'user_setup_url');
- return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
- }
-
- /**
- * @access private
- */
- function _complete_id_res($message, $endpoint, $return_to)
- {
- $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
- 'user_setup_url');
-
- if ($this->_checkSetupNeeded($message)) {
- return new Auth_OpenID_SetupNeededResponse(
- $endpoint, $user_setup_url);
- } else {
- return $this->_doIdRes($message, $endpoint, $return_to);
- }
- }
-
- /**
- * @access private
- */
- function _checkSetupNeeded($message)
- {
- // In OpenID 1, we check to see if this is a cancel from
- // immediate mode by the presence of the user_setup_url
- // parameter.
- if ($message->isOpenID1()) {
- $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
- 'user_setup_url');
- if ($user_setup_url !== null) {
- return true;
- }
- }
-
- return false;
- }
-
- /**
- * @access private
- */
- function _doIdRes($message, $endpoint, $return_to)
- {
- // Checks for presence of appropriate fields (and checks
- // signed list fields)
- $result = $this->_idResCheckForFields($message);
-
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
-
- if (!$this->_checkReturnTo($message, $return_to)) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("return_to does not match return URL. Expected %s, got %s",
- $return_to,
- $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
- }
-
- // Verify discovery information:
- $result = $this->_verifyDiscoveryResults($message, $endpoint);
-
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
-
- $endpoint = $result;
-
- $result = $this->_idResCheckSignature($message,
- $endpoint->server_url);
-
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
-
- $result = $this->_idResCheckNonce($message, $endpoint);
-
- if (Auth_OpenID::isFailure($result)) {
- return $result;
- }
-
- $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($signed_list_str)) {
- return $signed_list_str;
- }
- $signed_list = explode(',', $signed_list_str);
-
- $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");
-
- return new Auth_OpenID_SuccessResponse($endpoint, $message,
- $signed_fields);
-
- }
-
- /**
- * @access private
- */
- function _checkReturnTo($message, $return_to)
- {
- // Check an OpenID message and its openid.return_to value
- // against a return_to URL from an application. Return True
- // on success, False on failure.
-
- // Check the openid.return_to args against args in the
- // original message.
- $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
- $message->toPostArgs());
- if (Auth_OpenID::isFailure($result)) {
- return false;
- }
-
- // Check the return_to base URL against the one in the
- // message.
- $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
- 'return_to');
- if (Auth_OpenID::isFailure($return_to)) {
- // XXX log me
- return false;
- }
-
- $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
- $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));
-
- // If port is absent from both, add it so it's equal in the
- // check below.
- if ((!array_key_exists('port', $return_to_parts)) &&
- (!array_key_exists('port', $msg_return_to_parts))) {
- $return_to_parts['port'] = null;
- $msg_return_to_parts['port'] = null;
- }
-
- // If path is absent from both, add it so it's equal in the
- // check below.
- if ((!array_key_exists('path', $return_to_parts)) &&
- (!array_key_exists('path', $msg_return_to_parts))) {
- $return_to_parts['path'] = null;
- $msg_return_to_parts['path'] = null;
- }
-
- // The URL scheme, authority, and path MUST be the same
- // between the two URLs.
- foreach (array('scheme', 'host', 'port', 'path') as $component) {
- // If the url component is absent in either URL, fail.
- // There should always be a scheme, host, port, and path.
- if (!array_key_exists($component, $return_to_parts)) {
- return false;
- }
-
- if (!array_key_exists($component, $msg_return_to_parts)) {
- return false;
- }
-
- if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
- Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
- return false;
- }
- }
-
- return true;
- }
-
- /**
- * @access private
- */
- function _verifyReturnToArgs($query)
- {
- // Verify that the arguments in the return_to URL are present in this
- // response.
-
- $message = Auth_OpenID_Message::fromPostArgs($query);
- $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');
-
- if (Auth_OpenID::isFailure($return_to)) {
- return $return_to;
- }
- // XXX: this should be checked by _idResCheckForFields
- if (!$return_to) {
- return new Auth_OpenID_FailureResponse(null,
- "Response has no return_to");
- }
-
- $parsed_url = parse_url($return_to);
-
- $q = array();
- if (array_key_exists('query', $parsed_url)) {
- $rt_query = $parsed_url['query'];
- $q = Auth_OpenID::parse_str($rt_query);
- }
-
- foreach ($q as $rt_key => $rt_value) {
- if (!array_key_exists($rt_key, $query)) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("return_to parameter %s absent from query", $rt_key));
- } else {
- $value = $query[$rt_key];
- if ($rt_value != $value) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("parameter %s value %s does not match " .
- "return_to value %s", $rt_key,
- $value, $rt_value));
- }
- }
- }
-
- // Make sure all non-OpenID arguments in the response are also
- // in the signed return_to.
- $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
- foreach ($bare_args as $key => $value) {
- if (Auth_OpenID::arrayGet($q, $key) != $value) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("Parameter %s = %s not in return_to URL",
- $key, $value));
- }
- }
-
- return true;
- }
-
- /**
- * @access private
- */
- function _idResCheckSignature($message, $server_url)
- {
- $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_handle');
- if (Auth_OpenID::isFailure($assoc_handle)) {
- return $assoc_handle;
- }
-
- $assoc = $this->store->getAssociation($server_url, $assoc_handle);
-
- if ($assoc) {
- if ($assoc->getExpiresIn() <= 0) {
- // XXX: It might be a good idea sometimes to re-start
- // the authentication with a new association. Doing it
- // automatically opens the possibility for
- // denial-of-service by a server that just returns
- // expired associations (or really short-lived
- // associations)
- return new Auth_OpenID_FailureResponse(null,
- 'Association with ' . $server_url . ' expired');
- }
-
- if (!$assoc->checkMessageSignature($message)) {
- // If we get a "bad signature" here, it means that the association
- // is unrecoverabley corrupted in some way. Any futher attempts
- // to login with this association is likely to fail. Drop it.
- $this->store->removeAssociation($server_url, $assoc_handle);
- return new Auth_OpenID_FailureResponse(null,
- "Bad signature");
- }
- } else {
- // It's not an association we know about. Stateless mode
- // is our only possible path for recovery. XXX - async
- // framework will not want to block on this call to
- // _checkAuth.
- if (!$this->_checkAuth($message, $server_url)) {
- return new Auth_OpenID_FailureResponse(null,
- "Server denied check_authentication");
- }
- }
-
- return null;
- }
-
- /**
- * @access private
- */
- function _verifyDiscoveryResults($message, $endpoint=null)
- {
- if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
- return $this->_verifyDiscoveryResultsOpenID2($message,
- $endpoint);
- } else {
- return $this->_verifyDiscoveryResultsOpenID1($message,
- $endpoint);
- }
- }
-
- /**
- * @access private
- */
- function _verifyDiscoveryResultsOpenID1($message, $endpoint)
- {
- $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
- $this->openid1_return_to_identifier_name);
-
- if (($endpoint === null) && ($claimed_id === null)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- 'When using OpenID 1, the claimed ID must be supplied, ' .
- 'either by passing it through as a return_to parameter ' .
- 'or by using a session, and supplied to the GenericConsumer ' .
- 'as the argument to complete()');
- } else if (($endpoint !== null) && ($claimed_id === null)) {
- $claimed_id = $endpoint->claimed_id;
- }
-
- $to_match = new Auth_OpenID_ServiceEndpoint();
- $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
- $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
- 'identity');
-
- // Restore delegate information from the initiation phase
- $to_match->claimed_id = $claimed_id;
-
- if ($to_match->local_id === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Missing required field openid.identity");
- }
-
- $to_match_1_0 = $to_match->copy();
- $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);
-
- if ($endpoint !== null) {
- $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
-
- if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
- $result = $this->_verifyDiscoverySingle($endpoint,
- $to_match_1_0);
- }
-
- if (Auth_OpenID::isFailure($result)) {
- // oidutil.log("Error attempting to use stored
- // discovery information: " + str(e))
- // oidutil.log("Attempting discovery to
- // verify endpoint")
- } else {
- return $endpoint;
- }
- }
-
- // Endpoint is either bad (failed verification) or None
- return $this->_discoverAndVerify($to_match->claimed_id,
- array($to_match, $to_match_1_0));
- }
-
- /**
- * @access private
- */
- function _verifyDiscoverySingle($endpoint, $to_match)
- {
- // Every type URI that's in the to_match endpoint has to be
- // present in the discovered endpoint.
- foreach ($to_match->type_uris as $type_uri) {
- if (!$endpoint->usesExtension($type_uri)) {
- return new Auth_OpenID_TypeURIMismatch($endpoint,
- "Required type ".$type_uri." not present");
- }
- }
-
- // Fragments do not influence discovery, so we can't compare a
- // claimed identifier with a fragment to discovered
- // information.
- list($defragged_claimed_id, $_) =
- Auth_OpenID::urldefrag($to_match->claimed_id);
-
- if ($defragged_claimed_id != $endpoint->claimed_id) {
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf('Claimed ID does not match (different subjects!), ' .
- 'Expected %s, got %s', $defragged_claimed_id,
- $endpoint->claimed_id));
- }
-
- if ($to_match->getLocalID() != $endpoint->getLocalID()) {
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf('local_id mismatch. Expected %s, got %s',
- $to_match->getLocalID(), $endpoint->getLocalID()));
- }
-
- // If the server URL is None, this must be an OpenID 1
- // response, because op_endpoint is a required parameter in
- // OpenID 2. In that case, we don't actually care what the
- // discovered server_url is, because signature checking or
- // check_auth should take care of that check for us.
- if ($to_match->server_url === null) {
- if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Preferred namespace mismatch (bug)");
- }
- } else if ($to_match->server_url != $endpoint->server_url) {
- return new Auth_OpenID_FailureResponse($endpoint,
- sprintf('OP Endpoint mismatch. Expected %s, got %s',
- $to_match->server_url, $endpoint->server_url));
- }
-
- return null;
- }
-
- /**
- * @access private
- */
- function _verifyDiscoveryResultsOpenID2($message, $endpoint)
- {
- $to_match = new Auth_OpenID_ServiceEndpoint();
- $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
- $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'claimed_id');
-
- $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'identity');
-
- $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'op_endpoint');
-
- if ($to_match->server_url === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "OP Endpoint URL missing");
- }
-
- // claimed_id and identifier must both be present or both be
- // absent
- if (($to_match->claimed_id === null) &&
- ($to_match->local_id !== null)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- 'openid.identity is present without openid.claimed_id');
- }
-
- if (($to_match->claimed_id !== null) &&
- ($to_match->local_id === null)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- 'openid.claimed_id is present without openid.identity');
- }
-
- if ($to_match->claimed_id === null) {
- // This is a response without identifiers, so there's
- // really no checking that we can do, so return an
- // endpoint that's for the specified `openid.op_endpoint'
- return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
- $to_match->server_url);
- }
-
- if (!$endpoint) {
- // The claimed ID doesn't match, so we have to do
- // discovery again. This covers not using sessions, OP
- // identifier endpoints and responses that didn't match
- // the original request.
- // oidutil.log('No pre-discovered information supplied.')
- return $this->_discoverAndVerify($to_match->claimed_id,
- array($to_match));
- } else {
-
- // The claimed ID matches, so we use the endpoint that we
- // discovered in initiation. This should be the most
- // common case.
- $result = $this->_verifyDiscoverySingle($endpoint, $to_match);
-
- if (Auth_OpenID::isFailure($result)) {
- $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
- array($to_match));
- if (Auth_OpenID::isFailure($endpoint)) {
- return $endpoint;
- }
- }
- }
-
- // The endpoint we return should have the claimed ID from the
- // message we just verified, fragment and all.
- if ($endpoint->claimed_id != $to_match->claimed_id) {
- $endpoint->claimed_id = $to_match->claimed_id;
- }
-
- return $endpoint;
- }
-
- /**
- * @access private
- */
- function _discoverAndVerify($claimed_id, $to_match_endpoints)
- {
- // oidutil.log('Performing discovery on %s' % (claimed_id,))
- list($unused, $services) = call_user_func_array($this->discoverMethod,
- array(
- $claimed_id,
- &$this->fetcher,
- ));
-
- if (!$services) {
- return new Auth_OpenID_FailureResponse(null,
- sprintf("No OpenID information found at %s",
- $claimed_id));
- }
-
- return $this->_verifyDiscoveryServices($claimed_id, $services,
- $to_match_endpoints);
- }
-
- /**
- * @access private
- */
- function _verifyDiscoveryServices($claimed_id,
- $services, $to_match_endpoints)
- {
- // Search the services resulting from discovery to find one
- // that matches the information from the assertion
-
- foreach ($services as $endpoint) {
- foreach ($to_match_endpoints as $to_match_endpoint) {
- $result = $this->_verifyDiscoverySingle($endpoint,
- $to_match_endpoint);
-
- if (!Auth_OpenID::isFailure($result)) {
- // It matches, so discover verification has
- // succeeded. Return this endpoint.
- return $endpoint;
- }
- }
- }
-
- return new Auth_OpenID_FailureResponse(null,
- sprintf('No matching endpoint found after discovering %s: %s',
- $claimed_id, $result->message));
- }
-
- /**
- * Extract the nonce from an OpenID 1 response. Return the nonce
- * from the BARE_NS since we independently check the return_to
- * arguments are the same as those in the response message.
- *
- * See the openid1_nonce_query_arg_name class variable
- *
- * @returns $nonce The nonce as a string or null
- *
- * @access private
- */
- function _idResGetNonceOpenID1($message, $endpoint)
- {
- return $message->getArg(Auth_OpenID_BARE_NS,
- $this->openid1_nonce_query_arg_name);
- }
-
- /**
- * @access private
- */
- function _idResCheckNonce($message, $endpoint)
- {
- if ($message->isOpenID1()) {
- // This indicates that the nonce was generated by the consumer
- $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
- $server_url = '';
- } else {
- $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
- 'response_nonce');
-
- $server_url = $endpoint->server_url;
- }
-
- if ($nonce === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Nonce missing from response");
- }
-
- $parts = Auth_OpenID_splitNonce($nonce);
-
- if ($parts === null) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Malformed nonce in response");
- }
-
- list($timestamp, $salt) = $parts;
-
- if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
- return new Auth_OpenID_FailureResponse($endpoint,
- "Nonce already used or out of range");
- }
-
- return null;
- }
-
- /**
- * @access private
- */
- function _idResCheckForFields($message)
- {
- $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
- $basic_sig_fields = array('return_to', 'identity');
-
- $require_fields = array(
- Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
- array('op_endpoint')),
-
- Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
- array('identity'))
- );
-
- $require_sigs = array(
- Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
- array('response_nonce',
- 'claimed_id',
- 'assoc_handle',
- 'op_endpoint')),
- Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
- array('nonce'))
- );
-
- foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
- if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
- return new Auth_OpenID_FailureResponse(null,
- "Missing required field '".$field."'");
- }
- }
-
- $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
- 'signed',
- Auth_OpenID_NO_DEFAULT);
- if (Auth_OpenID::isFailure($signed_list_str)) {
- return $signed_list_str;
- }
- $signed_list = explode(',', $signed_list_str);
-
- foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
- // Field is present and not in signed list
- if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
- (!in_array($field, $signed_list))) {
- return new Auth_OpenID_FailureResponse(null,
- "'".$field."' not signed");
- }
- }
-
- return null;
- }
-
- /**
- * @access private
- */
- function _checkAuth($message, $server_url)
- {
- $request = $this->_createCheckAuthRequest($message);
- if ($request === null) {
- return false;
- }
-
- $resp_message = $this->_makeKVPost($request, $server_url);
- if (($resp_message === null) ||
- (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
- return false;
- }
-
- return $this->_processCheckAuthResponse($resp_message, $server_url);
- }
-
- /**
- * @access private
- */
- function _createCheckAuthRequest($message)
- {
- $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
- if ($signed) {
- foreach (explode(',', $signed) as $k) {
- $value = $message->getAliasedArg($k);
- if ($value === null) {
- return null;
- }
- }
- }
- $ca_message = $message->copy();
- $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode',
- 'check_authentication');
- return $ca_message;
- }
-
- /**
- * @access private
- */
- function _processCheckAuthResponse($response, $server_url)
- {
- $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
- 'false');
-
- $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
- 'invalidate_handle');
-
- if ($invalidate_handle !== null) {
- $this->store->removeAssociation($server_url,
- $invalidate_handle);
- }
-
- if ($is_valid == 'true') {
- return true;
- }
-
- return false;
- }
-
- /**
- * Adapt a POST response to a Message.
- *
- * @param $response Result of a POST to an OpenID endpoint.
- *
- * @access private
- */
- static function _httpResponseToMessage($response, $server_url)
- {
- // Should this function be named Message.fromHTTPResponse instead?
- $response_message = Auth_OpenID_Message::fromKVForm($response->body);
-
- if ($response->status == 400) {
- return Auth_OpenID_ServerErrorContainer::fromMessage(
- $response_message);
- } else if ($response->status != 200 and $response->status != 206) {
- return null;
- }
-
- return $response_message;
- }
-
- /**
- * @access private
- */
- function _makeKVPost($message, $server_url)
- {
- $body = $message->toURLEncoded();
- $resp = $this->fetcher->post($server_url, $body);
-
- if ($resp === null) {
- return null;
- }
-
- return $this->_httpResponseToMessage($resp, $server_url);
- }
-
- /**
- * @access private
- */
- function _getAssociation($endpoint)
- {
- if (!$this->_use_assocs) {
- return null;
- }
-
- $assoc = $this->store->getAssociation($endpoint->server_url);
-
- if (($assoc === null) ||
- ($assoc->getExpiresIn() <= 0)) {
-
- $assoc = $this->_negotiateAssociation($endpoint);
-
- if ($assoc !== null) {
- $this->store->storeAssociation($endpoint->server_url,
- $assoc);
- }
- }
-
- return $assoc;
- }
-
- /**
- * Handle ServerErrors resulting from association requests.
- *
- * @return $result If server replied with an C{unsupported-type}
- * error, return a tuple of supported C{association_type},
- * C{session_type}. Otherwise logs the error and returns null.
- *
- * @access private
- */
- function _extractSupportedAssociationType($server_error, $endpoint,
- $assoc_type)
- {
- // Any error message whose code is not 'unsupported-type'
- // should be considered a total failure.
- if (($server_error->error_code != 'unsupported-type') ||
- ($server_error->message->isOpenID1())) {
- return null;
- }
-
- // The server didn't like the association/session type that we
- // sent, and it sent us back a message that might tell us how
- // to handle it.
-
- // Extract the session_type and assoc_type from the error
- // message
- $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_type');
-
- $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
- 'session_type');
-
- if (($assoc_type === null) || ($session_type === null)) {
- return null;
- } else if (!$this->negotiator->isAllowed($assoc_type,
- $session_type)) {
- return null;
- } else {
- return array($assoc_type, $session_type);
- }
- }
-
- /**
- * @access private
- */
- function _negotiateAssociation($endpoint)
- {
- // Get our preferred session/association type from the negotiatior.
- list($assoc_type, $session_type) = $this->negotiator->getAllowedType();
-
- $assoc = $this->_requestAssociation(
- $endpoint, $assoc_type, $session_type);
-
- if (Auth_OpenID::isFailure($assoc)) {
- return null;
- }
-
- if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
- $why = $assoc;
-
- $supportedTypes = $this->_extractSupportedAssociationType(
- $why, $endpoint, $assoc_type);
-
- if ($supportedTypes !== null) {
- list($assoc_type, $session_type) = $supportedTypes;
-
- // Attempt to create an association from the assoc_type
- // and session_type that the server told us it
- // supported.
- $assoc = $this->_requestAssociation(
- $endpoint, $assoc_type, $session_type);
-
- if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
- // Do not keep trying, since it rejected the
- // association type that it told us to use.
- // oidutil.log('Server %s refused its suggested association
- // 'type: session_type=%s, assoc_type=%s'
- // % (endpoint.server_url, session_type,
- // assoc_type))
- return null;
- } else {
- return $assoc;
- }
- } else {
- return null;
- }
- } else {
- return $assoc;
- }
- }
-
- /**
- * @access private
- */
- function _requestAssociation($endpoint, $assoc_type, $session_type)
- {
- list($assoc_session, $args) = $this->_createAssociateRequest(
- $endpoint, $assoc_type, $session_type);
-
- $response_message = $this->_makeKVPost($args, $endpoint->server_url);
-
- if ($response_message === null) {
- // oidutil.log('openid.associate request failed: %s' % (why[0],))
- return null;
- } else if (is_a($response_message,
- 'Auth_OpenID_ServerErrorContainer')) {
- return $response_message;
- }
-
- return $this->_extractAssociation($response_message, $assoc_session);
- }
-
- /**
- * @access private
- */
- function _extractAssociation($assoc_response, $assoc_session)
- {
- // Extract the common fields from the response, raising an
- // exception if they are not found
- $assoc_type = $assoc_response->getArg(
- Auth_OpenID_OPENID_NS, 'assoc_type',
- Auth_OpenID_NO_DEFAULT);
-
- if (Auth_OpenID::isFailure($assoc_type)) {
- return $assoc_type;
- }
-
- $assoc_handle = $assoc_response->getArg(
- Auth_OpenID_OPENID_NS, 'assoc_handle',
- Auth_OpenID_NO_DEFAULT);
-
- if (Auth_OpenID::isFailure($assoc_handle)) {
- return $assoc_handle;
- }
-
- // expires_in is a base-10 string. The Python parsing will
- // accept literals that have whitespace around them and will
- // accept negative values. Neither of these are really in-spec,
- // but we think it's OK to accept them.
- $expires_in_str = $assoc_response->getArg(
- Auth_OpenID_OPENID_NS, 'expires_in',
- Auth_OpenID_NO_DEFAULT);
-
- if (Auth_OpenID::isFailure($expires_in_str)) {
- return $expires_in_str;
- }
-
- $expires_in = Auth_OpenID::intval($expires_in_str);
- if ($expires_in === false) {
-
- $err = sprintf("Could not parse expires_in from association ".
- "response %s", print_r($assoc_response, true));
- return new Auth_OpenID_FailureResponse(null, $err);
- }
-
- // OpenID 1 has funny association session behaviour.
- if ($assoc_response->isOpenID1()) {
- $session_type = $this->_getOpenID1SessionType($assoc_response);
- } else {
- $session_type = $assoc_response->getArg(
- Auth_OpenID_OPENID2_NS, 'session_type',
- Auth_OpenID_NO_DEFAULT);
-
- if (Auth_OpenID::isFailure($session_type)) {
- return $session_type;
- }
- }
-
- // Session type mismatch
- if ($assoc_session->session_type != $session_type) {
- if ($assoc_response->isOpenID1() &&
- ($session_type == 'no-encryption')) {
- // In OpenID 1, any association request can result in
- // a 'no-encryption' association response. Setting
- // assoc_session to a new no-encryption session should
- // make the rest of this function work properly for
- // that case.
- $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
- } else {
- // Any other mismatch, regardless of protocol version
- // results in the failure of the association session
- // altogether.
- return null;
- }
- }
-
- // Make sure assoc_type is valid for session_type
- if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
- return null;
- }
-
- // Delegate to the association session to extract the secret
- // from the response, however is appropriate for that session
- // type.
- $secret = $assoc_session->extractSecret($assoc_response);
-
- if ($secret === null) {
- return null;
- }
-
- return Auth_OpenID_Association::fromExpiresIn(
- $expires_in, $assoc_handle, $secret, $assoc_type);
- }
-
- /**
- * @access private
- */
- function _createAssociateRequest($endpoint, $assoc_type, $session_type)
- {
- if (array_key_exists($session_type, $this->session_types)) {
- $session_type_class = $this->session_types[$session_type];
-
- if (is_callable($session_type_class)) {
- $assoc_session = $session_type_class();
- } else {
- $assoc_session = new $session_type_class();
- }
- } else {
- return null;
- }
-
- $args = array(
- 'mode' => 'associate',
- 'assoc_type' => $assoc_type);
-
- if (!$endpoint->compatibilityMode()) {
- $args['ns'] = Auth_OpenID_OPENID2_NS;
- }
-
- // Leave out the session type if we're in compatibility mode
- // *and* it's no-encryption.
- if ((!$endpoint->compatibilityMode()) ||
- ($assoc_session->session_type != 'no-encryption')) {
- $args['session_type'] = $assoc_session->session_type;
- }
-
- $args = array_merge($args, $assoc_session->getRequest());
- $message = Auth_OpenID_Message::fromOpenIDArgs($args);
- return array($assoc_session, $message);
- }
-
- /**
- * Given an association response message, extract the OpenID 1.X
- * session type.
- *
- * This function mostly takes care of the 'no-encryption' default
- * behavior in OpenID 1.
- *
- * If the association type is plain-text, this function will
- * return 'no-encryption'
- *
- * @access private
- * @return $typ The association type for this message
- */
- function _getOpenID1SessionType($assoc_response)
- {
- // If it's an OpenID 1 message, allow session_type to default
- // to None (which signifies "no-encryption")
- $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
- 'session_type');
-
- // Handle the differences between no-encryption association
- // respones in OpenID 1 and 2:
-
- // no-encryption is not really a valid session type for OpenID
- // 1, but we'll accept it anyway, while issuing a warning.
- if ($session_type == 'no-encryption') {
- // oidutil.log('WARNING: OpenID server sent "no-encryption"'
- // 'for OpenID 1.X')
- } else if (($session_type == '') || ($session_type === null)) {
- // Missing or empty session type is the way to flag a
- // 'no-encryption' response. Change the session type to
- // 'no-encryption' so that it can be handled in the same
- // way as OpenID 2 'no-encryption' respones.
- $session_type = 'no-encryption';
- }
-
- return $session_type;
- }
-}
-
-/**
- * This class represents an authentication request from a consumer to
- * an OpenID server.
- *
- * @package OpenID
- */
-class Auth_OpenID_AuthRequest {
-
- /**
- * Initialize an authentication request with the specified token,
- * association, and endpoint.
- *
- * Users of this library should not create instances of this
- * class. Instances of this class are created by the library when
- * needed.
- */
- function Auth_OpenID_AuthRequest($endpoint, $assoc)
- {
- $this->assoc = $assoc;
- $this->endpoint = $endpoint;
- $this->return_to_args = array();
- $this->message = new Auth_OpenID_Message(
- $endpoint->preferredNamespace());
- $this->_anonymous = false;
- }
-
- /**
- * Add an extension to this checkid request.
- *
- * $extension_request: An object that implements the extension
- * request interface for adding arguments to an OpenID message.
- */
- function addExtension($extension_request)
- {
- $extension_request->toMessage($this->message);
- }
-
- /**
- * Add an extension argument to this OpenID authentication
- * request.
- *
- * Use caution when adding arguments, because they will be
- * URL-escaped and appended to the redirect URL, which can easily
- * get quite long.
- *
- * @param string $namespace The namespace for the extension. For
- * example, the simple registration extension uses the namespace
- * 'sreg'.
- *
- * @param string $key The key within the extension namespace. For
- * example, the nickname field in the simple registration
- * extension's key is 'nickname'.
- *
- * @param string $value The value to provide to the server for
- * this argument.
- */
- function addExtensionArg($namespace, $key, $value)
- {
- return $this->message->setArg($namespace, $key, $value);
- }
-
- /**
- * Set whether this request should be made anonymously. If a
- * request is anonymous, the identifier will not be sent in the
- * request. This is only useful if you are making another kind of
- * request with an extension in this request.
- *
- * Anonymous requests are not allowed when the request is made
- * with OpenID 1.
- */
- function setAnonymous($is_anonymous)
- {
- if ($is_anonymous && $this->message->isOpenID1()) {
- return false;
- } else {
- $this->_anonymous = $is_anonymous;
- return true;
- }
- }
-
- /**
- * Produce a {@link Auth_OpenID_Message} representing this
- * request.
- *
- * @param string $realm The URL (or URL pattern) that identifies
- * your web site to the user when she is authorizing it.
- *
- * @param string $return_to The URL that the OpenID provider will
- * send the user back to after attempting to verify her identity.
- *
- * Not specifying a return_to URL means that the user will not be
- * returned to the site issuing the request upon its completion.
- *
- * @param bool $immediate If true, the OpenID provider is to send
- * back a response immediately, useful for behind-the-scenes
- * authentication attempts. Otherwise the OpenID provider may
- * engage the user before providing a response. This is the
- * default case, as the user may need to provide credentials or
- * approve the request before a positive response can be sent.
- */
- function getMessage($realm, $return_to=null, $immediate=false)
- {
- if ($return_to) {
- $return_to = Auth_OpenID::appendArgs($return_to,
- $this->return_to_args);
- } else if ($immediate) {
- // raise ValueError(
- // '"return_to" is mandatory when
- //using "checkid_immediate"')
- return new Auth_OpenID_FailureResponse(null,
- "'return_to' is mandatory when using checkid_immediate");
- } else if ($this->message->isOpenID1()) {
- // raise ValueError('"return_to" is
- // mandatory for OpenID 1 requests')
- return new Auth_OpenID_FailureResponse(null,
- "'return_to' is mandatory for OpenID 1 requests");
- } else if ($this->return_to_args) {
- // raise ValueError('extra "return_to" arguments
- // were specified, but no return_to was specified')
- return new Auth_OpenID_FailureResponse(null,
- "extra 'return_to' arguments where specified, " .
- "but no return_to was specified");
- }
-
- if ($immediate) {
- $mode = 'checkid_immediate';
- } else {
- $mode = 'checkid_setup';
- }
-
- $message = $this->message->copy();
- if ($message->isOpenID1()) {
- $realm_key = 'trust_root';
- } else {
- $realm_key = 'realm';
- }
-
- $message->updateArgs(Auth_OpenID_OPENID_NS,
- array(
- $realm_key => $realm,
- 'mode' => $mode,
- 'return_to' => $return_to));
-
- if (!$this->_anonymous) {
- if ($this->endpoint->isOPIdentifier()) {
- // This will never happen when we're in compatibility
- // mode, as long as isOPIdentifier() returns False
- // whenever preferredNamespace() returns OPENID1_NS.
- $claimed_id = $request_identity =
- Auth_OpenID_IDENTIFIER_SELECT;
- } else {
- $request_identity = $this->endpoint->getLocalID();
- $claimed_id = $this->endpoint->claimed_id;
- }
-
- // This is true for both OpenID 1 and 2
- $message->setArg(Auth_OpenID_OPENID_NS, 'identity',
- $request_identity);
-
- if ($message->isOpenID2()) {
- $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id',
- $claimed_id);
- }
- }
-
- if ($this->assoc) {
- $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
- $this->assoc->handle);
- }
-
- return $message;
- }
-
- function redirectURL($realm, $return_to = null,
- $immediate = false)
- {
- $message = $this->getMessage($realm, $return_to, $immediate);
-
- if (Auth_OpenID::isFailure($message)) {
- return $message;
- }
-
- return $message->toURL($this->endpoint->server_url);
- }
-
- /**
- * Get html for a form to submit this request to the IDP.
- *
- * form_tag_attrs: An array of attributes to be added to the form
- * tag. 'accept-charset' and 'enctype' have defaults that can be
- * overridden. If a value is supplied for 'action' or 'method', it
- * will be replaced.
- */
- function formMarkup($realm, $return_to=null, $immediate=false,
- $form_tag_attrs=null)
- {
- $message = $this->getMessage($realm, $return_to, $immediate);
-
- if (Auth_OpenID::isFailure($message)) {
- return $message;
- }
-
- return $message->toFormMarkup($this->endpoint->server_url,
- $form_tag_attrs);
- }
-
- /**
- * Get a complete html document that will autosubmit the request
- * to the IDP.
- *
- * Wraps formMarkup. See the documentation for that function.
- */
- function htmlMarkup($realm, $return_to=null, $immediate=false,
- $form_tag_attrs=null)
- {
- $form = $this->formMarkup($realm, $return_to, $immediate,
- $form_tag_attrs);
-
- if (Auth_OpenID::isFailure($form)) {
- return $form;
- }
- return Auth_OpenID::autoSubmitHTML($form);
- }
-
- function shouldSendRedirect()
- {
- return $this->endpoint->compatibilityMode();
- }
-}
-
-/**
- * The base class for responses from the Auth_OpenID_Consumer.
- *
- * @package OpenID
- */
-class Auth_OpenID_ConsumerResponse {
- var $status = null;
-
- function setEndpoint($endpoint)
- {
- $this->endpoint = $endpoint;
- if ($endpoint === null) {
- $this->identity_url = null;
- } else {
- $this->identity_url = $endpoint->claimed_id;
- }
- }
-
- /**
- * Return the display identifier for this response.
- *
- * The display identifier is related to the Claimed Identifier, but the
- * two are not always identical. The display identifier is something the
- * user should recognize as what they entered, whereas the response's
- * claimed identifier (in the identity_url attribute) may have extra
- * information for better persistence.
- *
- * URLs will be stripped of their fragments for display. XRIs will
- * display the human-readable identifier (i-name) instead of the
- * persistent identifier (i-number).
- *
- * Use the display identifier in your user interface. Use
- * identity_url for querying your database or authorization server.
- *
- */
- function getDisplayIdentifier()
- {
- if ($this->endpoint !== null) {
- return $this->endpoint->getDisplayIdentifier();
- }
- return null;
- }
-}
-
-/**
- * A response with a status of Auth_OpenID_SUCCESS. Indicates that
- * this request is a successful acknowledgement from the OpenID server
- * that the supplied URL is, indeed controlled by the requesting
- * agent. This has three relevant attributes:
- *
- * claimed_id - The identity URL that has been authenticated
- *
- * signed_args - The arguments in the server's response that were
- * signed and verified.
- *
- * status - Auth_OpenID_SUCCESS.
- *
- * @package OpenID
- */
-class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_SUCCESS;
-
- /**
- * @access private
- */
- function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
- {
- $this->endpoint = $endpoint;
- $this->identity_url = $endpoint->claimed_id;
- $this->signed_args = $signed_args;
- $this->message = $message;
-
- if ($this->signed_args === null) {
- $this->signed_args = array();
- }
- }
-
- /**
- * Extract signed extension data from the server's response.
- *
- * @param string $prefix The extension namespace from which to
- * extract the extension data.
- */
- function extensionResponse($namespace_uri, $require_signed)
- {
- if ($require_signed) {
- return $this->getSignedNS($namespace_uri);
- } else {
- return $this->message->getArgs($namespace_uri);
- }
- }
-
- function isOpenID1()
- {
- return $this->message->isOpenID1();
- }
-
- function isSigned($ns_uri, $ns_key)
- {
- // Return whether a particular key is signed, regardless of
- // its namespace alias
- return in_array($this->message->getKey($ns_uri, $ns_key),
- $this->signed_args);
- }
-
- function getSigned($ns_uri, $ns_key, $default = null)
- {
- // Return the specified signed field if available, otherwise
- // return default
- if ($this->isSigned($ns_uri, $ns_key)) {
- return $this->message->getArg($ns_uri, $ns_key, $default);
- } else {
- return $default;
- }
- }
-
- function getSignedNS($ns_uri)
- {
- $args = array();
-
- $msg_args = $this->message->getArgs($ns_uri);
- if (Auth_OpenID::isFailure($msg_args)) {
- return null;
- }
-
- foreach ($msg_args as $key => $value) {
- if (!$this->isSigned($ns_uri, $key)) {
- unset($msg_args[$key]);
- }
- }
-
- return $msg_args;
- }
-
- /**
- * Get the openid.return_to argument from this response.
- *
- * This is useful for verifying that this request was initiated by
- * this consumer.
- *
- * @return string $return_to The return_to URL supplied to the
- * server on the initial request, or null if the response did not
- * contain an 'openid.return_to' argument.
- */
- function getReturnTo()
- {
- return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to');
- }
-}
-
-/**
- * A response with a status of Auth_OpenID_FAILURE. Indicates that the
- * OpenID protocol has failed. This could be locally or remotely
- * triggered. This has three relevant attributes:
- *
- * claimed_id - The identity URL for which authentication was
- * attempted, if it can be determined. Otherwise, null.
- *
- * message - A message indicating why the request failed, if one is
- * supplied. Otherwise, null.
- *
- * status - Auth_OpenID_FAILURE.
- *
- * @package OpenID
- */
-class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_FAILURE;
-
- function Auth_OpenID_FailureResponse($endpoint, $message = null,
- $contact = null, $reference = null)
- {
- $this->setEndpoint($endpoint);
- $this->message = $message;
- $this->contact = $contact;
- $this->reference = $reference;
- }
-}
-
-/**
- * A specific, internal failure used to detect type URI mismatch.
- *
- * @package OpenID
- */
-class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse {
-}
-
-/**
- * Exception that is raised when the server returns a 400 response
- * code to a direct request.
- *
- * @package OpenID
- */
-class Auth_OpenID_ServerErrorContainer {
- function Auth_OpenID_ServerErrorContainer($error_text,
- $error_code,
- $message)
- {
- $this->error_text = $error_text;
- $this->error_code = $error_code;
- $this->message = $message;
- }
-
- /**
- * @access private
- */
- static function fromMessage($message)
- {
- $error_text = $message->getArg(
- Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>');
- $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code');
- return new Auth_OpenID_ServerErrorContainer($error_text,
- $error_code,
- $message);
- }
-}
-
-/**
- * A response with a status of Auth_OpenID_CANCEL. Indicates that the
- * user cancelled the OpenID authentication request. This has two
- * relevant attributes:
- *
- * claimed_id - The identity URL for which authentication was
- * attempted, if it can be determined. Otherwise, null.
- *
- * status - Auth_OpenID_SUCCESS.
- *
- * @package OpenID
- */
-class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_CANCEL;
-
- function Auth_OpenID_CancelResponse($endpoint)
- {
- $this->setEndpoint($endpoint);
- }
-}
-
-/**
- * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates
- * that the request was in immediate mode, and the server is unable to
- * authenticate the user without further interaction.
- *
- * claimed_id - The identity URL for which authentication was
- * attempted.
- *
- * setup_url - A URL that can be used to send the user to the server
- * to set up for authentication. The user should be redirected in to
- * the setup_url, either in the current window or in a new browser
- * window. Null in OpenID 2.
- *
- * status - Auth_OpenID_SETUP_NEEDED.
- *
- * @package OpenID
- */
-class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse {
- var $status = Auth_OpenID_SETUP_NEEDED;
-
- function Auth_OpenID_SetupNeededResponse($endpoint,
- $setup_url = null)
- {
- $this->setEndpoint($endpoint);
- $this->setup_url = $setup_url;
- }
-}
-
-
diff --git a/lib/Auth/OpenID/CryptUtil.php b/lib/Auth/OpenID/CryptUtil.php
deleted file mode 100644
index 3c60cea170037da51154ac871e75ce7c8daf2c0f..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/CryptUtil.php
+++ /dev/null
@@ -1,122 +0,0 @@
-<?php
-
-/**
- * CryptUtil: A suite of wrapper utility functions for the OpenID
- * library.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @access private
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-if (!defined('Auth_OpenID_RAND_SOURCE')) {
- /**
- * The filename for a source of random bytes. Define this yourself
- * if you have a different source of randomness.
- */
- define('Auth_OpenID_RAND_SOURCE', '/dev/urandom');
-}
-
-class Auth_OpenID_CryptUtil {
- /**
- * Get the specified number of random bytes.
- *
- * Attempts to use a cryptographically secure (not predictable)
- * source of randomness if available. If there is no high-entropy
- * randomness source available, it will fail. As a last resort,
- * for non-critical systems, define
- * <code>Auth_OpenID_RAND_SOURCE</code> as <code>null</code>, and
- * the code will fall back on a pseudo-random number generator.
- *
- * @param int $num_bytes The length of the return value
- * @return string $bytes random bytes
- */
- static function getBytes($num_bytes)
- {
- static $f = null;
- $bytes = '';
- if ($f === null) {
- if (Auth_OpenID_RAND_SOURCE === null) {
- $f = false;
- } else {
- $f = @fopen(Auth_OpenID_RAND_SOURCE, "r");
- if ($f === false) {
- $msg = 'Define Auth_OpenID_RAND_SOURCE as null to ' .
- ' continue with an insecure random number generator.';
- trigger_error($msg, E_USER_ERROR);
- }
- }
- }
- if ($f === false) {
- // pseudorandom used
- $bytes = '';
- for ($i = 0; $i < $num_bytes; $i += 4) {
- $bytes .= pack('L', mt_rand());
- }
- $bytes = substr($bytes, 0, $num_bytes);
- } else {
- $bytes = fread($f, $num_bytes);
- }
- return $bytes;
- }
-
- /**
- * Produce a string of length random bytes, chosen from chrs. If
- * $chrs is null, the resulting string may contain any characters.
- *
- * @param integer $length The length of the resulting
- * randomly-generated string
- * @param string $chrs A string of characters from which to choose
- * to build the new string
- * @return string $result A string of randomly-chosen characters
- * from $chrs
- */
- static function randomString($length, $population = null)
- {
- if ($population === null) {
- return Auth_OpenID_CryptUtil::getBytes($length);
- }
-
- $popsize = strlen($population);
-
- if ($popsize > 256) {
- $msg = 'More than 256 characters supplied to ' . __FUNCTION__;
- trigger_error($msg, E_USER_ERROR);
- }
-
- $duplicate = 256 % $popsize;
-
- $str = "";
- for ($i = 0; $i < $length; $i++) {
- do {
- $n = ord(Auth_OpenID_CryptUtil::getBytes(1));
- } while ($n < $duplicate);
-
- $n %= $popsize;
- $str .= $population[$n];
- }
-
- return $str;
- }
-
- static function constEq($s1, $s2)
- {
- if (strlen($s1) != strlen($s2)) {
- return false;
- }
-
- $result = true;
- $length = strlen($s1);
- for ($i = 0; $i < $length; $i++) {
- $result &= ($s1[$i] == $s2[$i]);
- }
- return $result;
- }
-}
-
diff --git a/lib/Auth/OpenID/DatabaseConnection.php b/lib/Auth/OpenID/DatabaseConnection.php
deleted file mode 100644
index 0c7d08f9168fc459fc28b8cd3afc7345d2dde6ef..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/DatabaseConnection.php
+++ /dev/null
@@ -1,130 +0,0 @@
-<?php
-
-/**
- * The Auth_OpenID_DatabaseConnection class, which is used to emulate
- * a PEAR database connection.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * An empty base class intended to emulate PEAR connection
- * functionality in applications that supply their own database
- * abstraction mechanisms. See {@link Auth_OpenID_SQLStore} for more
- * information. You should subclass this class if you need to create
- * an SQL store that needs to access its database using an
- * application's database abstraction layer instead of a PEAR database
- * connection. Any subclass of Auth_OpenID_DatabaseConnection MUST
- * adhere to the interface specified here.
- *
- * @package OpenID
- */
-class Auth_OpenID_DatabaseConnection {
- /**
- * Sets auto-commit mode on this database connection.
- *
- * @param bool $mode True if auto-commit is to be used; false if
- * not.
- */
- function autoCommit($mode)
- {
- }
-
- /**
- * Run an SQL query with the specified parameters, if any.
- *
- * @param string $sql An SQL string with placeholders. The
- * placeholders are assumed to be specific to the database engine
- * for this connection.
- *
- * @param array $params An array of parameters to insert into the
- * SQL string using this connection's escaping mechanism.
- *
- * @return mixed $result The result of calling this connection's
- * internal query function. The type of result depends on the
- * underlying database engine. This method is usually used when
- * the result of a query is not important, like a DDL query.
- */
- function query($sql, $params = array())
- {
- }
-
- /**
- * Starts a transaction on this connection, if supported.
- */
- function begin()
- {
- }
-
- /**
- * Commits a transaction on this connection, if supported.
- */
- function commit()
- {
- }
-
- /**
- * Performs a rollback on this connection, if supported.
- */
- function rollback()
- {
- }
-
- /**
- * Run an SQL query and return the first column of the first row
- * of the result set, if any.
- *
- * @param string $sql An SQL string with placeholders. The
- * placeholders are assumed to be specific to the database engine
- * for this connection.
- *
- * @param array $params An array of parameters to insert into the
- * SQL string using this connection's escaping mechanism.
- *
- * @return mixed $result The value of the first column of the
- * first row of the result set. False if no such result was
- * found.
- */
- function getOne($sql, $params = array())
- {
- }
-
- /**
- * Run an SQL query and return the first row of the result set, if
- * any.
- *
- * @param string $sql An SQL string with placeholders. The
- * placeholders are assumed to be specific to the database engine
- * for this connection.
- *
- * @param array $params An array of parameters to insert into the
- * SQL string using this connection's escaping mechanism.
- *
- * @return array $result The first row of the result set, if any,
- * keyed on column name. False if no such result was found.
- */
- function getRow($sql, $params = array())
- {
- }
-
- /**
- * Run an SQL query with the specified parameters, if any.
- *
- * @param string $sql An SQL string with placeholders. The
- * placeholders are assumed to be specific to the database engine
- * for this connection.
- *
- * @param array $params An array of parameters to insert into the
- * SQL string using this connection's escaping mechanism.
- *
- * @return array $result An array of arrays representing the
- * result of the query; each array is keyed on column name.
- */
- function getAll($sql, $params = array())
- {
- }
-}
-
diff --git a/lib/Auth/OpenID/DiffieHellman.php b/lib/Auth/OpenID/DiffieHellman.php
deleted file mode 100644
index 3e25b7dbbb69b891867fc5de4ce884f2398ab219..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/DiffieHellman.php
+++ /dev/null
@@ -1,113 +0,0 @@
-<?php
-
-/**
- * The OpenID library's Diffie-Hellman implementation.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @access private
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-require_once 'Auth/OpenID.php';
-require_once 'Auth/OpenID/BigMath.php';
-
-function Auth_OpenID_getDefaultMod()
-{
- return '155172898181473697471232257763715539915724801'.
- '966915404479707795314057629378541917580651227423'.
- '698188993727816152646631438561595825688188889951'.
- '272158842675419950341258706556549803580104870537'.
- '681476726513255747040765857479291291572334510643'.
- '245094715007229621094194349783925984760375594985'.
- '848253359305585439638443';
-}
-
-function Auth_OpenID_getDefaultGen()
-{
- return '2';
-}
-
-/**
- * The Diffie-Hellman key exchange class. This class relies on
- * {@link Auth_OpenID_MathLibrary} to perform large number operations.
- *
- * @access private
- * @package OpenID
- */
-class Auth_OpenID_DiffieHellman {
-
- var $mod;
- var $gen;
- var $private;
- var $lib = null;
-
- function Auth_OpenID_DiffieHellman($mod = null, $gen = null,
- $private = null, $lib = null)
- {
- if ($lib === null) {
- $this->lib = Auth_OpenID_getMathLib();
- } else {
- $this->lib = $lib;
- }
-
- if ($mod === null) {
- $this->mod = $this->lib->init(Auth_OpenID_getDefaultMod());
- } else {
- $this->mod = $mod;
- }
-
- if ($gen === null) {
- $this->gen = $this->lib->init(Auth_OpenID_getDefaultGen());
- } else {
- $this->gen = $gen;
- }
-
- if ($private === null) {
- $r = $this->lib->rand($this->mod);
- $this->private = $this->lib->add($r, 1);
- } else {
- $this->private = $private;
- }
-
- $this->public = $this->lib->powmod($this->gen, $this->private,
- $this->mod);
- }
-
- function getSharedSecret($composite)
- {
- return $this->lib->powmod($composite, $this->private, $this->mod);
- }
-
- function getPublicKey()
- {
- return $this->public;
- }
-
- function usingDefaultValues()
- {
- return ($this->mod == Auth_OpenID_getDefaultMod() &&
- $this->gen == Auth_OpenID_getDefaultGen());
- }
-
- function xorSecret($composite, $secret, $hash_func)
- {
- $dh_shared = $this->getSharedSecret($composite);
- $dh_shared_str = $this->lib->longToBinary($dh_shared);
- $hash_dh_shared = $hash_func($dh_shared_str);
-
- $xsecret = "";
- for ($i = 0; $i < Auth_OpenID::bytes($secret); $i++) {
- $xsecret .= chr(ord($secret[$i]) ^ ord($hash_dh_shared[$i]));
- }
-
- return $xsecret;
- }
-}
-
-
diff --git a/lib/Auth/OpenID/Discover.php b/lib/Auth/OpenID/Discover.php
deleted file mode 100644
index 7b0c640c5893768ea9c8537380f42599ffe7d94d..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Discover.php
+++ /dev/null
@@ -1,606 +0,0 @@
-<?php
-
-/**
- * The OpenID and Yadis discovery implementation for OpenID 1.2.
- */
-
-require_once "Auth/OpenID.php";
-require_once "Auth/OpenID/Parse.php";
-require_once "Auth/OpenID/Message.php";
-require_once "Auth/Yadis/XRIRes.php";
-require_once "Auth/Yadis/Yadis.php";
-
-// XML namespace value
-define('Auth_OpenID_XMLNS_1_0', 'http://openid.net/xmlns/1.0');
-
-// Yadis service types
-define('Auth_OpenID_TYPE_1_2', 'http://openid.net/signon/1.2');
-define('Auth_OpenID_TYPE_1_1', 'http://openid.net/signon/1.1');
-define('Auth_OpenID_TYPE_1_0', 'http://openid.net/signon/1.0');
-define('Auth_OpenID_TYPE_2_0_IDP', 'http://specs.openid.net/auth/2.0/server');
-define('Auth_OpenID_TYPE_2_0', 'http://specs.openid.net/auth/2.0/signon');
-define('Auth_OpenID_RP_RETURN_TO_URL_TYPE',
- 'http://specs.openid.net/auth/2.0/return_to');
-
-function Auth_OpenID_getOpenIDTypeURIs()
-{
- return array(Auth_OpenID_TYPE_2_0_IDP,
- Auth_OpenID_TYPE_2_0,
- Auth_OpenID_TYPE_1_2,
- Auth_OpenID_TYPE_1_1,
- Auth_OpenID_TYPE_1_0);
-}
-
-function Auth_OpenID_getOpenIDConsumerTypeURIs()
-{
- return array(Auth_OpenID_RP_RETURN_TO_URL_TYPE);
-}
-
-
-/*
- * Provides a user-readable interpretation of a type uri.
- * Useful for error messages.
- */
-function Auth_OpenID_getOpenIDTypeName($type_uri) {
- switch ($type_uri) {
- case Auth_OpenID_TYPE_2_0_IDP:
- return 'OpenID 2.0 IDP';
- case Auth_OpenID_TYPE_2_0:
- return 'OpenID 2.0';
- case Auth_OpenID_TYPE_1_2:
- return 'OpenID 1.2';
- case Auth_OpenID_TYPE_1_1:
- return 'OpenID 1.1';
- case Auth_OpenID_TYPE_1_0:
- return 'OpenID 1.0';
- case Auth_OpenID_RP_RETURN_TO_URL_TYPE:
- return 'OpenID relying party';
- }
-}
-
-/**
- * Object representing an OpenID service endpoint.
- */
-class Auth_OpenID_ServiceEndpoint {
- function Auth_OpenID_ServiceEndpoint()
- {
- $this->claimed_id = null;
- $this->server_url = null;
- $this->type_uris = array();
- $this->local_id = null;
- $this->canonicalID = null;
- $this->used_yadis = false; // whether this came from an XRDS
- $this->display_identifier = null;
- }
-
- function getDisplayIdentifier()
- {
- if ($this->display_identifier) {
- return $this->display_identifier;
- }
- if (! $this->claimed_id) {
- return $this->claimed_id;
- }
- $parsed = parse_url($this->claimed_id);
- $scheme = $parsed['scheme'];
- $host = $parsed['host'];
- $path = $parsed['path'];
- if (array_key_exists('query', $parsed)) {
- $query = $parsed['query'];
- $no_frag = "$scheme://$host$path?$query";
- } else {
- $no_frag = "$scheme://$host$path";
- }
- return $no_frag;
- }
-
- function usesExtension($extension_uri)
- {
- return in_array($extension_uri, $this->type_uris);
- }
-
- function preferredNamespace()
- {
- if (in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris) ||
- in_array(Auth_OpenID_TYPE_2_0, $this->type_uris)) {
- return Auth_OpenID_OPENID2_NS;
- } else {
- return Auth_OpenID_OPENID1_NS;
- }
- }
-
- /*
- * Query this endpoint to see if it has any of the given type
- * URIs. This is useful for implementing other endpoint classes
- * that e.g. need to check for the presence of multiple versions
- * of a single protocol.
- *
- * @param $type_uris The URIs that you wish to check
- *
- * @return all types that are in both in type_uris and
- * $this->type_uris
- */
- function matchTypes($type_uris)
- {
- $result = array();
- foreach ($type_uris as $test_uri) {
- if ($this->supportsType($test_uri)) {
- $result[] = $test_uri;
- }
- }
-
- return $result;
- }
-
- function supportsType($type_uri)
- {
- // Does this endpoint support this type?
- return ((in_array($type_uri, $this->type_uris)) ||
- (($type_uri == Auth_OpenID_TYPE_2_0) &&
- $this->isOPIdentifier()));
- }
-
- function compatibilityMode()
- {
- return $this->preferredNamespace() != Auth_OpenID_OPENID2_NS;
- }
-
- function isOPIdentifier()
- {
- return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris);
- }
-
- static function fromOPEndpointURL($op_endpoint_url)
- {
- // Construct an OP-Identifier OpenIDServiceEndpoint object for
- // a given OP Endpoint URL
- $obj = new Auth_OpenID_ServiceEndpoint();
- $obj->server_url = $op_endpoint_url;
- $obj->type_uris = array(Auth_OpenID_TYPE_2_0_IDP);
- return $obj;
- }
-
- function parseService($yadis_url, $uri, $type_uris, $service_element)
- {
- // Set the state of this object based on the contents of the
- // service element. Return true if successful, false if not
- // (if findOPLocalIdentifier returns false).
- $this->type_uris = $type_uris;
- $this->server_url = $uri;
- $this->used_yadis = true;
-
- if (!$this->isOPIdentifier()) {
- $this->claimed_id = $yadis_url;
- $this->local_id = Auth_OpenID_findOPLocalIdentifier(
- $service_element,
- $this->type_uris);
- if ($this->local_id === false) {
- return false;
- }
- }
-
- return true;
- }
-
- function getLocalID()
- {
- // Return the identifier that should be sent as the
- // openid.identity_url parameter to the server.
- if ($this->local_id === null && $this->canonicalID === null) {
- return $this->claimed_id;
- } else {
- if ($this->local_id) {
- return $this->local_id;
- } else {
- return $this->canonicalID;
- }
- }
- }
-
- /*
- * Parse the given document as XRDS looking for OpenID consumer services.
- *
- * @return array of Auth_OpenID_ServiceEndpoint or null if the
- * document cannot be parsed.
- */
- function consumerFromXRDS($uri, $xrds_text)
- {
- $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text);
-
- if ($xrds) {
- $yadis_services =
- $xrds->services(array('filter_MatchesAnyOpenIDConsumerType'));
- return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services);
- }
-
- return null;
- }
-
- /*
- * Parse the given document as XRDS looking for OpenID services.
- *
- * @return array of Auth_OpenID_ServiceEndpoint or null if the
- * document cannot be parsed.
- */
- static function fromXRDS($uri, $xrds_text)
- {
- $xrds = Auth_Yadis_XRDS::parseXRDS($xrds_text);
-
- if ($xrds) {
- $yadis_services =
- $xrds->services(array('filter_MatchesAnyOpenIDType'));
- return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services);
- }
-
- return null;
- }
-
- /*
- * Create endpoints from a DiscoveryResult.
- *
- * @param discoveryResult Auth_Yadis_DiscoveryResult
- * @return array of Auth_OpenID_ServiceEndpoint or null if
- * endpoints cannot be created.
- */
- static function fromDiscoveryResult($discoveryResult)
- {
- if ($discoveryResult->isXRDS()) {
- return Auth_OpenID_ServiceEndpoint::fromXRDS(
- $discoveryResult->normalized_uri,
- $discoveryResult->response_text);
- } else {
- return Auth_OpenID_ServiceEndpoint::fromHTML(
- $discoveryResult->normalized_uri,
- $discoveryResult->response_text);
- }
- }
-
- static function fromHTML($uri, $html)
- {
- $discovery_types = array(
- array(Auth_OpenID_TYPE_2_0,
- 'openid2.provider', 'openid2.local_id'),
- array(Auth_OpenID_TYPE_1_1,
- 'openid.server', 'openid.delegate')
- );
-
- $services = array();
-
- foreach ($discovery_types as $triple) {
- list($type_uri, $server_rel, $delegate_rel) = $triple;
-
- $urls = Auth_OpenID_legacy_discover($html, $server_rel,
- $delegate_rel);
-
- if ($urls === false) {
- continue;
- }
-
- list($delegate_url, $server_url) = $urls;
-
- $service = new Auth_OpenID_ServiceEndpoint();
- $service->claimed_id = $uri;
- $service->local_id = $delegate_url;
- $service->server_url = $server_url;
- $service->type_uris = array($type_uri);
-
- $services[] = $service;
- }
-
- return $services;
- }
-
- function copy()
- {
- $x = new Auth_OpenID_ServiceEndpoint();
-
- $x->claimed_id = $this->claimed_id;
- $x->server_url = $this->server_url;
- $x->type_uris = $this->type_uris;
- $x->local_id = $this->local_id;
- $x->canonicalID = $this->canonicalID;
- $x->used_yadis = $this->used_yadis;
-
- return $x;
- }
-}
-
-function Auth_OpenID_findOPLocalIdentifier($service, $type_uris)
-{
- // Extract a openid:Delegate value from a Yadis Service element.
- // If no delegate is found, returns null. Returns false on
- // discovery failure (when multiple delegate/localID tags have
- // different values).
-
- $service->parser->registerNamespace('openid',
- Auth_OpenID_XMLNS_1_0);
-
- $service->parser->registerNamespace('xrd',
- Auth_Yadis_XMLNS_XRD_2_0);
-
- $parser = $service->parser;
-
- $permitted_tags = array();
-
- if (in_array(Auth_OpenID_TYPE_1_1, $type_uris) ||
- in_array(Auth_OpenID_TYPE_1_0, $type_uris)) {
- $permitted_tags[] = 'openid:Delegate';
- }
-
- if (in_array(Auth_OpenID_TYPE_2_0, $type_uris)) {
- $permitted_tags[] = 'xrd:LocalID';
- }
-
- $local_id = null;
-
- foreach ($permitted_tags as $tag_name) {
- $tags = $service->getElements($tag_name);
-
- foreach ($tags as $tag) {
- $content = $parser->content($tag);
-
- if ($local_id === null) {
- $local_id = $content;
- } else if ($local_id != $content) {
- return false;
- }
- }
- }
-
- return $local_id;
-}
-
-function filter_MatchesAnyOpenIDType($service)
-{
- $uris = $service->getTypes();
-
- foreach ($uris as $uri) {
- if (in_array($uri, Auth_OpenID_getOpenIDTypeURIs())) {
- return true;
- }
- }
-
- return false;
-}
-
-function filter_MatchesAnyOpenIDConsumerType(&$service)
-{
- $uris = $service->getTypes();
-
- foreach ($uris as $uri) {
- if (in_array($uri, Auth_OpenID_getOpenIDConsumerTypeURIs())) {
- return true;
- }
- }
-
- return false;
-}
-
-function Auth_OpenID_bestMatchingService($service, $preferred_types)
-{
- // Return the index of the first matching type, or something
- // higher if no type matches.
- //
- // This provides an ordering in which service elements that
- // contain a type that comes earlier in the preferred types list
- // come before service elements that come later. If a service
- // element has more than one type, the most preferred one wins.
-
- foreach ($preferred_types as $index => $typ) {
- if (in_array($typ, $service->type_uris)) {
- return $index;
- }
- }
-
- return count($preferred_types);
-}
-
-function Auth_OpenID_arrangeByType($service_list, $preferred_types)
-{
- // Rearrange service_list in a new list so services are ordered by
- // types listed in preferred_types. Return the new list.
-
- // Build a list with the service elements in tuples whose
- // comparison will prefer the one with the best matching service
- $prio_services = array();
- foreach ($service_list as $index => $service) {
- $prio_services[] = array(Auth_OpenID_bestMatchingService($service,
- $preferred_types),
- $index, $service);
- }
-
- sort($prio_services);
-
- // Now that the services are sorted by priority, remove the sort
- // keys from the list.
- foreach ($prio_services as $index => $s) {
- $prio_services[$index] = $prio_services[$index][2];
- }
-
- return $prio_services;
-}
-
-// Extract OP Identifier services. If none found, return the rest,
-// sorted with most preferred first according to
-// OpenIDServiceEndpoint.openid_type_uris.
-//
-// openid_services is a list of OpenIDServiceEndpoint objects.
-//
-// Returns a list of OpenIDServiceEndpoint objects."""
-function Auth_OpenID_getOPOrUserServices($openid_services)
-{
- $op_services = Auth_OpenID_arrangeByType($openid_services,
- array(Auth_OpenID_TYPE_2_0_IDP));
-
- $openid_services = Auth_OpenID_arrangeByType($openid_services,
- Auth_OpenID_getOpenIDTypeURIs());
-
- if ($op_services) {
- return $op_services;
- } else {
- return $openid_services;
- }
-}
-
-function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services)
-{
- $s = array();
-
- if (!$yadis_services) {
- return $s;
- }
-
- foreach ($yadis_services as $service) {
- $type_uris = $service->getTypes();
- $uris = $service->getURIs();
-
- // If any Type URIs match and there is an endpoint URI
- // specified, then this is an OpenID endpoint
- if ($type_uris &&
- $uris) {
- foreach ($uris as $service_uri) {
- $openid_endpoint = new Auth_OpenID_ServiceEndpoint();
- if ($openid_endpoint->parseService($uri,
- $service_uri,
- $type_uris,
- $service)) {
- $s[] = $openid_endpoint;
- }
- }
- }
- }
-
- return $s;
-}
-
-function Auth_OpenID_discoverWithYadis($uri, $fetcher,
- $endpoint_filter='Auth_OpenID_getOPOrUserServices',
- $discover_function=null)
-{
- // Discover OpenID services for a URI. Tries Yadis and falls back
- // on old-style <link rel='...'> discovery if Yadis fails.
-
- // Might raise a yadis.discover.DiscoveryFailure if no document
- // came back for that URI at all. I don't think falling back to
- // OpenID 1.0 discovery on the same URL will help, so don't bother
- // to catch it.
- if ($discover_function === null) {
- $discover_function = array('Auth_Yadis_Yadis', 'discover');
- }
-
- $openid_services = array();
-
- $response = call_user_func_array($discover_function,
- array($uri, $fetcher));
-
- $yadis_url = $response->normalized_uri;
- $yadis_services = array();
-
- if ($response->isFailure() && !$response->isXRDS()) {
- return array($uri, array());
- }
-
- $openid_services = Auth_OpenID_ServiceEndpoint::fromXRDS(
- $yadis_url,
- $response->response_text);
-
- if (!$openid_services) {
- if ($response->isXRDS()) {
- return Auth_OpenID_discoverWithoutYadis($uri,
- $fetcher);
- }
-
- // Try to parse the response as HTML to get OpenID 1.0/1.1
- // <link rel="...">
- $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML(
- $yadis_url,
- $response->response_text);
- }
-
- $openid_services = call_user_func_array($endpoint_filter,
- array($openid_services));
-
- return array($yadis_url, $openid_services);
-}
-
-function Auth_OpenID_discoverURI($uri, $fetcher)
-{
- $uri = Auth_OpenID::normalizeUrl($uri);
- return Auth_OpenID_discoverWithYadis($uri, $fetcher);
-}
-
-function Auth_OpenID_discoverWithoutYadis($uri, $fetcher)
-{
- $http_resp = @$fetcher->get($uri);
-
- if ($http_resp->status != 200 and $http_resp->status != 206) {
- return array($uri, array());
- }
-
- $identity_url = $http_resp->final_url;
-
- // Try to parse the response as HTML to get OpenID 1.0/1.1 <link
- // rel="...">
- $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML(
- $identity_url,
- $http_resp->body);
-
- return array($identity_url, $openid_services);
-}
-
-function Auth_OpenID_discoverXRI($iname, $fetcher)
-{
- $resolver = new Auth_Yadis_ProxyResolver($fetcher);
- list($canonicalID, $yadis_services) =
- $resolver->query($iname,
- Auth_OpenID_getOpenIDTypeURIs(),
- array('filter_MatchesAnyOpenIDType'));
-
- $openid_services = Auth_OpenID_makeOpenIDEndpoints($iname,
- $yadis_services);
-
- $openid_services = Auth_OpenID_getOPOrUserServices($openid_services);
-
- for ($i = 0; $i < count($openid_services); $i++) {
- $openid_services[$i]->canonicalID = $canonicalID;
- $openid_services[$i]->claimed_id = $canonicalID;
- $openid_services[$i]->display_identifier = $iname;
- }
-
- // FIXME: returned xri should probably be in some normal form
- return array($iname, $openid_services);
-}
-
-function Auth_OpenID_discover($uri, $fetcher)
-{
- // If the fetcher (i.e., PHP) doesn't support SSL, we can't do
- // discovery on an HTTPS URL.
- if ($fetcher->isHTTPS($uri) && !$fetcher->supportsSSL()) {
- return array($uri, array());
- }
-
- if (Auth_Yadis_identifierScheme($uri) == 'XRI') {
- $result = Auth_OpenID_discoverXRI($uri, $fetcher);
- } else {
- $result = Auth_OpenID_discoverURI($uri, $fetcher);
- }
-
- // If the fetcher doesn't support SSL, we can't interact with
- // HTTPS server URLs; remove those endpoints from the list.
- if (!$fetcher->supportsSSL()) {
- $http_endpoints = array();
- list($new_uri, $endpoints) = $result;
-
- foreach ($endpoints as $e) {
- if (!$fetcher->isHTTPS($e->server_url)) {
- $http_endpoints[] = $e;
- }
- }
-
- $result = array($new_uri, $http_endpoints);
- }
-
- return $result;
-}
-
-
diff --git a/lib/Auth/OpenID/DumbStore.php b/lib/Auth/OpenID/DumbStore.php
deleted file mode 100644
index e8f29ace55cc0c207eeba54979667e02af0c9d82..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/DumbStore.php
+++ /dev/null
@@ -1,99 +0,0 @@
-<?php
-
-/**
- * This file supplies a dumb store backend for OpenID servers and
- * consumers.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Import the interface for creating a new store class.
- */
-require_once 'Auth/OpenID/Interface.php';
-require_once 'Auth/OpenID/HMAC.php';
-
-/**
- * This is a store for use in the worst case, when you have no way of
- * saving state on the consumer site. Using this store makes the
- * consumer vulnerable to replay attacks, as it's unable to use
- * nonces. Avoid using this store if it is at all possible.
- *
- * Most of the methods of this class are implementation details.
- * Users of this class need to worry only about the constructor.
- *
- * @package OpenID
- */
-class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore {
-
- /**
- * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security
- * of the tokens generated by the library, this class attempts to
- * at least have a secure implementation of getAuthKey.
- *
- * When you create an instance of this class, pass in a secret
- * phrase. The phrase is hashed with sha1 to make it the correct
- * length and form for an auth key. That allows you to use a long
- * string as the secret phrase, which means you can make it very
- * difficult to guess.
- *
- * Each {@link Auth_OpenID_DumbStore} instance that is created for use by
- * your consumer site needs to use the same $secret_phrase.
- *
- * @param string secret_phrase The phrase used to create the auth
- * key returned by getAuthKey
- */
- function Auth_OpenID_DumbStore($secret_phrase)
- {
- $this->auth_key = Auth_OpenID_SHA1($secret_phrase);
- }
-
- /**
- * This implementation does nothing.
- */
- function storeAssociation($server_url, $association)
- {
- }
-
- /**
- * This implementation always returns null.
- */
- function getAssociation($server_url, $handle = null)
- {
- return null;
- }
-
- /**
- * This implementation always returns false.
- */
- function removeAssociation($server_url, $handle)
- {
- return false;
- }
-
- /**
- * In a system truly limited to dumb mode, nonces must all be
- * accepted. This therefore always returns true, which makes
- * replay attacks feasible.
- */
- function useNonce($server_url, $timestamp, $salt)
- {
- return true;
- }
-
- /**
- * This method returns the auth key generated by the constructor.
- */
- function getAuthKey()
- {
- return $this->auth_key;
- }
-}
-
diff --git a/lib/Auth/OpenID/Extension.php b/lib/Auth/OpenID/Extension.php
deleted file mode 100644
index c4e38c0380bbf8a5fa25b40885f0442e9f30063b..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Extension.php
+++ /dev/null
@@ -1,61 +0,0 @@
-<?php
-
-/**
- * An interface for OpenID extensions.
- *
- * @package OpenID
- */
-
-/**
- * Require the Message implementation.
- */
-require_once 'Auth/OpenID/Message.php';
-
-/**
- * A base class for accessing extension request and response data for
- * the OpenID 2 protocol.
- *
- * @package OpenID
- */
-class Auth_OpenID_Extension {
- /**
- * ns_uri: The namespace to which to add the arguments for this
- * extension
- */
- var $ns_uri = null;
- var $ns_alias = null;
-
- /**
- * Get the string arguments that should be added to an OpenID
- * message for this extension.
- */
- function getExtensionArgs()
- {
- return null;
- }
-
- /**
- * Add the arguments from this extension to the provided message.
- *
- * Returns the message with the extension arguments added.
- */
- function toMessage($message)
- {
- $implicit = $message->isOpenID1();
- $added = $message->namespaces->addAlias($this->ns_uri,
- $this->ns_alias,
- $implicit);
-
- if ($added === null) {
- if ($message->namespaces->getAlias($this->ns_uri) !=
- $this->ns_alias) {
- return null;
- }
- }
-
- $message->updateArgs($this->ns_uri,
- $this->getExtensionArgs());
- return $message;
- }
-}
-
diff --git a/lib/Auth/OpenID/FileStore.php b/lib/Auth/OpenID/FileStore.php
deleted file mode 100644
index 074421a0bb3d504c946127f6efed686c4e6d6079..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/FileStore.php
+++ /dev/null
@@ -1,618 +0,0 @@
-<?php
-
-/**
- * This file supplies a Memcached store backend for OpenID servers and
- * consumers.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Require base class for creating a new interface.
- */
-require_once 'Auth/OpenID.php';
-require_once 'Auth/OpenID/Interface.php';
-require_once 'Auth/OpenID/HMAC.php';
-require_once 'Auth/OpenID/Nonce.php';
-
-/**
- * This is a filesystem-based store for OpenID associations and
- * nonces. This store should be safe for use in concurrent systems on
- * both windows and unix (excluding NFS filesystems). There are a
- * couple race conditions in the system, but those failure cases have
- * been set up in such a way that the worst-case behavior is someone
- * having to try to log in a second time.
- *
- * Most of the methods of this class are implementation details.
- * People wishing to just use this store need only pay attention to
- * the constructor.
- *
- * @package OpenID
- */
-class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore {
-
- /**
- * Initializes a new {@link Auth_OpenID_FileStore}. This
- * initializes the nonce and association directories, which are
- * subdirectories of the directory passed in.
- *
- * @param string $directory This is the directory to put the store
- * directories in.
- */
- function Auth_OpenID_FileStore($directory)
- {
- if (!Auth_OpenID::ensureDir($directory)) {
- trigger_error('Not a directory and failed to create: '
- . $directory, E_USER_ERROR);
- }
- $directory = realpath($directory);
-
- $this->directory = $directory;
- $this->active = true;
-
- $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces';
-
- $this->association_dir = $directory . DIRECTORY_SEPARATOR .
- 'associations';
-
- // Temp dir must be on the same filesystem as the assciations
- // $directory.
- $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp';
-
- $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds
-
- if (!$this->_setup()) {
- trigger_error('Failed to initialize OpenID file store in ' .
- $directory, E_USER_ERROR);
- }
- }
-
- function destroy()
- {
- Auth_OpenID_FileStore::_rmtree($this->directory);
- $this->active = false;
- }
-
- /**
- * Make sure that the directories in which we store our data
- * exist.
- *
- * @access private
- */
- function _setup()
- {
- return (Auth_OpenID::ensureDir($this->nonce_dir) &&
- Auth_OpenID::ensureDir($this->association_dir) &&
- Auth_OpenID::ensureDir($this->temp_dir));
- }
-
- /**
- * Create a temporary file on the same filesystem as
- * $this->association_dir.
- *
- * The temporary directory should not be cleaned if there are any
- * processes using the store. If there is no active process using
- * the store, it is safe to remove all of the files in the
- * temporary directory.
- *
- * @return array ($fd, $filename)
- * @access private
- */
- function _mktemp()
- {
- $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir);
- $file_obj = @fopen($name, 'wb');
- if ($file_obj !== false) {
- return array($file_obj, $name);
- } else {
- Auth_OpenID_FileStore::_removeIfPresent($name);
- }
- }
-
- function cleanupNonces()
- {
- global $Auth_OpenID_SKEW;
-
- $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir);
- $now = time();
-
- $removed = 0;
- // Check all nonces for expiry
- foreach ($nonces as $nonce_fname) {
- $base = basename($nonce_fname);
- $parts = explode('-', $base, 2);
- $timestamp = $parts[0];
- $timestamp = intval($timestamp, 16);
- if (abs($timestamp - $now) > $Auth_OpenID_SKEW) {
- Auth_OpenID_FileStore::_removeIfPresent($nonce_fname);
- $removed += 1;
- }
- }
- return $removed;
- }
-
- /**
- * Create a unique filename for a given server url and
- * handle. This implementation does not assume anything about the
- * format of the handle. The filename that is returned will
- * contain the domain name from the server URL for ease of human
- * inspection of the data directory.
- *
- * @return string $filename
- */
- function getAssociationFilename($server_url, $handle)
- {
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return null;
- }
-
- if (strpos($server_url, '://') === false) {
- trigger_error(sprintf("Bad server URL: %s", $server_url),
- E_USER_WARNING);
- return null;
- }
-
- list($proto, $rest) = explode('://', $server_url, 2);
- $parts = explode('/', $rest);
- $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]);
- $url_hash = Auth_OpenID_FileStore::_safe64($server_url);
- if ($handle) {
- $handle_hash = Auth_OpenID_FileStore::_safe64($handle);
- } else {
- $handle_hash = '';
- }
-
- $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash,
- $handle_hash);
-
- return $this->association_dir. DIRECTORY_SEPARATOR . $filename;
- }
-
- /**
- * Store an association in the association directory.
- */
- function storeAssociation($server_url, $association)
- {
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return false;
- }
-
- $association_s = $association->serialize();
- $filename = $this->getAssociationFilename($server_url,
- $association->handle);
- list($tmp_file, $tmp) = $this->_mktemp();
-
- if (!$tmp_file) {
- trigger_error("_mktemp didn't return a valid file descriptor",
- E_USER_WARNING);
- return false;
- }
-
- fwrite($tmp_file, $association_s);
-
- fflush($tmp_file);
-
- fclose($tmp_file);
-
- if (@rename($tmp, $filename)) {
- return true;
- } else {
- // In case we are running on Windows, try unlinking the
- // file in case it exists.
- @unlink($filename);
-
- // Now the target should not exist. Try renaming again,
- // giving up if it fails.
- if (@rename($tmp, $filename)) {
- return true;
- }
- }
-
- // If there was an error, don't leave the temporary file
- // around.
- Auth_OpenID_FileStore::_removeIfPresent($tmp);
- return false;
- }
-
- /**
- * Retrieve an association. If no handle is specified, return the
- * association with the most recent issue time.
- *
- * @return mixed $association
- */
- function getAssociation($server_url, $handle = null)
- {
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return null;
- }
-
- if ($handle === null) {
- $handle = '';
- }
-
- // The filename with the empty handle is a prefix of all other
- // associations for the given server URL.
- $filename = $this->getAssociationFilename($server_url, $handle);
-
- if ($handle) {
- return $this->_getAssociation($filename);
- } else {
- $association_files =
- Auth_OpenID_FileStore::_listdir($this->association_dir);
- $matching_files = array();
-
- // strip off the path to do the comparison
- $name = basename($filename);
- foreach ($association_files as $association_file) {
- $base = basename($association_file);
- if (strpos($base, $name) === 0) {
- $matching_files[] = $association_file;
- }
- }
-
- $matching_associations = array();
- // read the matching files and sort by time issued
- foreach ($matching_files as $full_name) {
- $association = $this->_getAssociation($full_name);
- if ($association !== null) {
- $matching_associations[] = array($association->issued,
- $association);
- }
- }
-
- $issued = array();
- $assocs = array();
- foreach ($matching_associations as $key => $assoc) {
- $issued[$key] = $assoc[0];
- $assocs[$key] = $assoc[1];
- }
-
- array_multisort($issued, SORT_DESC, $assocs, SORT_DESC,
- $matching_associations);
-
- // return the most recently issued one.
- if ($matching_associations) {
- list($issued, $assoc) = $matching_associations[0];
- return $assoc;
- } else {
- return null;
- }
- }
- }
-
- /**
- * @access private
- */
- function _getAssociation($filename)
- {
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return null;
- }
-
- $assoc_file = @fopen($filename, 'rb');
-
- if ($assoc_file === false) {
- return null;
- }
-
- $assoc_s = fread($assoc_file, filesize($filename));
- fclose($assoc_file);
-
- if (!$assoc_s) {
- return null;
- }
-
- $association =
- Auth_OpenID_Association::deserialize('Auth_OpenID_Association',
- $assoc_s);
-
- if (!$association) {
- Auth_OpenID_FileStore::_removeIfPresent($filename);
- return null;
- }
-
- if ($association->getExpiresIn() == 0) {
- Auth_OpenID_FileStore::_removeIfPresent($filename);
- return null;
- } else {
- return $association;
- }
- }
-
- /**
- * Remove an association if it exists. Do nothing if it does not.
- *
- * @return bool $success
- */
- function removeAssociation($server_url, $handle)
- {
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return null;
- }
-
- $assoc = $this->getAssociation($server_url, $handle);
- if ($assoc === null) {
- return false;
- } else {
- $filename = $this->getAssociationFilename($server_url, $handle);
- return Auth_OpenID_FileStore::_removeIfPresent($filename);
- }
- }
-
- /**
- * Return whether this nonce is present. As a side effect, mark it
- * as no longer present.
- *
- * @return bool $present
- */
- function useNonce($server_url, $timestamp, $salt)
- {
- global $Auth_OpenID_SKEW;
-
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return null;
- }
-
- if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) {
- return false;
- }
-
- if ($server_url) {
- list($proto, $rest) = explode('://', $server_url, 2);
- } else {
- $proto = '';
- $rest = '';
- }
-
- $parts = explode('/', $rest, 2);
- $domain = $this->_filenameEscape($parts[0]);
- $url_hash = $this->_safe64($server_url);
- $salt_hash = $this->_safe64($salt);
-
- $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto,
- $domain, $url_hash, $salt_hash);
- $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename;
-
- $result = @fopen($filename, 'x');
-
- if ($result === false) {
- return false;
- } else {
- fclose($result);
- return true;
- }
- }
-
- /**
- * Remove expired entries from the database. This is potentially
- * expensive, so only run when it is acceptable to take time.
- *
- * @access private
- */
- function _allAssocs()
- {
- $all_associations = array();
-
- $association_filenames =
- Auth_OpenID_FileStore::_listdir($this->association_dir);
-
- foreach ($association_filenames as $association_filename) {
- $association_file = fopen($association_filename, 'rb');
-
- if ($association_file !== false) {
- $assoc_s = fread($association_file,
- filesize($association_filename));
- fclose($association_file);
-
- // Remove expired or corrupted associations
- $association =
- Auth_OpenID_Association::deserialize(
- 'Auth_OpenID_Association', $assoc_s);
-
- if ($association === null) {
- Auth_OpenID_FileStore::_removeIfPresent(
- $association_filename);
- } else {
- if ($association->getExpiresIn() == 0) {
- $all_associations[] = array($association_filename,
- $association);
- }
- }
- }
- }
-
- return $all_associations;
- }
-
- function clean()
- {
- if (!$this->active) {
- trigger_error("FileStore no longer active", E_USER_ERROR);
- return null;
- }
-
- $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir);
- $now = time();
-
- // Check all nonces for expiry
- foreach ($nonces as $nonce) {
- if (!Auth_OpenID_checkTimestamp($nonce, $now)) {
- $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce;
- Auth_OpenID_FileStore::_removeIfPresent($filename);
- }
- }
-
- foreach ($this->_allAssocs() as $pair) {
- list($assoc_filename, $assoc) = $pair;
- if ($assoc->getExpiresIn() == 0) {
- Auth_OpenID_FileStore::_removeIfPresent($assoc_filename);
- }
- }
- }
-
- /**
- * @access private
- */
- function _rmtree($dir)
- {
- if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) {
- $dir .= DIRECTORY_SEPARATOR;
- }
-
- if ($handle = opendir($dir)) {
- while ($item = readdir($handle)) {
- if (!in_array($item, array('.', '..'))) {
- if (is_dir($dir . $item)) {
-
- if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) {
- return false;
- }
- } else if (is_file($dir . $item)) {
- if (!unlink($dir . $item)) {
- return false;
- }
- }
- }
- }
-
- closedir($handle);
-
- if (!@rmdir($dir)) {
- return false;
- }
-
- return true;
- } else {
- // Couldn't open directory.
- return false;
- }
- }
-
- /**
- * @access private
- */
- function _mkstemp($dir)
- {
- foreach (range(0, 4) as $i) {
- $name = tempnam($dir, "php_openid_filestore_");
-
- if ($name !== false) {
- return $name;
- }
- }
- return false;
- }
-
- /**
- * @access private
- */
- static function _mkdtemp($dir)
- {
- foreach (range(0, 4) as $i) {
- $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) .
- "-" . strval(rand(1, time()));
- if (!mkdir($name, 0700)) {
- return false;
- } else {
- return $name;
- }
- }
- return false;
- }
-
- /**
- * @access private
- */
- function _listdir($dir)
- {
- $handle = opendir($dir);
- $files = array();
- while (false !== ($filename = readdir($handle))) {
- if (!in_array($filename, array('.', '..'))) {
- $files[] = $dir . DIRECTORY_SEPARATOR . $filename;
- }
- }
- return $files;
- }
-
- /**
- * @access private
- */
- function _isFilenameSafe($char)
- {
- $_Auth_OpenID_filename_allowed = Auth_OpenID_letters .
- Auth_OpenID_digits . ".";
- return (strpos($_Auth_OpenID_filename_allowed, $char) !== false);
- }
-
- /**
- * @access private
- */
- function _safe64($str)
- {
- $h64 = base64_encode(Auth_OpenID_SHA1($str));
- $h64 = str_replace('+', '_', $h64);
- $h64 = str_replace('/', '.', $h64);
- $h64 = str_replace('=', '', $h64);
- return $h64;
- }
-
- /**
- * @access private
- */
- function _filenameEscape($str)
- {
- $filename = "";
- $b = Auth_OpenID::toBytes($str);
-
- for ($i = 0; $i < count($b); $i++) {
- $c = $b[$i];
- if (Auth_OpenID_FileStore::_isFilenameSafe($c)) {
- $filename .= $c;
- } else {
- $filename .= sprintf("_%02X", ord($c));
- }
- }
- return $filename;
- }
-
- /**
- * Attempt to remove a file, returning whether the file existed at
- * the time of the call.
- *
- * @access private
- * @return bool $result True if the file was present, false if not.
- */
- function _removeIfPresent($filename)
- {
- return @unlink($filename);
- }
-
- function cleanupAssociations()
- {
- $removed = 0;
- foreach ($this->_allAssocs() as $pair) {
- list($assoc_filename, $assoc) = $pair;
- if ($assoc->getExpiresIn() == 0) {
- $this->_removeIfPresent($assoc_filename);
- $removed += 1;
- }
- }
- return $removed;
- }
-}
-
-
diff --git a/lib/Auth/OpenID/HMAC.php b/lib/Auth/OpenID/HMAC.php
deleted file mode 100644
index e6c4bdfd9dc81dfe5b11cd6022358486a134331a..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/HMAC.php
+++ /dev/null
@@ -1,105 +0,0 @@
-<?php
-
-/**
- * This is the HMACSHA1 implementation for the OpenID library.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @access private
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-require_once 'Auth/OpenID.php';
-
-/**
- * SHA1_BLOCKSIZE is this module's SHA1 blocksize used by the fallback
- * implementation.
- */
-define('Auth_OpenID_SHA1_BLOCKSIZE', 64);
-
-function Auth_OpenID_SHA1($text)
-{
- if (function_exists('hash') &&
- function_exists('hash_algos') &&
- (in_array('sha1', hash_algos()))) {
- // PHP 5 case (sometimes): 'hash' available and 'sha1' algo
- // supported.
- return hash('sha1', $text, true);
- } else if (function_exists('sha1')) {
- // PHP 4 case: 'sha1' available.
- $hex = sha1($text);
- $raw = '';
- for ($i = 0; $i < 40; $i += 2) {
- $hexcode = substr($hex, $i, 2);
- $charcode = (int)base_convert($hexcode, 16, 10);
- $raw .= chr($charcode);
- }
- return $raw;
- } else {
- // Explode.
- trigger_error('No SHA1 function found', E_USER_ERROR);
- }
-}
-
-/**
- * Compute an HMAC/SHA1 hash.
- *
- * @access private
- * @param string $key The HMAC key
- * @param string $text The message text to hash
- * @return string $mac The MAC
- */
-function Auth_OpenID_HMACSHA1($key, $text)
-{
- if (Auth_OpenID::bytes($key) > Auth_OpenID_SHA1_BLOCKSIZE) {
- $key = Auth_OpenID_SHA1($key, true);
- }
-
- if (function_exists('hash_hmac') &&
- function_exists('hash_algos') &&
- (in_array('sha1', hash_algos()))) {
- return hash_hmac('sha1', $text, $key, true);
- }
- // Home-made solution
-
- $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00));
- $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE);
- $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE);
- $hash1 = Auth_OpenID_SHA1(($key ^ $ipad) . $text, true);
- $hmac = Auth_OpenID_SHA1(($key ^ $opad) . $hash1, true);
- return $hmac;
-}
-
-if (function_exists('hash') &&
- function_exists('hash_algos') &&
- (in_array('sha256', hash_algos()))) {
- function Auth_OpenID_SHA256($text)
- {
- // PHP 5 case: 'hash' available and 'sha256' algo supported.
- return hash('sha256', $text, true);
- }
- define('Auth_OpenID_SHA256_SUPPORTED', true);
-} else {
- define('Auth_OpenID_SHA256_SUPPORTED', false);
-}
-
-if (function_exists('hash_hmac') &&
- function_exists('hash_algos') &&
- (in_array('sha256', hash_algos()))) {
-
- function Auth_OpenID_HMACSHA256($key, $text)
- {
- // Return raw MAC (not hex string).
- return hash_hmac('sha256', $text, $key, true);
- }
-
- define('Auth_OpenID_HMACSHA256_SUPPORTED', true);
-} else {
- define('Auth_OpenID_HMACSHA256_SUPPORTED', false);
-}
-
diff --git a/lib/Auth/OpenID/Interface.php b/lib/Auth/OpenID/Interface.php
deleted file mode 100644
index eca6b9c50f554d7927a3160c161a23cc6094a679..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Interface.php
+++ /dev/null
@@ -1,196 +0,0 @@
-<?php
-
-/**
- * This file specifies the interface for PHP OpenID store implementations.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * This is the interface for the store objects the OpenID library
- * uses. It is a single class that provides all of the persistence
- * mechanisms that the OpenID library needs, for both servers and
- * consumers. If you want to create an SQL-driven store, please see
- * then {@link Auth_OpenID_SQLStore} class.
- *
- * Change: Version 2.0 removed the storeNonce, getAuthKey, and isDumb
- * methods, and changed the behavior of the useNonce method to support
- * one-way nonces.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- */
-class Auth_OpenID_OpenIDStore {
- /**
- * This method puts an Association object into storage,
- * retrievable by server URL and handle.
- *
- * @param string $server_url The URL of the identity server that
- * this association is with. Because of the way the server portion
- * of the library uses this interface, don't assume there are any
- * limitations on the character set of the input string. In
- * particular, expect to see unescaped non-url-safe characters in
- * the server_url field.
- *
- * @param Association $association The Association to store.
- */
- function storeAssociation($server_url, $association)
- {
- trigger_error("Auth_OpenID_OpenIDStore::storeAssociation ".
- "not implemented", E_USER_ERROR);
- }
-
- /*
- * Remove expired nonces from the store.
- *
- * Discards any nonce from storage that is old enough that its
- * timestamp would not pass useNonce().
- *
- * This method is not called in the normal operation of the
- * library. It provides a way for store admins to keep their
- * storage from filling up with expired data.
- *
- * @return the number of nonces expired
- */
- function cleanupNonces()
- {
- trigger_error("Auth_OpenID_OpenIDStore::cleanupNonces ".
- "not implemented", E_USER_ERROR);
- }
-
- /*
- * Remove expired associations from the store.
- *
- * This method is not called in the normal operation of the
- * library. It provides a way for store admins to keep their
- * storage from filling up with expired data.
- *
- * @return the number of associations expired.
- */
- function cleanupAssociations()
- {
- trigger_error("Auth_OpenID_OpenIDStore::cleanupAssociations ".
- "not implemented", E_USER_ERROR);
- }
-
- /*
- * Shortcut for cleanupNonces(), cleanupAssociations().
- *
- * This method is not called in the normal operation of the
- * library. It provides a way for store admins to keep their
- * storage from filling up with expired data.
- */
- function cleanup()
- {
- return array($this->cleanupNonces(),
- $this->cleanupAssociations());
- }
-
- /**
- * Report whether this storage supports cleanup
- */
- function supportsCleanup()
- {
- return true;
- }
-
- /**
- * This method returns an Association object from storage that
- * matches the server URL and, if specified, handle. It returns
- * null if no such association is found or if the matching
- * association is expired.
- *
- * If no handle is specified, the store may return any association
- * which matches the server URL. If multiple associations are
- * valid, the recommended return value for this method is the one
- * most recently issued.
- *
- * This method is allowed (and encouraged) to garbage collect
- * expired associations when found. This method must not return
- * expired associations.
- *
- * @param string $server_url The URL of the identity server to get
- * the association for. Because of the way the server portion of
- * the library uses this interface, don't assume there are any
- * limitations on the character set of the input string. In
- * particular, expect to see unescaped non-url-safe characters in
- * the server_url field.
- *
- * @param mixed $handle This optional parameter is the handle of
- * the specific association to get. If no specific handle is
- * provided, any valid association matching the server URL is
- * returned.
- *
- * @return Association The Association for the given identity
- * server.
- */
- function getAssociation($server_url, $handle = null)
- {
- trigger_error("Auth_OpenID_OpenIDStore::getAssociation ".
- "not implemented", E_USER_ERROR);
- }
-
- /**
- * This method removes the matching association if it's found, and
- * returns whether the association was removed or not.
- *
- * @param string $server_url The URL of the identity server the
- * association to remove belongs to. Because of the way the server
- * portion of the library uses this interface, don't assume there
- * are any limitations on the character set of the input
- * string. In particular, expect to see unescaped non-url-safe
- * characters in the server_url field.
- *
- * @param string $handle This is the handle of the association to
- * remove. If there isn't an association found that matches both
- * the given URL and handle, then there was no matching handle
- * found.
- *
- * @return mixed Returns whether or not the given association existed.
- */
- function removeAssociation($server_url, $handle)
- {
- trigger_error("Auth_OpenID_OpenIDStore::removeAssociation ".
- "not implemented", E_USER_ERROR);
- }
-
- /**
- * Called when using a nonce.
- *
- * This method should return C{True} if the nonce has not been
- * used before, and store it for a while to make sure nobody
- * tries to use the same value again. If the nonce has already
- * been used, return C{False}.
- *
- * Change: In earlier versions, round-trip nonces were used and a
- * nonce was only valid if it had been previously stored with
- * storeNonce. Version 2.0 uses one-way nonces, requiring a
- * different implementation here that does not depend on a
- * storeNonce call. (storeNonce is no longer part of the
- * interface.
- *
- * @param string $nonce The nonce to use.
- *
- * @return bool Whether or not the nonce was valid.
- */
- function useNonce($server_url, $timestamp, $salt)
- {
- trigger_error("Auth_OpenID_OpenIDStore::useNonce ".
- "not implemented", E_USER_ERROR);
- }
-
- /**
- * Removes all entries from the store; implementation is optional.
- */
- function reset()
- {
- }
-
-}
diff --git a/lib/Auth/OpenID/KVForm.php b/lib/Auth/OpenID/KVForm.php
deleted file mode 100644
index dd02661d882f953f17907ae4a8963f9f9b73ec88..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/KVForm.php
+++ /dev/null
@@ -1,111 +0,0 @@
-<?php
-
-/**
- * OpenID protocol key-value/comma-newline format parsing and
- * serialization
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @access private
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Container for key-value/comma-newline OpenID format and parsing
- */
-class Auth_OpenID_KVForm {
- /**
- * Convert an OpenID colon/newline separated string into an
- * associative array
- *
- * @static
- * @access private
- */
- static function toArray($kvs, $strict=false)
- {
- $lines = explode("\n", $kvs);
-
- $last = array_pop($lines);
- if ($last !== '') {
- array_push($lines, $last);
- if ($strict) {
- return false;
- }
- }
-
- $values = array();
-
- for ($lineno = 0; $lineno < count($lines); $lineno++) {
- $line = $lines[$lineno];
- $kv = explode(':', $line, 2);
- if (count($kv) != 2) {
- if ($strict) {
- return false;
- }
- continue;
- }
-
- $key = $kv[0];
- $tkey = trim($key);
- if ($tkey != $key) {
- if ($strict) {
- return false;
- }
- }
-
- $value = $kv[1];
- $tval = trim($value);
- if ($tval != $value) {
- if ($strict) {
- return false;
- }
- }
-
- $values[$tkey] = $tval;
- }
-
- return $values;
- }
-
- /**
- * Convert an array into an OpenID colon/newline separated string
- *
- * @static
- * @access private
- */
- static function fromArray($values)
- {
- if ($values === null) {
- return null;
- }
-
- ksort($values);
-
- $serialized = '';
- foreach ($values as $key => $value) {
- if (is_array($value)) {
- list($key, $value) = array($value[0], $value[1]);
- }
-
- if (strpos($key, ':') !== false) {
- return null;
- }
-
- if (strpos($key, "\n") !== false) {
- return null;
- }
-
- if (strpos($value, "\n") !== false) {
- return null;
- }
- $serialized .= "$key:$value\n";
- }
- return $serialized;
- }
-}
-
diff --git a/lib/Auth/OpenID/MDB2Store.php b/lib/Auth/OpenID/MDB2Store.php
deleted file mode 100644
index 80024badaf81762480a3c0d8960b02bb94737921..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/MDB2Store.php
+++ /dev/null
@@ -1,413 +0,0 @@
-<?php
-
-/**
- * SQL-backed OpenID stores for use with PEAR::MDB2.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005 Janrain, Inc.
- * @license http://www.gnu.org/copyleft/lesser.html LGPL
- */
-
-require_once 'MDB2.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/Interface.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/Nonce.php';
-
-/**
- * This store uses a PEAR::MDB2 connection to store persistence
- * information.
- *
- * The table names used are determined by the class variables
- * associations_table_name and nonces_table_name. To change the name
- * of the tables used, pass new table names into the constructor.
- *
- * To create the tables with the proper schema, see the createTables
- * method.
- *
- * @package OpenID
- */
-class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore {
- /**
- * This creates a new MDB2Store instance. It requires an
- * established database connection be given to it, and it allows
- * overriding the default table names.
- *
- * @param connection $connection This must be an established
- * connection to a database of the correct type for the SQLStore
- * subclass you're using. This must be a PEAR::MDB2 connection
- * handle.
- *
- * @param associations_table: This is an optional parameter to
- * specify the name of the table used for storing associations.
- * The default value is 'oid_associations'.
- *
- * @param nonces_table: This is an optional parameter to specify
- * the name of the table used for storing nonces. The default
- * value is 'oid_nonces'.
- */
- function Auth_OpenID_MDB2Store($connection,
- $associations_table = null,
- $nonces_table = null)
- {
- $this->associations_table_name = "oid_associations";
- $this->nonces_table_name = "oid_nonces";
-
- // Check the connection object type to be sure it's a PEAR
- // database connection.
- if (!is_object($connection) ||
- !is_subclass_of($connection, 'mdb2_driver_common')) {
- trigger_error("Auth_OpenID_MDB2Store expected PEAR connection " .
- "object (got ".get_class($connection).")",
- E_USER_ERROR);
- return;
- }
-
- $this->connection = $connection;
-
- // Be sure to set the fetch mode so the results are keyed on
- // column name instead of column index.
- $this->connection->setFetchMode(MDB2_FETCHMODE_ASSOC);
-
- if (PEAR::isError($this->connection->loadModule('Extended'))) {
- trigger_error("Unable to load MDB2_Extended module", E_USER_ERROR);
- return;
- }
-
- if ($associations_table) {
- $this->associations_table_name = $associations_table;
- }
-
- if ($nonces_table) {
- $this->nonces_table_name = $nonces_table;
- }
-
- $this->max_nonce_age = 6 * 60 * 60;
- }
-
- function tableExists($table_name)
- {
- return !PEAR::isError($this->connection->query(
- sprintf("SELECT * FROM %s LIMIT 0",
- $table_name)));
- }
-
- function createTables()
- {
- $n = $this->create_nonce_table();
- $a = $this->create_assoc_table();
-
- if (!$n || !$a) {
- return false;
- }
- return true;
- }
-
- function create_nonce_table()
- {
- if (!$this->tableExists($this->nonces_table_name)) {
- switch ($this->connection->phptype) {
- case "mysql":
- case "mysqli":
- // Custom SQL for MySQL to use InnoDB and variable-
- // length keys
- $r = $this->connection->exec(
- sprintf("CREATE TABLE %s (\n".
- " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n".
- " timestamp INTEGER NOT NULL,\n".
- " salt CHAR(40) NOT NULL,\n".
- " UNIQUE (server_url(255), timestamp, salt)\n".
- ") TYPE=InnoDB",
- $this->nonces_table_name));
- if (PEAR::isError($r)) {
- return false;
- }
- break;
- default:
- if (PEAR::isError(
- $this->connection->loadModule('Manager'))) {
- return false;
- }
- $fields = array(
- "server_url" => array(
- "type" => "text",
- "length" => 2047,
- "notnull" => true
- ),
- "timestamp" => array(
- "type" => "integer",
- "notnull" => true
- ),
- "salt" => array(
- "type" => "text",
- "length" => 40,
- "fixed" => true,
- "notnull" => true
- )
- );
- $constraint = array(
- "unique" => 1,
- "fields" => array(
- "server_url" => true,
- "timestamp" => true,
- "salt" => true
- )
- );
-
- $r = $this->connection->createTable($this->nonces_table_name,
- $fields);
- if (PEAR::isError($r)) {
- return false;
- }
-
- $r = $this->connection->createConstraint(
- $this->nonces_table_name,
- $this->nonces_table_name . "_constraint",
- $constraint);
- if (PEAR::isError($r)) {
- return false;
- }
- break;
- }
- }
- return true;
- }
-
- function create_assoc_table()
- {
- if (!$this->tableExists($this->associations_table_name)) {
- switch ($this->connection->phptype) {
- case "mysql":
- case "mysqli":
- // Custom SQL for MySQL to use InnoDB and variable-
- // length keys
- $r = $this->connection->exec(
- sprintf("CREATE TABLE %s(\n".
- " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n".
- " handle VARCHAR(255) NOT NULL,\n".
- " secret BLOB NOT NULL,\n".
- " issued INTEGER NOT NULL,\n".
- " lifetime INTEGER NOT NULL,\n".
- " assoc_type VARCHAR(64) NOT NULL,\n".
- " PRIMARY KEY (server_url(255), handle)\n".
- ") TYPE=InnoDB",
- $this->associations_table_name));
- if (PEAR::isError($r)) {
- return false;
- }
- break;
- default:
- if (PEAR::isError(
- $this->connection->loadModule('Manager'))) {
- return false;
- }
- $fields = array(
- "server_url" => array(
- "type" => "text",
- "length" => 2047,
- "notnull" => true
- ),
- "handle" => array(
- "type" => "text",
- "length" => 255,
- "notnull" => true
- ),
- "secret" => array(
- "type" => "blob",
- "length" => "255",
- "notnull" => true
- ),
- "issued" => array(
- "type" => "integer",
- "notnull" => true
- ),
- "lifetime" => array(
- "type" => "integer",
- "notnull" => true
- ),
- "assoc_type" => array(
- "type" => "text",
- "length" => 64,
- "notnull" => true
- )
- );
- $options = array(
- "primary" => array(
- "server_url" => true,
- "handle" => true
- )
- );
-
- $r = $this->connection->createTable(
- $this->associations_table_name,
- $fields,
- $options);
- if (PEAR::isError($r)) {
- return false;
- }
- break;
- }
- }
- return true;
- }
-
- function storeAssociation($server_url, $association)
- {
- $fields = array(
- "server_url" => array(
- "value" => $server_url,
- "key" => true
- ),
- "handle" => array(
- "value" => $association->handle,
- "key" => true
- ),
- "secret" => array(
- "value" => $association->secret,
- "type" => "blob"
- ),
- "issued" => array(
- "value" => $association->issued
- ),
- "lifetime" => array(
- "value" => $association->lifetime
- ),
- "assoc_type" => array(
- "value" => $association->assoc_type
- )
- );
-
- return !PEAR::isError($this->connection->replace(
- $this->associations_table_name,
- $fields));
- }
-
- function cleanupNonces()
- {
- global $Auth_OpenID_SKEW;
- $v = time() - $Auth_OpenID_SKEW;
-
- return $this->connection->exec(
- sprintf("DELETE FROM %s WHERE timestamp < %d",
- $this->nonces_table_name, $v));
- }
-
- function cleanupAssociations()
- {
- return $this->connection->exec(
- sprintf("DELETE FROM %s WHERE issued + lifetime < %d",
- $this->associations_table_name, time()));
- }
-
- function getAssociation($server_url, $handle = null)
- {
- $sql = "";
- $params = null;
- $types = array(
- "text",
- "blob",
- "integer",
- "integer",
- "text"
- );
- if ($handle !== null) {
- $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " .
- "FROM %s WHERE server_url = ? AND handle = ?",
- $this->associations_table_name);
- $params = array($server_url, $handle);
- } else {
- $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " .
- "FROM %s WHERE server_url = ? ORDER BY issued DESC",
- $this->associations_table_name);
- $params = array($server_url);
- }
-
- $assoc = $this->connection->getRow($sql, $types, $params);
-
- if (!$assoc || PEAR::isError($assoc)) {
- return null;
- } else {
- $association = new Auth_OpenID_Association($assoc['handle'],
- stream_get_contents(
- $assoc['secret']),
- $assoc['issued'],
- $assoc['lifetime'],
- $assoc['assoc_type']);
- fclose($assoc['secret']);
- return $association;
- }
- }
-
- function removeAssociation($server_url, $handle)
- {
- $r = $this->connection->execParam(
- sprintf("DELETE FROM %s WHERE server_url = ? AND handle = ?",
- $this->associations_table_name),
- array($server_url, $handle));
-
- if (PEAR::isError($r) || $r == 0) {
- return false;
- }
- return true;
- }
-
- function useNonce($server_url, $timestamp, $salt)
- {
- global $Auth_OpenID_SKEW;
-
- if (abs($timestamp - time()) > $Auth_OpenID_SKEW ) {
- return false;
- }
-
- $fields = array(
- "timestamp" => $timestamp,
- "salt" => $salt
- );
-
- if (!empty($server_url)) {
- $fields["server_url"] = $server_url;
- }
-
- $r = $this->connection->autoExecute(
- $this->nonces_table_name,
- $fields,
- MDB2_AUTOQUERY_INSERT);
-
- if (PEAR::isError($r)) {
- return false;
- }
- return true;
- }
-
- /**
- * Resets the store by removing all records from the store's
- * tables.
- */
- function reset()
- {
- $this->connection->query(sprintf("DELETE FROM %s",
- $this->associations_table_name));
-
- $this->connection->query(sprintf("DELETE FROM %s",
- $this->nonces_table_name));
- }
-
-}
-
-?>
diff --git a/lib/Auth/OpenID/MemcachedStore.php b/lib/Auth/OpenID/MemcachedStore.php
deleted file mode 100644
index fc10800b1c0f28f6af937c58e0b28cdd6b3003e8..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/MemcachedStore.php
+++ /dev/null
@@ -1,207 +0,0 @@
-<?php
-
-/**
- * This file supplies a memcached store backend for OpenID servers and
- * consumers.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author Artemy Tregubenko <me@arty.name>
- * @copyright 2008 JanRain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- * Contributed by Open Web Technologies <http://openwebtech.ru/>
- */
-
-/**
- * Import the interface for creating a new store class.
- */
-require_once 'Auth/OpenID/Interface.php';
-
-/**
- * This is a memcached-based store for OpenID associations and
- * nonces.
- *
- * As memcache has limit of 250 chars for key length,
- * server_url, handle and salt are hashed with sha1().
- *
- * Most of the methods of this class are implementation details.
- * People wishing to just use this store need only pay attention to
- * the constructor.
- *
- * @package OpenID
- */
-class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore {
-
- /**
- * Initializes a new {@link Auth_OpenID_MemcachedStore} instance.
- * Just saves memcached object as property.
- *
- * @param resource connection Memcache connection resourse
- */
- function Auth_OpenID_MemcachedStore($connection, $compress = false)
- {
- $this->connection = $connection;
- $this->compress = $compress ? MEMCACHE_COMPRESSED : 0;
- }
-
- /**
- * Store association until its expiration time in memcached.
- * Overwrites any existing association with same server_url and
- * handle. Handles list of associations for every server.
- */
- function storeAssociation($server_url, $association)
- {
- // create memcached keys for association itself
- // and list of associations for this server
- $associationKey = $this->associationKey($server_url,
- $association->handle);
- $serverKey = $this->associationServerKey($server_url);
-
- // get list of associations
- $serverAssociations = $this->connection->get($serverKey);
-
- // if no such list, initialize it with empty array
- if (!$serverAssociations) {
- $serverAssociations = array();
- }
- // and store given association key in it
- $serverAssociations[$association->issued] = $associationKey;
-
- // save associations' keys list
- $this->connection->set(
- $serverKey,
- $serverAssociations,
- $this->compress
- );
- // save association itself
- $this->connection->set(
- $associationKey,
- $association,
- $this->compress,
- $association->issued + $association->lifetime);
- }
-
- /**
- * Read association from memcached. If no handle given
- * and multiple associations found, returns latest issued
- */
- function getAssociation($server_url, $handle = null)
- {
- // simple case: handle given
- if ($handle !== null) {
- // get association, return null if failed
- $association = $this->connection->get(
- $this->associationKey($server_url, $handle));
- return $association ? $association : null;
- }
-
- // no handle given, working with list
- // create key for list of associations
- $serverKey = $this->associationServerKey($server_url);
-
- // get list of associations
- $serverAssociations = $this->connection->get($serverKey);
- // return null if failed or got empty list
- if (!$serverAssociations) {
- return null;
- }
-
- // get key of most recently issued association
- $keys = array_keys($serverAssociations);
- sort($keys);
- $lastKey = $serverAssociations[array_pop($keys)];
-
- // get association, return null if failed
- $association = $this->connection->get($lastKey);
- return $association ? $association : null;
- }
-
- /**
- * Immediately delete association from memcache.
- */
- function removeAssociation($server_url, $handle)
- {
- // create memcached keys for association itself
- // and list of associations for this server
- $serverKey = $this->associationServerKey($server_url);
- $associationKey = $this->associationKey($server_url,
- $handle);
-
- // get list of associations
- $serverAssociations = $this->connection->get($serverKey);
- // return null if failed or got empty list
- if (!$serverAssociations) {
- return false;
- }
-
- // ensure that given association key exists in list
- $serverAssociations = array_flip($serverAssociations);
- if (!array_key_exists($associationKey, $serverAssociations)) {
- return false;
- }
-
- // remove given association key from list
- unset($serverAssociations[$associationKey]);
- $serverAssociations = array_flip($serverAssociations);
-
- // save updated list
- $this->connection->set(
- $serverKey,
- $serverAssociations,
- $this->compress
- );
-
- // delete association
- return $this->connection->delete($associationKey);
- }
-
- /**
- * Create nonce for server and salt, expiring after
- * $Auth_OpenID_SKEW seconds.
- */
- function useNonce($server_url, $timestamp, $salt)
- {
- global $Auth_OpenID_SKEW;
-
- // save one request to memcache when nonce obviously expired
- if (abs($timestamp - time()) > $Auth_OpenID_SKEW) {
- return false;
- }
-
- // returns false when nonce already exists
- // otherwise adds nonce
- return $this->connection->add(
- 'openid_nonce_' . sha1($server_url) . '_' . sha1($salt),
- 1, // any value here
- $this->compress,
- $Auth_OpenID_SKEW);
- }
-
- /**
- * Memcache key is prefixed with 'openid_association_' string.
- */
- function associationKey($server_url, $handle = null)
- {
- return 'openid_association_' . sha1($server_url) . '_' . sha1($handle);
- }
-
- /**
- * Memcache key is prefixed with 'openid_association_' string.
- */
- function associationServerKey($server_url)
- {
- return 'openid_association_server_' . sha1($server_url);
- }
-
- /**
- * Report that this storage doesn't support cleanup
- */
- function supportsCleanup()
- {
- return false;
- }
-}
-
diff --git a/lib/Auth/OpenID/Message.php b/lib/Auth/OpenID/Message.php
deleted file mode 100644
index 9aa1fa4684ad71c1ed83602a413cb9b7e8ece43d..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Message.php
+++ /dev/null
@@ -1,920 +0,0 @@
-<?php
-
-/**
- * Extension argument processing code
- *
- * @package OpenID
- */
-
-/**
- * Import tools needed to deal with messages.
- */
-require_once 'Auth/OpenID.php';
-require_once 'Auth/OpenID/KVForm.php';
-require_once 'Auth/Yadis/XML.php';
-require_once 'Auth/OpenID/Consumer.php'; // For Auth_OpenID_FailureResponse
-
-// This doesn't REALLY belong here, but where is better?
-define('Auth_OpenID_IDENTIFIER_SELECT',
- "http://specs.openid.net/auth/2.0/identifier_select");
-
-// URI for Simple Registration extension, the only commonly deployed
-// OpenID 1.x extension, and so a special case
-define('Auth_OpenID_SREG_URI', 'http://openid.net/sreg/1.0');
-
-// The OpenID 1.X namespace URI
-define('Auth_OpenID_OPENID1_NS', 'http://openid.net/signon/1.0');
-define('Auth_OpenID_THE_OTHER_OPENID1_NS', 'http://openid.net/signon/1.1');
-
-function Auth_OpenID_isOpenID1($ns)
-{
- return ($ns == Auth_OpenID_THE_OTHER_OPENID1_NS) ||
- ($ns == Auth_OpenID_OPENID1_NS);
-}
-
-// The OpenID 2.0 namespace URI
-define('Auth_OpenID_OPENID2_NS', 'http://specs.openid.net/auth/2.0');
-
-// The namespace consisting of pairs with keys that are prefixed with
-// "openid." but not in another namespace.
-define('Auth_OpenID_NULL_NAMESPACE', 'Null namespace');
-
-// The null namespace, when it is an allowed OpenID namespace
-define('Auth_OpenID_OPENID_NS', 'OpenID namespace');
-
-// The top-level namespace, excluding all pairs with keys that start
-// with "openid."
-define('Auth_OpenID_BARE_NS', 'Bare namespace');
-
-// Sentinel for Message implementation to indicate that getArg should
-// return null instead of returning a default.
-define('Auth_OpenID_NO_DEFAULT', 'NO DEFAULT ALLOWED');
-
-// Limit, in bytes, of identity provider and return_to URLs, including
-// response payload. See OpenID 1.1 specification, Appendix D.
-define('Auth_OpenID_OPENID1_URL_LIMIT', 2047);
-
-// All OpenID protocol fields. Used to check namespace aliases.
-global $Auth_OpenID_OPENID_PROTOCOL_FIELDS;
-$Auth_OpenID_OPENID_PROTOCOL_FIELDS = array(
- 'ns', 'mode', 'error', 'return_to', 'contact', 'reference',
- 'signed', 'assoc_type', 'session_type', 'dh_modulus', 'dh_gen',
- 'dh_consumer_public', 'claimed_id', 'identity', 'realm',
- 'invalidate_handle', 'op_endpoint', 'response_nonce', 'sig',
- 'assoc_handle', 'trust_root', 'openid');
-
-// Global namespace / alias registration map. See
-// Auth_OpenID_registerNamespaceAlias.
-global $Auth_OpenID_registered_aliases;
-$Auth_OpenID_registered_aliases = array();
-
-/**
- * Registers a (namespace URI, alias) mapping in a global namespace
- * alias map. Raises NamespaceAliasRegistrationError if either the
- * namespace URI or alias has already been registered with a different
- * value. This function is required if you want to use a namespace
- * with an OpenID 1 message.
- */
-function Auth_OpenID_registerNamespaceAlias($namespace_uri, $alias)
-{
- global $Auth_OpenID_registered_aliases;
-
- if (Auth_OpenID::arrayGet($Auth_OpenID_registered_aliases,
- $alias) == $namespace_uri) {
- return true;
- }
-
- if (in_array($namespace_uri,
- array_values($Auth_OpenID_registered_aliases))) {
- return false;
- }
-
- if (in_array($alias, array_keys($Auth_OpenID_registered_aliases))) {
- return false;
- }
-
- $Auth_OpenID_registered_aliases[$alias] = $namespace_uri;
- return true;
-}
-
-/**
- * Removes a (namespace_uri, alias) registration from the global
- * namespace alias map. Returns true if the removal succeeded; false
- * if not (if the mapping did not exist).
- */
-function Auth_OpenID_removeNamespaceAlias($namespace_uri, $alias)
-{
- global $Auth_OpenID_registered_aliases;
-
- if (Auth_OpenID::arrayGet($Auth_OpenID_registered_aliases,
- $alias) === $namespace_uri) {
- unset($Auth_OpenID_registered_aliases[$alias]);
- return true;
- }
-
- return false;
-}
-
-/**
- * An Auth_OpenID_Mapping maintains a mapping from arbitrary keys to
- * arbitrary values. (This is unlike an ordinary PHP array, whose
- * keys may be only simple scalars.)
- *
- * @package OpenID
- */
-class Auth_OpenID_Mapping {
- /**
- * Initialize a mapping. If $classic_array is specified, its keys
- * and values are used to populate the mapping.
- */
- function Auth_OpenID_Mapping($classic_array = null)
- {
- $this->keys = array();
- $this->values = array();
-
- if (is_array($classic_array)) {
- foreach ($classic_array as $key => $value) {
- $this->set($key, $value);
- }
- }
- }
-
- /**
- * Returns true if $thing is an Auth_OpenID_Mapping object; false
- * if not.
- */
- static function isA($thing)
- {
- return (is_object($thing) &&
- strtolower(get_class($thing)) == 'auth_openid_mapping');
- }
-
- /**
- * Returns an array of the keys in the mapping.
- */
- function keys()
- {
- return $this->keys;
- }
-
- /**
- * Returns an array of values in the mapping.
- */
- function values()
- {
- return $this->values;
- }
-
- /**
- * Returns an array of (key, value) pairs in the mapping.
- */
- function items()
- {
- $temp = array();
-
- for ($i = 0; $i < count($this->keys); $i++) {
- $temp[] = array($this->keys[$i],
- $this->values[$i]);
- }
- return $temp;
- }
-
- /**
- * Returns the "length" of the mapping, or the number of keys.
- */
- function len()
- {
- return count($this->keys);
- }
-
- /**
- * Sets a key-value pair in the mapping. If the key already
- * exists, its value is replaced with the new value.
- */
- function set($key, $value)
- {
- $index = array_search($key, $this->keys);
-
- if ($index !== false) {
- $this->values[$index] = $value;
- } else {
- $this->keys[] = $key;
- $this->values[] = $value;
- }
- }
-
- /**
- * Gets a specified value from the mapping, associated with the
- * specified key. If the key does not exist in the mapping,
- * $default is returned instead.
- */
- function get($key, $default = null)
- {
- $index = array_search($key, $this->keys);
-
- if ($index !== false) {
- return $this->values[$index];
- } else {
- return $default;
- }
- }
-
- /**
- * @access private
- */
- function _reflow()
- {
- // PHP is broken yet again. Sort the arrays to remove the
- // hole in the numeric indexes that make up the array.
- $old_keys = $this->keys;
- $old_values = $this->values;
-
- $this->keys = array();
- $this->values = array();
-
- foreach ($old_keys as $k) {
- $this->keys[] = $k;
- }
-
- foreach ($old_values as $v) {
- $this->values[] = $v;
- }
- }
-
- /**
- * Deletes a key-value pair from the mapping with the specified
- * key.
- */
- function del($key)
- {
- $index = array_search($key, $this->keys);
-
- if ($index !== false) {
- unset($this->keys[$index]);
- unset($this->values[$index]);
- $this->_reflow();
- return true;
- }
- return false;
- }
-
- /**
- * Returns true if the specified value has a key in the mapping;
- * false if not.
- */
- function contains($value)
- {
- return (array_search($value, $this->keys) !== false);
- }
-}
-
-/**
- * Maintains a bijective map between namespace uris and aliases.
- *
- * @package OpenID
- */
-class Auth_OpenID_NamespaceMap {
- function Auth_OpenID_NamespaceMap()
- {
- $this->alias_to_namespace = new Auth_OpenID_Mapping();
- $this->namespace_to_alias = new Auth_OpenID_Mapping();
- $this->implicit_namespaces = array();
- }
-
- function getAlias($namespace_uri)
- {
- return $this->namespace_to_alias->get($namespace_uri);
- }
-
- function getNamespaceURI($alias)
- {
- return $this->alias_to_namespace->get($alias);
- }
-
- function iterNamespaceURIs()
- {
- // Return an iterator over the namespace URIs
- return $this->namespace_to_alias->keys();
- }
-
- function iterAliases()
- {
- // Return an iterator over the aliases"""
- return $this->alias_to_namespace->keys();
- }
-
- function iteritems()
- {
- return $this->namespace_to_alias->items();
- }
-
- function isImplicit($namespace_uri)
- {
- return in_array($namespace_uri, $this->implicit_namespaces);
- }
-
- function addAlias($namespace_uri, $desired_alias, $implicit=false)
- {
- // Add an alias from this namespace URI to the desired alias
- global $Auth_OpenID_OPENID_PROTOCOL_FIELDS;
-
- // Check that desired_alias is not an openid protocol field as
- // per the spec.
- if (in_array($desired_alias, $Auth_OpenID_OPENID_PROTOCOL_FIELDS)) {
- Auth_OpenID::log("\"%s\" is not an allowed namespace alias",
- $desired_alias);
- return null;
- }
-
- // Check that desired_alias does not contain a period as per
- // the spec.
- if (strpos($desired_alias, '.') !== false) {
- Auth_OpenID::log('"%s" must not contain a dot', $desired_alias);
- return null;
- }
-
- // Check that there is not a namespace already defined for the
- // desired alias
- $current_namespace_uri =
- $this->alias_to_namespace->get($desired_alias);
-
- if (($current_namespace_uri !== null) &&
- ($current_namespace_uri != $namespace_uri)) {
- Auth_OpenID::log('Cannot map "%s" because previous mapping exists',
- $namespace_uri);
- return null;
- }
-
- // Check that there is not already a (different) alias for
- // this namespace URI
- $alias = $this->namespace_to_alias->get($namespace_uri);
-
- if (($alias !== null) && ($alias != $desired_alias)) {
- Auth_OpenID::log('Cannot map %s to alias %s. ' .
- 'It is already mapped to alias %s',
- $namespace_uri, $desired_alias, $alias);
- return null;
- }
-
- assert((Auth_OpenID_NULL_NAMESPACE === $desired_alias) ||
- is_string($desired_alias));
-
- $this->alias_to_namespace->set($desired_alias, $namespace_uri);
- $this->namespace_to_alias->set($namespace_uri, $desired_alias);
- if ($implicit) {
- array_push($this->implicit_namespaces, $namespace_uri);
- }
-
- return $desired_alias;
- }
-
- function add($namespace_uri)
- {
- // Add this namespace URI to the mapping, without caring what
- // alias it ends up with
-
- // See if this namespace is already mapped to an alias
- $alias = $this->namespace_to_alias->get($namespace_uri);
-
- if ($alias !== null) {
- return $alias;
- }
-
- // Fall back to generating a numerical alias
- $i = 0;
- while (1) {
- $alias = 'ext' . strval($i);
- if ($this->addAlias($namespace_uri, $alias) === null) {
- $i += 1;
- } else {
- return $alias;
- }
- }
-
- // Should NEVER be reached!
- return null;
- }
-
- function contains($namespace_uri)
- {
- return $this->isDefined($namespace_uri);
- }
-
- function isDefined($namespace_uri)
- {
- return $this->namespace_to_alias->contains($namespace_uri);
- }
-}
-
-/**
- * In the implementation of this object, null represents the global
- * namespace as well as a namespace with no key.
- *
- * @package OpenID
- */
-class Auth_OpenID_Message {
-
- function Auth_OpenID_Message($openid_namespace = null)
- {
- // Create an empty Message
- $this->allowed_openid_namespaces = array(
- Auth_OpenID_OPENID1_NS,
- Auth_OpenID_THE_OTHER_OPENID1_NS,
- Auth_OpenID_OPENID2_NS);
-
- $this->args = new Auth_OpenID_Mapping();
- $this->namespaces = new Auth_OpenID_NamespaceMap();
- if ($openid_namespace === null) {
- $this->_openid_ns_uri = null;
- } else {
- $implicit = Auth_OpenID_isOpenID1($openid_namespace);
- $this->setOpenIDNamespace($openid_namespace, $implicit);
- }
- }
-
- function isOpenID1()
- {
- return Auth_OpenID_isOpenID1($this->getOpenIDNamespace());
- }
-
- function isOpenID2()
- {
- return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS;
- }
-
- static function fromPostArgs($args)
- {
- // Construct a Message containing a set of POST arguments
- $obj = new Auth_OpenID_Message();
-
- // Partition into "openid." args and bare args
- $openid_args = array();
- foreach ($args as $key => $value) {
-
- if (is_array($value)) {
- return null;
- }
-
- $parts = explode('.', $key, 2);
-
- if (count($parts) == 2) {
- list($prefix, $rest) = $parts;
- } else {
- $prefix = null;
- }
-
- if ($prefix != 'openid') {
- $obj->args->set(array(Auth_OpenID_BARE_NS, $key), $value);
- } else {
- $openid_args[$rest] = $value;
- }
- }
-
- if ($obj->_fromOpenIDArgs($openid_args)) {
- return $obj;
- } else {
- return null;
- }
- }
-
- static function fromOpenIDArgs($openid_args)
- {
- // Takes an array.
-
- // Construct a Message from a parsed KVForm message
- $obj = new Auth_OpenID_Message();
- if ($obj->_fromOpenIDArgs($openid_args)) {
- return $obj;
- } else {
- return null;
- }
- }
-
- /**
- * @access private
- */
- function _fromOpenIDArgs($openid_args)
- {
- global $Auth_OpenID_registered_aliases;
-
- // Takes an Auth_OpenID_Mapping instance OR an array.
-
- if (!Auth_OpenID_Mapping::isA($openid_args)) {
- $openid_args = new Auth_OpenID_Mapping($openid_args);
- }
-
- $ns_args = array();
-
- // Resolve namespaces
- foreach ($openid_args->items() as $pair) {
- list($rest, $value) = $pair;
-
- $parts = explode('.', $rest, 2);
-
- if (count($parts) == 2) {
- list($ns_alias, $ns_key) = $parts;
- } else {
- $ns_alias = Auth_OpenID_NULL_NAMESPACE;
- $ns_key = $rest;
- }
-
- if ($ns_alias == 'ns') {
- if ($this->namespaces->addAlias($value, $ns_key) === null) {
- return false;
- }
- } else if (($ns_alias == Auth_OpenID_NULL_NAMESPACE) &&
- ($ns_key == 'ns')) {
- // null namespace
- if ($this->setOpenIDNamespace($value, false) === false) {
- return false;
- }
- } else {
- $ns_args[] = array($ns_alias, $ns_key, $value);
- }
- }
-
- if (!$this->getOpenIDNamespace()) {
- if ($this->setOpenIDNamespace(Auth_OpenID_OPENID1_NS, true) ===
- false) {
- return false;
- }
- }
-
- // Actually put the pairs into the appropriate namespaces
- foreach ($ns_args as $triple) {
- list($ns_alias, $ns_key, $value) = $triple;
- $ns_uri = $this->namespaces->getNamespaceURI($ns_alias);
- if ($ns_uri === null) {
- $ns_uri = $this->_getDefaultNamespace($ns_alias);
- if ($ns_uri === null) {
-
- $ns_uri = Auth_OpenID_OPENID_NS;
- $ns_key = sprintf('%s.%s', $ns_alias, $ns_key);
- } else {
- $this->namespaces->addAlias($ns_uri, $ns_alias, true);
- }
- }
-
- $this->setArg($ns_uri, $ns_key, $value);
- }
-
- return true;
- }
-
- function _getDefaultNamespace($mystery_alias)
- {
- global $Auth_OpenID_registered_aliases;
- if ($this->isOpenID1()) {
- return @$Auth_OpenID_registered_aliases[$mystery_alias];
- }
- return null;
- }
-
- function setOpenIDNamespace($openid_ns_uri, $implicit)
- {
- if (!in_array($openid_ns_uri, $this->allowed_openid_namespaces)) {
- Auth_OpenID::log('Invalid null namespace: "%s"', $openid_ns_uri);
- return false;
- }
-
- $succeeded = $this->namespaces->addAlias($openid_ns_uri,
- Auth_OpenID_NULL_NAMESPACE,
- $implicit);
- if ($succeeded === false) {
- return false;
- }
-
- $this->_openid_ns_uri = $openid_ns_uri;
-
- return true;
- }
-
- function getOpenIDNamespace()
- {
- return $this->_openid_ns_uri;
- }
-
- static function fromKVForm($kvform_string)
- {
- // Create a Message from a KVForm string
- return Auth_OpenID_Message::fromOpenIDArgs(
- Auth_OpenID_KVForm::toArray($kvform_string));
- }
-
- function copy()
- {
- return $this;
- }
-
- function toPostArgs()
- {
- // Return all arguments with openid. in front of namespaced
- // arguments.
-
- $args = array();
-
- // Add namespace definitions to the output
- foreach ($this->namespaces->iteritems() as $pair) {
- list($ns_uri, $alias) = $pair;
- if ($this->namespaces->isImplicit($ns_uri)) {
- continue;
- }
- if ($alias == Auth_OpenID_NULL_NAMESPACE) {
- $ns_key = 'openid.ns';
- } else {
- $ns_key = 'openid.ns.' . $alias;
- }
- $args[$ns_key] = $ns_uri;
- }
-
- foreach ($this->args->items() as $pair) {
- list($ns_parts, $value) = $pair;
- list($ns_uri, $ns_key) = $ns_parts;
- $key = $this->getKey($ns_uri, $ns_key);
- $args[$key] = $value;
- }
-
- return $args;
- }
-
- function toArgs()
- {
- // Return all namespaced arguments, failing if any
- // non-namespaced arguments exist.
- $post_args = $this->toPostArgs();
- $kvargs = array();
- foreach ($post_args as $k => $v) {
- if (strpos($k, 'openid.') !== 0) {
- // raise ValueError(
- // 'This message can only be encoded as a POST, because it '
- // 'contains arguments that are not prefixed with "openid."')
- return null;
- } else {
- $kvargs[substr($k, 7)] = $v;
- }
- }
-
- return $kvargs;
- }
-
- function toFormMarkup($action_url, $form_tag_attrs = null,
- $submit_text = "Continue")
- {
- $form = "<form accept-charset=\"UTF-8\" ".
- "enctype=\"application/x-www-form-urlencoded\"";
-
- if (!$form_tag_attrs) {
- $form_tag_attrs = array();
- }
-
- $form_tag_attrs['action'] = $action_url;
- $form_tag_attrs['method'] = 'post';
-
- unset($form_tag_attrs['enctype']);
- unset($form_tag_attrs['accept-charset']);
-
- if ($form_tag_attrs) {
- foreach ($form_tag_attrs as $name => $attr) {
- $form .= sprintf(" %s=\"%s\"", $name, $attr);
- }
- }
-
- $form .= ">\n";
-
- foreach ($this->toPostArgs() as $name => $value) {
- $form .= sprintf(
- "<input type=\"hidden\" name=\"%s\" value=\"%s\" />\n",
- $name, $value);
- }
-
- $form .= sprintf("<input type=\"submit\" value=\"%s\" />\n",
- $submit_text);
-
- $form .= "</form>\n";
-
- return $form;
- }
-
- function toURL($base_url)
- {
- // Generate a GET URL with the parameters in this message
- // attached as query parameters.
- return Auth_OpenID::appendArgs($base_url, $this->toPostArgs());
- }
-
- function toKVForm()
- {
- // Generate a KVForm string that contains the parameters in
- // this message. This will fail if the message contains
- // arguments outside of the 'openid.' prefix.
- return Auth_OpenID_KVForm::fromArray($this->toArgs());
- }
-
- function toURLEncoded()
- {
- // Generate an x-www-urlencoded string
- $args = array();
-
- foreach ($this->toPostArgs() as $k => $v) {
- $args[] = array($k, $v);
- }
-
- sort($args);
- return Auth_OpenID::httpBuildQuery($args);
- }
-
- /**
- * @access private
- */
- function _fixNS($namespace)
- {
- // Convert an input value into the internally used values of
- // this object
-
- if ($namespace == Auth_OpenID_OPENID_NS) {
- if ($this->_openid_ns_uri === null) {
- return new Auth_OpenID_FailureResponse(null,
- 'OpenID namespace not set');
- } else {
- $namespace = $this->_openid_ns_uri;
- }
- }
-
- if (($namespace != Auth_OpenID_BARE_NS) &&
- (!is_string($namespace))) {
- //TypeError
- $err_msg = sprintf("Namespace must be Auth_OpenID_BARE_NS, ".
- "Auth_OpenID_OPENID_NS or a string. got %s",
- print_r($namespace, true));
- return new Auth_OpenID_FailureResponse(null, $err_msg);
- }
-
- if (($namespace != Auth_OpenID_BARE_NS) &&
- (strpos($namespace, ':') === false)) {
- // fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r'
- // warnings.warn(fmt % (namespace,), DeprecationWarning)
-
- if ($namespace == 'sreg') {
- // fmt = 'Using %r instead of "sreg" as namespace'
- // warnings.warn(fmt % (SREG_URI,), DeprecationWarning,)
- return Auth_OpenID_SREG_URI;
- }
- }
-
- return $namespace;
- }
-
- function hasKey($namespace, $ns_key)
- {
- $namespace = $this->_fixNS($namespace);
- if (Auth_OpenID::isFailure($namespace)) {
- // XXX log me
- return false;
- } else {
- return $this->args->contains(array($namespace, $ns_key));
- }
- }
-
- function getKey($namespace, $ns_key)
- {
- // Get the key for a particular namespaced argument
- $namespace = $this->_fixNS($namespace);
- if (Auth_OpenID::isFailure($namespace)) {
- return $namespace;
- }
- if ($namespace == Auth_OpenID_BARE_NS) {
- return $ns_key;
- }
-
- $ns_alias = $this->namespaces->getAlias($namespace);
-
- // No alias is defined, so no key can exist
- if ($ns_alias === null) {
- return null;
- }
-
- if ($ns_alias == Auth_OpenID_NULL_NAMESPACE) {
- $tail = $ns_key;
- } else {
- $tail = sprintf('%s.%s', $ns_alias, $ns_key);
- }
-
- return 'openid.' . $tail;
- }
-
- function getArg($namespace, $key, $default = null)
- {
- // Get a value for a namespaced key.
- $namespace = $this->_fixNS($namespace);
-
- if (Auth_OpenID::isFailure($namespace)) {
- return $namespace;
- } else {
- if ((!$this->args->contains(array($namespace, $key))) &&
- ($default == Auth_OpenID_NO_DEFAULT)) {
- $err_msg = sprintf("Namespace %s missing required field %s",
- $namespace, $key);
- return new Auth_OpenID_FailureResponse(null, $err_msg);
- } else {
- return $this->args->get(array($namespace, $key), $default);
- }
- }
- }
-
- function getArgs($namespace)
- {
- // Get the arguments that are defined for this namespace URI
-
- $namespace = $this->_fixNS($namespace);
- if (Auth_OpenID::isFailure($namespace)) {
- return $namespace;
- } else {
- $stuff = array();
- foreach ($this->args->items() as $pair) {
- list($key, $value) = $pair;
- list($pair_ns, $ns_key) = $key;
- if ($pair_ns == $namespace) {
- $stuff[$ns_key] = $value;
- }
- }
-
- return $stuff;
- }
- }
-
- function updateArgs($namespace, $updates)
- {
- // Set multiple key/value pairs in one call
-
- $namespace = $this->_fixNS($namespace);
-
- if (Auth_OpenID::isFailure($namespace)) {
- return $namespace;
- } else {
- foreach ($updates as $k => $v) {
- $this->setArg($namespace, $k, $v);
- }
- return true;
- }
- }
-
- function setArg($namespace, $key, $value)
- {
- // Set a single argument in this namespace
- $namespace = $this->_fixNS($namespace);
-
- if (Auth_OpenID::isFailure($namespace)) {
- return $namespace;
- } else {
- $this->args->set(array($namespace, $key), $value);
- if ($namespace !== Auth_OpenID_BARE_NS) {
- $this->namespaces->add($namespace);
- }
- return true;
- }
- }
-
- function delArg($namespace, $key)
- {
- $namespace = $this->_fixNS($namespace);
-
- if (Auth_OpenID::isFailure($namespace)) {
- return $namespace;
- } else {
- return $this->args->del(array($namespace, $key));
- }
- }
-
- function getAliasedArg($aliased_key, $default = null)
- {
- if ($aliased_key == 'ns') {
- // Return the namespace URI for the OpenID namespace
- return $this->getOpenIDNamespace();
- }
-
- $parts = explode('.', $aliased_key, 2);
-
- if (count($parts) != 2) {
- $ns = null;
- } else {
- list($alias, $key) = $parts;
-
- if ($alias == 'ns') {
- // Return the namespace URI for a namespace alias
- // parameter.
- return $this->namespaces->getNamespaceURI($key);
- } else {
- $ns = $this->namespaces->getNamespaceURI($alias);
- }
- }
-
- if ($ns === null) {
- $key = $aliased_key;
- $ns = $this->getOpenIDNamespace();
- }
-
- return $this->getArg($ns, $key, $default);
- }
-}
-
-
diff --git a/lib/Auth/OpenID/MySQLStore.php b/lib/Auth/OpenID/MySQLStore.php
deleted file mode 100644
index a5299b3a5cdce35f9265f7b8109044ad265cd454..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/MySQLStore.php
+++ /dev/null
@@ -1,77 +0,0 @@
-<?php
-
-/**
- * A MySQL store.
- *
- * @package OpenID
- */
-
-/**
- * Require the base class file.
- */
-require_once "Auth/OpenID/SQLStore.php";
-
-/**
- * An SQL store that uses MySQL as its backend.
- *
- * @package OpenID
- */
-class Auth_OpenID_MySQLStore extends Auth_OpenID_SQLStore {
- /**
- * @access private
- */
- function setSQL()
- {
- $this->sql['nonce_table'] =
- "CREATE TABLE %s (\n".
- " server_url VARCHAR(2047) NOT NULL,\n".
- " timestamp INTEGER NOT NULL,\n".
- " salt CHAR(40) NOT NULL,\n".
- " UNIQUE (server_url(255), timestamp, salt)\n".
- ") ENGINE=InnoDB";
-
- $this->sql['assoc_table'] =
- "CREATE TABLE %s (\n".
- " server_url VARCHAR(2047) NOT NULL,\n".
- " handle VARCHAR(255) NOT NULL,\n".
- " secret BLOB NOT NULL,\n".
- " issued INTEGER NOT NULL,\n".
- " lifetime INTEGER NOT NULL,\n".
- " assoc_type VARCHAR(64) NOT NULL,\n".
- " PRIMARY KEY (server_url(255), handle)\n".
- ") ENGINE=InnoDB";
-
- $this->sql['set_assoc'] =
- "REPLACE INTO %s (server_url, handle, secret, issued,\n".
- " lifetime, assoc_type) VALUES (?, ?, !, ?, ?, ?)";
-
- $this->sql['get_assocs'] =
- "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ".
- "WHERE server_url = ?";
-
- $this->sql['get_assoc'] =
- "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ".
- "WHERE server_url = ? AND handle = ?";
-
- $this->sql['remove_assoc'] =
- "DELETE FROM %s WHERE server_url = ? AND handle = ?";
-
- $this->sql['add_nonce'] =
- "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)";
-
- $this->sql['clean_nonce'] =
- "DELETE FROM %s WHERE timestamp < ?";
-
- $this->sql['clean_assoc'] =
- "DELETE FROM %s WHERE issued + lifetime < ?";
- }
-
- /**
- * @access private
- */
- function blobEncode($blob)
- {
- return "0x" . bin2hex($blob);
- }
-}
-
diff --git a/lib/Auth/OpenID/Nonce.php b/lib/Auth/OpenID/Nonce.php
deleted file mode 100644
index b83c5911f80386aff14f5737f1b9085cac2d7bd9..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Nonce.php
+++ /dev/null
@@ -1,108 +0,0 @@
-<?php
-
-/**
- * Nonce-related functionality.
- *
- * @package OpenID
- */
-
-/**
- * Need CryptUtil to generate random strings.
- */
-require_once 'Auth/OpenID/CryptUtil.php';
-
-/**
- * This is the characters that the nonces are made from.
- */
-define('Auth_OpenID_Nonce_CHRS',"abcdefghijklmnopqrstuvwxyz" .
- "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789");
-
-// Keep nonces for five hours (allow five hours for the combination of
-// request time and clock skew). This is probably way more than is
-// necessary, but there is not much overhead in storing nonces.
-global $Auth_OpenID_SKEW;
-$Auth_OpenID_SKEW = 60 * 60 * 5;
-
-define('Auth_OpenID_Nonce_REGEX',
- '/(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)Z(.*)/');
-
-define('Auth_OpenID_Nonce_TIME_FMT',
- '%Y-%m-%dT%H:%M:%SZ');
-
-function Auth_OpenID_splitNonce($nonce_string)
-{
- // Extract a timestamp from the given nonce string
- $result = preg_match(Auth_OpenID_Nonce_REGEX, $nonce_string, $matches);
- if ($result != 1 || count($matches) != 8) {
- return null;
- }
-
- list($unused,
- $tm_year,
- $tm_mon,
- $tm_mday,
- $tm_hour,
- $tm_min,
- $tm_sec,
- $uniquifier) = $matches;
-
- $timestamp =
- @gmmktime($tm_hour, $tm_min, $tm_sec, $tm_mon, $tm_mday, $tm_year);
-
- if ($timestamp === false || $timestamp < 0) {
- return null;
- }
-
- return array($timestamp, $uniquifier);
-}
-
-function Auth_OpenID_checkTimestamp($nonce_string,
- $allowed_skew = null,
- $now = null)
-{
- // Is the timestamp that is part of the specified nonce string
- // within the allowed clock-skew of the current time?
- global $Auth_OpenID_SKEW;
-
- if ($allowed_skew === null) {
- $allowed_skew = $Auth_OpenID_SKEW;
- }
-
- $parts = Auth_OpenID_splitNonce($nonce_string);
- if ($parts == null) {
- return false;
- }
-
- if ($now === null) {
- $now = time();
- }
-
- $stamp = $parts[0];
-
- // Time after which we should not use the nonce
- $past = $now - $allowed_skew;
-
- // Time that is too far in the future for us to allow
- $future = $now + $allowed_skew;
-
- // the stamp is not too far in the future and is not too far
- // in the past
- return (($past <= $stamp) && ($stamp <= $future));
-}
-
-function Auth_OpenID_mkNonce($when = null)
-{
- // Generate a nonce with the current timestamp
- $salt = Auth_OpenID_CryptUtil::randomString(
- 6, Auth_OpenID_Nonce_CHRS);
- if ($when === null) {
- // It's safe to call time() with no arguments; it returns a
- // GMT unix timestamp on PHP 4 and PHP 5. gmmktime() with no
- // args returns a local unix timestamp on PHP 4, so don't use
- // that.
- $when = time();
- }
- $time_str = gmstrftime(Auth_OpenID_Nonce_TIME_FMT, $when);
- return $time_str . $salt;
-}
-
diff --git a/lib/Auth/OpenID/PAPE.php b/lib/Auth/OpenID/PAPE.php
deleted file mode 100644
index f08ca8bd0b21e358e976d790bb11af91c718fb9e..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/PAPE.php
+++ /dev/null
@@ -1,300 +0,0 @@
-<?php
-
-/**
- * An implementation of the OpenID Provider Authentication Policy
- * Extension 1.0
- *
- * See:
- * http://openid.net/developers/specs/
- */
-
-require_once "Auth/OpenID/Extension.php";
-
-define('Auth_OpenID_PAPE_NS_URI',
- "http://specs.openid.net/extensions/pape/1.0");
-
-define('PAPE_AUTH_MULTI_FACTOR_PHYSICAL',
- 'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical');
-define('PAPE_AUTH_MULTI_FACTOR',
- 'http://schemas.openid.net/pape/policies/2007/06/multi-factor');
-define('PAPE_AUTH_PHISHING_RESISTANT',
- 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant');
-
-define('PAPE_TIME_VALIDATOR',
- '/^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$/');
-/**
- * A Provider Authentication Policy request, sent from a relying party
- * to a provider
- *
- * preferred_auth_policies: The authentication policies that
- * the relying party prefers
- *
- * max_auth_age: The maximum time, in seconds, that the relying party
- * wants to allow to have elapsed before the user must re-authenticate
- */
-class Auth_OpenID_PAPE_Request extends Auth_OpenID_Extension {
-
- var $ns_alias = 'pape';
- var $ns_uri = Auth_OpenID_PAPE_NS_URI;
-
- function Auth_OpenID_PAPE_Request($preferred_auth_policies=null,
- $max_auth_age=null)
- {
- if ($preferred_auth_policies === null) {
- $preferred_auth_policies = array();
- }
-
- $this->preferred_auth_policies = $preferred_auth_policies;
- $this->max_auth_age = $max_auth_age;
- }
-
- /**
- * Add an acceptable authentication policy URI to this request
- *
- * This method is intended to be used by the relying party to add
- * acceptable authentication types to the request.
- *
- * policy_uri: The identifier for the preferred type of
- * authentication.
- */
- function addPolicyURI($policy_uri)
- {
- if (!in_array($policy_uri, $this->preferred_auth_policies)) {
- $this->preferred_auth_policies[] = $policy_uri;
- }
- }
-
- function getExtensionArgs()
- {
- $ns_args = array(
- 'preferred_auth_policies' =>
- implode(' ', $this->preferred_auth_policies)
- );
-
- if ($this->max_auth_age !== null) {
- $ns_args['max_auth_age'] = strval($this->max_auth_age);
- }
-
- return $ns_args;
- }
-
- /**
- * Instantiate a Request object from the arguments in a checkid_*
- * OpenID message
- */
- static function fromOpenIDRequest($request)
- {
- $obj = new Auth_OpenID_PAPE_Request();
- $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI);
-
- if ($args === null || $args === array()) {
- return null;
- }
-
- $obj->parseExtensionArgs($args);
- return $obj;
- }
-
- /**
- * Set the state of this request to be that expressed in these
- * PAPE arguments
- *
- * @param args: The PAPE arguments without a namespace
- */
- function parseExtensionArgs($args)
- {
- // preferred_auth_policies is a space-separated list of policy
- // URIs
- $this->preferred_auth_policies = array();
-
- $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies');
- if ($policies_str) {
- foreach (explode(' ', $policies_str) as $uri) {
- if (!in_array($uri, $this->preferred_auth_policies)) {
- $this->preferred_auth_policies[] = $uri;
- }
- }
- }
-
- // max_auth_age is base-10 integer number of seconds
- $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age');
- if ($max_auth_age_str) {
- $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str);
- } else {
- $this->max_auth_age = null;
- }
- }
-
- /**
- * Given a list of authentication policy URIs that a provider
- * supports, this method returns the subsequence of those types
- * that are preferred by the relying party.
- *
- * @param supported_types: A sequence of authentication policy
- * type URIs that are supported by a provider
- *
- * @return array The sub-sequence of the supported types that are
- * preferred by the relying party. This list will be ordered in
- * the order that the types appear in the supported_types
- * sequence, and may be empty if the provider does not prefer any
- * of the supported authentication types.
- */
- function preferredTypes($supported_types)
- {
- $result = array();
-
- foreach ($supported_types as $st) {
- if (in_array($st, $this->preferred_auth_policies)) {
- $result[] = $st;
- }
- }
- return $result;
- }
-}
-
-/**
- * A Provider Authentication Policy response, sent from a provider to
- * a relying party
- */
-class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension {
-
- var $ns_alias = 'pape';
- var $ns_uri = Auth_OpenID_PAPE_NS_URI;
-
- function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null,
- $nist_auth_level=null)
- {
- if ($auth_policies) {
- $this->auth_policies = $auth_policies;
- } else {
- $this->auth_policies = array();
- }
-
- $this->auth_time = $auth_time;
- $this->nist_auth_level = $nist_auth_level;
- }
-
- /**
- * Add a authentication policy to this response
- *
- * This method is intended to be used by the provider to add a
- * policy that the provider conformed to when authenticating the
- * user.
- *
- * @param policy_uri: The identifier for the preferred type of
- * authentication.
- */
- function addPolicyURI($policy_uri)
- {
- if (!in_array($policy_uri, $this->auth_policies)) {
- $this->auth_policies[] = $policy_uri;
- }
- }
-
- /**
- * Create an Auth_OpenID_PAPE_Response object from a successful
- * OpenID library response.
- *
- * @param success_response $success_response A SuccessResponse
- * from Auth_OpenID_Consumer::complete()
- *
- * @returns: A provider authentication policy response from the
- * data that was supplied with the id_res response.
- */
- static function fromSuccessResponse($success_response)
- {
- $obj = new Auth_OpenID_PAPE_Response();
-
- // PAPE requires that the args be signed.
- $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI);
-
- if ($args === null || $args === array()) {
- return null;
- }
-
- $result = $obj->parseExtensionArgs($args);
-
- if ($result === false) {
- return null;
- } else {
- return $obj;
- }
- }
-
- /**
- * Parse the provider authentication policy arguments into the
- * internal state of this object
- *
- * @param args: unqualified provider authentication policy
- * arguments
- *
- * @param strict: Whether to return false when bad data is
- * encountered
- *
- * @return null The data is parsed into the internal fields of
- * this object.
- */
- function parseExtensionArgs($args, $strict=false)
- {
- $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies');
- if ($policies_str && $policies_str != "none") {
- $this->auth_policies = explode(" ", $policies_str);
- }
-
- $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level');
- if ($nist_level_str !== null) {
- $nist_level = Auth_OpenID::intval($nist_level_str);
-
- if ($nist_level === false) {
- if ($strict) {
- return false;
- } else {
- $nist_level = null;
- }
- }
-
- if (0 <= $nist_level && $nist_level < 5) {
- $this->nist_auth_level = $nist_level;
- } else if ($strict) {
- return false;
- }
- }
-
- $auth_time = Auth_OpenID::arrayGet($args, 'auth_time');
- if ($auth_time !== null) {
- if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) {
- $this->auth_time = $auth_time;
- } else if ($strict) {
- return false;
- }
- }
- }
-
- function getExtensionArgs()
- {
- $ns_args = array();
- if (count($this->auth_policies) > 0) {
- $ns_args['auth_policies'] = implode(' ', $this->auth_policies);
- } else {
- $ns_args['auth_policies'] = 'none';
- }
-
- if ($this->nist_auth_level !== null) {
- if (!in_array($this->nist_auth_level, range(0, 4), true)) {
- return false;
- }
- $ns_args['nist_auth_level'] = strval($this->nist_auth_level);
- }
-
- if ($this->auth_time !== null) {
- if (!preg_match(PAPE_TIME_VALIDATOR, $this->auth_time)) {
- return false;
- }
-
- $ns_args['auth_time'] = $this->auth_time;
- }
-
- return $ns_args;
- }
-}
-
diff --git a/lib/Auth/OpenID/Parse.php b/lib/Auth/OpenID/Parse.php
deleted file mode 100644
index 0461bdcff7a065078b684c779ba88c6e02d4245b..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Parse.php
+++ /dev/null
@@ -1,381 +0,0 @@
-<?php
-
-/**
- * This module implements a VERY limited parser that finds <link> tags
- * in the head of HTML or XHTML documents and parses out their
- * attributes according to the OpenID spec. It is a liberal parser,
- * but it requires these things from the data in order to work:
- *
- * - There must be an open <html> tag
- *
- * - There must be an open <head> tag inside of the <html> tag
- *
- * - Only <link>s that are found inside of the <head> tag are parsed
- * (this is by design)
- *
- * - The parser follows the OpenID specification in resolving the
- * attributes of the link tags. This means that the attributes DO
- * NOT get resolved as they would by an XML or HTML parser. In
- * particular, only certain entities get replaced, and href
- * attributes do not get resolved relative to a base URL.
- *
- * From http://openid.net/specs.bml:
- *
- * - The openid.server URL MUST be an absolute URL. OpenID consumers
- * MUST NOT attempt to resolve relative URLs.
- *
- * - The openid.server URL MUST NOT include entities other than &,
- * <, >, and ".
- *
- * The parser ignores SGML comments and <![CDATA[blocks]]>. Both kinds
- * of quoting are allowed for attributes.
- *
- * The parser deals with invalid markup in these ways:
- *
- * - Tag names are not case-sensitive
- *
- * - The <html> tag is accepted even when it is not at the top level
- *
- * - The <head> tag is accepted even when it is not a direct child of
- * the <html> tag, but a <html> tag must be an ancestor of the
- * <head> tag
- *
- * - <link> tags are accepted even when they are not direct children
- * of the <head> tag, but a <head> tag must be an ancestor of the
- * <link> tag
- *
- * - If there is no closing tag for an open <html> or <head> tag, the
- * remainder of the document is viewed as being inside of the
- * tag. If there is no closing tag for a <link> tag, the link tag is
- * treated as a short tag. Exceptions to this rule are that <html>
- * closes <html> and <body> or <head> closes <head>
- *
- * - Attributes of the <link> tag are not required to be quoted.
- *
- * - In the case of duplicated attribute names, the attribute coming
- * last in the tag will be the value returned.
- *
- * - Any text that does not parse as an attribute within a link tag
- * will be ignored. (e.g. <link pumpkin rel='openid.server' /> will
- * ignore pumpkin)
- *
- * - If there are more than one <html> or <head> tag, the parser only
- * looks inside of the first one.
- *
- * - The contents of <script> tags are ignored entirely, except
- * unclosed <script> tags. Unclosed <script> tags are ignored.
- *
- * - Any other invalid markup is ignored, including unclosed SGML
- * comments and unclosed <![CDATA[blocks.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @access private
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Require Auth_OpenID::arrayGet().
- */
-require_once "Auth/OpenID.php";
-
-class Auth_OpenID_Parse {
-
- /**
- * Specify some flags for use with regex matching.
- */
- var $_re_flags = "si";
-
- /**
- * Stuff to remove before we start looking for tags
- */
- var $_removed_re =
- "<!--.*?-->|<!\[CDATA\[.*?\]\]>|<script\b(?!:)[^>]*>.*?<\/script>";
-
- /**
- * Starts with the tag name at a word boundary, where the tag name
- * is not a namespace
- */
- var $_tag_expr = "<%s\b(?!:)([^>]*?)(?:\/>|>(.*)(?:<\/?%s\s*>|\Z))";
-
- var $_attr_find = '\b(\w+)=("[^"]*"|\'[^\']*\'|[^\'"\s\/<>]+)';
-
- var $_open_tag_expr = "<%s\b";
- var $_close_tag_expr = "<((\/%s\b)|(%s[^>\/]*\/))>";
-
- function Auth_OpenID_Parse()
- {
- $this->_link_find = sprintf("/<link\b(?!:)([^>]*)(?!<)>/%s",
- $this->_re_flags);
-
- $this->_entity_replacements = array(
- 'amp' => '&',
- 'lt' => '<',
- 'gt' => '>',
- 'quot' => '"'
- );
-
- $this->_attr_find = sprintf("/%s/%s",
- $this->_attr_find,
- $this->_re_flags);
-
- $this->_removed_re = sprintf("/%s/%s",
- $this->_removed_re,
- $this->_re_flags);
-
- $this->_ent_replace =
- sprintf("&(%s);", implode("|",
- $this->_entity_replacements));
- }
-
- /**
- * Returns a regular expression that will match a given tag in an
- * SGML string.
- */
- function tagMatcher($tag_name, $close_tags = null)
- {
- $expr = $this->_tag_expr;
-
- if ($close_tags) {
- $options = implode("|", array_merge(array($tag_name), $close_tags));
- $closer = sprintf("(?:%s)", $options);
- } else {
- $closer = $tag_name;
- }
-
- $expr = sprintf($expr, $tag_name, $closer);
- return sprintf("/%s/%s", $expr, $this->_re_flags);
- }
-
- function openTag($tag_name)
- {
- $expr = sprintf($this->_open_tag_expr, $tag_name);
- return sprintf("/%s/%s", $expr, $this->_re_flags);
- }
-
- function closeTag($tag_name)
- {
- $expr = sprintf($this->_close_tag_expr, $tag_name, $tag_name);
- return sprintf("/%s/%s", $expr, $this->_re_flags);
- }
-
- function htmlBegin($s)
- {
- $matches = array();
- $result = preg_match($this->openTag('html'), $s,
- $matches, PREG_OFFSET_CAPTURE);
- if ($result === false || !$matches) {
- return false;
- }
- // Return the offset of the first match.
- return $matches[0][1];
- }
-
- function htmlEnd($s)
- {
- $matches = array();
- $result = preg_match($this->closeTag('html'), $s,
- $matches, PREG_OFFSET_CAPTURE);
- if ($result === false || !$matches) {
- return false;
- }
- // Return the offset of the first match.
- return $matches[count($matches) - 1][1];
- }
-
- function headFind()
- {
- return $this->tagMatcher('head', array('body', 'html'));
- }
-
- function replaceEntities($str)
- {
- foreach ($this->_entity_replacements as $old => $new) {
- $str = preg_replace(sprintf("/&%s;/", $old), $new, $str);
- }
- return $str;
- }
-
- function removeQuotes($str)
- {
- $matches = array();
- $double = '/^"(.*)"$/';
- $single = "/^\'(.*)\'$/";
-
- if (preg_match($double, $str, $matches)) {
- return $matches[1];
- } else if (preg_match($single, $str, $matches)) {
- return $matches[1];
- } else {
- return $str;
- }
- }
-
- function match($regexp, $text, &$match)
- {
- if (!is_callable('mb_ereg_search_init')) {
- if (!preg_match($regexp, $text, $match)) {
- return false;
- }
- $match = $match[0];
- return true;
- }
-
- $regexp = substr($regexp, 1, strlen($regexp) - 2 - strlen($this->_re_flags));
- mb_ereg_search_init($text);
- if (!mb_ereg_search($regexp)) {
- return false;
- }
- $match = mb_ereg_search_getregs();
- return true;
- }
-
- /**
- * Find all link tags in a string representing a HTML document and
- * return a list of their attributes.
- *
- * @todo This is quite ineffective and may fail with the default
- * pcre.backtrack_limit of 100000 in PHP 5.2, if $html is big.
- * It should rather use stripos (in PHP5) or strpos()+strtoupper()
- * in PHP4 to manage this.
- *
- * @param string $html The text to parse
- * @return array $list An array of arrays of attributes, one for each
- * link tag
- */
- function parseLinkAttrs($html)
- {
- $stripped = preg_replace($this->_removed_re,
- "",
- $html);
-
- $html_begin = $this->htmlBegin($stripped);
- $html_end = $this->htmlEnd($stripped);
-
- if ($html_begin === false) {
- return array();
- }
-
- if ($html_end === false) {
- $html_end = strlen($stripped);
- }
-
- $stripped = substr($stripped, $html_begin,
- $html_end - $html_begin);
-
- // Workaround to prevent PREG_BACKTRACK_LIMIT_ERROR:
- $old_btlimit = ini_set( 'pcre.backtrack_limit', -1 );
-
- // Try to find the <HEAD> tag.
- $head_re = $this->headFind();
- $head_match = array();
- if (!$this->match($head_re, $stripped, $head_match)) {
- ini_set( 'pcre.backtrack_limit', $old_btlimit );
- return array();
- }
-
- $link_data = array();
- $link_matches = array();
-
- if (!preg_match_all($this->_link_find, $head_match[0],
- $link_matches)) {
- ini_set( 'pcre.backtrack_limit', $old_btlimit );
- return array();
- }
-
- foreach ($link_matches[0] as $link) {
- $attr_matches = array();
- preg_match_all($this->_attr_find, $link, $attr_matches);
- $link_attrs = array();
- foreach ($attr_matches[0] as $index => $full_match) {
- $name = $attr_matches[1][$index];
- $value = $this->replaceEntities(
- $this->removeQuotes($attr_matches[2][$index]));
-
- $link_attrs[strtolower($name)] = $value;
- }
- $link_data[] = $link_attrs;
- }
-
- ini_set( 'pcre.backtrack_limit', $old_btlimit );
- return $link_data;
- }
-
- function relMatches($rel_attr, $target_rel)
- {
- // Does this target_rel appear in the rel_str?
- // XXX: TESTME
- $rels = preg_split("/\s+/", trim($rel_attr));
- foreach ($rels as $rel) {
- $rel = strtolower($rel);
- if ($rel == $target_rel) {
- return 1;
- }
- }
-
- return 0;
- }
-
- function linkHasRel($link_attrs, $target_rel)
- {
- // Does this link have target_rel as a relationship?
- // XXX: TESTME
- $rel_attr = Auth_OpeniD::arrayGet($link_attrs, 'rel', null);
- return ($rel_attr && $this->relMatches($rel_attr,
- $target_rel));
- }
-
- function findLinksRel($link_attrs_list, $target_rel)
- {
- // Filter the list of link attributes on whether it has
- // target_rel as a relationship.
- // XXX: TESTME
- $result = array();
- foreach ($link_attrs_list as $attr) {
- if ($this->linkHasRel($attr, $target_rel)) {
- $result[] = $attr;
- }
- }
-
- return $result;
- }
-
- function findFirstHref($link_attrs_list, $target_rel)
- {
- // Return the value of the href attribute for the first link
- // tag in the list that has target_rel as a relationship.
- // XXX: TESTME
- $matches = $this->findLinksRel($link_attrs_list,
- $target_rel);
- if (!$matches) {
- return null;
- }
- $first = $matches[0];
- return Auth_OpenID::arrayGet($first, 'href', null);
- }
-}
-
-function Auth_OpenID_legacy_discover($html_text, $server_rel,
- $delegate_rel)
-{
- $p = new Auth_OpenID_Parse();
-
- $link_attrs = $p->parseLinkAttrs($html_text);
-
- $server_url = $p->findFirstHref($link_attrs,
- $server_rel);
-
- if ($server_url === null) {
- return false;
- } else {
- $delegate_url = $p->findFirstHref($link_attrs,
- $delegate_rel);
- return array($delegate_url, $server_url);
- }
-}
-
diff --git a/lib/Auth/OpenID/PostgreSQLStore.php b/lib/Auth/OpenID/PostgreSQLStore.php
deleted file mode 100644
index d90e43e00d96001e0b0d389d21dd6ec704a8e163..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/PostgreSQLStore.php
+++ /dev/null
@@ -1,112 +0,0 @@
-<?php
-
-/**
- * A PostgreSQL store.
- *
- * @package OpenID
- */
-
-/**
- * Require the base class file.
- */
-require_once "Auth/OpenID/SQLStore.php";
-
-/**
- * An SQL store that uses PostgreSQL as its backend.
- *
- * @package OpenID
- */
-class Auth_OpenID_PostgreSQLStore extends Auth_OpenID_SQLStore {
- /**
- * @access private
- */
- function setSQL()
- {
- $this->sql['nonce_table'] =
- "CREATE TABLE %s (server_url VARCHAR(2047) NOT NULL, ".
- "timestamp INTEGER NOT NULL, ".
- "salt CHAR(40) NOT NULL, ".
- "UNIQUE (server_url, timestamp, salt))";
-
- $this->sql['assoc_table'] =
- "CREATE TABLE %s (server_url VARCHAR(2047) NOT NULL, ".
- "handle VARCHAR(255) NOT NULL, ".
- "secret BYTEA NOT NULL, ".
- "issued INTEGER NOT NULL, ".
- "lifetime INTEGER NOT NULL, ".
- "assoc_type VARCHAR(64) NOT NULL, ".
- "PRIMARY KEY (server_url, handle), ".
- "CONSTRAINT secret_length_constraint CHECK ".
- "(LENGTH(secret) <= 128))";
-
- $this->sql['set_assoc'] =
- array(
- 'insert_assoc' => "INSERT INTO %s (server_url, handle, ".
- "secret, issued, lifetime, assoc_type) VALUES ".
- "(?, ?, '!', ?, ?, ?)",
- 'update_assoc' => "UPDATE %s SET secret = '!', issued = ?, ".
- "lifetime = ?, assoc_type = ? WHERE server_url = ? AND ".
- "handle = ?"
- );
-
- $this->sql['get_assocs'] =
- "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ".
- "WHERE server_url = ?";
-
- $this->sql['get_assoc'] =
- "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ".
- "WHERE server_url = ? AND handle = ?";
-
- $this->sql['remove_assoc'] =
- "DELETE FROM %s WHERE server_url = ? AND handle = ?";
-
- $this->sql['add_nonce'] =
- "INSERT INTO %s (server_url, timestamp, salt) VALUES ".
- "(?, ?, ?)"
- ;
-
- $this->sql['clean_nonce'] =
- "DELETE FROM %s WHERE timestamp < ?";
-
- $this->sql['clean_assoc'] =
- "DELETE FROM %s WHERE issued + lifetime < ?";
- }
-
- /**
- * @access private
- */
- function _set_assoc($server_url, $handle, $secret, $issued, $lifetime,
- $assoc_type)
- {
- $result = $this->_get_assoc($server_url, $handle);
- if ($result) {
- // Update the table since this associations already exists.
- $this->connection->query($this->sql['set_assoc']['update_assoc'],
- array($secret, $issued, $lifetime,
- $assoc_type, $server_url, $handle));
- } else {
- // Insert a new record because this association wasn't
- // found.
- $this->connection->query($this->sql['set_assoc']['insert_assoc'],
- array($server_url, $handle, $secret,
- $issued, $lifetime, $assoc_type));
- }
- }
-
- /**
- * @access private
- */
- function blobEncode($blob)
- {
- return $this->_octify($blob);
- }
-
- /**
- * @access private
- */
- function blobDecode($blob)
- {
- return $this->_unoctify($blob);
- }
-}
-
diff --git a/lib/Auth/OpenID/SQLStore.php b/lib/Auth/OpenID/SQLStore.php
deleted file mode 100644
index c04059732cf370d01f915a3c755cf0c0fe5c6a96..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/SQLStore.php
+++ /dev/null
@@ -1,557 +0,0 @@
-<?php
-
-/**
- * SQL-backed OpenID stores.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/Interface.php';
-require_once 'Auth/OpenID/Nonce.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID.php';
-
-/**
- * @access private
- */
-require_once 'Auth/OpenID/Nonce.php';
-
-/**
- * This is the parent class for the SQL stores, which contains the
- * logic common to all of the SQL stores.
- *
- * The table names used are determined by the class variables
- * associations_table_name and nonces_table_name. To change the name
- * of the tables used, pass new table names into the constructor.
- *
- * To create the tables with the proper schema, see the createTables
- * method.
- *
- * This class shouldn't be used directly. Use one of its subclasses
- * instead, as those contain the code necessary to use a specific
- * database. If you're an OpenID integrator and you'd like to create
- * an SQL-driven store that wraps an application's database
- * abstraction, be sure to create a subclass of
- * {@link Auth_OpenID_DatabaseConnection} that calls the application's
- * database abstraction calls. Then, pass an instance of your new
- * database connection class to your SQLStore subclass constructor.
- *
- * All methods other than the constructor and createTables should be
- * considered implementation details.
- *
- * @package OpenID
- */
-class Auth_OpenID_SQLStore extends Auth_OpenID_OpenIDStore {
-
- /**
- * This creates a new SQLStore instance. It requires an
- * established database connection be given to it, and it allows
- * overriding the default table names.
- *
- * @param connection $connection This must be an established
- * connection to a database of the correct type for the SQLStore
- * subclass you're using. This must either be an PEAR DB
- * connection handle or an instance of a subclass of
- * Auth_OpenID_DatabaseConnection.
- *
- * @param associations_table: This is an optional parameter to
- * specify the name of the table used for storing associations.
- * The default value is 'oid_associations'.
- *
- * @param nonces_table: This is an optional parameter to specify
- * the name of the table used for storing nonces. The default
- * value is 'oid_nonces'.
- */
- function Auth_OpenID_SQLStore($connection,
- $associations_table = null,
- $nonces_table = null)
- {
- $this->associations_table_name = "oid_associations";
- $this->nonces_table_name = "oid_nonces";
-
- // Check the connection object type to be sure it's a PEAR
- // database connection.
- if (!(is_object($connection) &&
- (is_subclass_of($connection, 'db_common') ||
- is_subclass_of($connection,
- 'auth_openid_databaseconnection')))) {
- trigger_error("Auth_OpenID_SQLStore expected PEAR connection " .
- "object (got ".get_class($connection).")",
- E_USER_ERROR);
- return;
- }
-
- $this->connection = $connection;
-
- // Be sure to set the fetch mode so the results are keyed on
- // column name instead of column index. This is a PEAR
- // constant, so only try to use it if PEAR is present. Note
- // that Auth_Openid_Databaseconnection instances need not
- // implement ::setFetchMode for this reason.
- if (is_subclass_of($this->connection, 'db_common')) {
- $this->connection->setFetchMode(DB_FETCHMODE_ASSOC);
- }
-
- if ($associations_table) {
- $this->associations_table_name = $associations_table;
- }
-
- if ($nonces_table) {
- $this->nonces_table_name = $nonces_table;
- }
-
- $this->max_nonce_age = 6 * 60 * 60;
-
- // Be sure to run the database queries with auto-commit mode
- // turned OFF, because we want every function to run in a
- // transaction, implicitly. As a rule, methods named with a
- // leading underscore will NOT control transaction behavior.
- // Callers of these methods will worry about transactions.
- $this->connection->autoCommit(false);
-
- // Create an empty SQL strings array.
- $this->sql = array();
-
- // Call this method (which should be overridden by subclasses)
- // to populate the $this->sql array with SQL strings.
- $this->setSQL();
-
- // Verify that all required SQL statements have been set, and
- // raise an error if any expected SQL strings were either
- // absent or empty.
- list($missing, $empty) = $this->_verifySQL();
-
- if ($missing) {
- trigger_error("Expected keys in SQL query list: " .
- implode(", ", $missing),
- E_USER_ERROR);
- return;
- }
-
- if ($empty) {
- trigger_error("SQL list keys have no SQL strings: " .
- implode(", ", $empty),
- E_USER_ERROR);
- return;
- }
-
- // Add table names to queries.
- $this->_fixSQL();
- }
-
- function tableExists($table_name)
- {
- return !$this->isError(
- $this->connection->query(
- sprintf("SELECT * FROM %s LIMIT 0",
- $table_name)));
- }
-
- /**
- * Returns true if $value constitutes a database error; returns
- * false otherwise.
- */
- function isError($value)
- {
- return PEAR::isError($value);
- }
-
- /**
- * Converts a query result to a boolean. If the result is a
- * database error according to $this->isError(), this returns
- * false; otherwise, this returns true.
- */
- function resultToBool($obj)
- {
- if ($this->isError($obj)) {
- return false;
- } else {
- return true;
- }
- }
-
- /**
- * This method should be overridden by subclasses. This method is
- * called by the constructor to set values in $this->sql, which is
- * an array keyed on sql name.
- */
- function setSQL()
- {
- }
-
- /**
- * Resets the store by removing all records from the store's
- * tables.
- */
- function reset()
- {
- $this->connection->query(sprintf("DELETE FROM %s",
- $this->associations_table_name));
-
- $this->connection->query(sprintf("DELETE FROM %s",
- $this->nonces_table_name));
- }
-
- /**
- * @access private
- */
- function _verifySQL()
- {
- $missing = array();
- $empty = array();
-
- $required_sql_keys = array(
- 'nonce_table',
- 'assoc_table',
- 'set_assoc',
- 'get_assoc',
- 'get_assocs',
- 'remove_assoc'
- );
-
- foreach ($required_sql_keys as $key) {
- if (!array_key_exists($key, $this->sql)) {
- $missing[] = $key;
- } else if (!$this->sql[$key]) {
- $empty[] = $key;
- }
- }
-
- return array($missing, $empty);
- }
-
- /**
- * @access private
- */
- function _fixSQL()
- {
- $replacements = array(
- array(
- 'value' => $this->nonces_table_name,
- 'keys' => array('nonce_table',
- 'add_nonce',
- 'clean_nonce')
- ),
- array(
- 'value' => $this->associations_table_name,
- 'keys' => array('assoc_table',
- 'set_assoc',
- 'get_assoc',
- 'get_assocs',
- 'remove_assoc',
- 'clean_assoc')
- )
- );
-
- foreach ($replacements as $item) {
- $value = $item['value'];
- $keys = $item['keys'];
-
- foreach ($keys as $k) {
- if (is_array($this->sql[$k])) {
- foreach ($this->sql[$k] as $part_key => $part_value) {
- $this->sql[$k][$part_key] = sprintf($part_value,
- $value);
- }
- } else {
- $this->sql[$k] = sprintf($this->sql[$k], $value);
- }
- }
- }
- }
-
- function blobDecode($blob)
- {
- return $blob;
- }
-
- function blobEncode($str)
- {
- return $str;
- }
-
- function createTables()
- {
- $this->connection->autoCommit(true);
- $n = $this->create_nonce_table();
- $a = $this->create_assoc_table();
- $this->connection->autoCommit(false);
-
- if ($n && $a) {
- return true;
- } else {
- return false;
- }
- }
-
- function create_nonce_table()
- {
- if (!$this->tableExists($this->nonces_table_name)) {
- $r = $this->connection->query($this->sql['nonce_table']);
- return $this->resultToBool($r);
- }
- return true;
- }
-
- function create_assoc_table()
- {
- if (!$this->tableExists($this->associations_table_name)) {
- $r = $this->connection->query($this->sql['assoc_table']);
- return $this->resultToBool($r);
- }
- return true;
- }
-
- /**
- * @access private
- */
- function _set_assoc($server_url, $handle, $secret, $issued,
- $lifetime, $assoc_type)
- {
- return $this->connection->query($this->sql['set_assoc'],
- array(
- $server_url,
- $handle,
- $secret,
- $issued,
- $lifetime,
- $assoc_type));
- }
-
- function storeAssociation($server_url, $association)
- {
- if ($this->resultToBool($this->_set_assoc(
- $server_url,
- $association->handle,
- $this->blobEncode(
- $association->secret),
- $association->issued,
- $association->lifetime,
- $association->assoc_type
- ))) {
- $this->connection->commit();
- } else {
- $this->connection->rollback();
- }
- }
-
- /**
- * @access private
- */
- function _get_assoc($server_url, $handle)
- {
- $result = $this->connection->getRow($this->sql['get_assoc'],
- array($server_url, $handle));
- if ($this->isError($result)) {
- return null;
- } else {
- return $result;
- }
- }
-
- /**
- * @access private
- */
- function _get_assocs($server_url)
- {
- $result = $this->connection->getAll($this->sql['get_assocs'],
- array($server_url));
-
- if ($this->isError($result)) {
- return array();
- } else {
- return $result;
- }
- }
-
- function removeAssociation($server_url, $handle)
- {
- if ($this->_get_assoc($server_url, $handle) == null) {
- return false;
- }
-
- if ($this->resultToBool($this->connection->query(
- $this->sql['remove_assoc'],
- array($server_url, $handle)))) {
- $this->connection->commit();
- } else {
- $this->connection->rollback();
- }
-
- return true;
- }
-
- function getAssociation($server_url, $handle = null)
- {
- if ($handle !== null) {
- $assoc = $this->_get_assoc($server_url, $handle);
-
- $assocs = array();
- if ($assoc) {
- $assocs[] = $assoc;
- }
- } else {
- $assocs = $this->_get_assocs($server_url);
- }
-
- if (!$assocs || (count($assocs) == 0)) {
- return null;
- } else {
- $associations = array();
-
- foreach ($assocs as $assoc_row) {
- $assoc = new Auth_OpenID_Association($assoc_row['handle'],
- $assoc_row['secret'],
- $assoc_row['issued'],
- $assoc_row['lifetime'],
- $assoc_row['assoc_type']);
-
- $assoc->secret = $this->blobDecode($assoc->secret);
-
- if ($assoc->getExpiresIn() == 0) {
- $this->removeAssociation($server_url, $assoc->handle);
- } else {
- $associations[] = array($assoc->issued, $assoc);
- }
- }
-
- if ($associations) {
- $issued = array();
- $assocs = array();
- foreach ($associations as $key => $assoc) {
- $issued[$key] = $assoc[0];
- $assocs[$key] = $assoc[1];
- }
-
- array_multisort($issued, SORT_DESC, $assocs, SORT_DESC,
- $associations);
-
- // return the most recently issued one.
- list($issued, $assoc) = $associations[0];
- return $assoc;
- } else {
- return null;
- }
- }
- }
-
- /**
- * @access private
- */
- function _add_nonce($server_url, $timestamp, $salt)
- {
- $sql = $this->sql['add_nonce'];
- $result = $this->connection->query($sql, array($server_url,
- $timestamp,
- $salt));
- if ($this->isError($result)) {
- $this->connection->rollback();
- } else {
- $this->connection->commit();
- }
- return $this->resultToBool($result);
- }
-
- function useNonce($server_url, $timestamp, $salt)
- {
- global $Auth_OpenID_SKEW;
-
- if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) {
- return false;
- }
-
- return $this->_add_nonce($server_url, $timestamp, $salt);
- }
-
- /**
- * "Octifies" a binary string by returning a string with escaped
- * octal bytes. This is used for preparing binary data for
- * PostgreSQL BYTEA fields.
- *
- * @access private
- */
- function _octify($str)
- {
- $result = "";
- for ($i = 0; $i < Auth_OpenID::bytes($str); $i++) {
- $ch = substr($str, $i, 1);
- if ($ch == "\\") {
- $result .= "\\\\\\\\";
- } else if (ord($ch) == 0) {
- $result .= "\\\\000";
- } else {
- $result .= "\\" . strval(decoct(ord($ch)));
- }
- }
- return $result;
- }
-
- /**
- * "Unoctifies" octal-escaped data from PostgreSQL and returns the
- * resulting ASCII (possibly binary) string.
- *
- * @access private
- */
- function _unoctify($str)
- {
- $result = "";
- $i = 0;
- while ($i < strlen($str)) {
- $char = $str[$i];
- if ($char == "\\") {
- // Look to see if the next char is a backslash and
- // append it.
- if ($str[$i + 1] != "\\") {
- $octal_digits = substr($str, $i + 1, 3);
- $dec = octdec($octal_digits);
- $char = chr($dec);
- $i += 4;
- } else {
- $char = "\\";
- $i += 2;
- }
- } else {
- $i += 1;
- }
-
- $result .= $char;
- }
-
- return $result;
- }
-
- function cleanupNonces()
- {
- global $Auth_OpenID_SKEW;
- $v = time() - $Auth_OpenID_SKEW;
-
- $this->connection->query($this->sql['clean_nonce'], array($v));
- $num = $this->connection->affectedRows();
- $this->connection->commit();
- return $num;
- }
-
- function cleanupAssociations()
- {
- $this->connection->query($this->sql['clean_assoc'],
- array(time()));
- $num = $this->connection->affectedRows();
- $this->connection->commit();
- return $num;
- }
-}
-
-
diff --git a/lib/Auth/OpenID/SQLiteStore.php b/lib/Auth/OpenID/SQLiteStore.php
deleted file mode 100644
index 4558fa1c33b1931b6cfa9d6978537c5ac40a6091..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/SQLiteStore.php
+++ /dev/null
@@ -1,70 +0,0 @@
-<?php
-
-/**
- * An SQLite store.
- *
- * @package OpenID
- */
-
-/**
- * Require the base class file.
- */
-require_once "Auth/OpenID/SQLStore.php";
-
-/**
- * An SQL store that uses SQLite as its backend.
- *
- * @package OpenID
- */
-class Auth_OpenID_SQLiteStore extends Auth_OpenID_SQLStore {
- function setSQL()
- {
- $this->sql['nonce_table'] =
- "CREATE TABLE %s (server_url VARCHAR(2047), timestamp INTEGER, ".
- "salt CHAR(40), UNIQUE (server_url, timestamp, salt))";
-
- $this->sql['assoc_table'] =
- "CREATE TABLE %s (server_url VARCHAR(2047), handle VARCHAR(255), ".
- "secret BLOB(128), issued INTEGER, lifetime INTEGER, ".
- "assoc_type VARCHAR(64), PRIMARY KEY (server_url, handle))";
-
- $this->sql['set_assoc'] =
- "INSERT OR REPLACE INTO %s VALUES (?, ?, ?, ?, ?, ?)";
-
- $this->sql['get_assocs'] =
- "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ".
- "WHERE server_url = ?";
-
- $this->sql['get_assoc'] =
- "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ".
- "WHERE server_url = ? AND handle = ?";
-
- $this->sql['remove_assoc'] =
- "DELETE FROM %s WHERE server_url = ? AND handle = ?";
-
- $this->sql['add_nonce'] =
- "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)";
-
- $this->sql['clean_nonce'] =
- "DELETE FROM %s WHERE timestamp < ?";
-
- $this->sql['clean_assoc'] =
- "DELETE FROM %s WHERE issued + lifetime < ?";
- }
-
- /**
- * @access private
- */
- function _add_nonce($server_url, $timestamp, $salt)
- {
- // PECL SQLite extensions 1.0.3 and older (1.0.3 is the
- // current release at the time of this writing) have a broken
- // sqlite_escape_string function that breaks when passed the
- // empty string. Prefixing all strings with one character
- // keeps them unique and avoids this bug. The nonce table is
- // write-only, so we don't have to worry about updating other
- // functions with this same bad hack.
- return parent::_add_nonce('x' . $server_url, $timestamp, $salt);
- }
-}
-
diff --git a/lib/Auth/OpenID/SReg.php b/lib/Auth/OpenID/SReg.php
deleted file mode 100644
index 5ece7072434bc62c340625db0a83d1312b4f1747..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/SReg.php
+++ /dev/null
@@ -1,521 +0,0 @@
-<?php
-
-/**
- * Simple registration request and response parsing and object
- * representation.
- *
- * This module contains objects representing simple registration
- * requests and responses that can be used with both OpenID relying
- * parties and OpenID providers.
- *
- * 1. The relying party creates a request object and adds it to the
- * {@link Auth_OpenID_AuthRequest} object before making the
- * checkid request to the OpenID provider:
- *
- * $sreg_req = Auth_OpenID_SRegRequest::build(array('email'));
- * $auth_request->addExtension($sreg_req);
- *
- * 2. The OpenID provider extracts the simple registration request
- * from the OpenID request using {@link
- * Auth_OpenID_SRegRequest::fromOpenIDRequest}, gets the user's
- * approval and data, creates an {@link Auth_OpenID_SRegResponse}
- * object and adds it to the id_res response:
- *
- * $sreg_req = Auth_OpenID_SRegRequest::fromOpenIDRequest(
- * $checkid_request);
- * // [ get the user's approval and data, informing the user that
- * // the fields in sreg_response were requested ]
- * $sreg_resp = Auth_OpenID_SRegResponse::extractResponse(
- * $sreg_req, $user_data);
- * $sreg_resp->toMessage($openid_response->fields);
- *
- * 3. The relying party uses {@link
- * Auth_OpenID_SRegResponse::fromSuccessResponse} to extract the data
- * from the OpenID response:
- *
- * $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse(
- * $success_response);
- *
- * @package OpenID
- */
-
-/**
- * Import message and extension internals.
- */
-require_once 'Auth/OpenID/Message.php';
-require_once 'Auth/OpenID/Extension.php';
-
-// The data fields that are listed in the sreg spec
-global $Auth_OpenID_sreg_data_fields;
-$Auth_OpenID_sreg_data_fields = array(
- 'fullname' => 'Full Name',
- 'nickname' => 'Nickname',
- 'dob' => 'Date of Birth',
- 'email' => 'E-mail Address',
- 'gender' => 'Gender',
- 'postcode' => 'Postal Code',
- 'country' => 'Country',
- 'language' => 'Language',
- 'timezone' => 'Time Zone');
-
-/**
- * Check to see that the given value is a valid simple registration
- * data field name. Return true if so, false if not.
- */
-function Auth_OpenID_checkFieldName($field_name)
-{
- global $Auth_OpenID_sreg_data_fields;
-
- if (!in_array($field_name, array_keys($Auth_OpenID_sreg_data_fields))) {
- return false;
- }
- return true;
-}
-
-// URI used in the wild for Yadis documents advertising simple
-// registration support
-define('Auth_OpenID_SREG_NS_URI_1_0', 'http://openid.net/sreg/1.0');
-
-// URI in the draft specification for simple registration 1.1
-// <http://openid.net/specs/openid-simple-registration-extension-1_1-01.html>
-define('Auth_OpenID_SREG_NS_URI_1_1', 'http://openid.net/extensions/sreg/1.1');
-
-// This attribute will always hold the preferred URI to use when
-// adding sreg support to an XRDS file or in an OpenID namespace
-// declaration.
-define('Auth_OpenID_SREG_NS_URI', Auth_OpenID_SREG_NS_URI_1_1);
-
-Auth_OpenID_registerNamespaceAlias(Auth_OpenID_SREG_NS_URI_1_1, 'sreg');
-
-/**
- * Does the given endpoint advertise support for simple
- * registration?
- *
- * $endpoint: The endpoint object as returned by OpenID discovery.
- * returns whether an sreg type was advertised by the endpoint
- */
-function Auth_OpenID_supportsSReg($endpoint)
-{
- return ($endpoint->usesExtension(Auth_OpenID_SREG_NS_URI_1_1) ||
- $endpoint->usesExtension(Auth_OpenID_SREG_NS_URI_1_0));
-}
-
-/**
- * A base class for classes dealing with Simple Registration protocol
- * messages.
- *
- * @package OpenID
- */
-class Auth_OpenID_SRegBase extends Auth_OpenID_Extension {
- /**
- * Extract the simple registration namespace URI from the given
- * OpenID message. Handles OpenID 1 and 2, as well as both sreg
- * namespace URIs found in the wild, as well as missing namespace
- * definitions (for OpenID 1)
- *
- * $message: The OpenID message from which to parse simple
- * registration fields. This may be a request or response message.
- *
- * Returns the sreg namespace URI for the supplied message. The
- * message may be modified to define a simple registration
- * namespace.
- *
- * @access private
- */
- static function _getSRegNS($message)
- {
- $alias = null;
- $found_ns_uri = null;
-
- // See if there exists an alias for one of the two defined
- // simple registration types.
- foreach (array(Auth_OpenID_SREG_NS_URI_1_1,
- Auth_OpenID_SREG_NS_URI_1_0) as $sreg_ns_uri) {
- $alias = $message->namespaces->getAlias($sreg_ns_uri);
- if ($alias !== null) {
- $found_ns_uri = $sreg_ns_uri;
- break;
- }
- }
-
- if ($alias === null) {
- // There is no alias for either of the types, so try to
- // add one. We default to using the modern value (1.1)
- $found_ns_uri = Auth_OpenID_SREG_NS_URI_1_1;
- if ($message->namespaces->addAlias(Auth_OpenID_SREG_NS_URI_1_1,
- 'sreg') === null) {
- // An alias for the string 'sreg' already exists, but
- // it's defined for something other than simple
- // registration
- return null;
- }
- }
-
- return $found_ns_uri;
- }
-}
-
-/**
- * An object to hold the state of a simple registration request.
- *
- * required: A list of the required fields in this simple registration
- * request
- *
- * optional: A list of the optional fields in this simple registration
- * request
- *
- * @package OpenID
- */
-class Auth_OpenID_SRegRequest extends Auth_OpenID_SRegBase {
-
- var $ns_alias = 'sreg';
-
- /**
- * Initialize an empty simple registration request.
- */
- static function build($required=null, $optional=null,
- $policy_url=null,
- $sreg_ns_uri=Auth_OpenID_SREG_NS_URI,
- $cls='Auth_OpenID_SRegRequest')
- {
- $obj = new $cls();
-
- $obj->required = array();
- $obj->optional = array();
- $obj->policy_url = $policy_url;
- $obj->ns_uri = $sreg_ns_uri;
-
- if ($required) {
- if (!$obj->requestFields($required, true, true)) {
- return null;
- }
- }
-
- if ($optional) {
- if (!$obj->requestFields($optional, false, true)) {
- return null;
- }
- }
-
- return $obj;
- }
-
- /**
- * Create a simple registration request that contains the fields
- * that were requested in the OpenID request with the given
- * arguments
- *
- * $request: The OpenID authentication request from which to
- * extract an sreg request.
- *
- * $cls: name of class to use when creating sreg request object.
- * Used for testing.
- *
- * Returns the newly created simple registration request
- */
- static function fromOpenIDRequest($request, $cls='Auth_OpenID_SRegRequest')
- {
-
- $obj = call_user_func_array(array($cls, 'build'),
- array(null, null, null, Auth_OpenID_SREG_NS_URI, $cls));
-
- // Since we're going to mess with namespace URI mapping, don't
- // mutate the object that was passed in.
- $m = $request->message;
-
- $obj->ns_uri = $obj->_getSRegNS($m);
- $args = $m->getArgs($obj->ns_uri);
-
- if ($args === null || Auth_OpenID::isFailure($args)) {
- return null;
- }
-
- $obj->parseExtensionArgs($args);
-
- return $obj;
- }
-
- /**
- * Parse the unqualified simple registration request parameters
- * and add them to this object.
- *
- * This method is essentially the inverse of
- * getExtensionArgs. This method restores the serialized simple
- * registration request fields.
- *
- * If you are extracting arguments from a standard OpenID
- * checkid_* request, you probably want to use fromOpenIDRequest,
- * which will extract the sreg namespace and arguments from the
- * OpenID request. This method is intended for cases where the
- * OpenID server needs more control over how the arguments are
- * parsed than that method provides.
- *
- * $args == $message->getArgs($ns_uri);
- * $request->parseExtensionArgs($args);
- *
- * $args: The unqualified simple registration arguments
- *
- * strict: Whether requests with fields that are not defined in
- * the simple registration specification should be tolerated (and
- * ignored)
- */
- function parseExtensionArgs($args, $strict=false)
- {
- foreach (array('required', 'optional') as $list_name) {
- $required = ($list_name == 'required');
- $items = Auth_OpenID::arrayGet($args, $list_name);
- if ($items) {
- foreach (explode(',', $items) as $field_name) {
- if (!$this->requestField($field_name, $required, $strict)) {
- if ($strict) {
- return false;
- }
- }
- }
- }
- }
-
- $this->policy_url = Auth_OpenID::arrayGet($args, 'policy_url');
-
- return true;
- }
-
- /**
- * A list of all of the simple registration fields that were
- * requested, whether they were required or optional.
- */
- function allRequestedFields()
- {
- return array_merge($this->required, $this->optional);
- }
-
- /**
- * Have any simple registration fields been requested?
- */
- function wereFieldsRequested()
- {
- return count($this->allRequestedFields());
- }
-
- /**
- * Was this field in the request?
- */
- function contains($field_name)
- {
- return (in_array($field_name, $this->required) ||
- in_array($field_name, $this->optional));
- }
-
- /**
- * Request the specified field from the OpenID user
- *
- * $field_name: the unqualified simple registration field name
- *
- * required: whether the given field should be presented to the
- * user as being a required to successfully complete the request
- *
- * strict: whether to raise an exception when a field is added to
- * a request more than once
- */
- function requestField($field_name,
- $required=false, $strict=false)
- {
- if (!Auth_OpenID_checkFieldName($field_name)) {
- return false;
- }
-
- if ($strict) {
- if ($this->contains($field_name)) {
- return false;
- }
- } else {
- if (in_array($field_name, $this->required)) {
- return true;
- }
-
- if (in_array($field_name, $this->optional)) {
- if ($required) {
- unset($this->optional[array_search($field_name,
- $this->optional)]);
- } else {
- return true;
- }
- }
- }
-
- if ($required) {
- $this->required[] = $field_name;
- } else {
- $this->optional[] = $field_name;
- }
-
- return true;
- }
-
- /**
- * Add the given list of fields to the request
- *
- * field_names: The simple registration data fields to request
- *
- * required: Whether these values should be presented to the user
- * as required
- *
- * strict: whether to raise an exception when a field is added to
- * a request more than once
- */
- function requestFields($field_names, $required=false, $strict=false)
- {
- if (!is_array($field_names)) {
- return false;
- }
-
- foreach ($field_names as $field_name) {
- if (!$this->requestField($field_name, $required, $strict=$strict)) {
- return false;
- }
- }
-
- return true;
- }
-
- /**
- * Get a dictionary of unqualified simple registration arguments
- * representing this request.
- *
- * This method is essentially the inverse of
- * C{L{parseExtensionArgs}}. This method serializes the simple
- * registration request fields.
- */
- function getExtensionArgs()
- {
- $args = array();
-
- if ($this->required) {
- $args['required'] = implode(',', $this->required);
- }
-
- if ($this->optional) {
- $args['optional'] = implode(',', $this->optional);
- }
-
- if ($this->policy_url) {
- $args['policy_url'] = $this->policy_url;
- }
-
- return $args;
- }
-}
-
-/**
- * Represents the data returned in a simple registration response
- * inside of an OpenID C{id_res} response. This object will be created
- * by the OpenID server, added to the C{id_res} response object, and
- * then extracted from the C{id_res} message by the Consumer.
- *
- * @package OpenID
- */
-class Auth_OpenID_SRegResponse extends Auth_OpenID_SRegBase {
-
- var $ns_alias = 'sreg';
-
- function Auth_OpenID_SRegResponse($data=null,
- $sreg_ns_uri=Auth_OpenID_SREG_NS_URI)
- {
- if ($data === null) {
- $this->data = array();
- } else {
- $this->data = $data;
- }
-
- $this->ns_uri = $sreg_ns_uri;
- }
-
- /**
- * Take a C{L{SRegRequest}} and a dictionary of simple
- * registration values and create a C{L{SRegResponse}} object
- * containing that data.
- *
- * request: The simple registration request object
- *
- * data: The simple registration data for this response, as a
- * dictionary from unqualified simple registration field name to
- * string (unicode) value. For instance, the nickname should be
- * stored under the key 'nickname'.
- */
- static function extractResponse($request, $data)
- {
- $obj = new Auth_OpenID_SRegResponse();
- $obj->ns_uri = $request->ns_uri;
-
- foreach ($request->allRequestedFields() as $field) {
- $value = Auth_OpenID::arrayGet($data, $field);
- if ($value !== null) {
- $obj->data[$field] = $value;
- }
- }
-
- return $obj;
- }
-
- /**
- * Create a C{L{SRegResponse}} object from a successful OpenID
- * library response
- * (C{L{openid.consumer.consumer.SuccessResponse}}) response
- * message
- *
- * success_response: A SuccessResponse from consumer.complete()
- *
- * signed_only: Whether to process only data that was
- * signed in the id_res message from the server.
- *
- * Returns a simple registration response containing the data that
- * was supplied with the C{id_res} response.
- */
- static function fromSuccessResponse($success_response, $signed_only=true)
- {
- global $Auth_OpenID_sreg_data_fields;
-
- $obj = new Auth_OpenID_SRegResponse();
- $obj->ns_uri = $obj->_getSRegNS($success_response->message);
-
- if ($signed_only) {
- $args = $success_response->getSignedNS($obj->ns_uri);
- } else {
- $args = $success_response->message->getArgs($obj->ns_uri);
- }
-
- if ($args === null || Auth_OpenID::isFailure($args)) {
- return null;
- }
-
- foreach ($Auth_OpenID_sreg_data_fields as $field_name => $desc) {
- if (in_array($field_name, array_keys($args))) {
- $obj->data[$field_name] = $args[$field_name];
- }
- }
-
- return $obj;
- }
-
- function getExtensionArgs()
- {
- return $this->data;
- }
-
- // Read-only dictionary interface
- function get($field_name, $default=null)
- {
- if (!Auth_OpenID_checkFieldName($field_name)) {
- return null;
- }
-
- return Auth_OpenID::arrayGet($this->data, $field_name, $default);
- }
-
- function contents()
- {
- return $this->data;
- }
-}
-
-
diff --git a/lib/Auth/OpenID/Server.php b/lib/Auth/OpenID/Server.php
deleted file mode 100644
index 9887d1e8d8d99c8b8c759d5c0c76b312dcb0c037..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/Server.php
+++ /dev/null
@@ -1,1765 +0,0 @@
-<?php
-
-/**
- * OpenID server protocol and logic.
- *
- * Overview
- *
- * An OpenID server must perform three tasks:
- *
- * 1. Examine the incoming request to determine its nature and validity.
- * 2. Make a decision about how to respond to this request.
- * 3. Format the response according to the protocol.
- *
- * The first and last of these tasks may performed by the {@link
- * Auth_OpenID_Server::decodeRequest()} and {@link
- * Auth_OpenID_Server::encodeResponse} methods. Who gets to do the
- * intermediate task -- deciding how to respond to the request -- will
- * depend on what type of request it is.
- *
- * If it's a request to authenticate a user (a 'checkid_setup' or
- * 'checkid_immediate' request), you need to decide if you will assert
- * that this user may claim the identity in question. Exactly how you
- * do that is a matter of application policy, but it generally
- * involves making sure the user has an account with your system and
- * is logged in, checking to see if that identity is hers to claim,
- * and verifying with the user that she does consent to releasing that
- * information to the party making the request.
- *
- * Examine the properties of the {@link Auth_OpenID_CheckIDRequest}
- * object, and if and when you've come to a decision, form a response
- * by calling {@link Auth_OpenID_CheckIDRequest::answer()}.
- *
- * Other types of requests relate to establishing associations between
- * client and server and verifing the authenticity of previous
- * communications. {@link Auth_OpenID_Server} contains all the logic
- * and data necessary to respond to such requests; just pass it to
- * {@link Auth_OpenID_Server::handleRequest()}.
- *
- * OpenID Extensions
- *
- * Do you want to provide other information for your users in addition
- * to authentication? Version 1.2 of the OpenID protocol allows
- * consumers to add extensions to their requests. For example, with
- * sites using the Simple Registration
- * Extension
- * (http://openid.net/specs/openid-simple-registration-extension-1_0.html),
- * a user can agree to have their nickname and e-mail address sent to
- * a site when they sign up.
- *
- * Since extensions do not change the way OpenID authentication works,
- * code to handle extension requests may be completely separate from
- * the {@link Auth_OpenID_Request} class here. But you'll likely want
- * data sent back by your extension to be signed. {@link
- * Auth_OpenID_ServerResponse} provides methods with which you can add
- * data to it which can be signed with the other data in the OpenID
- * signature.
- *
- * For example:
- *
- * <pre> // when request is a checkid_* request
- * $response = $request->answer(true);
- * // this will a signed 'openid.sreg.timezone' parameter to the response
- * response.addField('sreg', 'timezone', 'America/Los_Angeles')</pre>
- *
- * Stores
- *
- * The OpenID server needs to maintain state between requests in order
- * to function. Its mechanism for doing this is called a store. The
- * store interface is defined in Interface.php. Additionally, several
- * concrete store implementations are provided, so that most sites
- * won't need to implement a custom store. For a store backed by flat
- * files on disk, see {@link Auth_OpenID_FileStore}. For stores based
- * on MySQL, SQLite, or PostgreSQL, see the {@link
- * Auth_OpenID_SQLStore} subclasses.
- *
- * Upgrading
- *
- * The keys by which a server looks up associations in its store have
- * changed in version 1.2 of this library. If your store has entries
- * created from version 1.0 code, you should empty it.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Required imports
- */
-require_once "Auth/OpenID.php";
-require_once "Auth/OpenID/Association.php";
-require_once "Auth/OpenID/CryptUtil.php";
-require_once "Auth/OpenID/BigMath.php";
-require_once "Auth/OpenID/DiffieHellman.php";
-require_once "Auth/OpenID/KVForm.php";
-require_once "Auth/OpenID/TrustRoot.php";
-require_once "Auth/OpenID/ServerRequest.php";
-require_once "Auth/OpenID/Message.php";
-require_once "Auth/OpenID/Nonce.php";
-
-define('AUTH_OPENID_HTTP_OK', 200);
-define('AUTH_OPENID_HTTP_REDIRECT', 302);
-define('AUTH_OPENID_HTTP_ERROR', 400);
-
-/**
- * @access private
- */
-global $_Auth_OpenID_Request_Modes;
-$_Auth_OpenID_Request_Modes = array('checkid_setup',
- 'checkid_immediate');
-
-/**
- * @access private
- */
-define('Auth_OpenID_ENCODE_KVFORM', 'kfvorm');
-
-/**
- * @access private
- */
-define('Auth_OpenID_ENCODE_URL', 'URL/redirect');
-
-/**
- * @access private
- */
-define('Auth_OpenID_ENCODE_HTML_FORM', 'HTML form');
-
-/**
- * @access private
- */
-function Auth_OpenID_isError($obj, $cls = 'Auth_OpenID_ServerError')
-{
- return is_a($obj, $cls);
-}
-
-/**
- * An error class which gets instantiated and returned whenever an
- * OpenID protocol error occurs. Be prepared to use this in place of
- * an ordinary server response.
- *
- * @package OpenID
- */
-class Auth_OpenID_ServerError {
- /**
- * @access private
- */
- function Auth_OpenID_ServerError($message = null, $text = null,
- $reference = null, $contact = null)
- {
- $this->message = $message;
- $this->text = $text;
- $this->contact = $contact;
- $this->reference = $reference;
- }
-
- function getReturnTo()
- {
- if ($this->message &&
- $this->message->hasKey(Auth_OpenID_OPENID_NS, 'return_to')) {
- return $this->message->getArg(Auth_OpenID_OPENID_NS,
- 'return_to');
- } else {
- return null;
- }
- }
-
- /**
- * Returns the return_to URL for the request which caused this
- * error.
- */
- function hasReturnTo()
- {
- return $this->getReturnTo() !== null;
- }
-
- /**
- * Encodes this error's response as a URL suitable for
- * redirection. If the response has no return_to, another
- * Auth_OpenID_ServerError is returned.
- */
- function encodeToURL()
- {
- if (!$this->message) {
- return null;
- }
-
- $msg = $this->toMessage();
- return $msg->toURL($this->getReturnTo());
- }
-
- /**
- * Encodes the response to key-value form. This is a
- * machine-readable format used to respond to messages which came
- * directly from the consumer and not through the user-agent. See
- * the OpenID specification.
- */
- function encodeToKVForm()
- {
- return Auth_OpenID_KVForm::fromArray(
- array('mode' => 'error',
- 'error' => $this->toString()));
- }
-
- function toFormMarkup($form_tag_attrs=null)
- {
- $msg = $this->toMessage();
- return $msg->toFormMarkup($this->getReturnTo(), $form_tag_attrs);
- }
-
- function toHTML($form_tag_attrs=null)
- {
- return Auth_OpenID::autoSubmitHTML(
- $this->toFormMarkup($form_tag_attrs));
- }
-
- function toMessage()
- {
- // Generate a Message object for sending to the relying party,
- // after encoding.
- $namespace = $this->message->getOpenIDNamespace();
- $reply = new Auth_OpenID_Message($namespace);
- $reply->setArg(Auth_OpenID_OPENID_NS, 'mode', 'error');
- $reply->setArg(Auth_OpenID_OPENID_NS, 'error', $this->toString());
-
- if ($this->contact !== null) {
- $reply->setArg(Auth_OpenID_OPENID_NS, 'contact', $this->contact);
- }
-
- if ($this->reference !== null) {
- $reply->setArg(Auth_OpenID_OPENID_NS, 'reference',
- $this->reference);
- }
-
- return $reply;
- }
-
- /**
- * Returns one of Auth_OpenID_ENCODE_URL,
- * Auth_OpenID_ENCODE_KVFORM, or null, depending on the type of
- * encoding expected for this error's payload.
- */
- function whichEncoding()
- {
- global $_Auth_OpenID_Request_Modes;
-
- if ($this->hasReturnTo()) {
- if ($this->message->isOpenID2() &&
- (strlen($this->encodeToURL()) >
- Auth_OpenID_OPENID1_URL_LIMIT)) {
- return Auth_OpenID_ENCODE_HTML_FORM;
- } else {
- return Auth_OpenID_ENCODE_URL;
- }
- }
-
- if (!$this->message) {
- return null;
- }
-
- $mode = $this->message->getArg(Auth_OpenID_OPENID_NS,
- 'mode');
-
- if ($mode) {
- if (!in_array($mode, $_Auth_OpenID_Request_Modes)) {
- return Auth_OpenID_ENCODE_KVFORM;
- }
- }
- return null;
- }
-
- /**
- * Returns this error message.
- */
- function toString()
- {
- if ($this->text) {
- return $this->text;
- } else {
- return get_class($this) . " error";
- }
- }
-}
-
-/**
- * Error returned by the server code when a return_to is absent from a
- * request.
- *
- * @package OpenID
- */
-class Auth_OpenID_NoReturnToError extends Auth_OpenID_ServerError {
- function Auth_OpenID_NoReturnToError($message = null,
- $text = "No return_to URL available")
- {
- parent::Auth_OpenID_ServerError($message, $text);
- }
-
- function toString()
- {
- return "No return_to available";
- }
-}
-
-/**
- * An error indicating that the return_to URL is malformed.
- *
- * @package OpenID
- */
-class Auth_OpenID_MalformedReturnURL extends Auth_OpenID_ServerError {
- function Auth_OpenID_MalformedReturnURL($message, $return_to)
- {
- $this->return_to = $return_to;
- parent::Auth_OpenID_ServerError($message, "malformed return_to URL");
- }
-}
-
-/**
- * This error is returned when the trust_root value is malformed.
- *
- * @package OpenID
- */
-class Auth_OpenID_MalformedTrustRoot extends Auth_OpenID_ServerError {
- function Auth_OpenID_MalformedTrustRoot($message = null,
- $text = "Malformed trust root")
- {
- parent::Auth_OpenID_ServerError($message, $text);
- }
-
- function toString()
- {
- return "Malformed trust root";
- }
-}
-
-/**
- * The base class for all server request classes.
- *
- * @package OpenID
- */
-class Auth_OpenID_Request {
- var $mode = null;
-}
-
-/**
- * A request to verify the validity of a previous response.
- *
- * @package OpenID
- */
-class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request {
- var $mode = "check_authentication";
- var $invalidate_handle = null;
-
- function Auth_OpenID_CheckAuthRequest($assoc_handle, $signed,
- $invalidate_handle = null)
- {
- $this->assoc_handle = $assoc_handle;
- $this->signed = $signed;
- if ($invalidate_handle !== null) {
- $this->invalidate_handle = $invalidate_handle;
- }
- $this->namespace = Auth_OpenID_OPENID2_NS;
- $this->message = null;
- }
-
- static function fromMessage($message, $server=null)
- {
- $required_keys = array('assoc_handle', 'sig', 'signed');
-
- foreach ($required_keys as $k) {
- if (!$message->getArg(Auth_OpenID_OPENID_NS, $k)) {
- return new Auth_OpenID_ServerError($message,
- sprintf("%s request missing required parameter %s from \
- query", "check_authentication", $k));
- }
- }
-
- $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle');
- $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig');
-
- $signed_list = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
- $signed_list = explode(",", $signed_list);
-
- $signed = $message;
- if ($signed->hasKey(Auth_OpenID_OPENID_NS, 'mode')) {
- $signed->setArg(Auth_OpenID_OPENID_NS, 'mode', 'id_res');
- }
-
- $result = new Auth_OpenID_CheckAuthRequest($assoc_handle, $signed);
- $result->message = $message;
- $result->sig = $sig;
- $result->invalidate_handle = $message->getArg(Auth_OpenID_OPENID_NS,
- 'invalidate_handle');
- return $result;
- }
-
- function answer($signatory)
- {
- $is_valid = $signatory->verify($this->assoc_handle, $this->signed);
-
- // Now invalidate that assoc_handle so it this checkAuth
- // message cannot be replayed.
- $signatory->invalidate($this->assoc_handle, true);
- $response = new Auth_OpenID_ServerResponse($this);
-
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'is_valid',
- ($is_valid ? "true" : "false"));
-
- if ($this->invalidate_handle) {
- $assoc = $signatory->getAssociation($this->invalidate_handle,
- false);
- if (!$assoc) {
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'invalidate_handle',
- $this->invalidate_handle);
- }
- }
- return $response;
- }
-}
-
-/**
- * A class implementing plaintext server sessions.
- *
- * @package OpenID
- */
-class Auth_OpenID_PlainTextServerSession {
- /**
- * An object that knows how to handle association requests with no
- * session type.
- */
- var $session_type = 'no-encryption';
- var $needs_math = false;
- var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
-
- static function fromMessage($unused_request)
- {
- return new Auth_OpenID_PlainTextServerSession();
- }
-
- function answer($secret)
- {
- return array('mac_key' => base64_encode($secret));
- }
-}
-
-/**
- * A class implementing DH-SHA1 server sessions.
- *
- * @package OpenID
- */
-class Auth_OpenID_DiffieHellmanSHA1ServerSession {
- /**
- * An object that knows how to handle association requests with
- * the Diffie-Hellman session type.
- */
-
- var $session_type = 'DH-SHA1';
- var $needs_math = true;
- var $allowed_assoc_types = array('HMAC-SHA1');
- var $hash_func = 'Auth_OpenID_SHA1';
-
- function Auth_OpenID_DiffieHellmanSHA1ServerSession($dh, $consumer_pubkey)
- {
- $this->dh = $dh;
- $this->consumer_pubkey = $consumer_pubkey;
- }
-
- static function getDH($message)
- {
- $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus');
- $dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen');
-
- if ((($dh_modulus === null) && ($dh_gen !== null)) ||
- (($dh_gen === null) && ($dh_modulus !== null))) {
-
- if ($dh_modulus === null) {
- $missing = 'modulus';
- } else {
- $missing = 'generator';
- }
-
- return new Auth_OpenID_ServerError($message,
- 'If non-default modulus or generator is '.
- 'supplied, both must be supplied. Missing '.
- $missing);
- }
-
- $lib = Auth_OpenID_getMathLib();
-
- if ($dh_modulus || $dh_gen) {
- $dh_modulus = $lib->base64ToLong($dh_modulus);
- $dh_gen = $lib->base64ToLong($dh_gen);
- if ($lib->cmp($dh_modulus, 0) == 0 ||
- $lib->cmp($dh_gen, 0) == 0) {
- return new Auth_OpenID_ServerError(
- $message, "Failed to parse dh_mod or dh_gen");
- }
- $dh = new Auth_OpenID_DiffieHellman($dh_modulus, $dh_gen);
- } else {
- $dh = new Auth_OpenID_DiffieHellman();
- }
-
- $consumer_pubkey = $message->getArg(Auth_OpenID_OPENID_NS,
- 'dh_consumer_public');
- if ($consumer_pubkey === null) {
- return new Auth_OpenID_ServerError($message,
- 'Public key for DH-SHA1 session '.
- 'not found in query');
- }
-
- $consumer_pubkey =
- $lib->base64ToLong($consumer_pubkey);
-
- if ($consumer_pubkey === false) {
- return new Auth_OpenID_ServerError($message,
- "dh_consumer_public is not base64");
- }
-
- return array($dh, $consumer_pubkey);
- }
-
- static function fromMessage($message)
- {
- $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
-
- if (is_a($result, 'Auth_OpenID_ServerError')) {
- return $result;
- } else {
- list($dh, $consumer_pubkey) = $result;
- return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh,
- $consumer_pubkey);
- }
- }
-
- function answer($secret)
- {
- $lib = Auth_OpenID_getMathLib();
- $mac_key = $this->dh->xorSecret($this->consumer_pubkey, $secret,
- $this->hash_func);
- return array(
- 'dh_server_public' =>
- $lib->longToBase64($this->dh->public),
- 'enc_mac_key' => base64_encode($mac_key));
- }
-}
-
-/**
- * A class implementing DH-SHA256 server sessions.
- *
- * @package OpenID
- */
-class Auth_OpenID_DiffieHellmanSHA256ServerSession
- extends Auth_OpenID_DiffieHellmanSHA1ServerSession {
-
- var $session_type = 'DH-SHA256';
- var $hash_func = 'Auth_OpenID_SHA256';
- var $allowed_assoc_types = array('HMAC-SHA256');
-
- static function fromMessage($message)
- {
- $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
-
- if (is_a($result, 'Auth_OpenID_ServerError')) {
- return $result;
- } else {
- list($dh, $consumer_pubkey) = $result;
- return new Auth_OpenID_DiffieHellmanSHA256ServerSession($dh,
- $consumer_pubkey);
- }
- }
-}
-
-/**
- * A request to associate with the server.
- *
- * @package OpenID
- */
-class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request {
- var $mode = "associate";
-
- static function getSessionClasses()
- {
- return array(
- 'no-encryption' => 'Auth_OpenID_PlainTextServerSession',
- 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ServerSession',
- 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession');
- }
-
- function Auth_OpenID_AssociateRequest($session, $assoc_type)
- {
- $this->session = $session;
- $this->namespace = Auth_OpenID_OPENID2_NS;
- $this->assoc_type = $assoc_type;
- }
-
- static function fromMessage($message, $server=null)
- {
- if ($message->isOpenID1()) {
- $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
- 'session_type');
-
- if ($session_type == 'no-encryption') {
- // oidutil.log('Received OpenID 1 request with a no-encryption '
- // 'assocaition session type. Continuing anyway.')
- } else if (!$session_type) {
- $session_type = 'no-encryption';
- }
- } else {
- $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
- 'session_type');
- if ($session_type === null) {
- return new Auth_OpenID_ServerError($message,
- "session_type missing from request");
- }
- }
-
- $session_class = Auth_OpenID::arrayGet(
- Auth_OpenID_AssociateRequest::getSessionClasses(),
- $session_type);
-
- if ($session_class === null) {
- return new Auth_OpenID_ServerError($message,
- "Unknown session type " .
- $session_type);
- }
-
- $session = call_user_func(array($session_class, 'fromMessage'),
- $message);
- if (is_a($session, 'Auth_OpenID_ServerError')) {
- return $session;
- }
-
- $assoc_type = $message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_type', 'HMAC-SHA1');
-
- if (!in_array($assoc_type, $session->allowed_assoc_types)) {
- $fmt = "Session type %s does not support association type %s";
- return new Auth_OpenID_ServerError($message,
- sprintf($fmt, $session_type, $assoc_type));
- }
-
- $obj = new Auth_OpenID_AssociateRequest($session, $assoc_type);
- $obj->message = $message;
- $obj->namespace = $message->getOpenIDNamespace();
- return $obj;
- }
-
- function answer($assoc)
- {
- $response = new Auth_OpenID_ServerResponse($this);
- $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
- array(
- 'expires_in' => sprintf('%d', $assoc->getExpiresIn()),
- 'assoc_type' => $this->assoc_type,
- 'assoc_handle' => $assoc->handle));
-
- $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
- $this->session->answer($assoc->secret));
-
- if (! ($this->session->session_type == 'no-encryption'
- && $this->message->isOpenID1())) {
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'session_type',
- $this->session->session_type);
- }
-
- return $response;
- }
-
- function answerUnsupported($text_message,
- $preferred_association_type=null,
- $preferred_session_type=null)
- {
- if ($this->message->isOpenID1()) {
- return new Auth_OpenID_ServerError($this->message);
- }
-
- $response = new Auth_OpenID_ServerResponse($this);
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'error_code', 'unsupported-type');
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'error', $text_message);
-
- if ($preferred_association_type) {
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'assoc_type',
- $preferred_association_type);
- }
-
- if ($preferred_session_type) {
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'session_type',
- $preferred_session_type);
- }
- $response->code = AUTH_OPENID_HTTP_ERROR;
- return $response;
- }
-}
-
-/**
- * A request to confirm the identity of a user.
- *
- * @package OpenID
- */
-class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request {
- /**
- * Return-to verification callback. Default is
- * Auth_OpenID_verifyReturnTo from TrustRoot.php.
- */
- var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo';
-
- /**
- * The mode of this request.
- */
- var $mode = "checkid_setup"; // or "checkid_immediate"
-
- /**
- * Whether this request is for immediate mode.
- */
- var $immediate = false;
-
- /**
- * The trust_root value for this request.
- */
- var $trust_root = null;
-
- /**
- * The OpenID namespace for this request.
- * deprecated since version 2.0.2
- */
- var $namespace;
-
- static function make($message, $identity, $return_to, $trust_root = null,
- $immediate = false, $assoc_handle = null, $server = null)
- {
- if ($server === null) {
- return new Auth_OpenID_ServerError($message,
- "server must not be null");
- }
-
- if ($return_to &&
- !Auth_OpenID_TrustRoot::_parse($return_to)) {
- return new Auth_OpenID_MalformedReturnURL($message, $return_to);
- }
-
- $r = new Auth_OpenID_CheckIDRequest($identity, $return_to,
- $trust_root, $immediate,
- $assoc_handle, $server);
-
- $r->namespace = $message->getOpenIDNamespace();
- $r->message = $message;
-
- if (!$r->trustRootValid()) {
- return new Auth_OpenID_UntrustedReturnURL($message,
- $return_to,
- $trust_root);
- } else {
- return $r;
- }
- }
-
- function Auth_OpenID_CheckIDRequest($identity, $return_to,
- $trust_root = null, $immediate = false,
- $assoc_handle = null, $server = null,
- $claimed_id = null)
- {
- $this->namespace = Auth_OpenID_OPENID2_NS;
- $this->assoc_handle = $assoc_handle;
- $this->identity = $identity;
- if ($claimed_id === null) {
- $this->claimed_id = $identity;
- } else {
- $this->claimed_id = $claimed_id;
- }
- $this->return_to = $return_to;
- $this->trust_root = $trust_root;
- $this->server = $server;
-
- if ($immediate) {
- $this->immediate = true;
- $this->mode = "checkid_immediate";
- } else {
- $this->immediate = false;
- $this->mode = "checkid_setup";
- }
- }
-
- function equals($other)
- {
- return (
- (is_a($other, 'Auth_OpenID_CheckIDRequest')) &&
- ($this->namespace == $other->namespace) &&
- ($this->assoc_handle == $other->assoc_handle) &&
- ($this->identity == $other->identity) &&
- ($this->claimed_id == $other->claimed_id) &&
- ($this->return_to == $other->return_to) &&
- ($this->trust_root == $other->trust_root));
- }
-
- /*
- * Does the relying party publish the return_to URL for this
- * response under the realm? It is up to the provider to set a
- * policy for what kinds of realms should be allowed. This
- * return_to URL verification reduces vulnerability to data-theft
- * attacks based on open proxies, corss-site-scripting, or open
- * redirectors.
- *
- * This check should only be performed after making sure that the
- * return_to URL matches the realm.
- *
- * @return true if the realm publishes a document with the
- * return_to URL listed, false if not or if discovery fails
- */
- function returnToVerified()
- {
- $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
- return call_user_func_array($this->verifyReturnTo,
- array($this->trust_root, $this->return_to, $fetcher));
- }
-
- static function fromMessage($message, $server)
- {
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
- $immediate = null;
-
- if ($mode == "checkid_immediate") {
- $immediate = true;
- $mode = "checkid_immediate";
- } else {
- $immediate = false;
- $mode = "checkid_setup";
- }
-
- $return_to = $message->getArg(Auth_OpenID_OPENID_NS,
- 'return_to');
-
- if (($message->isOpenID1()) &&
- (!$return_to)) {
- $fmt = "Missing required field 'return_to' from checkid request";
- return new Auth_OpenID_ServerError($message, $fmt);
- }
-
- $identity = $message->getArg(Auth_OpenID_OPENID_NS,
- 'identity');
- $claimed_id = $message->getArg(Auth_OpenID_OPENID_NS, 'claimed_id');
- if ($message->isOpenID1()) {
- if ($identity === null) {
- $s = "OpenID 1 message did not contain openid.identity";
- return new Auth_OpenID_ServerError($message, $s);
- }
- } else {
- if ($identity && !$claimed_id) {
- $s = "OpenID 2.0 message contained openid.identity but not " .
- "claimed_id";
- return new Auth_OpenID_ServerError($message, $s);
- } else if ($claimed_id && !$identity) {
- $s = "OpenID 2.0 message contained openid.claimed_id " .
- "but not identity";
- return new Auth_OpenID_ServerError($message, $s);
- }
- }
-
- // There's a case for making self.trust_root be a TrustRoot
- // here. But if TrustRoot isn't currently part of the
- // "public" API, I'm not sure it's worth doing.
- if ($message->isOpenID1()) {
- $trust_root_param = 'trust_root';
- } else {
- $trust_root_param = 'realm';
- }
- $trust_root = $message->getArg(Auth_OpenID_OPENID_NS,
- $trust_root_param);
- if (! $trust_root) {
- $trust_root = $return_to;
- }
-
- if (! $message->isOpenID1() &&
- ($return_to === null) &&
- ($trust_root === null)) {
- return new Auth_OpenID_ServerError($message,
- "openid.realm required when openid.return_to absent");
- }
-
- $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
- 'assoc_handle');
-
- $obj = Auth_OpenID_CheckIDRequest::make($message,
- $identity,
- $return_to,
- $trust_root,
- $immediate,
- $assoc_handle,
- $server);
-
- if (is_a($obj, 'Auth_OpenID_ServerError')) {
- return $obj;
- }
-
- $obj->claimed_id = $claimed_id;
-
- return $obj;
- }
-
- function idSelect()
- {
- // Is the identifier to be selected by the IDP?
- // So IDPs don't have to import the constant
- return $this->identity == Auth_OpenID_IDENTIFIER_SELECT;
- }
-
- function trustRootValid()
- {
- if (!$this->trust_root) {
- return true;
- }
-
- $tr = Auth_OpenID_TrustRoot::_parse($this->trust_root);
- if ($tr === false) {
- return new Auth_OpenID_MalformedTrustRoot($this->message,
- $this->trust_root);
- }
-
- if ($this->return_to !== null) {
- return Auth_OpenID_TrustRoot::match($this->trust_root,
- $this->return_to);
- } else {
- return true;
- }
- }
-
- /**
- * Respond to this request. Return either an
- * {@link Auth_OpenID_ServerResponse} or
- * {@link Auth_OpenID_ServerError}.
- *
- * @param bool $allow Allow this user to claim this identity, and
- * allow the consumer to have this information?
- *
- * @param string $server_url DEPRECATED. Passing $op_endpoint to
- * the {@link Auth_OpenID_Server} constructor makes this optional.
- *
- * When an OpenID 1.x immediate mode request does not succeed, it
- * gets back a URL where the request may be carried out in a
- * not-so-immediate fashion. Pass my URL in here (the fully
- * qualified address of this server's endpoint, i.e.
- * http://example.com/server), and I will use it as a base for the
- * URL for a new request.
- *
- * Optional for requests where {@link $immediate} is false or
- * $allow is true.
- *
- * @param string $identity The OP-local identifier to answer with.
- * Only for use when the relying party requested identifier
- * selection.
- *
- * @param string $claimed_id The claimed identifier to answer
- * with, for use with identifier selection in the case where the
- * claimed identifier and the OP-local identifier differ,
- * i.e. when the claimed_id uses delegation.
- *
- * If $identity is provided but this is not, $claimed_id will
- * default to the value of $identity. When answering requests
- * that did not ask for identifier selection, the response
- * $claimed_id will default to that of the request.
- *
- * This parameter is new in OpenID 2.0.
- *
- * @return mixed
- */
- function answer($allow, $server_url = null, $identity = null,
- $claimed_id = null)
- {
- if (!$this->return_to) {
- return new Auth_OpenID_NoReturnToError();
- }
-
- if (!$server_url) {
- if ((!$this->message->isOpenID1()) &&
- (!$this->server->op_endpoint)) {
- return new Auth_OpenID_ServerError(null,
- "server should be constructed with op_endpoint to " .
- "respond to OpenID 2.0 messages.");
- }
-
- $server_url = $this->server->op_endpoint;
- }
-
- if ($allow) {
- $mode = 'id_res';
- } else if ($this->message->isOpenID1()) {
- if ($this->immediate) {
- $mode = 'id_res';
- } else {
- $mode = 'cancel';
- }
- } else {
- if ($this->immediate) {
- $mode = 'setup_needed';
- } else {
- $mode = 'cancel';
- }
- }
-
- if (!$this->trustRootValid()) {
- return new Auth_OpenID_UntrustedReturnURL(null,
- $this->return_to,
- $this->trust_root);
- }
-
- $response = new Auth_OpenID_ServerResponse($this);
-
- if ($claimed_id &&
- ($this->message->isOpenID1())) {
- return new Auth_OpenID_ServerError(null,
- "claimed_id is new in OpenID 2.0 and not " .
- "available for ".$this->namespace);
- }
-
- if ($identity && !$claimed_id) {
- $claimed_id = $identity;
- }
-
- if ($allow) {
-
- if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) {
- if (!$identity) {
- return new Auth_OpenID_ServerError(null,
- "This request uses IdP-driven identifier selection. " .
- "You must supply an identifier in the response.");
- }
-
- $response_identity = $identity;
- $response_claimed_id = $claimed_id;
-
- } else if ($this->identity) {
- if ($identity &&
- ($this->identity != $identity)) {
- $fmt = "Request was for %s, cannot reply with identity %s";
- return new Auth_OpenID_ServerError(null,
- sprintf($fmt, $this->identity, $identity));
- }
-
- $response_identity = $this->identity;
- $response_claimed_id = $this->claimed_id;
- } else {
- if ($identity) {
- return new Auth_OpenID_ServerError(null,
- "This request specified no identity and " .
- "you supplied ".$identity);
- }
-
- $response_identity = null;
- }
-
- if (($this->message->isOpenID1()) &&
- ($response_identity === null)) {
- return new Auth_OpenID_ServerError(null,
- "Request was an OpenID 1 request, so response must " .
- "include an identifier.");
- }
-
- $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
- array('mode' => $mode,
- 'return_to' => $this->return_to,
- 'response_nonce' => Auth_OpenID_mkNonce()));
-
- if (!$this->message->isOpenID1()) {
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'op_endpoint', $server_url);
- }
-
- if ($response_identity !== null) {
- $response->fields->setArg(
- Auth_OpenID_OPENID_NS,
- 'identity',
- $response_identity);
- if ($this->message->isOpenID2()) {
- $response->fields->setArg(
- Auth_OpenID_OPENID_NS,
- 'claimed_id',
- $response_claimed_id);
- }
- }
-
- } else {
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'mode', $mode);
-
- if ($this->immediate) {
- if (($this->message->isOpenID1()) &&
- (!$server_url)) {
- return new Auth_OpenID_ServerError(null,
- 'setup_url is required for $allow=false \
- in OpenID 1.x immediate mode.');
- }
-
- $setup_request = new Auth_OpenID_CheckIDRequest(
- $this->identity,
- $this->return_to,
- $this->trust_root,
- false,
- $this->assoc_handle,
- $this->server,
- $this->claimed_id);
- $setup_request->message = $this->message;
-
- $setup_url = $setup_request->encodeToURL($server_url);
-
- if ($setup_url === null) {
- return new Auth_OpenID_NoReturnToError();
- }
-
- $response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'user_setup_url',
- $setup_url);
- }
- }
-
- return $response;
- }
-
- function encodeToURL($server_url)
- {
- if (!$this->return_to) {
- return new Auth_OpenID_NoReturnToError();
- }
-
- // Imported from the alternate reality where these classes are
- // used in both the client and server code, so Requests are
- // Encodable too. That's right, code imported from alternate
- // realities all for the love of you, id_res/user_setup_url.
-
- $q = array('mode' => $this->mode,
- 'identity' => $this->identity,
- 'claimed_id' => $this->claimed_id,
- 'return_to' => $this->return_to);
-
- if ($this->trust_root) {
- if ($this->message->isOpenID1()) {
- $q['trust_root'] = $this->trust_root;
- } else {
- $q['realm'] = $this->trust_root;
- }
- }
-
- if ($this->assoc_handle) {
- $q['assoc_handle'] = $this->assoc_handle;
- }
-
- $response = new Auth_OpenID_Message(
- $this->message->getOpenIDNamespace());
- $response->updateArgs(Auth_OpenID_OPENID_NS, $q);
- return $response->toURL($server_url);
- }
-
- function getCancelURL()
- {
- if (!$this->return_to) {
- return new Auth_OpenID_NoReturnToError();
- }
-
- if ($this->immediate) {
- return new Auth_OpenID_ServerError(null,
- "Cancel is not an appropriate \
- response to immediate mode \
- requests.");
- }
-
- $response = new Auth_OpenID_Message(
- $this->message->getOpenIDNamespace());
- $response->setArg(Auth_OpenID_OPENID_NS, 'mode', 'cancel');
- return $response->toURL($this->return_to);
- }
-}
-
-/**
- * This class encapsulates the response to an OpenID server request.
- *
- * @package OpenID
- */
-class Auth_OpenID_ServerResponse {
-
- function Auth_OpenID_ServerResponse($request)
- {
- $this->request = $request;
- $this->fields = new Auth_OpenID_Message($this->request->namespace);
- }
-
- function whichEncoding()
- {
- global $_Auth_OpenID_Request_Modes;
-
- if (in_array($this->request->mode, $_Auth_OpenID_Request_Modes)) {
- if ($this->fields->isOpenID2() &&
- (strlen($this->encodeToURL()) >
- Auth_OpenID_OPENID1_URL_LIMIT)) {
- return Auth_OpenID_ENCODE_HTML_FORM;
- } else {
- return Auth_OpenID_ENCODE_URL;
- }
- } else {
- return Auth_OpenID_ENCODE_KVFORM;
- }
- }
-
- /*
- * Returns the form markup for this response.
- *
- * @return str
- */
- function toFormMarkup($form_tag_attrs=null)
- {
- return $this->fields->toFormMarkup($this->request->return_to,
- $form_tag_attrs);
- }
-
- /*
- * Returns an HTML document containing the form markup for this
- * response that autosubmits with javascript.
- */
- function toHTML()
- {
- return Auth_OpenID::autoSubmitHTML($this->toFormMarkup());
- }
-
- /*
- * Returns True if this response's encoding is ENCODE_HTML_FORM.
- * Convenience method for server authors.
- *
- * @return bool
- */
- function renderAsForm()
- {
- return $this->whichEncoding() == Auth_OpenID_ENCODE_HTML_FORM;
- }
-
-
- function encodeToURL()
- {
- return $this->fields->toURL($this->request->return_to);
- }
-
- function addExtension($extension_response)
- {
- $extension_response->toMessage($this->fields);
- }
-
- function needsSigning()
- {
- return $this->fields->getArg(Auth_OpenID_OPENID_NS,
- 'mode') == 'id_res';
- }
-
- function encodeToKVForm()
- {
- return $this->fields->toKVForm();
- }
-}
-
-/**
- * A web-capable response object which you can use to generate a
- * user-agent response.
- *
- * @package OpenID
- */
-class Auth_OpenID_WebResponse {
- var $code = AUTH_OPENID_HTTP_OK;
- var $body = "";
-
- function Auth_OpenID_WebResponse($code = null, $headers = null,
- $body = null)
- {
- if ($code) {
- $this->code = $code;
- }
-
- if ($headers !== null) {
- $this->headers = $headers;
- } else {
- $this->headers = array();
- }
-
- if ($body !== null) {
- $this->body = $body;
- }
- }
-}
-
-/**
- * Responsible for the signature of query data and the verification of
- * OpenID signature values.
- *
- * @package OpenID
- */
-class Auth_OpenID_Signatory {
-
- // = 14 * 24 * 60 * 60; # 14 days, in seconds
- var $SECRET_LIFETIME = 1209600;
-
- // keys have a bogus server URL in them because the filestore
- // really does expect that key to be a URL. This seems a little
- // silly for the server store, since I expect there to be only one
- // server URL.
- var $normal_key = 'http://localhost/|normal';
- var $dumb_key = 'http://localhost/|dumb';
-
- /**
- * Create a new signatory using a given store.
- */
- function Auth_OpenID_Signatory($store)
- {
- // assert store is not None
- $this->store = $store;
- }
-
- /**
- * Verify, using a given association handle, a signature with
- * signed key-value pairs from an HTTP request.
- */
- function verify($assoc_handle, $message)
- {
- $assoc = $this->getAssociation($assoc_handle, true);
- if (!$assoc) {
- // oidutil.log("failed to get assoc with handle %r to verify sig %r"
- // % (assoc_handle, sig))
- return false;
- }
-
- return $assoc->checkMessageSignature($message);
- }
-
- /**
- * Given a response, sign the fields in the response's 'signed'
- * list, and insert the signature into the response.
- */
- function sign($response)
- {
- $signed_response = $response;
- $assoc_handle = $response->request->assoc_handle;
-
- if ($assoc_handle) {
- // normal mode
- $assoc = $this->getAssociation($assoc_handle, false, false);
- if (!$assoc || ($assoc->getExpiresIn() <= 0)) {
- // fall back to dumb mode
- $signed_response->fields->setArg(Auth_OpenID_OPENID_NS,
- 'invalidate_handle', $assoc_handle);
- $assoc_type = ($assoc ? $assoc->assoc_type : 'HMAC-SHA1');
-
- if ($assoc && ($assoc->getExpiresIn() <= 0)) {
- $this->invalidate($assoc_handle, false);
- }
-
- $assoc = $this->createAssociation(true, $assoc_type);
- }
- } else {
- // dumb mode.
- $assoc = $this->createAssociation(true);
- }
-
- $signed_response->fields = $assoc->signMessage(
- $signed_response->fields);
- return $signed_response;
- }
-
- /**
- * Make a new association.
- */
- function createAssociation($dumb = true, $assoc_type = 'HMAC-SHA1')
- {
- $secret = Auth_OpenID_CryptUtil::getBytes(
- Auth_OpenID_getSecretSize($assoc_type));
-
- $uniq = base64_encode(Auth_OpenID_CryptUtil::getBytes(4));
- $handle = sprintf('{%s}{%x}{%s}', $assoc_type, intval(time()), $uniq);
-
- $assoc = Auth_OpenID_Association::fromExpiresIn(
- $this->SECRET_LIFETIME, $handle, $secret, $assoc_type);
-
- if ($dumb) {
- $key = $this->dumb_key;
- } else {
- $key = $this->normal_key;
- }
-
- $this->store->storeAssociation($key, $assoc);
- return $assoc;
- }
-
- /**
- * Given an association handle, get the association from the
- * store, or return a ServerError or null if something goes wrong.
- */
- function getAssociation($assoc_handle, $dumb, $check_expiration=true)
- {
- if ($assoc_handle === null) {
- return new Auth_OpenID_ServerError(null,
- "assoc_handle must not be null");
- }
-
- if ($dumb) {
- $key = $this->dumb_key;
- } else {
- $key = $this->normal_key;
- }
-
- $assoc = $this->store->getAssociation($key, $assoc_handle);
-
- if (($assoc !== null) && ($assoc->getExpiresIn() <= 0)) {
- if ($check_expiration) {
- $this->store->removeAssociation($key, $assoc_handle);
- $assoc = null;
- }
- }
-
- return $assoc;
- }
-
- /**
- * Invalidate a given association handle.
- */
- function invalidate($assoc_handle, $dumb)
- {
- if ($dumb) {
- $key = $this->dumb_key;
- } else {
- $key = $this->normal_key;
- }
- $this->store->removeAssociation($key, $assoc_handle);
- }
-}
-
-/**
- * Encode an {@link Auth_OpenID_ServerResponse} to an
- * {@link Auth_OpenID_WebResponse}.
- *
- * @package OpenID
- */
-class Auth_OpenID_Encoder {
-
- var $responseFactory = 'Auth_OpenID_WebResponse';
-
- /**
- * Encode an {@link Auth_OpenID_ServerResponse} and return an
- * {@link Auth_OpenID_WebResponse}.
- */
- function encode($response)
- {
- $cls = $this->responseFactory;
-
- $encode_as = $response->whichEncoding();
- if ($encode_as == Auth_OpenID_ENCODE_KVFORM) {
- $wr = new $cls(null, null, $response->encodeToKVForm());
- if (is_a($response, 'Auth_OpenID_ServerError')) {
- $wr->code = AUTH_OPENID_HTTP_ERROR;
- }
- } else if ($encode_as == Auth_OpenID_ENCODE_URL) {
- $location = $response->encodeToURL();
- $wr = new $cls(AUTH_OPENID_HTTP_REDIRECT,
- array('location' => $location));
- } else if ($encode_as == Auth_OpenID_ENCODE_HTML_FORM) {
- $wr = new $cls(AUTH_OPENID_HTTP_OK, array(),
- $response->toHTML());
- } else {
- return new Auth_OpenID_EncodingError($response);
- }
- /* Allow the response to carry a custom error code (ex: for Association errors) */
- if(isset($response->code)) {
- $wr->code = $response->code;
- }
- return $wr;
- }
-}
-
-/**
- * An encoder which also takes care of signing fields when required.
- *
- * @package OpenID
- */
-class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder {
-
- function Auth_OpenID_SigningEncoder($signatory)
- {
- $this->signatory = $signatory;
- }
-
- /**
- * Sign an {@link Auth_OpenID_ServerResponse} and return an
- * {@link Auth_OpenID_WebResponse}.
- */
- function encode($response)
- {
- // the isinstance is a bit of a kludge... it means there isn't
- // really an adapter to make the interfaces quite match.
- if (!is_a($response, 'Auth_OpenID_ServerError') &&
- $response->needsSigning()) {
-
- if (!$this->signatory) {
- return new Auth_OpenID_ServerError(null,
- "Must have a store to sign request");
- }
-
- if ($response->fields->hasKey(Auth_OpenID_OPENID_NS, 'sig')) {
- return new Auth_OpenID_AlreadySigned($response);
- }
- $response = $this->signatory->sign($response);
- }
-
- return parent::encode($response);
- }
-}
-
-/**
- * Decode an incoming query into an Auth_OpenID_Request.
- *
- * @package OpenID
- */
-class Auth_OpenID_Decoder {
-
- function Auth_OpenID_Decoder($server)
- {
- $this->server = $server;
-
- $this->handlers = array(
- 'checkid_setup' => 'Auth_OpenID_CheckIDRequest',
- 'checkid_immediate' => 'Auth_OpenID_CheckIDRequest',
- 'check_authentication' => 'Auth_OpenID_CheckAuthRequest',
- 'associate' => 'Auth_OpenID_AssociateRequest'
- );
- }
-
- /**
- * Given an HTTP query in an array (key-value pairs), decode it
- * into an Auth_OpenID_Request object.
- */
- function decode($query)
- {
- if (!$query) {
- return null;
- }
-
- $message = Auth_OpenID_Message::fromPostArgs($query);
-
- if ($message === null) {
- /*
- * It's useful to have a Message attached to a
- * ProtocolError, so we override the bad ns value to build
- * a Message out of it. Kinda kludgy, since it's made of
- * lies, but the parts that aren't lies are more useful
- * than a 'None'.
- */
- $old_ns = $query['openid.ns'];
-
- $query['openid.ns'] = Auth_OpenID_OPENID2_NS;
- $message = Auth_OpenID_Message::fromPostArgs($query);
- return new Auth_OpenID_ServerError(
- $message,
- sprintf("Invalid OpenID namespace URI: %s", $old_ns));
- }
-
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
- if (!$mode) {
- return new Auth_OpenID_ServerError($message,
- "No mode value in message");
- }
-
- if (Auth_OpenID::isFailure($mode)) {
- return new Auth_OpenID_ServerError($message,
- $mode->message);
- }
-
- $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode,
- $this->defaultDecoder($message));
-
- if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
- return call_user_func_array(array($handlerCls, 'fromMessage'),
- array($message, $this->server));
- } else {
- return $handlerCls;
- }
- }
-
- function defaultDecoder($message)
- {
- $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
-
- if (Auth_OpenID::isFailure($mode)) {
- return new Auth_OpenID_ServerError($message,
- $mode->message);
- }
-
- return new Auth_OpenID_ServerError($message,
- sprintf("Unrecognized OpenID mode %s", $mode));
- }
-}
-
-/**
- * An error that indicates an encoding problem occurred.
- *
- * @package OpenID
- */
-class Auth_OpenID_EncodingError {
- function Auth_OpenID_EncodingError($response)
- {
- $this->response = $response;
- }
-}
-
-/**
- * An error that indicates that a response was already signed.
- *
- * @package OpenID
- */
-class Auth_OpenID_AlreadySigned extends Auth_OpenID_EncodingError {
- // This response is already signed.
-}
-
-/**
- * An error that indicates that the given return_to is not under the
- * given trust_root.
- *
- * @package OpenID
- */
-class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError {
- function Auth_OpenID_UntrustedReturnURL($message, $return_to,
- $trust_root)
- {
- parent::Auth_OpenID_ServerError($message, "Untrusted return_to URL");
- $this->return_to = $return_to;
- $this->trust_root = $trust_root;
- }
-
- function toString()
- {
- return sprintf("return_to %s not under trust_root %s",
- $this->return_to, $this->trust_root);
- }
-}
-
-/**
- * I handle requests for an OpenID server.
- *
- * Some types of requests (those which are not checkid requests) may
- * be handed to my {@link handleRequest} method, and I will take care
- * of it and return a response.
- *
- * For your convenience, I also provide an interface to {@link
- * Auth_OpenID_Decoder::decode()} and {@link
- * Auth_OpenID_SigningEncoder::encode()} through my methods {@link
- * decodeRequest} and {@link encodeResponse}.
- *
- * All my state is encapsulated in an {@link Auth_OpenID_OpenIDStore}.
- *
- * Example:
- *
- * <pre> $oserver = new Auth_OpenID_Server(Auth_OpenID_FileStore($data_path),
- * "http://example.com/op");
- * $request = $oserver->decodeRequest();
- * if (in_array($request->mode, array('checkid_immediate',
- * 'checkid_setup'))) {
- * if ($app->isAuthorized($request->identity, $request->trust_root)) {
- * $response = $request->answer(true);
- * } else if ($request->immediate) {
- * $response = $request->answer(false);
- * } else {
- * $app->showDecidePage($request);
- * return;
- * }
- * } else {
- * $response = $oserver->handleRequest($request);
- * }
- *
- * $webresponse = $oserver->encode($response);</pre>
- *
- * @package OpenID
- */
-class Auth_OpenID_Server {
- function Auth_OpenID_Server($store, $op_endpoint=null)
- {
- $this->store = $store;
- $this->signatory = new Auth_OpenID_Signatory($this->store);
- $this->encoder = new Auth_OpenID_SigningEncoder($this->signatory);
- $this->decoder = new Auth_OpenID_Decoder($this);
- $this->op_endpoint = $op_endpoint;
- $this->negotiator = Auth_OpenID_getDefaultNegotiator();
- }
-
- /**
- * Handle a request. Given an {@link Auth_OpenID_Request} object,
- * call the appropriate {@link Auth_OpenID_Server} method to
- * process the request and generate a response.
- *
- * @param Auth_OpenID_Request $request An {@link Auth_OpenID_Request}
- * returned by {@link Auth_OpenID_Server::decodeRequest()}.
- *
- * @return Auth_OpenID_ServerResponse $response A response object
- * capable of generating a user-agent reply.
- */
- function handleRequest($request)
- {
- if (method_exists($this, "openid_" . $request->mode)) {
- $handler = array($this, "openid_" . $request->mode);
- return call_user_func_array($handler, array($request));
- }
- return null;
- }
-
- /**
- * The callback for 'check_authentication' messages.
- */
- function openid_check_authentication($request)
- {
- return $request->answer($this->signatory);
- }
-
- /**
- * The callback for 'associate' messages.
- */
- function openid_associate($request)
- {
- $assoc_type = $request->assoc_type;
- $session_type = $request->session->session_type;
- if ($this->negotiator->isAllowed($assoc_type, $session_type)) {
- $assoc = $this->signatory->createAssociation(false,
- $assoc_type);
- return $request->answer($assoc);
- } else {
- $message = sprintf('Association type %s is not supported with '.
- 'session type %s', $assoc_type, $session_type);
- list($preferred_assoc_type, $preferred_session_type) =
- $this->negotiator->getAllowedType();
- return $request->answerUnsupported($message,
- $preferred_assoc_type,
- $preferred_session_type);
- }
- }
-
- /**
- * Encodes as response in the appropriate format suitable for
- * sending to the user agent.
- */
- function encodeResponse($response)
- {
- return $this->encoder->encode($response);
- }
-
- /**
- * Decodes a query args array into the appropriate
- * {@link Auth_OpenID_Request} object.
- */
- function decodeRequest($query=null)
- {
- if ($query === null) {
- $query = Auth_OpenID::getQuery();
- }
-
- return $this->decoder->decode($query);
- }
-}
-
-
diff --git a/lib/Auth/OpenID/ServerRequest.php b/lib/Auth/OpenID/ServerRequest.php
deleted file mode 100644
index 69222a5e0466851779cb9e6ea57707f6b0f7ef90..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/ServerRequest.php
+++ /dev/null
@@ -1,36 +0,0 @@
-<?php
-/**
- * OpenID Server Request
- *
- * @see Auth_OpenID_Server
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Imports
- */
-require_once "Auth/OpenID.php";
-
-/**
- * Object that holds the state of a request to the OpenID server
- *
- * With accessor functions to get at the internal request data.
- *
- * @see Auth_OpenID_Server
- * @package OpenID
- */
-class Auth_OpenID_ServerRequest {
- function Auth_OpenID_ServerRequest()
- {
- $this->mode = null;
- }
-}
-
diff --git a/lib/Auth/OpenID/TrustRoot.php b/lib/Auth/OpenID/TrustRoot.php
deleted file mode 100644
index 000440b5888649b75f7b3d81f8b29eb283b06450..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/TrustRoot.php
+++ /dev/null
@@ -1,461 +0,0 @@
-<?php
-/**
- * Functions for dealing with OpenID trust roots
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-require_once 'Auth/OpenID/Discover.php';
-
-/**
- * A regular expression that matches a domain ending in a top-level domains.
- * Used in checking trust roots for sanity.
- *
- * @access private
- */
-define('Auth_OpenID___TLDs',
- '/\.(ac|ad|ae|aero|af|ag|ai|al|am|an|ao|aq|ar|arpa|as|asia' .
- '|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|biz|bj|bm|bn|bo|br' .
- '|bs|bt|bv|bw|by|bz|ca|cat|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co' .
- '|com|coop|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|edu|ee|eg' .
- '|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl' .
- '|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie' .
- '|il|im|in|info|int|io|iq|ir|is|it|je|jm|jo|jobs|jp|ke|kg|kh' .
- '|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly' .
- '|ma|mc|md|me|mg|mh|mil|mk|ml|mm|mn|mo|mobi|mp|mq|mr|ms|mt' .
- '|mu|museum|mv|mw|mx|my|mz|na|name|nc|ne|net|nf|ng|ni|nl|no' .
- '|np|nr|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|pro|ps|pt' .
- '|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl' .
- '|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tel|tf|tg|th|tj|tk|tl|tm' .
- '|tn|to|tp|tr|travel|tt|tv|tw|tz|ua|ug|uk|us|uy|uz|va|vc|ve' .
- '|vg|vi|vn|vu|wf|ws|xn--0zwm56d|xn--11b5bs3a9aj6g' .
- '|xn--80akhbyknj4f|xn--9t4b11yi5a|xn--deba0ad|xn--g6w251d' .
- '|xn--hgbk6aj7f53bba|xn--hlcj6aya9esc7a|xn--jxalpdlp' .
- '|xn--kgbechtv|xn--zckzah|ye|yt|yu|za|zm|zw)\.?$/');
-
-define('Auth_OpenID___HostSegmentRe',
- "/^(?:[-a-zA-Z0-9!$&'\\(\\)\\*+,;=._~]|%[a-zA-Z0-9]{2})*$/");
-
-/**
- * A wrapper for trust-root related functions
- */
-class Auth_OpenID_TrustRoot {
- /*
- * Return a discovery URL for this realm.
- *
- * Return null if the realm could not be parsed or was not valid.
- *
- * @param return_to The relying party return URL of the OpenID
- * authentication request
- *
- * @return The URL upon which relying party discovery should be
- * run in order to verify the return_to URL
- */
- static function buildDiscoveryURL($realm)
- {
- $parsed = Auth_OpenID_TrustRoot::_parse($realm);
-
- if ($parsed === false) {
- return false;
- }
-
- if ($parsed['wildcard']) {
- // Use "www." in place of the star
- if ($parsed['host'][0] != '.') {
- return false;
- }
-
- $www_domain = 'www' . $parsed['host'];
-
- return sprintf('%s://%s%s', $parsed['scheme'],
- $www_domain, $parsed['path']);
- } else {
- return $parsed['unparsed'];
- }
- }
-
- /**
- * Parse a URL into its trust_root parts.
- *
- * @static
- *
- * @access private
- *
- * @param string $trust_root The url to parse
- *
- * @return mixed $parsed Either an associative array of trust root
- * parts or false if parsing failed.
- */
- static function _parse($trust_root)
- {
- $trust_root = Auth_OpenID_urinorm($trust_root);
- if ($trust_root === null) {
- return false;
- }
-
- if (preg_match("/:\/\/[^:]+(:\d+){2,}(\/|$)/", $trust_root)) {
- return false;
- }
-
- $parts = @parse_url($trust_root);
- if ($parts === false) {
- return false;
- }
-
- $required_parts = array('scheme', 'host');
- $forbidden_parts = array('user', 'pass', 'fragment');
- $keys = array_keys($parts);
- if (array_intersect($keys, $required_parts) != $required_parts) {
- return false;
- }
-
- if (array_intersect($keys, $forbidden_parts) != array()) {
- return false;
- }
-
- if (!preg_match(Auth_OpenID___HostSegmentRe, $parts['host'])) {
- return false;
- }
-
- $scheme = strtolower($parts['scheme']);
- $allowed_schemes = array('http', 'https');
- if (!in_array($scheme, $allowed_schemes)) {
- return false;
- }
- $parts['scheme'] = $scheme;
-
- $host = strtolower($parts['host']);
- $hostparts = explode('*', $host);
- switch (count($hostparts)) {
- case 1:
- $parts['wildcard'] = false;
- break;
- case 2:
- if ($hostparts[0] ||
- ($hostparts[1] && substr($hostparts[1], 0, 1) != '.')) {
- return false;
- }
- $host = $hostparts[1];
- $parts['wildcard'] = true;
- break;
- default:
- return false;
- }
- if (strpos($host, ':') !== false) {
- return false;
- }
-
- $parts['host'] = $host;
-
- if (isset($parts['path'])) {
- $path = strtolower($parts['path']);
- if (substr($path, 0, 1) != '/') {
- return false;
- }
- } else {
- $path = '/';
- }
-
- $parts['path'] = $path;
- if (!isset($parts['port'])) {
- $parts['port'] = false;
- }
-
-
- $parts['unparsed'] = $trust_root;
-
- return $parts;
- }
-
- /**
- * Is this trust root sane?
- *
- * A trust root is sane if it is syntactically valid and it has a
- * reasonable domain name. Specifically, the domain name must be
- * more than one level below a standard TLD or more than two
- * levels below a two-letter tld.
- *
- * For example, '*.com' is not a sane trust root, but '*.foo.com'
- * is. '*.co.uk' is not sane, but '*.bbc.co.uk' is.
- *
- * This check is not always correct, but it attempts to err on the
- * side of marking sane trust roots insane instead of marking
- * insane trust roots sane. For example, 'kink.fm' is marked as
- * insane even though it "should" (for some meaning of should) be
- * marked sane.
- *
- * This function should be used when creating OpenID servers to
- * alert the users of the server when a consumer attempts to get
- * the user to accept a suspicious trust root.
- *
- * @static
- * @param string $trust_root The trust root to check
- * @return bool $sanity Whether the trust root looks OK
- */
- static function isSane($trust_root)
- {
- $parts = Auth_OpenID_TrustRoot::_parse($trust_root);
- if ($parts === false) {
- return false;
- }
-
- // Localhost is a special case
- if ($parts['host'] == 'localhost') {
- return true;
- }
-
- $host_parts = explode('.', $parts['host']);
- if ($parts['wildcard']) {
- // Remove the empty string from the beginning of the array
- array_shift($host_parts);
- }
-
- if ($host_parts && !$host_parts[count($host_parts) - 1]) {
- array_pop($host_parts);
- }
-
- if (!$host_parts) {
- return false;
- }
-
- // Don't allow adjacent dots
- if (in_array('', $host_parts, true)) {
- return false;
- }
-
- // Get the top-level domain of the host. If it is not a valid TLD,
- // it's not sane.
- preg_match(Auth_OpenID___TLDs, $parts['host'], $matches);
- if (!$matches) {
- return false;
- }
- $tld = $matches[1];
-
- if (count($host_parts) == 1) {
- return false;
- }
-
- if ($parts['wildcard']) {
- // It's a 2-letter tld with a short second to last segment
- // so there needs to be more than two segments specified
- // (e.g. *.co.uk is insane)
- $second_level = $host_parts[count($host_parts) - 2];
- if (strlen($tld) == 2 && strlen($second_level) <= 3) {
- return count($host_parts) > 2;
- }
- }
-
- return true;
- }
-
- /**
- * Does this URL match the given trust root?
- *
- * Return whether the URL falls under the given trust root. This
- * does not check whether the trust root is sane. If the URL or
- * trust root do not parse, this function will return false.
- *
- * @param string $trust_root The trust root to match against
- *
- * @param string $url The URL to check
- *
- * @return bool $matches Whether the URL matches against the
- * trust root
- */
- static function match($trust_root, $url)
- {
- $trust_root_parsed = Auth_OpenID_TrustRoot::_parse($trust_root);
- $url_parsed = Auth_OpenID_TrustRoot::_parse($url);
- if (!$trust_root_parsed || !$url_parsed) {
- return false;
- }
-
- // Check hosts matching
- if ($url_parsed['wildcard']) {
- return false;
- }
- if ($trust_root_parsed['wildcard']) {
- $host_tail = $trust_root_parsed['host'];
- $host = $url_parsed['host'];
- if ($host_tail &&
- substr($host, -(strlen($host_tail))) != $host_tail &&
- substr($host_tail, 1) != $host) {
- return false;
- }
- } else {
- if ($trust_root_parsed['host'] != $url_parsed['host']) {
- return false;
- }
- }
-
- // Check path and query matching
- $base_path = $trust_root_parsed['path'];
- $path = $url_parsed['path'];
- if (!isset($trust_root_parsed['query'])) {
- if ($base_path != $path) {
- if (substr($path, 0, strlen($base_path)) != $base_path) {
- return false;
- }
- if (substr($base_path, strlen($base_path) - 1, 1) != '/' &&
- substr($path, strlen($base_path), 1) != '/') {
- return false;
- }
- }
- } else {
- $base_query = $trust_root_parsed['query'];
- $query = @$url_parsed['query'];
- $qplus = substr($query, 0, strlen($base_query) + 1);
- $bqplus = $base_query . '&';
- if ($base_path != $path ||
- ($base_query != $query && $qplus != $bqplus)) {
- return false;
- }
- }
-
- // The port and scheme need to match exactly
- return ($trust_root_parsed['scheme'] == $url_parsed['scheme'] &&
- $url_parsed['port'] === $trust_root_parsed['port']);
- }
-}
-
-/*
- * If the endpoint is a relying party OpenID return_to endpoint,
- * return the endpoint URL. Otherwise, return None.
- *
- * This function is intended to be used as a filter for the Yadis
- * filtering interface.
- *
- * @see: C{L{openid.yadis.services}}
- * @see: C{L{openid.yadis.filters}}
- *
- * @param endpoint: An XRDS BasicServiceEndpoint, as returned by
- * performing Yadis dicovery.
- *
- * @returns: The endpoint URL or None if the endpoint is not a
- * relying party endpoint.
- */
-function filter_extractReturnURL($endpoint)
-{
- if ($endpoint->matchTypes(array(Auth_OpenID_RP_RETURN_TO_URL_TYPE))) {
- return $endpoint;
- } else {
- return null;
- }
-}
-
-function &Auth_OpenID_extractReturnURL(&$endpoint_list)
-{
- $result = array();
-
- foreach ($endpoint_list as $endpoint) {
- if (filter_extractReturnURL($endpoint)) {
- $result[] = $endpoint;
- }
- }
-
- return $result;
-}
-
-/*
- * Is the return_to URL under one of the supplied allowed return_to
- * URLs?
- */
-function Auth_OpenID_returnToMatches($allowed_return_to_urls, $return_to)
-{
- foreach ($allowed_return_to_urls as $allowed_return_to) {
- // A return_to pattern works the same as a realm, except that
- // it's not allowed to use a wildcard. We'll model this by
- // parsing it as a realm, and not trying to match it if it has
- // a wildcard.
-
- $return_realm = Auth_OpenID_TrustRoot::_parse($allowed_return_to);
- if (// Parses as a trust root
- ($return_realm !== false) &&
- // Does not have a wildcard
- (!$return_realm['wildcard']) &&
- // Matches the return_to that we passed in with it
- (Auth_OpenID_TrustRoot::match($allowed_return_to, $return_to))) {
- return true;
- }
- }
-
- // No URL in the list matched
- return false;
-}
-
-/*
- * Given a relying party discovery URL return a list of return_to
- * URLs.
- */
-function Auth_OpenID_getAllowedReturnURLs($relying_party_url, $fetcher,
- $discover_function=null)
-{
- if ($discover_function === null) {
- $discover_function = array('Auth_Yadis_Yadis', 'discover');
- }
-
- $xrds_parse_cb = array('Auth_OpenID_ServiceEndpoint', 'consumerFromXRDS');
-
- list($rp_url_after_redirects, $endpoints) =
- Auth_Yadis_getServiceEndpoints($relying_party_url, $xrds_parse_cb,
- $discover_function, $fetcher);
-
- if ($rp_url_after_redirects != $relying_party_url) {
- // Verification caused a redirect
- return false;
- }
-
- call_user_func_array($discover_function,
- array($relying_party_url, &$fetcher));
-
- $return_to_urls = array();
- $matching_endpoints = Auth_OpenID_extractReturnURL($endpoints);
-
- foreach ($matching_endpoints as $e) {
- $return_to_urls[] = $e->server_url;
- }
-
- return $return_to_urls;
-}
-
-/*
- * Verify that a return_to URL is valid for the given realm.
- *
- * This function builds a discovery URL, performs Yadis discovery on
- * it, makes sure that the URL does not redirect, parses out the
- * return_to URLs, and finally checks to see if the current return_to
- * URL matches the return_to.
- *
- * @return true if the return_to URL is valid for the realm
- */
-function Auth_OpenID_verifyReturnTo($realm_str, $return_to, $fetcher,
- $_vrfy='Auth_OpenID_getAllowedReturnURLs')
-{
- $disco_url = Auth_OpenID_TrustRoot::buildDiscoveryURL($realm_str);
-
- if ($disco_url === false) {
- return false;
- }
-
- $allowable_urls = call_user_func_array($_vrfy,
- array($disco_url, $fetcher));
-
- // The realm_str could not be parsed.
- if ($allowable_urls === false) {
- return false;
- }
-
- if (Auth_OpenID_returnToMatches($allowable_urls, $return_to)) {
- return true;
- } else {
- return false;
- }
-}
-
diff --git a/lib/Auth/OpenID/URINorm.php b/lib/Auth/OpenID/URINorm.php
deleted file mode 100644
index c051b550aa1b1e3d339cb7110f6bc80ddedaa8d8..0000000000000000000000000000000000000000
--- a/lib/Auth/OpenID/URINorm.php
+++ /dev/null
@@ -1,249 +0,0 @@
-<?php
-
-/**
- * URI normalization routines.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-require_once 'Auth/Yadis/Misc.php';
-
-// from appendix B of rfc 3986 (http://www.ietf.org/rfc/rfc3986.txt)
-function Auth_OpenID_getURIPattern()
-{
- return '&^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?&';
-}
-
-function Auth_OpenID_getAuthorityPattern()
-{
- return '/^([^@]*@)?([^:]*)(:.*)?/';
-}
-
-function Auth_OpenID_getEncodedPattern()
-{
- return '/%([0-9A-Fa-f]{2})/';
-}
-
-# gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"
-#
-# sub-delims = "!" / "$" / "&" / "'" / "(" / ")"
-# / "*" / "+" / "," / ";" / "="
-#
-# unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
-function Auth_OpenID_getURLIllegalCharRE()
-{
- return "/([^-A-Za-z0-9:\/\?#\[\]@\!\$&'\(\)\*\+,;=\._~\%])/";
-}
-
-function Auth_OpenID_getUnreserved()
-{
- $_unreserved = array();
- for ($i = 0; $i < 256; $i++) {
- $_unreserved[$i] = false;
- }
-
- for ($i = ord('A'); $i <= ord('Z'); $i++) {
- $_unreserved[$i] = true;
- }
-
- for ($i = ord('0'); $i <= ord('9'); $i++) {
- $_unreserved[$i] = true;
- }
-
- for ($i = ord('a'); $i <= ord('z'); $i++) {
- $_unreserved[$i] = true;
- }
-
- $_unreserved[ord('-')] = true;
- $_unreserved[ord('.')] = true;
- $_unreserved[ord('_')] = true;
- $_unreserved[ord('~')] = true;
-
- return $_unreserved;
-}
-
-function Auth_OpenID_getEscapeRE()
-{
- $parts = array();
- foreach (array_merge(Auth_Yadis_getUCSChars(),
- Auth_Yadis_getIPrivateChars()) as $pair) {
- list($m, $n) = $pair;
- $parts[] = sprintf("%s-%s", chr($m), chr($n));
- }
-
- return sprintf('[%s]', implode('', $parts));
-}
-
-function Auth_OpenID_pct_encoded_replace_unreserved($mo)
-{
- $_unreserved = Auth_OpenID_getUnreserved();
-
- $i = intval($mo[1], 16);
- if ($_unreserved[$i]) {
- return chr($i);
- } else {
- return strtoupper($mo[0]);
- }
-
- return $mo[0];
-}
-
-function Auth_OpenID_pct_encoded_replace($mo)
-{
- return chr(intval($mo[1], 16));
-}
-
-function Auth_OpenID_remove_dot_segments($path)
-{
- $result_segments = array();
-
- while ($path) {
- if (Auth_Yadis_startswith($path, '../')) {
- $path = substr($path, 3);
- } else if (Auth_Yadis_startswith($path, './')) {
- $path = substr($path, 2);
- } else if (Auth_Yadis_startswith($path, '/./')) {
- $path = substr($path, 2);
- } else if ($path == '/.') {
- $path = '/';
- } else if (Auth_Yadis_startswith($path, '/../')) {
- $path = substr($path, 3);
- if ($result_segments) {
- array_pop($result_segments);
- }
- } else if ($path == '/..') {
- $path = '/';
- if ($result_segments) {
- array_pop($result_segments);
- }
- } else if (($path == '..') ||
- ($path == '.')) {
- $path = '';
- } else {
- $i = 0;
- if ($path[0] == '/') {
- $i = 1;
- }
- $i = strpos($path, '/', $i);
- if ($i === false) {
- $i = strlen($path);
- }
- $result_segments[] = substr($path, 0, $i);
- $path = substr($path, $i);
- }
- }
-
- return implode('', $result_segments);
-}
-
-function Auth_OpenID_urinorm($uri)
-{
- $uri_matches = array();
- preg_match(Auth_OpenID_getURIPattern(), $uri, $uri_matches);
-
- if (count($uri_matches) < 9) {
- for ($i = count($uri_matches); $i <= 9; $i++) {
- $uri_matches[] = '';
- }
- }
-
- $illegal_matches = array();
- preg_match(Auth_OpenID_getURLIllegalCharRE(),
- $uri, $illegal_matches);
- if ($illegal_matches) {
- return null;
- }
-
- $scheme = $uri_matches[2];
- if ($scheme) {
- $scheme = strtolower($scheme);
- }
-
- $scheme = $uri_matches[2];
- if ($scheme === '') {
- // No scheme specified
- return null;
- }
-
- $scheme = strtolower($scheme);
- if (!in_array($scheme, array('http', 'https'))) {
- // Not an absolute HTTP or HTTPS URI
- return null;
- }
-
- $authority = $uri_matches[4];
- if ($authority === '') {
- // Not an absolute URI
- return null;
- }
-
- $authority_matches = array();
- preg_match(Auth_OpenID_getAuthorityPattern(),
- $authority, $authority_matches);
- if (count($authority_matches) === 0) {
- // URI does not have a valid authority
- return null;
- }
-
- if (count($authority_matches) < 4) {
- for ($i = count($authority_matches); $i <= 4; $i++) {
- $authority_matches[] = '';
- }
- }
-
- list($_whole, $userinfo, $host, $port) = $authority_matches;
-
- if ($userinfo === null) {
- $userinfo = '';
- }
-
- if (strpos($host, '%') !== -1) {
- $host = strtolower($host);
- $host = preg_replace_callback(
- Auth_OpenID_getEncodedPattern(),
- 'Auth_OpenID_pct_encoded_replace', $host);
- // NO IDNA.
- // $host = unicode($host, 'utf-8').encode('idna');
- } else {
- $host = strtolower($host);
- }
-
- if ($port) {
- if (($port == ':') ||
- ($scheme == 'http' && $port == ':80') ||
- ($scheme == 'https' && $port == ':443')) {
- $port = '';
- }
- } else {
- $port = '';
- }
-
- $authority = $userinfo . $host . $port;
-
- $path = $uri_matches[5];
- $path = preg_replace_callback(
- Auth_OpenID_getEncodedPattern(),
- 'Auth_OpenID_pct_encoded_replace_unreserved', $path);
-
- $path = Auth_OpenID_remove_dot_segments($path);
- if (!$path) {
- $path = '/';
- }
-
- $query = $uri_matches[6];
- if ($query === null) {
- $query = '';
- }
-
- $fragment = $uri_matches[8];
- if ($fragment === null) {
- $fragment = '';
- }
-
- return $scheme . '://' . $authority . $path . $query . $fragment;
-}
-
-
diff --git a/lib/Auth/Yadis/HTTPFetcher.php b/lib/Auth/Yadis/HTTPFetcher.php
deleted file mode 100644
index 148cde1b2edc4d61dfd4402455402eeda62e84c1..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/HTTPFetcher.php
+++ /dev/null
@@ -1,174 +0,0 @@
-<?php
-
-/**
- * This module contains the HTTP fetcher interface
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Require logging functionality
- */
-require_once "Auth/OpenID.php";
-
-define('Auth_OpenID_FETCHER_MAX_RESPONSE_KB', 1024);
-define('Auth_OpenID_USER_AGENT',
- 'php-openid/'.Auth_OpenID_VERSION.' (php/'.phpversion().')');
-
-class Auth_Yadis_HTTPResponse {
- function Auth_Yadis_HTTPResponse($final_url = null, $status = null,
- $headers = null, $body = null)
- {
- $this->final_url = $final_url;
- $this->status = $status;
- $this->headers = $headers;
- $this->body = $body;
- }
-}
-
-/**
- * This class is the interface for HTTP fetchers the Yadis library
- * uses. This interface is only important if you need to write a new
- * fetcher for some reason.
- *
- * @access private
- * @package OpenID
- */
-class Auth_Yadis_HTTPFetcher {
-
- var $timeout = 20; // timeout in seconds.
-
- /**
- * Return whether a URL can be fetched. Returns false if the URL
- * scheme is not allowed or is not supported by this fetcher
- * implementation; returns true otherwise.
- *
- * @return bool
- */
- function canFetchURL($url)
- {
- if ($this->isHTTPS($url) && !$this->supportsSSL()) {
- Auth_OpenID::log("HTTPS URL unsupported fetching %s",
- $url);
- return false;
- }
-
- if (!$this->allowedURL($url)) {
- Auth_OpenID::log("URL fetching not allowed for '%s'",
- $url);
- return false;
- }
-
- return true;
- }
-
- /**
- * Return whether a URL should be allowed. Override this method to
- * conform to your local policy.
- *
- * By default, will attempt to fetch any http or https URL.
- */
- function allowedURL($url)
- {
- return $this->URLHasAllowedScheme($url);
- }
-
- /**
- * Does this fetcher implementation (and runtime) support fetching
- * HTTPS URLs? May inspect the runtime environment.
- *
- * @return bool $support True if this fetcher supports HTTPS
- * fetching; false if not.
- */
- function supportsSSL()
- {
- trigger_error("not implemented", E_USER_ERROR);
- }
-
- /**
- * Is this an https URL?
- *
- * @access private
- */
- function isHTTPS($url)
- {
- return (bool)preg_match('/^https:\/\//i', $url);
- }
-
- /**
- * Is this an http or https URL?
- *
- * @access private
- */
- function URLHasAllowedScheme($url)
- {
- return (bool)preg_match('/^https?:\/\//i', $url);
- }
-
- /**
- * @access private
- */
- function _findRedirect($headers, $url)
- {
- foreach ($headers as $line) {
- if (strpos(strtolower($line), "location: ") === 0) {
- $parts = explode(" ", $line, 2);
- $loc = $parts[1];
- $ppos = strpos($loc, "://");
- if ($ppos === false || $ppos > strpos($loc, "/")) {
- /* no host; add it */
- $hpos = strpos($url, "://");
- $prt = substr($url, 0, $hpos+3);
- $url = substr($url, $hpos+3);
- if (substr($loc, 0, 1) == "/") {
- /* absolute path */
- $fspos = strpos($url, "/");
- if ($fspos) $loc = $prt.substr($url, 0, $fspos).$loc;
- else $loc = $prt.$url.$loc;
- } else {
- /* relative path */
- $pp = $prt;
- while (1) {
- $xpos = strpos($url, "/");
- if ($xpos === false) break;
- $apos = strpos($url, "?");
- if ($apos !== false && $apos < $xpos) break;
- $apos = strpos($url, "&");
- if ($apos !== false && $apos < $xpos) break;
- $pp .= substr($url, 0, $xpos+1);
- $url = substr($url, $xpos+1);
- }
- $loc = $pp.$loc;
- }
- }
- return $loc;
- }
- }
- return null;
- }
-
- /**
- * Fetches the specified URL using optional extra headers and
- * returns the server's response.
- *
- * @param string $url The URL to be fetched.
- * @param array $extra_headers An array of header strings
- * (e.g. "Accept: text/html").
- * @return mixed $result An array of ($code, $url, $headers,
- * $body) if the URL could be fetched; null if the URL does not
- * pass the URLHasAllowedScheme check or if the server's response
- * is malformed.
- */
- function get($url, $headers = null)
- {
- trigger_error("not implemented", E_USER_ERROR);
- }
-}
-
diff --git a/lib/Auth/Yadis/Manager.php b/lib/Auth/Yadis/Manager.php
deleted file mode 100644
index 3f54fd0bcd908eab5f3037567fc3e5bf77f437f5..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/Manager.php
+++ /dev/null
@@ -1,523 +0,0 @@
-<?php
-
-/**
- * Yadis service manager to be used during yadis-driven authentication
- * attempts.
- *
- * @package OpenID
- */
-
-/**
- * The base session class used by the Auth_Yadis_Manager. This
- * class wraps the default PHP session machinery and should be
- * subclassed if your application doesn't use PHP sessioning.
- *
- * @package OpenID
- */
-class Auth_Yadis_PHPSession {
- /**
- * Set a session key/value pair.
- *
- * @param string $name The name of the session key to add.
- * @param string $value The value to add to the session.
- */
- function set($name, $value)
- {
- $_SESSION[$name] = $value;
- }
-
- /**
- * Get a key's value from the session.
- *
- * @param string $name The name of the key to retrieve.
- * @param string $default The optional value to return if the key
- * is not found in the session.
- * @return string $result The key's value in the session or
- * $default if it isn't found.
- */
- function get($name, $default=null)
- {
- if (array_key_exists($name, $_SESSION)) {
- return $_SESSION[$name];
- } else {
- return $default;
- }
- }
-
- /**
- * Remove a key/value pair from the session.
- *
- * @param string $name The name of the key to remove.
- */
- function del($name)
- {
- unset($_SESSION[$name]);
- }
-
- /**
- * Return the contents of the session in array form.
- */
- function contents()
- {
- return $_SESSION;
- }
-}
-
-/**
- * A session helper class designed to translate between arrays and
- * objects. Note that the class used must have a constructor that
- * takes no parameters. This is not a general solution, but it works
- * for dumb objects that just need to have attributes set. The idea
- * is that you'll subclass this and override $this->check($data) ->
- * bool to implement your own session data validation.
- *
- * @package OpenID
- */
-class Auth_Yadis_SessionLoader {
- /**
- * Override this.
- *
- * @access private
- */
- function check($data)
- {
- return true;
- }
-
- /**
- * Given a session data value (an array), this creates an object
- * (returned by $this->newObject()) whose attributes and values
- * are those in $data. Returns null if $data lacks keys found in
- * $this->requiredKeys(). Returns null if $this->check($data)
- * evaluates to false. Returns null if $this->newObject()
- * evaluates to false.
- *
- * @access private
- */
- function fromSession($data)
- {
- if (!$data) {
- return null;
- }
-
- $required = $this->requiredKeys();
-
- foreach ($required as $k) {
- if (!array_key_exists($k, $data)) {
- return null;
- }
- }
-
- if (!$this->check($data)) {
- return null;
- }
-
- $data = array_merge($data, $this->prepareForLoad($data));
- $obj = $this->newObject($data);
-
- if (!$obj) {
- return null;
- }
-
- foreach ($required as $k) {
- $obj->$k = $data[$k];
- }
-
- return $obj;
- }
-
- /**
- * Prepares the data array by making any necessary changes.
- * Returns an array whose keys and values will be used to update
- * the original data array before calling $this->newObject($data).
- *
- * @access private
- */
- function prepareForLoad($data)
- {
- return array();
- }
-
- /**
- * Returns a new instance of this loader's class, using the
- * session data to construct it if necessary. The object need
- * only be created; $this->fromSession() will take care of setting
- * the object's attributes.
- *
- * @access private
- */
- function newObject($data)
- {
- return null;
- }
-
- /**
- * Returns an array of keys and values built from the attributes
- * of $obj. If $this->prepareForSave($obj) returns an array, its keys
- * and values are used to update the $data array of attributes
- * from $obj.
- *
- * @access private
- */
- function toSession($obj)
- {
- $data = array();
- foreach ($obj as $k => $v) {
- $data[$k] = $v;
- }
-
- $extra = $this->prepareForSave($obj);
-
- if ($extra && is_array($extra)) {
- foreach ($extra as $k => $v) {
- $data[$k] = $v;
- }
- }
-
- return $data;
- }
-
- /**
- * Override this.
- *
- * @access private
- */
- function prepareForSave($obj)
- {
- return array();
- }
-}
-
-/**
- * A concrete loader implementation for Auth_OpenID_ServiceEndpoints.
- *
- * @package OpenID
- */
-class Auth_OpenID_ServiceEndpointLoader extends Auth_Yadis_SessionLoader {
- function newObject($data)
- {
- return new Auth_OpenID_ServiceEndpoint();
- }
-
- function requiredKeys()
- {
- $obj = new Auth_OpenID_ServiceEndpoint();
- $data = array();
- foreach ($obj as $k => $v) {
- $data[] = $k;
- }
- return $data;
- }
-
- function check($data)
- {
- return is_array($data['type_uris']);
- }
-}
-
-/**
- * A concrete loader implementation for Auth_Yadis_Managers.
- *
- * @package OpenID
- */
-class Auth_Yadis_ManagerLoader extends Auth_Yadis_SessionLoader {
- function requiredKeys()
- {
- return array('starting_url',
- 'yadis_url',
- 'services',
- 'session_key',
- '_current',
- 'stale');
- }
-
- function newObject($data)
- {
- return new Auth_Yadis_Manager($data['starting_url'],
- $data['yadis_url'],
- $data['services'],
- $data['session_key']);
- }
-
- function check($data)
- {
- return is_array($data['services']);
- }
-
- function prepareForLoad($data)
- {
- $loader = new Auth_OpenID_ServiceEndpointLoader();
- $services = array();
- foreach ($data['services'] as $s) {
- $services[] = $loader->fromSession($s);
- }
- return array('services' => $services);
- }
-
- function prepareForSave($obj)
- {
- $loader = new Auth_OpenID_ServiceEndpointLoader();
- $services = array();
- foreach ($obj->services as $s) {
- $services[] = $loader->toSession($s);
- }
- return array('services' => $services);
- }
-}
-
-/**
- * The Yadis service manager which stores state in a session and
- * iterates over <Service> elements in a Yadis XRDS document and lets
- * a caller attempt to use each one. This is used by the Yadis
- * library internally.
- *
- * @package OpenID
- */
-class Auth_Yadis_Manager {
-
- /**
- * Intialize a new yadis service manager.
- *
- * @access private
- */
- function Auth_Yadis_Manager($starting_url, $yadis_url,
- $services, $session_key)
- {
- // The URL that was used to initiate the Yadis protocol
- $this->starting_url = $starting_url;
-
- // The URL after following redirects (the identifier)
- $this->yadis_url = $yadis_url;
-
- // List of service elements
- $this->services = $services;
-
- $this->session_key = $session_key;
-
- // Reference to the current service object
- $this->_current = null;
-
- // Stale flag for cleanup if PHP lib has trouble.
- $this->stale = false;
- }
-
- /**
- * @access private
- */
- function length()
- {
- // How many untried services remain?
- return count($this->services);
- }
-
- /**
- * Return the next service
- *
- * $this->current() will continue to return that service until the
- * next call to this method.
- */
- function nextService()
- {
-
- if ($this->services) {
- $this->_current = array_shift($this->services);
- } else {
- $this->_current = null;
- }
-
- return $this->_current;
- }
-
- /**
- * @access private
- */
- function current()
- {
- // Return the current service.
- // Returns None if there are no services left.
- return $this->_current;
- }
-
- /**
- * @access private
- */
- function forURL($url)
- {
- return in_array($url, array($this->starting_url, $this->yadis_url));
- }
-
- /**
- * @access private
- */
- function started()
- {
- // Has the first service been returned?
- return $this->_current !== null;
- }
-}
-
-/**
- * State management for discovery.
- *
- * High-level usage pattern is to call .getNextService(discover) in
- * order to find the next available service for this user for this
- * session. Once a request completes, call .cleanup() to clean up the
- * session state.
- *
- * @package OpenID
- */
-class Auth_Yadis_Discovery {
-
- /**
- * @access private
- */
- var $DEFAULT_SUFFIX = 'auth';
-
- /**
- * @access private
- */
- var $PREFIX = '_yadis_services_';
-
- /**
- * Initialize a discovery object.
- *
- * @param Auth_Yadis_PHPSession $session An object which
- * implements the Auth_Yadis_PHPSession API.
- * @param string $url The URL on which to attempt discovery.
- * @param string $session_key_suffix The optional session key
- * suffix override.
- */
- function Auth_Yadis_Discovery($session, $url,
- $session_key_suffix = null)
- {
- /// Initialize a discovery object
- $this->session = $session;
- $this->url = $url;
- if ($session_key_suffix === null) {
- $session_key_suffix = $this->DEFAULT_SUFFIX;
- }
-
- $this->session_key_suffix = $session_key_suffix;
- $this->session_key = $this->PREFIX . $this->session_key_suffix;
- }
-
- /**
- * Return the next authentication service for the pair of
- * user_input and session. This function handles fallback.
- */
- function getNextService($discover_cb, $fetcher)
- {
- $manager = $this->getManager();
- if (!$manager || (!$manager->services)) {
- $this->destroyManager();
-
- list($yadis_url, $services) = call_user_func_array($discover_cb,
- array(
- $this->url,
- &$fetcher,
- ));
-
- $manager = $this->createManager($services, $yadis_url);
- }
-
- if ($manager) {
- $loader = new Auth_Yadis_ManagerLoader();
- $service = $manager->nextService();
- $this->session->set($this->session_key,
- serialize($loader->toSession($manager)));
- } else {
- $service = null;
- }
-
- return $service;
- }
-
- /**
- * Clean up Yadis-related services in the session and return the
- * most-recently-attempted service from the manager, if one
- * exists.
- *
- * @param $force True if the manager should be deleted regardless
- * of whether it's a manager for $this->url.
- */
- function cleanup($force=false)
- {
- $manager = $this->getManager($force);
- if ($manager) {
- $service = $manager->current();
- $this->destroyManager($force);
- } else {
- $service = null;
- }
-
- return $service;
- }
-
- /**
- * @access private
- */
- function getSessionKey()
- {
- // Get the session key for this starting URL and suffix
- return $this->PREFIX . $this->session_key_suffix;
- }
-
- /**
- * @access private
- *
- * @param $force True if the manager should be returned regardless
- * of whether it's a manager for $this->url.
- */
- function getManager($force=false)
- {
- // Extract the YadisServiceManager for this object's URL and
- // suffix from the session.
-
- $manager_str = $this->session->get($this->getSessionKey());
- $manager = null;
-
- if ($manager_str !== null) {
- $loader = new Auth_Yadis_ManagerLoader();
- $manager = $loader->fromSession(unserialize($manager_str));
- }
-
- if ($manager && ($manager->forURL($this->url) || $force)) {
- return $manager;
- }
- }
-
- /**
- * @access private
- */
- function createManager($services, $yadis_url = null)
- {
- $key = $this->getSessionKey();
- if ($this->getManager()) {
- return $this->getManager();
- }
-
- if ($services) {
- $loader = new Auth_Yadis_ManagerLoader();
- $manager = new Auth_Yadis_Manager($this->url, $yadis_url,
- $services, $key);
- $this->session->set($this->session_key,
- serialize($loader->toSession($manager)));
- return $manager;
- }
- }
-
- /**
- * @access private
- *
- * @param $force True if the manager should be deleted regardless
- * of whether it's a manager for $this->url.
- */
- function destroyManager($force=false)
- {
- if ($this->getManager($force) !== null) {
- $key = $this->getSessionKey();
- $this->session->del($key);
- }
- }
-}
-
diff --git a/lib/Auth/Yadis/Misc.php b/lib/Auth/Yadis/Misc.php
deleted file mode 100644
index a5afa8e9a82c2f46aa0feb7e73cc62da8176f381..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/Misc.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-
-/**
- * Miscellaneous utility values and functions for OpenID and Yadis.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-function Auth_Yadis_getUCSChars()
-{
- return array(
- array(0xA0, 0xD7FF),
- array(0xF900, 0xFDCF),
- array(0xFDF0, 0xFFEF),
- array(0x10000, 0x1FFFD),
- array(0x20000, 0x2FFFD),
- array(0x30000, 0x3FFFD),
- array(0x40000, 0x4FFFD),
- array(0x50000, 0x5FFFD),
- array(0x60000, 0x6FFFD),
- array(0x70000, 0x7FFFD),
- array(0x80000, 0x8FFFD),
- array(0x90000, 0x9FFFD),
- array(0xA0000, 0xAFFFD),
- array(0xB0000, 0xBFFFD),
- array(0xC0000, 0xCFFFD),
- array(0xD0000, 0xDFFFD),
- array(0xE1000, 0xEFFFD)
- );
-}
-
-function Auth_Yadis_getIPrivateChars()
-{
- return array(
- array(0xE000, 0xF8FF),
- array(0xF0000, 0xFFFFD),
- array(0x100000, 0x10FFFD)
- );
-}
-
-function Auth_Yadis_pct_escape_unicode($char_match)
-{
- $c = $char_match[0];
- $result = "";
- for ($i = 0; $i < strlen($c); $i++) {
- $result .= "%".sprintf("%X", ord($c[$i]));
- }
- return $result;
-}
-
-function Auth_Yadis_startswith($s, $stuff)
-{
- return strpos($s, $stuff) === 0;
-}
-
diff --git a/lib/Auth/Yadis/ParanoidHTTPFetcher.php b/lib/Auth/Yadis/ParanoidHTTPFetcher.php
deleted file mode 100644
index c44adfe923f21c6e9ce5416067df7a2e043e1b4b..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/ParanoidHTTPFetcher.php
+++ /dev/null
@@ -1,267 +0,0 @@
-<?php
-
-/**
- * This module contains the CURL-based HTTP fetcher implementation.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Interface import
- */
-require_once "Auth/Yadis/HTTPFetcher.php";
-
-require_once "Auth/OpenID.php";
-
-/**
- * A paranoid {@link Auth_Yadis_HTTPFetcher} class which uses CURL
- * for fetching.
- *
- * @package OpenID
- */
-class Auth_Yadis_ParanoidHTTPFetcher extends Auth_Yadis_HTTPFetcher {
- function Auth_Yadis_ParanoidHTTPFetcher()
- {
- $this->reset();
- }
-
- function reset()
- {
- $this->headers = array();
- $this->data = "";
- }
-
- /**
- * @access private
- */
- function _writeHeader($ch, $header)
- {
- array_push($this->headers, rtrim($header));
- return strlen($header);
- }
-
- /**
- * @access private
- */
- function _writeData($ch, $data)
- {
- if (strlen($this->data) > 1024*Auth_OpenID_FETCHER_MAX_RESPONSE_KB) {
- return 0;
- } else {
- $this->data .= $data;
- return strlen($data);
- }
- }
-
- /**
- * Does this fetcher support SSL URLs?
- */
- function supportsSSL()
- {
- $v = curl_version();
- if(is_array($v)) {
- return in_array('https', $v['protocols']);
- } elseif (is_string($v)) {
- return preg_match('/OpenSSL/i', $v);
- } else {
- return 0;
- }
- }
-
- function get($url, $extra_headers = null)
- {
- if (!$this->canFetchURL($url)) {
- return null;
- }
-
- $stop = time() + $this->timeout;
- $off = $this->timeout;
-
- $redir = true;
-
- while ($redir && ($off > 0)) {
- $this->reset();
-
- $c = curl_init();
-
- if ($c === false) {
- Auth_OpenID::log(
- "curl_init returned false; could not " .
- "initialize for URL '%s'", $url);
- return null;
- }
-
- if (defined('CURLOPT_NOSIGNAL')) {
- curl_setopt($c, CURLOPT_NOSIGNAL, true);
- }
-
- if (!$this->allowedURL($url)) {
- Auth_OpenID::log("Fetching URL not allowed: %s",
- $url);
- return null;
- }
-
- curl_setopt($c, CURLOPT_WRITEFUNCTION,
- array($this, "_writeData"));
- curl_setopt($c, CURLOPT_HEADERFUNCTION,
- array($this, "_writeHeader"));
-
- if ($extra_headers) {
- curl_setopt($c, CURLOPT_HTTPHEADER, $extra_headers);
- }
-
- $cv = curl_version();
- if(is_array($cv)) {
- $curl_user_agent = 'curl/'.$cv['version'];
- } else {
- $curl_user_agent = $cv;
- }
- curl_setopt($c, CURLOPT_USERAGENT,
- Auth_OpenID_USER_AGENT.' '.$curl_user_agent);
- curl_setopt($c, CURLOPT_TIMEOUT, $off);
- curl_setopt($c, CURLOPT_URL, $url);
-
- if (defined('Auth_OpenID_VERIFY_HOST')) {
- // set SSL verification options only if Auth_OpenID_VERIFY_HOST
- // is explicitly set, otherwise use system default.
- if (Auth_OpenID_VERIFY_HOST) {
- curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true);
- curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
- if (defined('Auth_OpenID_CAINFO')) {
- curl_setopt($c, CURLOPT_CAINFO, Auth_OpenID_CAINFO);
- }
- } else {
- curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
- }
- }
-
- curl_exec($c);
-
- $code = curl_getinfo($c, CURLINFO_HTTP_CODE);
- $body = $this->data;
- $headers = $this->headers;
-
- if (!$code) {
- Auth_OpenID::log("Got no response code when fetching %s", $url);
- Auth_OpenID::log("CURL error (%s): %s",
- curl_errno($c), curl_error($c));
- return null;
- }
-
- if (in_array($code, array(301, 302, 303, 307))) {
- $url = $this->_findRedirect($headers, $url);
- $redir = true;
- } else {
- $redir = false;
- curl_close($c);
-
- if (defined('Auth_OpenID_VERIFY_HOST') &&
- Auth_OpenID_VERIFY_HOST == true &&
- $this->isHTTPS($url)) {
- Auth_OpenID::log('OpenID: Verified SSL host %s using '.
- 'curl/get', $url);
- }
- $new_headers = array();
-
- foreach ($headers as $header) {
- if (strpos($header, ': ')) {
- list($name, $value) = explode(': ', $header, 2);
- $new_headers[$name] = $value;
- }
- }
-
- Auth_OpenID::log(
- "Successfully fetched '%s': GET response code %s",
- $url, $code);
-
- return new Auth_Yadis_HTTPResponse($url, $code,
- $new_headers, $body);
- }
-
- $off = $stop - time();
- }
-
- return null;
- }
-
- function post($url, $body, $extra_headers = null)
- {
- if (!$this->canFetchURL($url)) {
- return null;
- }
-
- $this->reset();
-
- $c = curl_init();
-
- if (defined('CURLOPT_NOSIGNAL')) {
- curl_setopt($c, CURLOPT_NOSIGNAL, true);
- }
-
- curl_setopt($c, CURLOPT_POST, true);
- curl_setopt($c, CURLOPT_POSTFIELDS, $body);
- curl_setopt($c, CURLOPT_TIMEOUT, $this->timeout);
- curl_setopt($c, CURLOPT_URL, $url);
- curl_setopt($c, CURLOPT_WRITEFUNCTION,
- array($this, "_writeData"));
-
- if (defined('Auth_OpenID_VERIFY_HOST')) {
- // set SSL verification options only if Auth_OpenID_VERIFY_HOST
- // is explicitly set, otherwise use system default.
- if (Auth_OpenID_VERIFY_HOST) {
- curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true);
- curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
- if (defined('Auth_OpenID_CAINFO')) {
- curl_setopt($c, CURLOPT_CAINFO, Auth_OpenID_CAINFO);
- }
- } else {
- curl_setopt($c, CURLOPT_SSL_VERIFYPEER, false);
- }
- }
-
- curl_exec($c);
-
- $code = curl_getinfo($c, CURLINFO_HTTP_CODE);
-
- if (!$code) {
- Auth_OpenID::log("Got no response code when fetching %s", $url);
- Auth_OpenID::log("CURL error (%s): %s",
- curl_errno($c), curl_error($c));
- return null;
- }
-
- if (defined('Auth_OpenID_VERIFY_HOST') &&
- Auth_OpenID_VERIFY_HOST == true &&
- $this->isHTTPS($url)) {
- Auth_OpenID::log('OpenID: Verified SSL host %s using '.
- 'curl/post', $url);
- }
- $body = $this->data;
-
- curl_close($c);
-
- $new_headers = $extra_headers;
-
- foreach ($this->headers as $header) {
- if (strpos($header, ': ')) {
- list($name, $value) = explode(': ', $header, 2);
- $new_headers[$name] = $value;
- }
-
- }
-
- Auth_OpenID::log("Successfully fetched '%s': POST response code %s",
- $url, $code);
-
- return new Auth_Yadis_HTTPResponse($url, $code,
- $new_headers, $body);
- }
-}
-
diff --git a/lib/Auth/Yadis/ParseHTML.php b/lib/Auth/Yadis/ParseHTML.php
deleted file mode 100644
index 6f0f8b7e282574a62b651a5f470bab923b40d324..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/ParseHTML.php
+++ /dev/null
@@ -1,258 +0,0 @@
-<?php
-
-/**
- * This is the HTML pseudo-parser for the Yadis library.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * This class is responsible for scanning an HTML string to find META
- * tags and their attributes. This is used by the Yadis discovery
- * process. This class must be instantiated to be used.
- *
- * @package OpenID
- */
-class Auth_Yadis_ParseHTML {
-
- /**
- * @access private
- */
- var $_re_flags = "si";
-
- /**
- * @access private
- */
- var $_removed_re =
- "<!--.*?-->|<!\[CDATA\[.*?\]\]>|<script\b(?!:)[^>]*>.*?<\/script>";
-
- /**
- * @access private
- */
- var $_tag_expr = "<%s%s(?:\s.*?)?%s>";
-
- /**
- * @access private
- */
- var $_attr_find = '\b([-\w]+)=(".*?"|\'.*?\'|.+?)[\/\s>]';
-
- function Auth_Yadis_ParseHTML()
- {
- $this->_attr_find = sprintf("/%s/%s",
- $this->_attr_find,
- $this->_re_flags);
-
- $this->_removed_re = sprintf("/%s/%s",
- $this->_removed_re,
- $this->_re_flags);
-
- $this->_entity_replacements = array(
- 'amp' => '&',
- 'lt' => '<',
- 'gt' => '>',
- 'quot' => '"'
- );
-
- $this->_ent_replace =
- sprintf("&(%s);", implode("|",
- $this->_entity_replacements));
- }
-
- /**
- * Replace HTML entities (amp, lt, gt, and quot) as well as
- * numeric entities (e.g. #x9f;) with their actual values and
- * return the new string.
- *
- * @access private
- * @param string $str The string in which to look for entities
- * @return string $new_str The new string entities decoded
- */
- function replaceEntities($str)
- {
- foreach ($this->_entity_replacements as $old => $new) {
- $str = preg_replace(sprintf("/&%s;/", $old), $new, $str);
- }
-
- // Replace numeric entities because html_entity_decode doesn't
- // do it for us.
- $str = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("\\1"))', $str);
- $str = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $str);
-
- return $str;
- }
-
- /**
- * Strip single and double quotes off of a string, if they are
- * present.
- *
- * @access private
- * @param string $str The original string
- * @return string $new_str The new string with leading and
- * trailing quotes removed
- */
- function removeQuotes($str)
- {
- $matches = array();
- $double = '/^"(.*)"$/';
- $single = "/^\'(.*)\'$/";
-
- if (preg_match($double, $str, $matches)) {
- return $matches[1];
- } else if (preg_match($single, $str, $matches)) {
- return $matches[1];
- } else {
- return $str;
- }
- }
-
- /**
- * Create a regular expression that will match an opening
- * or closing tag from a set of names.
- *
- * @access private
- * @param mixed $tag_names Tag names to match
- * @param mixed $close false/0 = no, true/1 = yes, other = maybe
- * @param mixed $self_close false/0 = no, true/1 = yes, other = maybe
- * @return string $regex A regular expression string to be used
- * in, say, preg_match.
- */
- function tagPattern($tag_names, $close, $self_close)
- {
- if (is_array($tag_names)) {
- $tag_names = '(?:'.implode('|',$tag_names).')';
- }
- if ($close) {
- $close = '\/' . (($close == 1)? '' : '?');
- } else {
- $close = '';
- }
- if ($self_close) {
- $self_close = '(?:\/\s*)' . (($self_close == 1)? '' : '?');
- } else {
- $self_close = '';
- }
- $expr = sprintf($this->_tag_expr, $close, $tag_names, $self_close);
-
- return sprintf("/%s/%s", $expr, $this->_re_flags);
- }
-
- /**
- * Given an HTML document string, this finds all the META tags in
- * the document, provided they are found in the
- * <HTML><HEAD>...</HEAD> section of the document. The <HTML> tag
- * may be missing.
- *
- * @access private
- * @param string $html_string An HTMl document string
- * @return array $tag_list Array of tags; each tag is an array of
- * attribute -> value.
- */
- function getMetaTags($html_string)
- {
- $html_string = preg_replace($this->_removed_re,
- "",
- $html_string);
-
- $key_tags = array($this->tagPattern('html', false, false),
- $this->tagPattern('head', false, false),
- $this->tagPattern('head', true, false),
- $this->tagPattern('html', true, false),
- $this->tagPattern(array(
- 'body', 'frameset', 'frame', 'p', 'div',
- 'table','span','a'), 'maybe', 'maybe'));
- $key_tags_pos = array();
- foreach ($key_tags as $pat) {
- $matches = array();
- preg_match($pat, $html_string, $matches, PREG_OFFSET_CAPTURE);
- if($matches) {
- $key_tags_pos[] = $matches[0][1];
- } else {
- $key_tags_pos[] = null;
- }
- }
- // no opening head tag
- if (is_null($key_tags_pos[1])) {
- return array();
- }
- // the effective </head> is the min of the following
- if (is_null($key_tags_pos[2])) {
- $key_tags_pos[2] = strlen($html_string);
- }
- foreach (array($key_tags_pos[3], $key_tags_pos[4]) as $pos) {
- if (!is_null($pos) && $pos < $key_tags_pos[2]) {
- $key_tags_pos[2] = $pos;
- }
- }
- // closing head tag comes before opening head tag
- if ($key_tags_pos[1] > $key_tags_pos[2]) {
- return array();
- }
- // if there is an opening html tag, make sure the opening head tag
- // comes after it
- if (!is_null($key_tags_pos[0]) && $key_tags_pos[1] < $key_tags_pos[0]) {
- return array();
- }
- $html_string = substr($html_string, $key_tags_pos[1],
- ($key_tags_pos[2]-$key_tags_pos[1]));
-
- $link_data = array();
- $link_matches = array();
-
- if (!preg_match_all($this->tagPattern('meta', false, 'maybe'),
- $html_string, $link_matches)) {
- return array();
- }
-
- foreach ($link_matches[0] as $link) {
- $attr_matches = array();
- preg_match_all($this->_attr_find, $link, $attr_matches);
- $link_attrs = array();
- foreach ($attr_matches[0] as $index => $full_match) {
- $name = $attr_matches[1][$index];
- $value = $this->replaceEntities(
- $this->removeQuotes($attr_matches[2][$index]));
-
- $link_attrs[strtolower($name)] = $value;
- }
- $link_data[] = $link_attrs;
- }
-
- return $link_data;
- }
-
- /**
- * Looks for a META tag with an "http-equiv" attribute whose value
- * is one of ("x-xrds-location", "x-yadis-location"), ignoring
- * case. If such a META tag is found, its "content" attribute
- * value is returned.
- *
- * @param string $html_string An HTML document in string format
- * @return mixed $content The "content" attribute value of the
- * META tag, if found, or null if no such tag was found.
- */
- function getHTTPEquiv($html_string)
- {
- $meta_tags = $this->getMetaTags($html_string);
-
- if ($meta_tags) {
- foreach ($meta_tags as $tag) {
- if (array_key_exists('http-equiv', $tag) &&
- (in_array(strtolower($tag['http-equiv']),
- array('x-xrds-location', 'x-yadis-location'))) &&
- array_key_exists('content', $tag)) {
- return $tag['content'];
- }
- }
- }
-
- return null;
- }
-}
-
diff --git a/lib/Auth/Yadis/PlainHTTPFetcher.php b/lib/Auth/Yadis/PlainHTTPFetcher.php
deleted file mode 100644
index 26890539aad69fa3c991d2c41c04c1140ee1a4a0..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/PlainHTTPFetcher.php
+++ /dev/null
@@ -1,248 +0,0 @@
-<?php
-
-/**
- * This module contains the plain non-curl HTTP fetcher
- * implementation.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Interface import
- */
-require_once "Auth/Yadis/HTTPFetcher.php";
-
-/**
- * This class implements a plain, hand-built socket-based fetcher
- * which will be used in the event that CURL is unavailable.
- *
- * @package OpenID
- */
-class Auth_Yadis_PlainHTTPFetcher extends Auth_Yadis_HTTPFetcher {
- /**
- * Does this fetcher support SSL URLs?
- */
- function supportsSSL()
- {
- return function_exists('openssl_open');
- }
-
- function get($url, $extra_headers = null)
- {
- if (!$this->canFetchURL($url)) {
- return null;
- }
-
- $redir = true;
-
- $stop = time() + $this->timeout;
- $off = $this->timeout;
-
- while ($redir && ($off > 0)) {
-
- $parts = parse_url($url);
-
- $specify_port = true;
-
- // Set a default port.
- if (!array_key_exists('port', $parts)) {
- $specify_port = false;
- if ($parts['scheme'] == 'http') {
- $parts['port'] = 80;
- } elseif ($parts['scheme'] == 'https') {
- $parts['port'] = 443;
- } else {
- return null;
- }
- }
-
- if (!array_key_exists('path', $parts)) {
- $parts['path'] = '/';
- }
-
- $host = $parts['host'];
-
- if ($parts['scheme'] == 'https') {
- $host = 'ssl://' . $host;
- }
-
- $user_agent = Auth_OpenID_USER_AGENT;
-
- $headers = array(
- "GET ".$parts['path'].
- (array_key_exists('query', $parts) ?
- "?".$parts['query'] : "").
- " HTTP/1.0",
- "User-Agent: $user_agent",
- "Host: ".$parts['host'].
- ($specify_port ? ":".$parts['port'] : ""),
- "Port: ".$parts['port']);
-
- $errno = 0;
- $errstr = '';
-
- if ($extra_headers) {
- foreach ($extra_headers as $h) {
- $headers[] = $h;
- }
- }
-
- @$sock = fsockopen($host, $parts['port'], $errno, $errstr,
- $this->timeout);
- if ($sock === false) {
- return false;
- }
-
- stream_set_timeout($sock, $this->timeout);
-
- fputs($sock, implode("\r\n", $headers) . "\r\n\r\n");
-
- $data = "";
- $kilobytes = 0;
- while (!feof($sock) &&
- $kilobytes < Auth_OpenID_FETCHER_MAX_RESPONSE_KB ) {
- $data .= fgets($sock, 1024);
- $kilobytes += 1;
- }
-
- fclose($sock);
-
- // Split response into header and body sections
- list($headers, $body) = explode("\r\n\r\n", $data, 2);
- $headers = explode("\r\n", $headers);
-
- $http_code = explode(" ", $headers[0]);
- $code = $http_code[1];
-
- if (in_array($code, array('301', '302'))) {
- $url = $this->_findRedirect($headers, $url);
- $redir = true;
- } else {
- $redir = false;
- }
-
- $off = $stop - time();
- }
-
- $new_headers = array();
-
- foreach ($headers as $header) {
- if (preg_match("/:/", $header)) {
- $parts = explode(": ", $header, 2);
-
- if (count($parts) == 2) {
- list($name, $value) = $parts;
- $new_headers[$name] = $value;
- }
- }
-
- }
-
- return new Auth_Yadis_HTTPResponse($url, $code, $new_headers, $body);
- }
-
- function post($url, $body, $extra_headers = null)
- {
- if (!$this->canFetchURL($url)) {
- return null;
- }
-
- $parts = parse_url($url);
-
- $headers = array();
-
- $post_path = $parts['path'];
- if (isset($parts['query'])) {
- $post_path .= '?' . $parts['query'];
- }
-
- $headers[] = "POST ".$post_path." HTTP/1.0";
- $headers[] = "Host: " . $parts['host'];
- $headers[] = "Content-type: application/x-www-form-urlencoded";
- $headers[] = "Content-length: " . strval(strlen($body));
-
- if ($extra_headers &&
- is_array($extra_headers)) {
- $headers = array_merge($headers, $extra_headers);
- }
-
- // Join all headers together.
- $all_headers = implode("\r\n", $headers);
-
- // Add headers, two newlines, and request body.
- $request = $all_headers . "\r\n\r\n" . $body;
-
- // Set a default port.
- if (!array_key_exists('port', $parts)) {
- if ($parts['scheme'] == 'http') {
- $parts['port'] = 80;
- } elseif ($parts['scheme'] == 'https') {
- $parts['port'] = 443;
- } else {
- return null;
- }
- }
-
- if ($parts['scheme'] == 'https') {
- $parts['host'] = sprintf("ssl://%s", $parts['host']);
- }
-
- // Connect to the remote server.
- $errno = 0;
- $errstr = '';
-
- $sock = fsockopen($parts['host'], $parts['port'], $errno, $errstr,
- $this->timeout);
-
- if ($sock === false) {
- return null;
- }
-
- stream_set_timeout($sock, $this->timeout);
-
- // Write the POST request.
- fputs($sock, $request);
-
- // Get the response from the server.
- $response = "";
- while (!feof($sock)) {
- if ($data = fgets($sock, 128)) {
- $response .= $data;
- } else {
- break;
- }
- }
-
- // Split the request into headers and body.
- list($headers, $response_body) = explode("\r\n\r\n", $response, 2);
-
- $headers = explode("\r\n", $headers);
-
- // Expect the first line of the headers data to be something
- // like HTTP/1.1 200 OK. Split the line on spaces and take
- // the second token, which should be the return code.
- $http_code = explode(" ", $headers[0]);
- $code = $http_code[1];
-
- $new_headers = array();
-
- foreach ($headers as $header) {
- if (preg_match("/:/", $header)) {
- list($name, $value) = explode(": ", $header, 2);
- $new_headers[$name] = $value;
- }
-
- }
-
- return new Auth_Yadis_HTTPResponse($url, $code,
- $new_headers, $response_body);
- }
-}
-
diff --git a/lib/Auth/Yadis/XML.php b/lib/Auth/Yadis/XML.php
deleted file mode 100644
index cf1f5c41b28638f32c4126ea651dfbf93dc984f2..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/XML.php
+++ /dev/null
@@ -1,352 +0,0 @@
-<?php
-
-/**
- * XML-parsing classes to wrap the domxml and DOM extensions for PHP 4
- * and 5, respectively.
- *
- * @package OpenID
- */
-
-/**
- * The base class for wrappers for available PHP XML-parsing
- * extensions. To work with this Yadis library, subclasses of this
- * class MUST implement the API as defined in the remarks for this
- * class. Subclasses of Auth_Yadis_XMLParser are used to wrap
- * particular PHP XML extensions such as 'domxml'. These are used
- * internally by the library depending on the availability of
- * supported PHP XML extensions.
- *
- * @package OpenID
- */
-class Auth_Yadis_XMLParser {
- /**
- * Initialize an instance of Auth_Yadis_XMLParser with some
- * XML and namespaces. This SHOULD NOT be overridden by
- * subclasses.
- *
- * @param string $xml_string A string of XML to be parsed.
- * @param array $namespace_map An array of ($ns_name => $ns_uri)
- * to be registered with the XML parser. May be empty.
- * @return boolean $result True if the initialization and
- * namespace registration(s) succeeded; false otherwise.
- */
- function init($xml_string, $namespace_map)
- {
- if (!$this->setXML($xml_string)) {
- return false;
- }
-
- foreach ($namespace_map as $prefix => $uri) {
- if (!$this->registerNamespace($prefix, $uri)) {
- return false;
- }
- }
-
- return true;
- }
-
- /**
- * Register a namespace with the XML parser. This should be
- * overridden by subclasses.
- *
- * @param string $prefix The namespace prefix to appear in XML tag
- * names.
- *
- * @param string $uri The namespace URI to be used to identify the
- * namespace in the XML.
- *
- * @return boolean $result True if the registration succeeded;
- * false otherwise.
- */
- function registerNamespace($prefix, $uri)
- {
- // Not implemented.
- }
-
- /**
- * Set this parser object's XML payload. This should be
- * overridden by subclasses.
- *
- * @param string $xml_string The XML string to pass to this
- * object's XML parser.
- *
- * @return boolean $result True if the initialization succeeded;
- * false otherwise.
- */
- function setXML($xml_string)
- {
- // Not implemented.
- }
-
- /**
- * Evaluate an XPath expression and return the resulting node
- * list. This should be overridden by subclasses.
- *
- * @param string $xpath The XPath expression to be evaluated.
- *
- * @param mixed $node A node object resulting from a previous
- * evalXPath call. This node, if specified, provides the context
- * for the evaluation of this xpath expression.
- *
- * @return array $node_list An array of matching opaque node
- * objects to be used with other methods of this parser class.
- */
- function &evalXPath($xpath, $node = null)
- {
- // Not implemented.
- }
-
- /**
- * Return the textual content of a specified node.
- *
- * @param mixed $node A node object from a previous call to
- * $this->evalXPath().
- *
- * @return string $content The content of this node.
- */
- function content($node)
- {
- // Not implemented.
- }
-
- /**
- * Return the attributes of a specified node.
- *
- * @param mixed $node A node object from a previous call to
- * $this->evalXPath().
- *
- * @return array $attrs An array mapping attribute names to
- * values.
- */
- function attributes($node)
- {
- // Not implemented.
- }
-}
-
-/**
- * This concrete implementation of Auth_Yadis_XMLParser implements
- * the appropriate API for the 'domxml' extension which is typically
- * packaged with PHP 4. This class will be used whenever the 'domxml'
- * extension is detected. See the Auth_Yadis_XMLParser class for
- * details on this class's methods.
- *
- * @package OpenID
- */
-class Auth_Yadis_domxml extends Auth_Yadis_XMLParser {
- function Auth_Yadis_domxml()
- {
- $this->xml = null;
- $this->doc = null;
- $this->xpath = null;
- $this->errors = array();
- }
-
- function setXML($xml_string)
- {
- $this->xml = $xml_string;
- $this->doc = @domxml_open_mem($xml_string, DOMXML_LOAD_PARSING,
- $this->errors);
-
- if (!$this->doc) {
- return false;
- }
-
- $this->xpath = $this->doc->xpath_new_context();
-
- return true;
- }
-
- function registerNamespace($prefix, $uri)
- {
- return xpath_register_ns($this->xpath, $prefix, $uri);
- }
-
- function &evalXPath($xpath, $node = null)
- {
- if ($node) {
- $result = @$this->xpath->xpath_eval($xpath, $node);
- } else {
- $result = @$this->xpath->xpath_eval($xpath);
- }
-
- if (!$result) {
- $n = array();
- return $n;
- }
-
- if (!$result->nodeset) {
- $n = array();
- return $n;
- }
-
- return $result->nodeset;
- }
-
- function content($node)
- {
- if ($node) {
- return $node->get_content();
- }
- }
-
- function attributes($node)
- {
- if ($node) {
- $arr = $node->attributes();
- $result = array();
-
- if ($arr) {
- foreach ($arr as $attrnode) {
- $result[$attrnode->name] = $attrnode->value;
- }
- }
-
- return $result;
- }
- }
-}
-
-/**
- * This concrete implementation of Auth_Yadis_XMLParser implements
- * the appropriate API for the 'dom' extension which is typically
- * packaged with PHP 5. This class will be used whenever the 'dom'
- * extension is detected. See the Auth_Yadis_XMLParser class for
- * details on this class's methods.
- *
- * @package OpenID
- */
-class Auth_Yadis_dom extends Auth_Yadis_XMLParser {
- function Auth_Yadis_dom()
- {
- $this->xml = null;
- $this->doc = null;
- $this->xpath = null;
- $this->errors = array();
- }
-
- function setXML($xml_string)
- {
- $this->xml = $xml_string;
- $this->doc = new DOMDocument;
-
- if (!$this->doc) {
- return false;
- }
-
- if (!@$this->doc->loadXML($xml_string)) {
- return false;
- }
-
- $this->xpath = new DOMXPath($this->doc);
-
- if ($this->xpath) {
- return true;
- } else {
- return false;
- }
- }
-
- function registerNamespace($prefix, $uri)
- {
- return $this->xpath->registerNamespace($prefix, $uri);
- }
-
- function &evalXPath($xpath, $node = null)
- {
- if ($node) {
- $result = @$this->xpath->query($xpath, $node);
- } else {
- $result = @$this->xpath->query($xpath);
- }
-
- $n = array();
-
- if (!$result) {
- return $n;
- }
-
- for ($i = 0; $i < $result->length; $i++) {
- $n[] = $result->item($i);
- }
-
- return $n;
- }
-
- function content($node)
- {
- if ($node) {
- return $node->textContent;
- }
- }
-
- function attributes($node)
- {
- if ($node) {
- $arr = $node->attributes;
- $result = array();
-
- if ($arr) {
- for ($i = 0; $i < $arr->length; $i++) {
- $node = $arr->item($i);
- $result[$node->nodeName] = $node->nodeValue;
- }
- }
-
- return $result;
- }
- }
-}
-
-global $__Auth_Yadis_defaultParser;
-$__Auth_Yadis_defaultParser = null;
-
-/**
- * Set a default parser to override the extension-driven selection of
- * available parser classes. This is helpful in a test environment or
- * one in which multiple parsers can be used but one is more
- * desirable.
- *
- * @param Auth_Yadis_XMLParser $parser An instance of a
- * Auth_Yadis_XMLParser subclass.
- */
-function Auth_Yadis_setDefaultParser($parser)
-{
- global $__Auth_Yadis_defaultParser;
- $__Auth_Yadis_defaultParser = $parser;
-}
-
-function Auth_Yadis_getSupportedExtensions()
-{
- return array('dom' => 'Auth_Yadis_dom',
- 'domxml' => 'Auth_Yadis_domxml');
-}
-
-/**
- * Returns an instance of a Auth_Yadis_XMLParser subclass based on
- * the availability of PHP extensions for XML parsing. If
- * Auth_Yadis_setDefaultParser has been called, the parser used in
- * that call will be returned instead.
- */
-function Auth_Yadis_getXMLParser()
-{
- global $__Auth_Yadis_defaultParser;
-
- if (isset($__Auth_Yadis_defaultParser)) {
- return $__Auth_Yadis_defaultParser;
- }
-
- foreach(Auth_Yadis_getSupportedExtensions() as $extension => $classname)
- {
- if (extension_loaded($extension))
- {
- $p = new $classname();
- Auth_Yadis_setDefaultParser($p);
- return $p;
- }
- }
-
- return false;
-}
-
-
diff --git a/lib/Auth/Yadis/XRDS.php b/lib/Auth/Yadis/XRDS.php
deleted file mode 100644
index 1f5af96fb21a69c0dcc0641fde44567eb72e9a24..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/XRDS.php
+++ /dev/null
@@ -1,478 +0,0 @@
-<?php
-
-/**
- * This module contains the XRDS parsing code.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Require the XPath implementation.
- */
-require_once 'Auth/Yadis/XML.php';
-
-/**
- * This match mode means a given service must match ALL filters passed
- * to the Auth_Yadis_XRDS::services() call.
- */
-define('SERVICES_YADIS_MATCH_ALL', 101);
-
-/**
- * This match mode means a given service must match ANY filters (at
- * least one) passed to the Auth_Yadis_XRDS::services() call.
- */
-define('SERVICES_YADIS_MATCH_ANY', 102);
-
-/**
- * The priority value used for service elements with no priority
- * specified.
- */
-define('SERVICES_YADIS_MAX_PRIORITY', pow(2, 30));
-
-/**
- * XRD XML namespace
- */
-define('Auth_Yadis_XMLNS_XRD_2_0', 'xri://$xrd*($v*2.0)');
-
-/**
- * XRDS XML namespace
- */
-define('Auth_Yadis_XMLNS_XRDS', 'xri://$xrds');
-
-function Auth_Yadis_getNSMap()
-{
- return array('xrds' => Auth_Yadis_XMLNS_XRDS,
- 'xrd' => Auth_Yadis_XMLNS_XRD_2_0);
-}
-
-/**
- * @access private
- */
-function Auth_Yadis_array_scramble($arr)
-{
- $result = array();
-
- while (count($arr)) {
- $index = array_rand($arr, 1);
- $result[] = $arr[$index];
- unset($arr[$index]);
- }
-
- return $result;
-}
-
-/**
- * This class represents a <Service> element in an XRDS document.
- * Objects of this type are returned by
- * Auth_Yadis_XRDS::services() and
- * Auth_Yadis_Yadis::services(). Each object corresponds directly
- * to a <Service> element in the XRDS and supplies a
- * getElements($name) method which you should use to inspect the
- * element's contents. See {@link Auth_Yadis_Yadis} for more
- * information on the role this class plays in Yadis discovery.
- *
- * @package OpenID
- */
-class Auth_Yadis_Service {
-
- /**
- * Creates an empty service object.
- */
- function Auth_Yadis_Service()
- {
- $this->element = null;
- $this->parser = null;
- }
-
- /**
- * Return the URIs in the "Type" elements, if any, of this Service
- * element.
- *
- * @return array $type_uris An array of Type URI strings.
- */
- function getTypes()
- {
- $t = array();
- foreach ($this->getElements('xrd:Type') as $elem) {
- $c = $this->parser->content($elem);
- if ($c) {
- $t[] = $c;
- }
- }
- return $t;
- }
-
- function matchTypes($type_uris)
- {
- $result = array();
-
- foreach ($this->getTypes() as $typ) {
- if (in_array($typ, $type_uris)) {
- $result[] = $typ;
- }
- }
-
- return $result;
- }
-
- /**
- * Return the URIs in the "URI" elements, if any, of this Service
- * element. The URIs are returned sorted in priority order.
- *
- * @return array $uris An array of URI strings.
- */
- function getURIs()
- {
- $uris = array();
- $last = array();
-
- foreach ($this->getElements('xrd:URI') as $elem) {
- $uri_string = $this->parser->content($elem);
- $attrs = $this->parser->attributes($elem);
- if ($attrs &&
- array_key_exists('priority', $attrs)) {
- $priority = intval($attrs['priority']);
- if (!array_key_exists($priority, $uris)) {
- $uris[$priority] = array();
- }
-
- $uris[$priority][] = $uri_string;
- } else {
- $last[] = $uri_string;
- }
- }
-
- $keys = array_keys($uris);
- sort($keys);
-
- // Rebuild array of URIs.
- $result = array();
- foreach ($keys as $k) {
- $new_uris = Auth_Yadis_array_scramble($uris[$k]);
- $result = array_merge($result, $new_uris);
- }
-
- $result = array_merge($result,
- Auth_Yadis_array_scramble($last));
-
- return $result;
- }
-
- /**
- * Returns the "priority" attribute value of this <Service>
- * element, if the attribute is present. Returns null if not.
- *
- * @return mixed $result Null or integer, depending on whether
- * this Service element has a 'priority' attribute.
- */
- function getPriority()
- {
- $attributes = $this->parser->attributes($this->element);
-
- if (array_key_exists('priority', $attributes)) {
- return intval($attributes['priority']);
- }
-
- return null;
- }
-
- /**
- * Used to get XML elements from this object's <Service> element.
- *
- * This is what you should use to get all custom information out
- * of this element. This is used by service filter functions to
- * determine whether a service element contains specific tags,
- * etc. NOTE: this only considers elements which are direct
- * children of the <Service> element for this object.
- *
- * @param string $name The name of the element to look for
- * @return array $list An array of elements with the specified
- * name which are direct children of the <Service> element. The
- * nodes returned by this function can be passed to $this->parser
- * methods (see {@link Auth_Yadis_XMLParser}).
- */
- function getElements($name)
- {
- return $this->parser->evalXPath($name, $this->element);
- }
-}
-
-/*
- * Return the expiration date of this XRD element, or None if no
- * expiration was specified.
- *
- * @param $default The value to use as the expiration if no expiration
- * was specified in the XRD.
- */
-function Auth_Yadis_getXRDExpiration($xrd_element, $default=null)
-{
- $expires_element = $xrd_element->$parser->evalXPath('/xrd:Expires');
- if ($expires_element === null) {
- return $default;
- } else {
- $expires_string = $expires_element->text;
-
- // Will raise ValueError if the string is not the expected
- // format
- $t = strptime($expires_string, "%Y-%m-%dT%H:%M:%SZ");
-
- if ($t === false) {
- return false;
- }
-
- // [int $hour [, int $minute [, int $second [,
- // int $month [, int $day [, int $year ]]]]]]
- return mktime($t['tm_hour'], $t['tm_min'], $t['tm_sec'],
- $t['tm_mon'], $t['tm_day'], $t['tm_year']);
- }
-}
-
-/**
- * This class performs parsing of XRDS documents.
- *
- * You should not instantiate this class directly; rather, call
- * parseXRDS statically:
- *
- * <pre> $xrds = Auth_Yadis_XRDS::parseXRDS($xml_string);</pre>
- *
- * If the XRDS can be parsed and is valid, an instance of
- * Auth_Yadis_XRDS will be returned. Otherwise, null will be
- * returned. This class is used by the Auth_Yadis_Yadis::discover
- * method.
- *
- * @package OpenID
- */
-class Auth_Yadis_XRDS {
-
- /**
- * Instantiate a Auth_Yadis_XRDS object. Requires an XPath
- * instance which has been used to parse a valid XRDS document.
- */
- function Auth_Yadis_XRDS($xmlParser, $xrdNodes)
- {
- $this->parser = $xmlParser;
- $this->xrdNode = $xrdNodes[count($xrdNodes) - 1];
- $this->allXrdNodes = $xrdNodes;
- $this->serviceList = array();
- $this->_parse();
- }
-
- /**
- * Parse an XML string (XRDS document) and return either a
- * Auth_Yadis_XRDS object or null, depending on whether the
- * XRDS XML is valid.
- *
- * @param string $xml_string An XRDS XML string.
- * @return mixed $xrds An instance of Auth_Yadis_XRDS or null,
- * depending on the validity of $xml_string
- */
- static function parseXRDS($xml_string, $extra_ns_map = null)
- {
- $_null = null;
-
- if (!$xml_string) {
- return $_null;
- }
-
- $parser = Auth_Yadis_getXMLParser();
-
- $ns_map = Auth_Yadis_getNSMap();
-
- if ($extra_ns_map && is_array($extra_ns_map)) {
- $ns_map = array_merge($ns_map, $extra_ns_map);
- }
-
- if (!($parser && $parser->init($xml_string, $ns_map))) {
- return $_null;
- }
-
- // Try to get root element.
- $root = $parser->evalXPath('/xrds:XRDS[1]');
- if (!$root) {
- return $_null;
- }
-
- if (is_array($root)) {
- $root = $root[0];
- }
-
- $attrs = $parser->attributes($root);
-
- if (array_key_exists('xmlns:xrd', $attrs) &&
- $attrs['xmlns:xrd'] != Auth_Yadis_XMLNS_XRDS) {
- return $_null;
- } else if (array_key_exists('xmlns', $attrs) &&
- preg_match('/xri/', $attrs['xmlns']) &&
- $attrs['xmlns'] != Auth_Yadis_XMLNS_XRD_2_0) {
- return $_null;
- }
-
- // Get the last XRD node.
- $xrd_nodes = $parser->evalXPath('/xrds:XRDS[1]/xrd:XRD');
-
- if (!$xrd_nodes) {
- return $_null;
- }
-
- $xrds = new Auth_Yadis_XRDS($parser, $xrd_nodes);
- return $xrds;
- }
-
- /**
- * @access private
- */
- function _addService($priority, $service)
- {
- $priority = intval($priority);
-
- if (!array_key_exists($priority, $this->serviceList)) {
- $this->serviceList[$priority] = array();
- }
-
- $this->serviceList[$priority][] = $service;
- }
-
- /**
- * Creates the service list using nodes from the XRDS XML
- * document.
- *
- * @access private
- */
- function _parse()
- {
- $this->serviceList = array();
-
- $services = $this->parser->evalXPath('xrd:Service', $this->xrdNode);
-
- foreach ($services as $node) {
- $s = new Auth_Yadis_Service();
- $s->element = $node;
- $s->parser = $this->parser;
-
- $priority = $s->getPriority();
-
- if ($priority === null) {
- $priority = SERVICES_YADIS_MAX_PRIORITY;
- }
-
- $this->_addService($priority, $s);
- }
- }
-
- /**
- * Returns a list of service objects which correspond to <Service>
- * elements in the XRDS XML document for this object.
- *
- * Optionally, an array of filter callbacks may be given to limit
- * the list of returned service objects. Furthermore, the default
- * mode is to return all service objects which match ANY of the
- * specified filters, but $filter_mode may be
- * SERVICES_YADIS_MATCH_ALL if you want to be sure that the
- * returned services match all the given filters. See {@link
- * Auth_Yadis_Yadis} for detailed usage information on filter
- * functions.
- *
- * @param mixed $filters An array of callbacks to filter the
- * returned services, or null if all services are to be returned.
- * @param integer $filter_mode SERVICES_YADIS_MATCH_ALL or
- * SERVICES_YADIS_MATCH_ANY, depending on whether the returned
- * services should match ALL or ANY of the specified filters,
- * respectively.
- * @return mixed $services An array of {@link
- * Auth_Yadis_Service} objects if $filter_mode is a valid
- * mode; null if $filter_mode is an invalid mode (i.e., not
- * SERVICES_YADIS_MATCH_ANY or SERVICES_YADIS_MATCH_ALL).
- */
- function services($filters = null,
- $filter_mode = SERVICES_YADIS_MATCH_ANY)
- {
-
- $pri_keys = array_keys($this->serviceList);
- sort($pri_keys, SORT_NUMERIC);
-
- // If no filters are specified, return the entire service
- // list, ordered by priority.
- if (!$filters ||
- (!is_array($filters))) {
-
- $result = array();
- foreach ($pri_keys as $pri) {
- $result = array_merge($result, $this->serviceList[$pri]);
- }
-
- return $result;
- }
-
- // If a bad filter mode is specified, return null.
- if (!in_array($filter_mode, array(SERVICES_YADIS_MATCH_ANY,
- SERVICES_YADIS_MATCH_ALL))) {
- return null;
- }
-
- // Otherwise, use the callbacks in the filter list to
- // determine which services are returned.
- $filtered = array();
-
- foreach ($pri_keys as $priority_value) {
- $service_obj_list = $this->serviceList[$priority_value];
-
- foreach ($service_obj_list as $service) {
-
- $matches = 0;
-
- foreach ($filters as $filter) {
-
- if (call_user_func_array($filter, array(&$service))) {
- $matches++;
-
- if ($filter_mode == SERVICES_YADIS_MATCH_ANY) {
- $pri = $service->getPriority();
- if ($pri === null) {
- $pri = SERVICES_YADIS_MAX_PRIORITY;
- }
-
- if (!array_key_exists($pri, $filtered)) {
- $filtered[$pri] = array();
- }
-
- $filtered[$pri][] = $service;
- break;
- }
- }
- }
-
- if (($filter_mode == SERVICES_YADIS_MATCH_ALL) &&
- ($matches == count($filters))) {
-
- $pri = $service->getPriority();
- if ($pri === null) {
- $pri = SERVICES_YADIS_MAX_PRIORITY;
- }
-
- if (!array_key_exists($pri, $filtered)) {
- $filtered[$pri] = array();
- }
- $filtered[$pri][] = $service;
- }
- }
- }
-
- $pri_keys = array_keys($filtered);
- sort($pri_keys, SORT_NUMERIC);
-
- $result = array();
- foreach ($pri_keys as $pri) {
- $result = array_merge($result, $filtered[$pri]);
- }
-
- return $result;
- }
-}
-
diff --git a/lib/Auth/Yadis/XRI.php b/lib/Auth/Yadis/XRI.php
deleted file mode 100644
index 0143a692e0d12138c91e37dd6059be814d8525af..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/XRI.php
+++ /dev/null
@@ -1,234 +0,0 @@
-<?php
-
-/**
- * Routines for XRI resolution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-require_once 'Auth/Yadis/Misc.php';
-require_once 'Auth/Yadis/Yadis.php';
-require_once 'Auth/OpenID.php';
-
-function Auth_Yadis_getDefaultProxy()
-{
- return 'http://xri.net/';
-}
-
-function Auth_Yadis_getXRIAuthorities()
-{
- return array('!', '=', '@', '+', '$', '(');
-}
-
-function Auth_Yadis_getEscapeRE()
-{
- $parts = array();
- foreach (array_merge(Auth_Yadis_getUCSChars(),
- Auth_Yadis_getIPrivateChars()) as $pair) {
- list($m, $n) = $pair;
- $parts[] = sprintf("%s-%s", chr($m), chr($n));
- }
-
- return sprintf('/[%s]/', implode('', $parts));
-}
-
-function Auth_Yadis_getXrefRE()
-{
- return '/\((.*?)\)/';
-}
-
-function Auth_Yadis_identifierScheme($identifier)
-{
- if (Auth_Yadis_startswith($identifier, 'xri://') ||
- ($identifier &&
- in_array($identifier[0], Auth_Yadis_getXRIAuthorities()))) {
- return "XRI";
- } else {
- return "URI";
- }
-}
-
-function Auth_Yadis_toIRINormal($xri)
-{
- if (!Auth_Yadis_startswith($xri, 'xri://')) {
- $xri = 'xri://' . $xri;
- }
-
- return Auth_Yadis_escapeForIRI($xri);
-}
-
-function _escape_xref($xref_match)
-{
- $xref = $xref_match[0];
- $xref = str_replace('/', '%2F', $xref);
- $xref = str_replace('?', '%3F', $xref);
- $xref = str_replace('#', '%23', $xref);
- return $xref;
-}
-
-function Auth_Yadis_escapeForIRI($xri)
-{
- $xri = str_replace('%', '%25', $xri);
- $xri = preg_replace_callback(Auth_Yadis_getXrefRE(),
- '_escape_xref', $xri);
- return $xri;
-}
-
-function Auth_Yadis_toURINormal($xri)
-{
- return Auth_Yadis_iriToURI(Auth_Yadis_toIRINormal($xri));
-}
-
-function Auth_Yadis_iriToURI($iri)
-{
- if (1) {
- return $iri;
- } else {
- // According to RFC 3987, section 3.1, "Mapping of IRIs to URIs"
- return preg_replace_callback(Auth_Yadis_getEscapeRE(),
- 'Auth_Yadis_pct_escape_unicode', $iri);
- }
-}
-
-
-function Auth_Yadis_XRIAppendArgs($url, $args)
-{
- // Append some arguments to an HTTP query. Yes, this is just like
- // OpenID's appendArgs, but with special seasoning for XRI
- // queries.
-
- if (count($args) == 0) {
- return $url;
- }
-
- // Non-empty array; if it is an array of arrays, use multisort;
- // otherwise use sort.
- if (array_key_exists(0, $args) &&
- is_array($args[0])) {
- // Do nothing here.
- } else {
- $keys = array_keys($args);
- sort($keys);
- $new_args = array();
- foreach ($keys as $key) {
- $new_args[] = array($key, $args[$key]);
- }
- $args = $new_args;
- }
-
- // According to XRI Resolution section "QXRI query parameters":
- //
- // "If the original QXRI had a null query component (only a
- // leading question mark), or a query component consisting of
- // only question marks, one additional leading question mark MUST
- // be added when adding any XRI resolution parameters."
- if (strpos(rtrim($url, '?'), '?') !== false) {
- $sep = '&';
- } else {
- $sep = '?';
- }
-
- return $url . $sep . Auth_OpenID::httpBuildQuery($args);
-}
-
-function Auth_Yadis_providerIsAuthoritative($providerID, $canonicalID)
-{
- $lastbang = strrpos($canonicalID, '!');
- $p = substr($canonicalID, 0, $lastbang);
- return $p == $providerID;
-}
-
-function Auth_Yadis_rootAuthority($xri)
-{
- // Return the root authority for an XRI.
-
- $root = null;
-
- if (Auth_Yadis_startswith($xri, 'xri://')) {
- $xri = substr($xri, 6);
- }
-
- $authority = explode('/', $xri, 2);
- $authority = $authority[0];
- if ($authority[0] == '(') {
- // Cross-reference.
- // XXX: This is incorrect if someone nests cross-references so
- // there is another close-paren in there. Hopefully nobody
- // does that before we have a real xriparse function.
- // Hopefully nobody does that *ever*.
- $root = substr($authority, 0, strpos($authority, ')') + 1);
- } else if (in_array($authority[0], Auth_Yadis_getXRIAuthorities())) {
- // Other XRI reference.
- $root = $authority[0];
- } else {
- // IRI reference.
- $_segments = explode("!", $authority);
- $segments = array();
- foreach ($_segments as $s) {
- $segments = array_merge($segments, explode("*", $s));
- }
- $root = $segments[0];
- }
-
- return Auth_Yadis_XRI($root);
-}
-
-function Auth_Yadis_XRI($xri)
-{
- if (!Auth_Yadis_startswith($xri, 'xri://')) {
- $xri = 'xri://' . $xri;
- }
- return $xri;
-}
-
-function Auth_Yadis_getCanonicalID($iname, $xrds)
-{
- // Returns false or a canonical ID value.
-
- // Now nodes are in reverse order.
- $xrd_list = array_reverse($xrds->allXrdNodes);
- $parser = $xrds->parser;
- $node = $xrd_list[0];
-
- $canonicalID_nodes = $parser->evalXPath('xrd:CanonicalID', $node);
-
- if (!$canonicalID_nodes) {
- return false;
- }
-
- $canonicalID = $canonicalID_nodes[0];
- $canonicalID = Auth_Yadis_XRI($parser->content($canonicalID));
-
- $childID = $canonicalID;
-
- for ($i = 1; $i < count($xrd_list); $i++) {
- $xrd = $xrd_list[$i];
-
- $parent_sought = substr($childID, 0, strrpos($childID, '!'));
- $parentCID = $parser->evalXPath('xrd:CanonicalID', $xrd);
- if (!$parentCID) {
- return false;
- }
- $parentCID = Auth_Yadis_XRI($parser->content($parentCID[0]));
-
- if (strcasecmp($parent_sought, $parentCID)) {
- // raise XRDSFraud.
- return false;
- }
-
- $childID = $parent_sought;
- }
-
- $root = Auth_Yadis_rootAuthority($iname);
- if (!Auth_Yadis_providerIsAuthoritative($root, $childID)) {
- // raise XRDSFraud.
- return false;
- }
-
- return $canonicalID;
-}
-
-
diff --git a/lib/Auth/Yadis/XRIRes.php b/lib/Auth/Yadis/XRIRes.php
deleted file mode 100644
index 5e11587352aa2cbfcc26ecd6589b42ec5c0244f1..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/XRIRes.php
+++ /dev/null
@@ -1,72 +0,0 @@
-<?php
-
-/**
- * Code for using a proxy XRI resolver.
- */
-
-require_once 'Auth/Yadis/XRDS.php';
-require_once 'Auth/Yadis/XRI.php';
-
-class Auth_Yadis_ProxyResolver {
- function Auth_Yadis_ProxyResolver($fetcher, $proxy_url = null)
- {
- $this->fetcher = $fetcher;
- $this->proxy_url = $proxy_url;
- if (!$this->proxy_url) {
- $this->proxy_url = Auth_Yadis_getDefaultProxy();
- }
- }
-
- function queryURL($xri, $service_type = null)
- {
- // trim off the xri:// prefix
- $qxri = substr(Auth_Yadis_toURINormal($xri), 6);
- $hxri = $this->proxy_url . $qxri;
- $args = array(
- '_xrd_r' => 'application/xrds+xml'
- );
-
- if ($service_type) {
- $args['_xrd_t'] = $service_type;
- } else {
- // Don't perform service endpoint selection.
- $args['_xrd_r'] .= ';sep=false';
- }
-
- $query = Auth_Yadis_XRIAppendArgs($hxri, $args);
- return $query;
- }
-
- function query($xri, $service_types, $filters = array())
- {
- $services = array();
- $canonicalID = null;
- foreach ($service_types as $service_type) {
- $url = $this->queryURL($xri, $service_type);
- $response = $this->fetcher->get($url);
- if ($response->status != 200 and $response->status != 206) {
- continue;
- }
- $xrds = Auth_Yadis_XRDS::parseXRDS($response->body);
- if (!$xrds) {
- continue;
- }
- $canonicalID = Auth_Yadis_getCanonicalID($xri,
- $xrds);
-
- if ($canonicalID === false) {
- return null;
- }
-
- $some_services = $xrds->services($filters);
- $services = array_merge($services, $some_services);
- // TODO:
- // * If we do get hits for multiple service_types, we're
- // almost certainly going to have duplicated service
- // entries and broken priority ordering.
- }
- return array($canonicalID, $services);
- }
-}
-
-
diff --git a/lib/Auth/Yadis/Yadis.php b/lib/Auth/Yadis/Yadis.php
deleted file mode 100644
index 9ea2db7f91f5c9aa626912235d6d239a0afa4577..0000000000000000000000000000000000000000
--- a/lib/Auth/Yadis/Yadis.php
+++ /dev/null
@@ -1,382 +0,0 @@
-<?php
-
-/**
- * The core PHP Yadis implementation.
- *
- * PHP versions 4 and 5
- *
- * LICENSE: See the COPYING file included in this distribution.
- *
- * @package OpenID
- * @author JanRain, Inc. <openid@janrain.com>
- * @copyright 2005-2008 Janrain, Inc.
- * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
- */
-
-/**
- * Need both fetcher types so we can use the right one based on the
- * presence or absence of CURL.
- */
-require_once "Auth/Yadis/PlainHTTPFetcher.php";
-require_once "Auth/Yadis/ParanoidHTTPFetcher.php";
-
-/**
- * Need this for parsing HTML (looking for META tags).
- */
-require_once "Auth/Yadis/ParseHTML.php";
-
-/**
- * Need this to parse the XRDS document during Yadis discovery.
- */
-require_once "Auth/Yadis/XRDS.php";
-
-/**
- * XRDS (yadis) content type
- */
-define('Auth_Yadis_CONTENT_TYPE', 'application/xrds+xml');
-
-/**
- * Yadis header
- */
-define('Auth_Yadis_HEADER_NAME', 'X-XRDS-Location');
-
-/**
- * Contains the result of performing Yadis discovery on a URI.
- *
- * @package OpenID
- */
-class Auth_Yadis_DiscoveryResult {
-
- // The URI that was passed to the fetcher
- var $request_uri = null;
-
- // The result of following redirects from the request_uri
- var $normalized_uri = null;
-
- // The URI from which the response text was returned (set to
- // None if there was no XRDS document found)
- var $xrds_uri = null;
-
- var $xrds = null;
-
- // The content-type returned with the response_text
- var $content_type = null;
-
- // The document returned from the xrds_uri
- var $response_text = null;
-
- // Did the discovery fail miserably?
- var $failed = false;
-
- function Auth_Yadis_DiscoveryResult($request_uri)
- {
- // Initialize the state of the object
- // sets all attributes to None except the request_uri
- $this->request_uri = $request_uri;
- }
-
- function fail()
- {
- $this->failed = true;
- }
-
- function isFailure()
- {
- return $this->failed;
- }
-
- /**
- * Returns the list of service objects as described by the XRDS
- * document, if this yadis object represents a successful Yadis
- * discovery.
- *
- * @return array $services An array of {@link Auth_Yadis_Service}
- * objects
- */
- function services()
- {
- if ($this->xrds) {
- return $this->xrds->services();
- }
-
- return null;
- }
-
- function usedYadisLocation()
- {
- // Was the Yadis protocol's indirection used?
- return ($this->xrds_uri && $this->normalized_uri != $this->xrds_uri);
- }
-
- function isXRDS()
- {
- // Is the response text supposed to be an XRDS document?
- return ($this->usedYadisLocation() ||
- $this->content_type == Auth_Yadis_CONTENT_TYPE);
- }
-}
-
-/**
- *
- * Perform the Yadis protocol on the input URL and return an iterable
- * of resulting endpoint objects.
- *
- * input_url: The URL on which to perform the Yadis protocol
- *
- * @return: The normalized identity URL and an iterable of endpoint
- * objects generated by the filter function.
- *
- * xrds_parse_func: a callback which will take (uri, xrds_text) and
- * return an array of service endpoint objects or null. Usually
- * array('Auth_OpenID_ServiceEndpoint', 'fromXRDS').
- *
- * discover_func: if not null, a callback which should take (uri) and
- * return an Auth_Yadis_Yadis object or null.
- */
-function Auth_Yadis_getServiceEndpoints($input_url, $xrds_parse_func,
- $discover_func=null, $fetcher=null)
-{
- if ($discover_func === null) {
- $discover_function = array('Auth_Yadis_Yadis', 'discover');
- }
-
- $yadis_result = call_user_func_array($discover_func,
- array($input_url, &$fetcher));
-
- if ($yadis_result === null) {
- return array($input_url, array());
- }
-
- $endpoints = call_user_func_array($xrds_parse_func,
- array($yadis_result->normalized_uri,
- $yadis_result->response_text));
-
- if ($endpoints === null) {
- $endpoints = array();
- }
-
- return array($yadis_result->normalized_uri, $endpoints);
-}
-
-/**
- * This is the core of the PHP Yadis library. This is the only class
- * a user needs to use to perform Yadis discovery. This class
- * performs the discovery AND stores the result of the discovery.
- *
- * First, require this library into your program source:
- *
- * <pre> require_once "Auth/Yadis/Yadis.php";</pre>
- *
- * To perform Yadis discovery, first call the "discover" method
- * statically with a URI parameter:
- *
- * <pre> $http_response = array();
- * $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
- * $yadis_object = Auth_Yadis_Yadis::discover($uri,
- * $http_response, $fetcher);</pre>
- *
- * If the discovery succeeds, $yadis_object will be an instance of
- * {@link Auth_Yadis_Yadis}. If not, it will be null. The XRDS
- * document found during discovery should have service descriptions,
- * which can be accessed by calling
- *
- * <pre> $service_list = $yadis_object->services();</pre>
- *
- * which returns an array of objects which describe each service.
- * These objects are instances of Auth_Yadis_Service. Each object
- * describes exactly one whole Service element, complete with all of
- * its Types and URIs (no expansion is performed). The common use
- * case for using the service objects returned by services() is to
- * write one or more filter functions and pass those to services():
- *
- * <pre> $service_list = $yadis_object->services(
- * array("filterByURI",
- * "filterByExtension"));</pre>
- *
- * The filter functions (whose names appear in the array passed to
- * services()) take the following form:
- *
- * <pre> function myFilter($service) {
- * // Query $service object here. Return true if the service
- * // matches your query; false if not.
- * }</pre>
- *
- * This is an example of a filter which uses a regular expression to
- * match the content of URI tags (note that the Auth_Yadis_Service
- * class provides a getURIs() method which you should use instead of
- * this contrived example):
- *
- * <pre>
- * function URIMatcher($service) {
- * foreach ($service->getElements('xrd:URI') as $uri) {
- * if (preg_match("/some_pattern/",
- * $service->parser->content($uri))) {
- * return true;
- * }
- * }
- * return false;
- * }</pre>
- *
- * The filter functions you pass will be called for each service
- * object to determine which ones match the criteria your filters
- * specify. The default behavior is that if a given service object
- * matches ANY of the filters specified in the services() call, it
- * will be returned. You can specify that a given service object will
- * be returned ONLY if it matches ALL specified filters by changing
- * the match mode of services():
- *
- * <pre> $yadis_object->services(array("filter1", "filter2"),
- * SERVICES_YADIS_MATCH_ALL);</pre>
- *
- * See {@link SERVICES_YADIS_MATCH_ALL} and {@link
- * SERVICES_YADIS_MATCH_ANY}.
- *
- * Services described in an XRDS should have a library which you'll
- * probably be using. Those libraries are responsible for defining
- * filters that can be used with the "services()" call. If you need
- * to write your own filter, see the documentation for {@link
- * Auth_Yadis_Service}.
- *
- * @package OpenID
- */
-class Auth_Yadis_Yadis {
-
- /**
- * Returns an HTTP fetcher object. If the CURL extension is
- * present, an instance of {@link Auth_Yadis_ParanoidHTTPFetcher}
- * is returned. If not, an instance of
- * {@link Auth_Yadis_PlainHTTPFetcher} is returned.
- *
- * If Auth_Yadis_CURL_OVERRIDE is defined, this method will always
- * return a {@link Auth_Yadis_PlainHTTPFetcher}.
- */
- static function getHTTPFetcher($timeout = 20)
- {
- if (Auth_Yadis_Yadis::curlPresent() &&
- (!defined('Auth_Yadis_CURL_OVERRIDE'))) {
- $fetcher = new Auth_Yadis_ParanoidHTTPFetcher($timeout);
- } else {
- $fetcher = new Auth_Yadis_PlainHTTPFetcher($timeout);
- }
- return $fetcher;
- }
-
- static function curlPresent()
- {
- return function_exists('curl_init');
- }
-
- /**
- * @access private
- */
- static function _getHeader($header_list, $names)
- {
- foreach ($header_list as $name => $value) {
- foreach ($names as $n) {
- if (strtolower($name) == strtolower($n)) {
- return $value;
- }
- }
- }
-
- return null;
- }
-
- /**
- * @access private
- */
- static function _getContentType($content_type_header)
- {
- if ($content_type_header) {
- $parts = explode(";", $content_type_header);
- return strtolower($parts[0]);
- }
- }
-
- /**
- * This should be called statically and will build a Yadis
- * instance if the discovery process succeeds. This implements
- * Yadis discovery as specified in the Yadis specification.
- *
- * @param string $uri The URI on which to perform Yadis discovery.
- *
- * @param array $http_response An array reference where the HTTP
- * response object will be stored (see {@link
- * Auth_Yadis_HTTPResponse}.
- *
- * @param Auth_Yadis_HTTPFetcher $fetcher An instance of a
- * Auth_Yadis_HTTPFetcher subclass.
- *
- * @param array $extra_ns_map An array which maps namespace names
- * to namespace URIs to be used when parsing the Yadis XRDS
- * document.
- *
- * @param integer $timeout An optional fetcher timeout, in seconds.
- *
- * @return mixed $obj Either null or an instance of
- * Auth_Yadis_Yadis, depending on whether the discovery
- * succeeded.
- */
- static function discover($uri, $fetcher,
- $extra_ns_map = null, $timeout = 20)
- {
- $result = new Auth_Yadis_DiscoveryResult($uri);
-
- $request_uri = $uri;
- $headers = array("Accept: " . Auth_Yadis_CONTENT_TYPE .
- ', text/html; q=0.3, application/xhtml+xml; q=0.5');
-
- if ($fetcher === null) {
- $fetcher = Auth_Yadis_Yadis::getHTTPFetcher($timeout);
- }
-
- $response = $fetcher->get($uri, $headers);
-
- if (!$response || ($response->status != 200 and
- $response->status != 206)) {
- $result->fail();
- return $result;
- }
-
- $result->normalized_uri = $response->final_url;
- $result->content_type = Auth_Yadis_Yadis::_getHeader(
- $response->headers,
- array('content-type'));
-
- if ($result->content_type &&
- (Auth_Yadis_Yadis::_getContentType($result->content_type) ==
- Auth_Yadis_CONTENT_TYPE)) {
- $result->xrds_uri = $result->normalized_uri;
- } else {
- $yadis_location = Auth_Yadis_Yadis::_getHeader(
- $response->headers,
- array(Auth_Yadis_HEADER_NAME));
-
- if (!$yadis_location) {
- $parser = new Auth_Yadis_ParseHTML();
- $yadis_location = $parser->getHTTPEquiv($response->body);
- }
-
- if ($yadis_location) {
- $result->xrds_uri = $yadis_location;
-
- $response = $fetcher->get($yadis_location);
-
- if ((!$response) || ($response->status != 200 and
- $response->status != 206)) {
- $result->fail();
- return $result;
- }
-
- $result->content_type = Auth_Yadis_Yadis::_getHeader(
- $response->headers,
- array('content-type'));
- }
- }
-
- $result->response_text = $response->body;
- return $result;
- }
-}
-
-
diff --git a/lib/SAML2/ArtifactResolve.php b/lib/SAML2/ArtifactResolve.php
deleted file mode 100644
index b0e100649cc6836733e8cb4160a4cd8f0f7e4a02..0000000000000000000000000000000000000000
--- a/lib/SAML2/ArtifactResolve.php
+++ /dev/null
@@ -1,65 +0,0 @@
-<?php
-/**
- * The Artifact is part of the SAML 2.0 IdP code, and it builds an artifact object.
- * I am using strings, because I find them easier to work with.
- * I want to use this, to be consistent with the other saml2_requests
- *
- * @author Danny Bollaert, UGent AS. <danny.bollaert@ugent.be>
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_ArtifactResolve extends SAML2_Request {
-
-
- private $artifact;
-
-
-
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('ArtifactResolve', $xml);
-
- if(!is_null($xml)){
- $results = SAML2_Utils::xpQuery($xml, './saml_protocol:Artifact');
- $this->artifact = $results[0]->textContent;
- }
-
- }
-
-
- /**
- * Retrieve the Artifact in this response.
- *
- * @return string artifact.
- */
- public function getArtifact() {
- return $this->artifact;
- }
-
-
- /**
- * Set the artifact that should be included in this response.
- *
- * @param String The $artifact.
- */
- public function setArtifact($artifact) {
- assert('is_string($artifact)');
- $this->artifact = $artifact;
- }
-
- /**
- * Convert the response message to an XML element.
- *
- * @return DOMElement This response.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
- $artifactelement = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'Artifact', $this->artifact);
- $root->appendChild($artifactelement);
- return $root;
- }
-
-
-
-
-}
diff --git a/lib/SAML2/ArtifactResponse.php b/lib/SAML2/ArtifactResponse.php
deleted file mode 100644
index e8186826d371563fd73b571372197403d800b129..0000000000000000000000000000000000000000
--- a/lib/SAML2/ArtifactResponse.php
+++ /dev/null
@@ -1,71 +0,0 @@
-<?php
-
-/**
- * The SAML2_ArtifactResponse, is the response to the SAML2_ArtifactResolve.
- *
- * @author Danny Bollaert, UGent AS. <danny.bollaert@ugent.be>
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_ArtifactResponse extends SAML2_StatusResponse {
-
-
- /**
- * The DOMElement with the message the artifact refers
- * to, or NULL if we don't refer to any artifact.
- *
- * @var DOMElement|NULL
- */
- private $any;
-
-
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('ArtifactResponse', $xml);
-
- if(!is_null($xml)){
-
- $status = SAML2_Utils::xpQuery($xml, './saml_protocol:Status');
- assert('!empty($status)'); /* Will have failed during StatusResponse parsing. */
-
- $status = $status[0];
-
- for ($any = $status->nextSibling; $any !== NULL; $any = $any->nextSibling) {
- if ($any instanceof DOMElement) {
- $this->any = $any;
- break;
- }
- /* Ignore comments and text nodes. */
- }
- }
-
- }
-
-
- public function setAny(DOMElement $any = NULL) {
- $this->any = $any;
- }
-
-
- public function getAny() {
- return $this->any;
- }
-
-
- /**
- * Convert the response message to an XML element.
- *
- * @return DOMElement This response.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
- if (isset($this->any)) {
- $node = $root->ownerDocument->importNode($this->any, TRUE);
- $root->appendChild($node);
-
- }
-
- return $root;
- }
-
-}
diff --git a/lib/SAML2/Assertion.php b/lib/SAML2/Assertion.php
deleted file mode 100644
index 630a60abf4dc23fc85f5acc92eacc4ddebf173fa..0000000000000000000000000000000000000000
--- a/lib/SAML2/Assertion.php
+++ /dev/null
@@ -1,1324 +0,0 @@
-<?php
-
-/**
- * Class representing a SAML 2 assertion.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_Assertion implements SAML2_SignedElement {
-
- /**
- * The identifier of this assertion.
- *
- * @var string
- */
- private $id;
-
-
- /**
- * The issue timestamp of this assertion, as an UNIX timestamp.
- *
- * @var int
- */
- private $issueInstant;
-
-
- /**
- * The entity id of the issuer of this assertion.
- *
- * @var string
- */
- private $issuer;
-
-
- /**
- * The NameId of the subject in the assertion.
- *
- * If the NameId is NULL, no subject was included in the assertion.
- *
- * @var array|NULL
- */
- private $nameId;
-
-
- /**
- * The encrypted NameId of the subject.
- *
- * If this is not NULL, the NameId needs decryption before it can be accessed.
- *
- * @var DOMElement|NULL
- */
- private $encryptedNameId;
-
-
- /**
- * The encrypted Attributes.
- *
- * If this is not NULL, the Attributes needs decryption before it can be accessed.
- *
- * @var array|NULL
- */
- private $encryptedAttribute;
-
-
- /**
- * The earliest time this assertion is valid, as an UNIX timestamp.
- *
- * @var int
- */
- private $notBefore;
-
-
- /**
- * The time this assertion expires, as an UNIX timestamp.
- *
- * @var int
- */
- private $notOnOrAfter;
-
-
- /**
- * The set of audiences that are allowed to receive this assertion.
- *
- * This is an array of valid service providers.
- *
- * If no restrictions on the audience are present, this variable contains NULL.
- *
- * @var array|NULL
- */
- private $validAudiences;
-
-
- /**
- * The session expiration timestamp.
- *
- * @var int|NULL
- */
- private $sessionNotOnOrAfter;
-
-
- /**
- * The session index for this user on the IdP.
- *
- * Contains NULL if no session index is present.
- *
- * @var string|NULL
- */
- private $sessionIndex;
-
-
- /**
- * The timestamp the user was authenticated, as an UNIX timestamp.
- *
- * @var int
- */
- private $authnInstant;
-
-
- /**
- * The authentication context for this assertion.
- *
- * @var string|NULL
- */
- private $authnContext;
-
- /**
- * The list of AuthenticatingAuthorities for this assertion.
- *
- * @var array
- */
- private $AuthenticatingAuthority;
-
-
- /**
- * The attributes, as an associative array.
- *
- * @var array
- */
- private $attributes;
-
-
- /**
- * The NameFormat used on all attributes.
- *
- * If more than one NameFormat is used, this will contain
- * the unspecified nameformat.
- *
- * @var string
- */
- private $nameFormat;
-
-
- /**
- * The private key we should use to sign the assertion.
- *
- * The private key can be NULL, in which case the assertion is sent unsigned.
- *
- * @var XMLSecurityKey|NULL
- */
- private $signatureKey;
-
-
- /**
- * List of certificates that should be included in the assertion.
- *
- * @var array
- */
- private $certificates;
-
-
- /**
- * The data needed to verify the signature.
- *
- * @var array|NULL
- */
- private $signatureData;
-
-
- /**
- * Boolean that indicates if attributes are encrypted in the
- * assertion or not.
- *
- * @var boolean
- */
- private $requiredEncAttributes;
-
-
- /**
- * The SubjectConfirmation elements of the Subject in the assertion.
- *
- * @var array Array of SAML2_XML_saml_SubjectConfirmation elements.
- */
- private $SubjectConfirmation;
-
-
- /**
- * Constructor for SAML 2 assertions.
- *
- * @param DOMElement|NULL $xml The input assertion.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- $this->id = SimpleSAML_Utilities::generateID();
- $this->issueInstant = time();
- $this->issuer = '';
- $this->authnInstant = time();
- $this->attributes = array();
- $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- $this->certificates = array();
- $this->AuthenticatingAuthority = array();
- $this->SubjectConfirmation = array();
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('ID')) {
- throw new Exception('Missing ID attribute on SAML assertion.');
- }
- $this->id = $xml->getAttribute('ID');
-
- if ($xml->getAttribute('Version') !== '2.0') {
- /* Currently a very strict check. */
- throw new Exception('Unsupported version: ' . $xml->getAttribute('Version'));
- }
-
- $this->issueInstant = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('IssueInstant'));
-
- $issuer = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
- if (empty($issuer)) {
- throw new Exception('Missing <saml:Issuer> in assertion.');
- }
- $this->issuer = trim($issuer[0]->textContent);
-
- $this->parseSubject($xml);
- $this->parseConditions($xml);
- $this->parseAuthnStatement($xml);
- $this->parseAttributes($xml);
- $this->parseEncryptedAttributes($xml);
- $this->parseSignature($xml);
- }
-
-
- /**
- * Parse subject in assertion.
- *
- * @param DOMElement $xml The assertion XML element.
- */
- private function parseSubject(DOMElement $xml) {
-
- $subject = SAML2_Utils::xpQuery($xml, './saml_assertion:Subject');
- if (empty($subject)) {
- /* No Subject node. */
- return;
- } elseif (count($subject) > 1) {
- throw new Exception('More than one <saml:Subject> in <saml:Assertion>.');
- }
- $subject = $subject[0];
-
- $nameId = SAML2_Utils::xpQuery($subject, './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData');
- if (empty($nameId)) {
- throw new Exception('Missing <saml:NameID> or <saml:EncryptedID> in <saml:Subject>.');
- } elseif (count($nameId) > 1) {
- throw new Exception('More than one <saml:NameID> or <saml:EncryptedD> in <saml:Subject>.');
- }
- $nameId = $nameId[0];
- if ($nameId->localName === 'EncryptedData') {
- /* The NameID element is encrypted. */
- $this->encryptedNameId = $nameId;
- } else {
- $this->nameId = SAML2_Utils::parseNameId($nameId);
- }
-
- $subjectConfirmation = SAML2_Utils::xpQuery($subject, './saml_assertion:SubjectConfirmation');
- if (empty($subjectConfirmation)) {
- throw new Exception('Missing <saml:SubjectConfirmation> in <saml:Subject>.');
- }
-
- foreach ($subjectConfirmation as $sc) {
- $this->SubjectConfirmation[] = new SAML2_XML_saml_SubjectConfirmation($sc);
- }
- }
-
-
- /**
- * Parse conditions in assertion.
- *
- * @param DOMElement $xml The assertion XML element.
- */
- private function parseConditions(DOMElement $xml) {
-
- $conditions = SAML2_Utils::xpQuery($xml, './saml_assertion:Conditions');
- if (empty($conditions)) {
- /* No <saml:Conditions> node. */
- return;
- } elseif (count($conditions) > 1) {
- throw new Exception('More than one <saml:Conditions> in <saml:Assertion>.');
- }
- $conditions = $conditions[0];
-
- if ($conditions->hasAttribute('NotBefore')) {
- $notBefore = SimpleSAML_Utilities::parseSAML2Time($conditions->getAttribute('NotBefore'));
- if ($this->notBefore === NULL || $this->notBefore < $notBefore) {
- $this->notBefore = $notBefore;
- }
- }
- if ($conditions->hasAttribute('NotOnOrAfter')) {
- $notOnOrAfter = SimpleSAML_Utilities::parseSAML2Time($conditions->getAttribute('NotOnOrAfter'));
- if ($this->notOnOrAfter === NULL || $this->notOnOrAfter > $notOnOrAfter) {
- $this->notOnOrAfter = $notOnOrAfter;
- }
- }
-
-
- for ($node = $conditions->firstChild; $node !== NULL; $node = $node->nextSibling) {
- if ($node instanceof DOMText) {
- continue;
- }
- if ($node->namespaceURI !== SAML2_Const::NS_SAML) {
- throw new Exception('Unknown namespace of condition: ' . var_export($node->namespaceURI, TRUE));
- }
- switch ($node->localName) {
- case 'AudienceRestriction':
- $audiences = SAML2_Utils::extractStrings($node, SAML2_Const::NS_SAML, 'Audience');
- if ($this->validAudiences === NULL) {
- /* The first (and probably last) AudienceRestriction element. */
- $this->validAudiences = $audiences;
-
- } else {
- /*
- * The set of AudienceRestriction are ANDed together, so we need
- * the subset that are present in all of them.
- */
- $this->validAudiences = array_intersect($this->validAudiences, $audiences);
- }
- break;
- case 'OneTimeUse':
- /* Currently ignored. */
- break;
- case 'ProxyRestriction':
- /* Currently ignored. */
- break;
- default:
- throw new Exception('Unknown condition: ' . var_export($node->localName, TRUE));
- }
- }
-
- }
-
-
- /**
- * Parse AuthnStatement in assertion.
- *
- * @param DOMElement $xml The assertion XML element.
- */
- private function parseAuthnStatement(DOMElement $xml) {
-
- $as = SAML2_Utils::xpQuery($xml, './saml_assertion:AuthnStatement');
- if (empty($as)) {
- $this->authnInstant = NULL;
- return;
- } elseif (count($as) > 1) {
- throw new Exception('More that one <saml:AuthnStatement> in <saml:Assertion> not supported.');
- }
- $as = $as[0];
- $this->authnStatement = array();
-
- if (!$as->hasAttribute('AuthnInstant')) {
- throw new Exception('Missing required AuthnInstant attribute on <saml:AuthnStatement>.');
- }
- $this->authnInstant = SimpleSAML_Utilities::parseSAML2Time($as->getAttribute('AuthnInstant'));
-
- if ($as->hasAttribute('SessionNotOnOrAfter')) {
- $this->sessionNotOnOrAfter = SimpleSAML_Utilities::parseSAML2Time($as->getAttribute('SessionNotOnOrAfter'));
- }
-
- if ($as->hasAttribute('SessionIndex')) {
- $this->sessionIndex = $as->getAttribute('SessionIndex');
- }
-
- $ac = SAML2_Utils::xpQuery($as, './saml_assertion:AuthnContext');
- if (empty($ac)) {
- throw new Exception('Missing required <saml:AuthnContext> in <saml:AuthnStatement>.');
- } elseif (count($ac) > 1) {
- throw new Exception('More than one <saml:AuthnContext> in <saml:AuthnStatement>.');
- }
- $ac = $ac[0];
-
- $accr = SAML2_Utils::xpQuery($ac, './saml_assertion:AuthnContextClassRef');
- if (empty($accr)) {
- $acdr = SAML2_Utils::xpQuery($ac, './saml_assertion:AuthnContextDeclRef');
- if (empty($acdr)) {
- throw new Exception('Neither <saml:AuthnContextClassRef> nor <saml:AuthnContextDeclRef> found in <saml:AuthnContext>.');
- } elseif (count($accr) > 1) {
- throw new Exception('More than one <saml:AuthnContextDeclRef> in <saml:AuthnContext>.');
- }
- $this->authnContext = trim($acdr[0]->textContent);
- } elseif (count($accr) > 1) {
- throw new Exception('More than one <saml:AuthnContextClassRef> in <saml:AuthnContext>.');
- } else {
- $this->authnContext = trim($accr[0]->textContent);
- }
-
- $this->AuthenticatingAuthority = SAML2_Utils::extractStrings($ac, SAML2_Const::NS_SAML, 'AuthenticatingAuthority');
- }
-
-
- /**
- * Parse attribute statements in assertion.
- *
- * @param DOMElement $xml The XML element with the assertion.
- */
- private function parseAttributes(DOMElement $xml) {
-
- $firstAttribute = TRUE;
- $attributes = SAML2_Utils::xpQuery($xml, './saml_assertion:AttributeStatement/saml_assertion:Attribute');
- foreach ($attributes as $attribute) {
- if (!$attribute->hasAttribute('Name')) {
- throw new Exception('Missing name on <saml:Attribute> element.');
- }
- $name = $attribute->getAttribute('Name');
-
- if ($attribute->hasAttribute('NameFormat')) {
- $nameFormat = $attribute->getAttribute('NameFormat');
- } else {
- $nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- }
-
- if ($firstAttribute) {
- $this->nameFormat = $nameFormat;
- $firstAttribute = FALSE;
- } else {
- if ($this->nameFormat !== $nameFormat) {
- $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- }
- }
-
- if (!array_key_exists($name, $this->attributes)) {
- $this->attributes[$name] = array();
- }
-
- $values = SAML2_Utils::xpQuery($attribute, './saml_assertion:AttributeValue');
- foreach ($values as $value) {
- $this->attributes[$name][] = trim($value->textContent);
- }
- }
- }
-
-
- /**
- * Parse encrypted attribute statements in assertion.
- *
- * @param DOMElement $xml The XML element with the assertion.
- */
- private function parseEncryptedAttributes(DOMElement $xml) {
-
- $this->encryptedAttribute = SAML2_Utils::xpQuery($xml, './saml_assertion:AttributeStatement/saml_assertion:EncryptedAttribute');
- }
-
-
- /**
- * Parse signature on assertion.
- *
- * @param DOMElement $xml The assertion XML element.
- */
- private function parseSignature(DOMElement $xml) {
-
- /* Validate the signature element of the message. */
- $sig = SAML2_Utils::validateElement($xml);
- if ($sig !== FALSE) {
- $this->certificates = $sig['Certificates'];
- $this->signatureData = $sig;
- }
- }
-
-
- /**
- * Validate this assertion against a public key.
- *
- * If no signature was present on the assertion, we will return FALSE.
- * Otherwise, TRUE will be returned. An exception is thrown if the
- * signature validation fails.
- *
- * @param XMLSecurityKey $key The key we should check against.
- * @return boolean TRUE if successful, FALSE if it is unsigned.
- */
- public function validate(XMLSecurityKey $key) {
- assert('$key->type === XMLSecurityKey::RSA_SHA1');
-
- if ($this->signatureData === NULL) {
- return FALSE;
- }
-
- SAML2_Utils::validateSignature($this->signatureData, $key);
-
- return TRUE;
- }
-
-
- /**
- * Retrieve the identifier of this assertion.
- *
- * @return string The identifier of this assertion.
- */
- public function getId() {
- return $this->id;
- }
-
-
- /**
- * Set the identifier of this assertion.
- *
- * @param string $id The new identifier of this assertion.
- */
- public function setId($id) {
- assert('is_string($id)');
-
- $this->id = $id;
- }
-
-
- /**
- * Retrieve the issue timestamp of this assertion.
- *
- * @return int The issue timestamp of this assertion, as an UNIX timestamp.
- */
- public function getIssueInstant() {
- return $this->issueInstant;
- }
-
-
- /**
- * Set the issue timestamp of this assertion.
- *
- * @param int $issueInstant The new issue timestamp of this assertion, as an UNIX timestamp.
- */
- public function setIssueInstant($issueInstant) {
- assert('is_int($issueInstant)');
-
- $this->issueInstant = $issueInstant;
- }
-
-
- /**
- * Retrieve the issuer if this assertion.
- *
- * @return string The issuer of this assertion.
- */
- public function getIssuer() {
- return $this->issuer;
- }
-
-
- /**
- * Set the issuer of this message.
- *
- * @param string $issuer The new issuer of this assertion.
- */
- public function setIssuer($issuer) {
- assert('is_string($issuer)');
-
- $this->issuer = $issuer;
- }
-
-
- /**
- * Retrieve the NameId of the subject in the assertion.
- *
- * The returned NameId is in the format used by SAML2_Utils::addNameId().
- *
- * @see SAML2_Utils::addNameId()
- * @return array|NULL The name identifier of the assertion.
- */
- public function getNameId() {
-
- if ($this->encryptedNameId !== NULL) {
- throw new Exception('Attempted to retrieve encrypted NameID without decrypting it first.');
- }
-
- return $this->nameId;
- }
-
-
- /**
- * Set the NameId of the subject in the assertion.
- *
- * The NameId must be in the format accepted by SAML2_Utils::addNameId().
- *
- * @see SAML2_Utils::addNameId()
- * @param array|NULL $nameId The name identifier of the assertion.
- */
- public function setNameId($nameId) {
- assert('is_array($nameId) || is_null($nameId)');
-
- $this->nameId = $nameId;
- }
-
-
- /**
- * Check whether the NameId is encrypted.
- *
- * @return TRUE if the NameId is encrypted, FALSE if not.
- */
- public function isNameIdEncrypted() {
-
- if ($this->encryptedNameId !== NULL) {
- return TRUE;
- }
-
- return FALSE;
- }
-
-
- /**
- * Encrypt the NameID in the Assertion.
- *
- * @param XMLSecurityKey $key The encryption key.
- */
- public function encryptNameId(XMLSecurityKey $key) {
-
- /* First create a XML representation of the NameID. */
- $doc = new DOMDocument();
- $root = $doc->createElement('root');
- $doc->appendChild($root);
- SAML2_Utils::addNameId($root, $this->nameId);
- $nameId = $root->firstChild;
-
- SimpleSAML_Utilities::debugMessage($nameId, 'encrypt');
-
- /* Encrypt the NameID. */
- $enc = new XMLSecEnc();
- $enc->setNode($nameId);
- $enc->type = XMLSecEnc::Element;
-
- $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
- $symmetricKey->generateSessionKey();
- $enc->encryptKey($key, $symmetricKey);
-
- $this->encryptedNameId = $enc->encryptNode($symmetricKey);
- $this->nameId = NULL;
- }
-
-
- /**
- * Decrypt the NameId of the subject in the assertion.
- *
- * @param XMLSecurityKey $key The decryption key.
- * @param array $blacklist Blacklisted decryption algorithms.
- */
- public function decryptNameId(XMLSecurityKey $key, array $blacklist = array()) {
-
- if ($this->encryptedNameId === NULL) {
- /* No NameID to decrypt. */
- return;
- }
-
- $nameId = SAML2_Utils::decryptElement($this->encryptedNameId, $key, $blacklist);
- SimpleSAML_Utilities::debugMessage($nameId, 'decrypt');
- $this->nameId = SAML2_Utils::parseNameId($nameId);
-
- $this->encryptedNameId = NULL;
- }
-
-
- public function decryptAttributes($key, array $blacklist = array()){
- $firstAttribute = TRUE;
-
- if($this->encryptedAttribute === null){
- return;
- }
- $attributes = $this->encryptedAttribute;
- foreach ($attributes as $attributeEnc) {
- /*Decrypt node <EncryptedAttribute>*/
- $attribute = SAML2_Utils::decryptElement($attributeEnc->getElementsByTagName('EncryptedData')->item(0), $key, $blacklist);
-
- if (!$attribute->hasAttribute('Name')) {
- throw new Exception('Missing name on <saml:Attribute> element.');
- }
- $name = $attribute->getAttribute('Name');
-
- if ($attribute->hasAttribute('NameFormat')) {
- $nameFormat = $attribute->getAttribute('NameFormat');
- } else {
- $nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- }
-
- if ($firstAttribute) {
- $this->nameFormat = $nameFormat;
- $firstAttribute = FALSE;
- } else {
- if ($this->nameFormat !== $nameFormat) {
- $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- }
- }
-
- if (!array_key_exists($name, $this->attributes)) {
- $this->attributes[$name] = array();
- }
-
- $values = SAML2_Utils::xpQuery($attribute, './saml_assertion:AttributeValue');
- foreach ($values as $value) {
- $this->attributes[$name][] = trim($value->textContent);
- }
- }
- }
-
-
- /**
- * Retrieve the earliest timestamp this assertion is valid.
- *
- * This function returns NULL if there are no restrictions on how early the
- * assertion can be used.
- *
- * @return int|NULL The earliest timestamp this assertion is valid.
- */
- public function getNotBefore() {
-
- return $this->notBefore;
- }
-
-
- /**
- * Set the earliest timestamp this assertion can be used.
- *
- * Set this to NULL if no limit is required.
- *
- * @param int|NULL $notBefore The earliest timestamp this assertion is valid.
- */
- public function setNotBefore($notBefore) {
- assert('is_int($notBefore) || is_null($notBefore)');
-
- $this->notBefore = $notBefore;
- }
-
-
- /**
- * Retrieve the expiration timestamp of this assertion.
- *
- * This function returns NULL if there are no restrictions on how
- * late the assertion can be used.
- *
- * @return int|NULL The latest timestamp this assertion is valid.
- */
- public function getNotOnOrAfter() {
-
- return $this->notOnOrAfter;
- }
-
-
- /**
- * Set the expiration timestamp of this assertion.
- *
- * Set this to NULL if no limit is required.
- *
- * @param int|NULL $notOnOrAfter The latest timestamp this assertion is valid.
- */
- public function setNotOnOrAfter($notOnOrAfter) {
- assert('is_int($notOnOrAfter) || is_null($notOnOrAfter)');
-
- $this->notOnOrAfter = $notOnOrAfter;
- }
-
-
- /**
- * Set $EncryptedAttributes if attributes will send encrypted
- *
- * @param boolean $ea TRUE to encrypt attributes in the assertion.
- */
- public function setEncryptedAttributes($ea) {
- $this->requiredEncAttributes = $ea;
- }
-
-
- /**
- * Retrieve the audiences that are allowed to receive this assertion.
- *
- * This may be NULL, in which case all audiences are allowed.
- *
- * @return array|NULL The allowed audiences.
- */
- public function getValidAudiences() {
-
- return $this->validAudiences;
- }
-
-
- /**
- * Set the audiences that are allowed to receive this assertion.
- *
- * This may be NULL, in which case all audiences are allowed.
- *
- * @param array|NULL $validAudiences The allowed audiences.
- */
- public function setValidAudiences(array $validAudiences = NULL) {
-
- $this->validAudiences = $validAudiences;
- }
-
-
- /**
- * Retrieve the AuthnInstant of the assertion.
- *
- * @return int|NULL The timestamp the user was authenticated, or NULL if the user isn't authenticated.
- */
- public function getAuthnInstant() {
-
- return $this->authnInstant;
- }
-
-
- /**
- * Set the AuthnInstant of the assertion.
- *
- * @param int|NULL $authnInstant The timestamp the user was authenticated, or NULL if we don't want an AuthnStatement.
- */
- public function setAuthnInstant($authnInstant) {
- assert('is_int($authnInstant) || is_null($authnInstant)');
-
- $this->authnInstant = $authnInstant;
- }
-
-
- /**
- * Retrieve the session expiration timestamp.
- *
- * This function returns NULL if there are no restrictions on the
- * session lifetime.
- *
- * @return int|NULL The latest timestamp this session is valid.
- */
- public function getSessionNotOnOrAfter() {
-
- return $this->sessionNotOnOrAfter;
- }
-
-
- /**
- * Set the session expiration timestamp.
- *
- * Set this to NULL if no limit is required.
- *
- * @param int|NULL $sessionLifetime The latest timestamp this session is valid.
- */
- public function setSessionNotOnOrAfter($sessionNotOnOrAfter) {
- assert('is_int($sessionNotOnOrAfter) || is_null($sessionNotOnOrAfter)');
-
- $this->sessionNotOnOrAfter = $sessionNotOnOrAfter;
- }
-
-
- /**
- * Retrieve the session index of the user at the IdP.
- *
- * @return string|NULL The session index of the user at the IdP.
- */
- public function getSessionIndex() {
-
- return $this->sessionIndex;
- }
-
-
- /**
- * Set the session index of the user at the IdP.
- *
- * Note that the authentication context must be set before the
- * session index can be inluded in the assertion.
- *
- * @param string|NULL $sessionIndex The session index of the user at the IdP.
- */
- public function setSessionIndex($sessionIndex) {
- assert('is_string($sessionIndex) || is_null($sessionIndex)');
-
- $this->sessionIndex = $sessionIndex;
- }
-
-
- /**
- * Retrieve the authentication method used to authenticate the user.
- *
- * This will return NULL if no authentication statement was
- * included in the assertion.
- *
- * @return string|NULL The authentication method.
- */
- public function getAuthnContext() {
-
- return $this->authnContext;
- }
-
-
- /**
- * Set the authentication method used to authenticate the user.
- *
- * If this is set to NULL, no authentication statement will be
- * included in the assertion. The default is NULL.
- *
- * @param string|NULL $authnContext The authentication method.
- */
- public function setAuthnContext($authnContext) {
- assert('is_string($authnContext) || is_null($authnContext)');
-
- $this->authnContext = $authnContext;
- }
-
-
- /**
- * Retrieve the AuthenticatingAuthority.
- *
- *
- * @return array
- */
- public function getAuthenticatingAuthority() {
-
- return $this->AuthenticatingAuthority;
- }
-
-
- /**
- * Set the AuthenticatingAuthority
- *
- *
- * @param array.
- */
- public function setAuthenticatingAuthority($AuthenticatingAuthority) {
- $this->AuthenticatingAuthority = $AuthenticatingAuthority;
- }
-
-
- /**
- * Retrieve all attributes.
- *
- * @return array All attributes, as an associative array.
- */
- public function getAttributes() {
-
- return $this->attributes;
- }
-
-
- /**
- * Replace all attributes.
- *
- * @param array $attributes All new attributes, as an associative array.
- */
- public function setAttributes(array $attributes) {
-
- $this->attributes = $attributes;
- }
-
-
- /**
- * Retrieve the NameFormat used on all attributes.
- *
- * If more than one NameFormat is used in the received attributes, this
- * returns the unspecified NameFormat.
- *
- * @return string The NameFormat used on all attributes.
- */
- public function getAttributeNameFormat() {
- return $this->nameFormat;
- }
-
-
- /**
- * Set the NameFormat used on all attributes.
- *
- * @param string $nameFormat The NameFormat used on all attributes.
- */
- public function setAttributeNameFormat($nameFormat) {
- assert('is_string($nameFormat)');
-
- $this->nameFormat = $nameFormat;
- }
-
-
- /**
- * Retrieve the SubjectConfirmation elements we have in our Subject element.
- *
- * @return array Array of SAML2_XML_saml_SubjectConfirmation elements.
- */
- public function getSubjectConfirmation() {
- return $this->SubjectConfirmation;
- }
-
-
- /**
- * Set the SubjectConfirmation elements that should be included in the assertion.
- *
- * @param array $SubjectConfirmation Array of SAML2_XML_saml_SubjectConfirmation elements.
- */
- public function setSubjectConfirmation(array $SubjectConfirmation) {
-
- $this->SubjectConfirmation = $SubjectConfirmation;
- }
-
-
- /**
- * Retrieve the private key we should use to sign the assertion.
- *
- * @return XMLSecurityKey|NULL The key, or NULL if no key is specified.
- */
- public function getSignatureKey() {
- return $this->signatureKey;
- }
-
-
- /**
- * Set the private key we should use to sign the assertion.
- *
- * If the key is NULL, the assertion will be sent unsigned.
- *
- * @param XMLSecurityKey|NULL $key
- */
- public function setSignatureKey(XMLsecurityKey $signatureKey = NULL) {
- $this->signatureKey = $signatureKey;
- }
-
-
- /**
- * Return the key we should use to encrypt the assertion.
- *
- * @return XMLSecurityKey|NULL The key, or NULL if no key is specified..
- *
- */
-
-
- public function getEncryptionKey() {
- return $this->encryptionKey;
- }
-
-
- /**
- * Set the private key we should use to encrypt the attributes.
- *
- * @param XMLSecurityKey|NULL $key
- */
- public function setEncryptionKey(XMLSecurityKey $Key = NULL) {
- $this->encryptionKey = $Key;
- }
-
- /**
- * Set the certificates that should be included in the assertion.
- *
- * The certificates should be strings with the PEM encoded data.
- *
- * @param array $certificates An array of certificates.
- */
- public function setCertificates(array $certificates) {
- $this->certificates = $certificates;
- }
-
-
- /**
- * Retrieve the certificates that are included in the assertion.
- *
- * @return array An array of certificates.
- */
- public function getCertificates() {
- return $this->certificates;
- }
-
-
- /**
- * Convert this assertion to an XML element.
- *
- * @param DOMNode|NULL $parentElement The DOM node the assertion should be created in.
- * @return DOMElement This assertion.
- */
- public function toXML(DOMNode $parentElement = NULL) {
-
- if ($parentElement === NULL) {
- $document = new DOMDocument();
- $parentElement = $document;
- } else {
- $document = $parentElement->ownerDocument;
- }
-
- $root = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:' . 'Assertion');
- $parentElement->appendChild($root);
-
- /* Ugly hack to add another namespace declaration to the root element. */
- $root->setAttributeNS(SAML2_Const::NS_SAMLP, 'samlp:tmp', 'tmp');
- $root->removeAttributeNS(SAML2_Const::NS_SAMLP, 'tmp');
- $root->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:tmp', 'tmp');
- $root->removeAttributeNS(SAML2_Const::NS_XSI, 'tmp');
- $root->setAttributeNS(SAML2_Const::NS_XS, 'xs:tmp', 'tmp');
- $root->removeAttributeNS(SAML2_Const::NS_XS, 'tmp');
-
- $root->setAttribute('ID', $this->id);
- $root->setAttribute('Version', '2.0');
- $root->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z', $this->issueInstant));
-
- $issuer = SAML2_Utils::addString($root, SAML2_Const::NS_SAML, 'saml:Issuer', $this->issuer);
-
- $this->addSubject($root);
- $this->addConditions($root);
- $this->addAuthnStatement($root);
- if($this->requiredEncAttributes == false)
- $this->addAttributeStatement($root);
- else
- $this->addEncryptedAttributeStatement($root);
-
- if ($this->signatureKey !== NULL) {
- SAML2_Utils::insertSignature($this->signatureKey, $this->certificates, $root, $issuer->nextSibling);
- }
-
- return $root;
- }
-
-
- /**
- * Add a Subject-node to the assertion.
- *
- * @param DOMElement $root The assertion element we should add the subject to.
- */
- private function addSubject(DOMElement $root) {
-
- if ($this->nameId === NULL && $this->encryptedNameId === NULL) {
- /* We don't have anything to create a Subject node for. */
- return;
- }
-
- $subject = $root->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:Subject');
- $root->appendChild($subject);
-
- if ($this->encryptedNameId === NULL) {
- SAML2_Utils::addNameId($subject, $this->nameId);
- } else {
- $eid = $subject->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:' . 'EncryptedID');
- $subject->appendChild($eid);
- $eid->appendChild($subject->ownerDocument->importNode($this->encryptedNameId, TRUE));
- }
-
- foreach ($this->SubjectConfirmation as $sc) {
- $sc->toXML($subject);
- }
- }
-
-
- /**
- * Add a Conditions-node to the assertion.
- *
- * @param DOMElement $root The assertion element we should add the conditions to.
- */
- private function addConditions(DOMElement $root) {
-
- $document = $root->ownerDocument;
-
- $conditions = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:Conditions');
- $root->appendChild($conditions);
-
- if ($this->notBefore !== NULL) {
- $conditions->setAttribute('NotBefore', gmdate('Y-m-d\TH:i:s\Z', $this->notBefore));
- }
- if ($this->notOnOrAfter !== NULL) {
- $conditions->setAttribute('NotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->notOnOrAfter));
- }
-
- if ($this->validAudiences !== NULL) {
- $ar = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AudienceRestriction');
- $conditions->appendChild($ar);
-
- SAML2_Utils::addStrings($ar, SAML2_Const::NS_SAML, 'saml:Audience', FALSE, $this->validAudiences);
- }
- }
-
-
- /**
- * Add a AuthnStatement-node to the assertion.
- *
- * @param DOMElement $root The assertion element we should add the authentication statement to.
- */
- private function addAuthnStatement(DOMElement $root) {
-
- if ($this->authnContext === NULL || $this->authnInstant === NULL) {
- /* No authentication context or AuthnInstant => no authentication statement. */
- return;
- }
-
- $document = $root->ownerDocument;
-
- $as = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AuthnStatement');
- $root->appendChild($as);
-
- $as->setAttribute('AuthnInstant', gmdate('Y-m-d\TH:i:s\Z', $this->authnInstant));
-
- if ($this->sessionNotOnOrAfter !== NULL) {
- $as->setAttribute('SessionNotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->sessionNotOnOrAfter));
- }
- if ($this->sessionIndex !== NULL) {
- $as->setAttribute('SessionIndex', $this->sessionIndex);
- }
-
- $ac = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AuthnContext');
- $as->appendChild($ac);
-
- SAML2_Utils::addString($ac, SAML2_Const::NS_SAML, 'saml:AuthnContextClassRef', $this->authnContext);
- SAML2_Utils::addStrings($ac, SAML2_Const::NS_SAML, 'saml:AuthenticatingAuthority', false, $this->AuthenticatingAuthority);
- }
-
-
- /**
- * Add an AttributeStatement-node to the assertion.
- *
- * @param DOMElement $root The assertion element we should add the subject to.
- */
- private function addAttributeStatement(DOMElement $root) {
-
- if (empty($this->attributes)) {
- return;
- }
-
- $document = $root->ownerDocument;
-
- $attributeStatement = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeStatement');
- $root->appendChild($attributeStatement);
-
- foreach ($this->attributes as $name => $values) {
- $attribute = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:Attribute');
- $attributeStatement->appendChild($attribute);
- $attribute->setAttribute('Name', $name);
-
- if ($this->nameFormat !== SAML2_Const::NAMEFORMAT_UNSPECIFIED) {
- $attribute->setAttribute('NameFormat', $this->nameFormat);
- }
-
- foreach ($values as $value) {
- if (is_string($value)) {
- $type = 'xs:string';
- } elseif (is_int($value)) {
- $type = 'xs:integer';
- } else {
- $type = NULL;
- }
-
- $attributeValue = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeValue');
- $attribute->appendChild($attributeValue);
- if ($type !== NULL) {
- $attributeValue->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', $type);
- }
-
- if ($value instanceof DOMNodeList) {
- for ($i = 0; $i < $value->length; $i++) {
- $node = $document->importNode($value->item($i), TRUE);
- $attributeValue->appendChild($node);
- }
- } else {
- $attributeValue->appendChild($document->createTextNode($value));
- }
- }
- }
- }
-
-
- /**
- * Add an EncryptedAttribute Statement-node to the assertion.
- *
- * @param DOMElement $root The assertion element we should add the Encrypted Attribute Statement to.
- */
- private function addEncryptedAttributeStatement(DOMElement $root) {
-
- if ($this->requiredEncAttributes == FALSE)
- return;
-
- $document = $root->ownerDocument;
-
- $attributeStatement = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeStatement');
- $root->appendChild($attributeStatement);
-
- foreach ($this->attributes as $name => $values) {
- $document2 = new DOMDocument();
- $attribute = $document2->createElementNS(SAML2_Const::NS_SAML, 'saml:Attribute');
- $attribute->setAttribute('Name', $name);
- $document2->appendChild($attribute);
-
- if ($this->nameFormat !== SAML2_Const::NAMEFORMAT_UNSPECIFIED) {
- $attribute->setAttribute('NameFormat', $this->nameFormat);
- }
-
- foreach ($values as $value) {
- if (is_string($value)) {
- $type = 'xs:string';
- } elseif (is_int($value)) {
- $type = 'xs:integer';
- } else {
- $type = NULL;
- }
-
- $attributeValue = $document2->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeValue');
- $attribute->appendChild($attributeValue);
- if ($type !== NULL) {
- $attributeValue->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', $type);
- }
-
- if ($value instanceof DOMNodeList) {
- for ($i = 0; $i < $value->length; $i++) {
- $node = $document2->importNode($value->item($i), TRUE);
- $attributeValue->appendChild($node);
- }
- } else {
- $attributeValue->appendChild($document2->createTextNode($value));
- }
- }
- /*Once the attribute nodes are built, the are encrypted*/
- $EncAssert = new XMLSecEnc();
- $EncAssert->setNode($document2->documentElement);
- $EncAssert->type = 'http://www.w3.org/2001/04/xmlenc#Element';
- /*
- * Attributes are encrypted with a session key and this one with
- * $EncryptionKey
- */
- $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES256_CBC);
- $symmetricKey->generateSessionKey();
- $EncAssert->encryptKey($this->encryptionKey, $symmetricKey);
- $EncrNode = $EncAssert->encryptNode($symmetricKey);
-
- $EncAttribute = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:EncryptedAttribute');
- $attributeStatement->appendChild($EncAttribute);
- $n = $document->importNode($EncrNode,true);
- $EncAttribute->appendChild($n);
- }
- }
-
-}
diff --git a/lib/SAML2/AttributeQuery.php b/lib/SAML2/AttributeQuery.php
deleted file mode 100644
index 09b70b7841a64c41784b752fe5ebd93b5f30729b..0000000000000000000000000000000000000000
--- a/lib/SAML2/AttributeQuery.php
+++ /dev/null
@@ -1,176 +0,0 @@
-<?php
-
-/**
- * Class for SAML 2 attribute query messages.
- *
- * An attribute query asks for a set of attributes. The following
- * rules apply:
- *
- * - If no attributes are present in the query, all attributes should be
- * returned.
- * - If any attributes are present, only those attributes which are present
- * in the query should be returned.
- * - If an attribute contains any attribute values, only the attribute values
- * which match those in the query should be returned.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_AttributeQuery extends SAML2_SubjectQuery {
-
-
- /**
- * The attributes, as an associative array.
- *
- * @var array
- */
- private $attributes;
-
-
- /**
- * The NameFormat used on all attributes.
- *
- * If more than one NameFormat is used, this will contain
- * the unspecified nameformat.
- *
- * @var string
- */
- private $nameFormat;
-
-
- /**
- * Constructor for SAML 2 attribute query messages.
- *
- * @param DOMElement|NULL $xml The input message.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('AttributeQuery', $xml);
-
- $this->attributes = array();
- $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
-
- if ($xml === NULL) {
- return;
- }
-
- $firstAttribute = TRUE;
- $attributes = SAML2_Utils::xpQuery($xml, './saml_assertion:Attribute');
- foreach ($attributes as $attribute) {
- if (!$attribute->hasAttribute('Name')) {
- throw new Exception('Missing name on <saml:Attribute> element.');
- }
- $name = $attribute->getAttribute('Name');
-
- if ($attribute->hasAttribute('NameFormat')) {
- $nameFormat = $attribute->getAttribute('NameFormat');
- } else {
- $nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- }
-
- if ($firstAttribute) {
- $this->nameFormat = $nameFormat;
- $firstAttribute = FALSE;
- } else {
- if ($this->nameFormat !== $nameFormat) {
- $this->nameFormat = SAML2_Const::NAMEFORMAT_UNSPECIFIED;
- }
- }
-
- if (!array_key_exists($name, $this->attributes)) {
- $this->attributes[$name] = array();
- }
-
- $values = SAML2_Utils::xpQuery($attribute, './saml_assertion:AttributeValue');
- foreach ($values as $value) {
- $this->attributes[$name][] = trim($value->textContent);
- }
- }
- }
-
-
- /**
- * Retrieve all requested attributes.
- *
- * @return array All requested attributes, as an associative array.
- */
- public function getAttributes() {
-
- return $this->attributes;
- }
-
-
- /**
- * Set all requested attributes.
- *
- * @param array $attributes All requested attributes, as an associative array.
- */
- public function setAttributes(array $attributes) {
-
- $this->attributes = $attributes;
- }
-
-
- /**
- * Retrieve the NameFormat used on all attributes.
- *
- * If more than one NameFormat is used in the received attributes, this
- * returns the unspecified NameFormat.
- *
- * @return string The NameFormat used on all attributes.
- */
- public function getAttributeNameFormat() {
- return $this->nameFormat;
- }
-
-
- /**
- * Set the NameFormat used on all attributes.
- *
- * @param string $nameFormat The NameFormat used on all attributes.
- */
- public function setAttributeNameFormat($nameFormat) {
- assert('is_string($nameFormat)');
-
- $this->nameFormat = $nameFormat;
- }
-
-
- /**
- * Convert the attribute query message to an XML element.
- *
- * @return DOMElement This attribute query.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
-
- foreach ($this->attributes as $name => $values) {
- $attribute = $root->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:Attribute');
- $root->appendChild($attribute);
- $attribute->setAttribute('Name', $name);
-
- if ($this->nameFormat !== SAML2_Const::NAMEFORMAT_UNSPECIFIED) {
- $attribute->setAttribute('NameFormat', $this->nameFormat);
- }
-
- foreach ($values as $value) {
- if (is_string($value)) {
- $type = 'xs:string';
- } elseif (is_int($value)) {
- $type = 'xs:integer';
- } else {
- $type = NULL;
- }
-
- $attributeValue = SAML2_Utils::addString($attribute, SAML2_Const::NS_SAML, 'saml:AttributeValue', $value);
- if ($type !== NULL) {
- $attributeValue->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', $type);
- }
- }
- }
-
- return $root;
- }
-
-
-}
diff --git a/lib/SAML2/AuthnRequest.php b/lib/SAML2/AuthnRequest.php
deleted file mode 100644
index b536dce249231be4664e896397beae7d0c66e17d..0000000000000000000000000000000000000000
--- a/lib/SAML2/AuthnRequest.php
+++ /dev/null
@@ -1,533 +0,0 @@
-<?php
-
-/**
- * Class for SAML 2 authentication request messages.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_AuthnRequest extends SAML2_Request {
-
- /**
- * The options for what type of name identifier should be returned.
- *
- * @var array
- */
- private $nameIdPolicy;
-
- /**
- * Whether the Identity Provider must authenticate the user again.
- *
- * @var bool
- */
- private $forceAuthn;
-
-
- /**
- * Set to TRUE if this request is passive.
- *
- * @var bool.
- */
- private $isPassive;
-
- /**
- * The list of providerIDs in this request's scoping element
- *
- * @var array
- */
- private $IDPList = array();
-
- /**
- * The ProxyCount in this request's scoping element
- *
- * @var int
- */
- private $ProxyCount = null;
-
- /**
- * The RequesterID list in this request's scoping element
- *
- * @var array
- */
-
- private $RequesterID = array();
-
- /**
- * The URL of the asertion consumer service where the response should be delivered.
- *
- * @var string|NULL
- */
- private $assertionConsumerServiceURL;
-
-
- /**
- * What binding should be used when sending the response.
- *
- * @var string|NULL
- */
- private $protocolBinding;
-
-
- /**
- * The index of the AttributeConsumingService.
- *
- * @var int|NULL
- */
- private $attributeConsumingServiceIndex;
-
- /**
- * The index of the AssertionConsumerService.
- *
- * @var int|NULL
- */
- private $assertionConsumerServiceIndex;
-
-
- /**
- * What authentication context was requested.
- *
- * Array with the following elements.
- * - AuthnContextClassRef (required)
- * - Comparison (optinal)
- *
- * @var array
- */
- private $requestedAuthnContext;
-
- /**
- * Request extensions.
- *
- * @var array
- */
- private $extensions;
-
- /**
- * Constructor for SAML 2 authentication request messages.
- *
- * @param DOMElement|NULL $xml The input message.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('AuthnRequest', $xml);
-
- $this->nameIdPolicy = array();
- $this->forceAuthn = FALSE;
- $this->isPassive = FALSE;
-
- if ($xml === NULL) {
- return;
- }
-
- $this->forceAuthn = SAML2_Utils::parseBoolean($xml, 'ForceAuthn', FALSE);
- $this->isPassive = SAML2_Utils::parseBoolean($xml, 'IsPassive', FALSE);
-
- if ($xml->hasAttribute('AssertionConsumerServiceURL')) {
- $this->assertionConsumerServiceURL = $xml->getAttribute('AssertionConsumerServiceURL');
- }
-
- if ($xml->hasAttribute('ProtocolBinding')) {
- $this->protocolBinding = $xml->getAttribute('ProtocolBinding');
- }
-
- if ($xml->hasAttribute('AttributeConsumingServiceIndex')) {
- $this->attributeConsumingServiceIndex = (int)$xml->getAttribute('AttributeConsumingServiceIndex');
- }
-
- if ($xml->hasAttribute('AssertionConsumerServiceIndex')) {
- $this->assertionConsumerServiceIndex = (int)$xml->getAttribute('AssertionConsumerServiceIndex');
- }
-
- $nameIdPolicy = SAML2_Utils::xpQuery($xml, './saml_protocol:NameIDPolicy');
-
- if (!empty($nameIdPolicy)) {
- $nameIdPolicy = $nameIdPolicy[0];
- if ($nameIdPolicy->hasAttribute('Format')) {
- $this->nameIdPolicy['Format'] = $nameIdPolicy->getAttribute('Format');
- }
- if ($nameIdPolicy->hasAttribute('SPNameQualifier')) {
- $this->nameIdPolicy['SPNameQualifier'] = $nameIdPolicy->getAttribute('SPNameQualifier');
- }
- if ($nameIdPolicy->hasAttribute('AllowCreate')) {
- $this->nameIdPolicy['AllowCreate'] = SAML2_Utils::parseBoolean($nameIdPolicy, 'AllowCreate', FALSE);
- }
- }
-
- $requestedAuthnContext = SAML2_Utils::xpQuery($xml, './saml_protocol:RequestedAuthnContext');
- if (!empty($requestedAuthnContext)) {
- $requestedAuthnContext = $requestedAuthnContext[0];
-
- $rac = array(
- 'AuthnContextClassRef' => array(),
- 'Comparison' => 'exact',
- );
-
- $accr = SAML2_Utils::xpQuery($requestedAuthnContext, './saml_assertion:AuthnContextClassRef');
- foreach ($accr as $i) {
- $rac['AuthnContextClassRef'][] = trim($i->textContent);
- }
-
- if ($requestedAuthnContext->hasAttribute('Comparison')) {
- $rac['Comparison'] = $requestedAuthnContext->getAttribute('Comparison');
- }
-
- $this->requestedAuthnContext = $rac;
- }
-
- $scoping = SAML2_Utils::xpQuery($xml, './saml_protocol:Scoping');
- if (!empty($scoping)) {
- $scoping =$scoping[0];
-
- if ($scoping->hasAttribute('ProxyCount')) {
- $this->ProxyCount = (int)$scoping->getAttribute('ProxyCount');
- }
- $idpEntries = SAML2_Utils::xpQuery($scoping, './saml_protocol:IDPList/saml_protocol:IDPEntry');
-
- foreach($idpEntries as $idpEntry) {
- if (!$idpEntry->hasAttribute('ProviderID')) {
- throw new Exception("Could not get ProviderID from Scoping/IDPEntry element in AuthnRequest object");
- }
- $this->IDPList[] = $idpEntry->getAttribute('ProviderID');
- }
-
- $requesterIDs = SAML2_Utils::xpQuery($scoping, './saml_protocol:RequesterID');
- foreach ($requesterIDs as $requesterID) {
- $this->RequesterID[] = trim($requesterID->textContent);
- }
-
- }
-
- $this->extensions = SAML2_XML_samlp_Extensions::getList($xml);
- }
-
-
- /**
- * Retrieve the NameIdPolicy.
- *
- * @see SAML2_AuthnRequest::setNameIdPolicy()
- * @return array The NameIdPolicy.
- */
- public function getNameIdPolicy() {
- return $this->nameIdPolicy;
- }
-
-
- /**
- * Set the NameIDPolicy.
- *
- * This function accepts an array with the following options:
- * - 'Format'
- * - 'SPNameQualifier'
- * - 'AllowCreate'
- *
- * @param array $nameIdPolicy The NameIDPolicy.
- */
- public function setNameIdPolicy(array $nameIdPolicy) {
-
- $this->nameIdPolicy = $nameIdPolicy;
- }
-
-
- /**
- * Retrieve the value of the ForceAuthn attribute.
- *
- * @return bool The ForceAuthn attribute.
- */
- public function getForceAuthn() {
- return $this->forceAuthn;
- }
-
-
- /**
- * Set the value of the ForceAuthn attribute.
- *
- * @param bool $forceAuthn The ForceAuthn attribute.
- */
- public function setForceAuthn($forceAuthn) {
- assert('is_bool($forceAuthn)');
-
- $this->forceAuthn = $forceAuthn;
- }
-
-
- /**
- * Retrieve the value of the IsPassive attribute.
- *
- * @return bool The IsPassive attribute.
- */
- public function getIsPassive() {
- return $this->isPassive;
- }
-
-
- /**
- * Set the value of the IsPassive attribute.
- *
- * @param bool $isPassive The IsPassive attribute.
- */
- public function setIsPassive($isPassive) {
- assert('is_bool($isPassive)');
-
- $this->isPassive = $isPassive;
- }
-
-
- /**
- * This function sets the scoping for the request
- * See Core 3.4.1.2 for the definition of scoping
- * Currently we only support an IDPList of idpEntries
- * and only the required ProviderID in an IDPEntry
- * $providerIDs is an array of Entity Identifiers
- *
- */
- public function setIDPList($IDPList) {
- assert('is_array($IDPList)');
- $this->IDPList = $IDPList;
- }
-
-
- /**
- * This function retrieves the list of providerIDs from this authentication request.
- * Currently we only support a list of ipd ientity id's.
- * @return The list of idpidentityids from the request
- */
-
- public function getIDPList() {
- return $this->IDPList;
- }
-
- public function setProxyCount($ProxyCount) {
- assert('is_int($ProxyCount)');
- $this->ProxyCount = $ProxyCount;
- }
-
- public function getProxyCount() {
- return $this->ProxyCount;
- }
-
- public function setRequesterID(array $RequesterID) {
- $this->RequesterID = $RequesterID;
- }
-
- public function getRequesterID() {
- return $this->RequesterID;
- }
-
- /**
- * Retrieve the value of the AssertionConsumerServiceURL attribute.
- *
- * @return string|NULL The AssertionConsumerServiceURL attribute.
- */
- public function getAssertionConsumerServiceURL() {
- return $this->assertionConsumerServiceURL;
- }
-
-
- /**
- * Set the value of the AssertionConsumerServiceURL attribute.
- *
- * @param string|NULL $assertionConsumerServiceURL The AssertionConsumerServiceURL attribute.
- */
- public function setAssertionConsumerServiceURL($assertionConsumerServiceURL) {
- assert('is_string($assertionConsumerServiceURL) || is_null($assertionConsumerServiceURL)');
-
- $this->assertionConsumerServiceURL = $assertionConsumerServiceURL;
- }
-
-
- /**
- * Retrieve the value of the ProtocolBinding attribute.
- *
- * @return string|NULL The ProtocolBinding attribute.
- */
- public function getProtocolBinding() {
- return $this->protocolBinding;
- }
-
-
- /**
- * Set the value of the ProtocolBinding attribute.
- *
- * @param string $protocolBinding The ProtocolBinding attribute.
- */
- public function setProtocolBinding($protocolBinding) {
- assert('is_string($protocolBinding) || is_null($protocolBinding)');
-
- $this->protocolBinding = $protocolBinding;
- }
-
- /**
- * Retrieve the value of the AttributeConsumingServiceIndex attribute.
- *
- * @return int|NULL The AttributeConsumingServiceIndex attribute.
- */
- public function getAttributeConsumingServiceIndex() {
- return $this->attributeConsumingServiceIndex;
- }
-
-
- /**
- * Set the value of the AttributeConsumingServiceIndex attribute.
- *
- * @param int|NULL $attributeConsumingServiceIndex The AttributeConsumingServiceIndex attribute.
- */
- public function setAttributeConsumingServiceIndex($attributeConsumingServiceIndex) {
- assert('is_int($attributeConsumingServiceIndex) || is_null($attributeConsumingServiceIndex)');
-
- $this->attributeConsumingServiceIndex = $attributeConsumingServiceIndex;
- }
-
-
- /**
- * Retrieve the value of the AssertionConsumerServiceIndex attribute.
- *
- * @return int|NULL The AssertionConsumerServiceIndex attribute.
- */
- public function getAssertionConsumerServiceIndex() {
- return $this->assertionConsumerServiceIndex;
- }
-
-
- /**
- * Set the value of the AssertionConsumerServiceIndex attribute.
- *
- * @param int|NULL $assertionConsumerServiceIndex The AssertionConsumerServiceIndex attribute.
- */
- public function setAssertionConsumerServiceIndex($assertionConsumerServiceIndex) {
- assert('is_int($assertionConsumerServiceIndex) || is_null($assertionConsumerServiceIndex)');
-
- $this->assertionConsumerServiceIndex = $assertionConsumerServiceIndex;
- }
-
-
- /**
- * Retrieve the RequestedAuthnContext.
- *
- * @return array|NULL The RequestedAuthnContext.
- */
- public function getRequestedAuthnContext() {
- return $this->requestedAuthnContext;
- }
-
-
- /**
- * Set the RequestedAuthnContext.
- *
- * @param array|NULL $requestedAuthnContext The RequestedAuthnContext.
- */
- public function setRequestedAuthnContext($requestedAuthnContext) {
- assert('is_array($requestedAuthnContext) || is_null($requestedAuthnContext)');
-
- $this->requestedAuthnContext = $requestedAuthnContext;
- }
-
-
- /**
- * Retrieve the Extensions.
- *
- * @return SAML2_XML_samlp_Extensions.
- */
- public function getExtensions() {
- return $this->extensions;
- }
-
-
- /**
- * Set the Extensions.
- *
- * @param array|NULL $extensions The Extensions.
- */
- public function setExtensions($extensions) {
- assert('is_array($extensions) || is_null($extensions)');
-
- $this->extensions = $extensions;
- }
-
-
- /**
- * Convert this authentication request to an XML element.
- *
- * @return DOMElement This authentication request.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
-
- if ($this->forceAuthn) {
- $root->setAttribute('ForceAuthn', 'true');
- }
-
- if ($this->isPassive) {
- $root->setAttribute('IsPassive', 'true');
- }
-
- if ($this->assertionConsumerServiceIndex !== NULL) {
- $root->setAttribute('AssertionConsumerServiceIndex', $this->assertionConsumerServiceIndex);
- } else {
- if ($this->assertionConsumerServiceURL !== NULL) {
- $root->setAttribute('AssertionConsumerServiceURL', $this->assertionConsumerServiceURL);
- }
- if ($this->protocolBinding !== NULL) {
- $root->setAttribute('ProtocolBinding', $this->protocolBinding);
- }
- }
-
- if ($this->attributeConsumingServiceIndex !== NULL) {
- $root->setAttribute('AttributeConsumingServiceIndex', $this->attributeConsumingServiceIndex);
- }
-
- if (!empty($this->nameIdPolicy)) {
- $nameIdPolicy = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'NameIDPolicy');
- if (array_key_exists('Format', $this->nameIdPolicy)) {
- $nameIdPolicy->setAttribute('Format', $this->nameIdPolicy['Format']);
- }
- if (array_key_exists('SPNameQualifier', $this->nameIdPolicy)) {
- $nameIdPolicy->setAttribute('SPNameQualifier', $this->nameIdPolicy['SPNameQualifier']);
- }
- if (array_key_exists('AllowCreate', $this->nameIdPolicy) && $this->nameIdPolicy['AllowCreate']) {
- $nameIdPolicy->setAttribute('AllowCreate', 'true');
- }
- $root->appendChild($nameIdPolicy);
- }
-
- $rac = $this->requestedAuthnContext;
- if (!empty($rac) && !empty($rac['AuthnContextClassRef'])) {
- $e = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'RequestedAuthnContext');
- $root->appendChild($e);
- if (isset($rac['Comparison']) && $rac['Comparison'] !== 'exact') {
- $e->setAttribute('Comparison', $rac['Comparison']);
- }
- foreach ($rac['AuthnContextClassRef'] as $accr) {
- SAML2_Utils::addString($e, SAML2_Const::NS_SAML, 'AuthnContextClassRef', $accr);
- }
- }
-
- if (!empty($this->extensions)) {
- SAML2_XML_samlp_Extensions::addList($root, $this->extensions);
- }
-
- if ($this->ProxyCount !== null || count($this->IDPList) > 0 || count($this->RequesterID) > 0) {
- $scoping = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'Scoping');
- $root->appendChild($scoping);
- if ($this->ProxyCount !== null) {
- $scoping->setAttribute('ProxyCount', $this->ProxyCount);
- }
- if (count($this->IDPList) > 0) {
- $idplist = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'IDPList');
- foreach ($this->IDPList as $provider) {
- $idpEntry = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'IDPEntry');
- $idpEntry->setAttribute('ProviderID', $provider);
- $idplist->appendChild($idpEntry);
- }
- $scoping->appendChild($idplist);
- }
- if (count($this->RequesterID) > 0) {
- SAML2_Utils::addStrings($scoping, SAML2_Const::NS_SAMLP, 'RequesterID', FALSE, $this->RequesterID);
- }
- }
-
- return $root;
- }
-
-}
-
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/Binding.php b/lib/SAML2/Binding.php
deleted file mode 100644
index cc5f1ccb9083a329330be97bb5ae94e28f34895c..0000000000000000000000000000000000000000
--- a/lib/SAML2/Binding.php
+++ /dev/null
@@ -1,147 +0,0 @@
-<?php
-
-/**
- * Base class for SAML 2 bindings.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-abstract class SAML2_Binding {
-
- /**
- * The destination of messages.
- *
- * This can be NULL, in which case the destination in the message is used.
- */
- protected $destination;
-
-
- /**
- * Retrieve a binding with the given URN.
- *
- * Will throw an exception if it is unable to locate the binding.
- *
- * @param string $urn The URN of the binding.
- * @return SAML2_Binding The binding.
- */
- public static function getBinding($urn) {
- assert('is_string($urn)');
-
- switch ($urn) {
- case SAML2_Const::BINDING_HTTP_POST:
- return new SAML2_HTTPPost();
- case SAML2_Const::BINDING_HTTP_REDIRECT:
- return new SAML2_HTTPRedirect();
- case SAML2_Const::BINDING_HTTP_ARTIFACT:
- return new SAML2_HTTPArtifact();
- case SAML2_Const::BINDING_HOK_SSO:
- return new SAML2_HTTPPost();
- default:
- throw new Exception('Unsupported binding: ' . var_export($urn, TRUE));
- }
- }
-
-
- /**
- * Guess the current binding.
- *
- * This function guesses the current binding and creates an instance
- * of SAML2_Binding matching that binding.
- *
- * An exception will be thrown if it is unable to guess the binding.
- *
- * @return SAML2_Binding The binding.
- */
- public static function getCurrentBinding() {
- switch ($_SERVER['REQUEST_METHOD']) {
- case 'GET':
- if (array_key_exists('SAMLRequest', $_GET) || array_key_exists('SAMLResponse', $_GET)) {
- return new SAML2_HTTPRedirect();
- } elseif (array_key_exists('SAMLart', $_GET) ){
- return new SAML2_HTTPArtifact();
- }
- break;
-
- case 'POST':
- if (isset($_SERVER['CONTENT_TYPE'])) {
- $contentType = $_SERVER['CONTENT_TYPE'];
- $contentType = explode(';', $contentType);
- $contentType = $contentType[0]; /* Remove charset. */
- } else {
- $contentType = NULL;
- }
- if (array_key_exists('SAMLRequest', $_POST) || array_key_exists('SAMLResponse', $_POST)) {
- return new SAML2_HTTPPost();
- } elseif (array_key_exists('SAMLart', $_POST) ){
- return new SAML2_HTTPArtifact();
- } elseif ($contentType === 'text/xml') {
- return new SAML2_SOAP();
- }
- break;
- }
-
- SimpleSAML_Logger::warning('Unable to find the SAML 2 binding used for this request.');
- SimpleSAML_Logger::warning('Request method: ' . var_export($_SERVER['REQUEST_METHOD'], TRUE));
- if (!empty($_GET)) {
- SimpleSAML_Logger::warning("GET parameters: '" . implode("', '", array_map('addslashes', array_keys($_GET))) . "'");
- }
- if (!empty($_POST)) {
- SimpleSAML_Logger::warning("POST parameters: '" . implode("', '", array_map('addslashes', array_keys($_POST))) . "'");
- }
- if (isset($_SERVER['CONTENT_TYPE'])) {
- SimpleSAML_Logger::warning('Content-Type: ' . var_export($_SERVER['CONTENT_TYPE'], TRUE));
- }
-
- throw new Exception('Unable to find the current binding.');
- }
-
-
- /**
- * Retrieve the destination of a message.
- *
- * @return string|NULL $destination The destination the message will be delivered to.
- */
- public function getDestination() {
-
- return $this->destination;
- }
-
-
- /**
- * Override the destination of a message.
- *
- * Set to NULL to use the destination set in the message.
- *
- * @param string|NULL $destination The destination the message should be delivered to.
- */
- public function setDestination($destination) {
- assert('is_string($destination) || is_null($destination)');
-
- $this->destination = $destination;
- }
-
-
- /**
- * Send a SAML 2 message.
- *
- * This function will send a message using the specified binding.
- * The message will be delivered to the destination set in the message.
- *
- * @param SAML2_Message $message The message which should be sent.
- */
- abstract public function send(SAML2_Message $message);
-
-
- /**
- * Receive a SAML 2 message.
- *
- * This function will extract the message from the current request.
- * An exception will be thrown if we are unable to process the message.
- *
- * @return SAML2_Message The received message.
- */
- abstract public function receive();
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/Const.php b/lib/SAML2/Const.php
deleted file mode 100644
index c5361867becb0b98de4770ef115e920c1277841c..0000000000000000000000000000000000000000
--- a/lib/SAML2/Const.php
+++ /dev/null
@@ -1,160 +0,0 @@
-<?php
-
-/**
- * Various SAML 2 constants.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_Const {
-
- /**
- * Password authentication context.
- */
- const AC_PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password';
-
- /**
- * Unspecified authentication context.
- */
- const AC_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified';
-
-
- /**
- * The URN for the HTTP-POST binding.
- */
- const BINDING_HTTP_POST = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST';
-
- /**
- * The URN for the HTTP-Redirect binding.
- */
- const BINDING_HTTP_REDIRECT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';
-
- /**
- * The URN for the HTTP-ARTIFACT binding.
- */
- const BINDING_HTTP_ARTIFACT = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact';
-
- /**
- * The URN for the SOAP binding.
- */
- const BINDING_SOAP = 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP';
-
- /**
- * The URN for the Holder-of-Key Web Browser SSO Profile binding
- */
- const BINDING_HOK_SSO = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
-
-
- /**
- * Bearer subject confirmation method.
- */
- const CM_BEARER = 'urn:oasis:names:tc:SAML:2.0:cm:bearer';
-
- /**
- * Holder-of-Key subject confirmation method.
- */
- const CM_HOK = 'urn:oasis:names:tc:SAML:2.0:cm:holder-of-key';
-
-
- /**
- * The URN for the unspecified attribute NameFormat.
- */
- const NAMEFORMAT_UNSPECIFIED = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified';
-
-
- /**
- * Unspecified NameID format.
- */
- const NAMEID_UNSPECIFIED = 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified';
-
- /**
- * Persistent NameID format.
- */
- const NAMEID_PERSISTENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent';
-
- /**
- * Transient NameID format.
- */
- const NAMEID_TRANSIENT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient';
-
- /**
- * Encrypted NameID format.
- */
- const NAMEID_ENCRYPTED = 'urn:oasis:names:tc:SAML:2.0:nameid-format:encrypted';
-
-
- /**
- * The namespace for the SOAP protocol.
- */
- const NS_SOAP = 'http://schemas.xmlsoap.org/soap/envelope/';
-
- /**
- * The namespace for the SAML 2 protocol.
- */
- const NS_SAMLP = 'urn:oasis:names:tc:SAML:2.0:protocol';
-
- /**
- * The namespace for the SAML 2 assertions.
- */
- const NS_SAML = 'urn:oasis:names:tc:SAML:2.0:assertion';
-
- /**
- * The namespace for the SAML 2 metadata.
- */
- const NS_MD = 'urn:oasis:names:tc:SAML:2.0:metadata';
-
- /**
- * The namespace fox XML schema.
- */
- const NS_XS = 'http://www.w3.org/2001/XMLSchema';
-
- /**
- * The namespace for XML schema instance.
- */
- const NS_XSI = 'http://www.w3.org/2001/XMLSchema-instance';
-
- /**
- * The namespace for the SAML 2 HoK Web Browser SSO Profile.
- */
- const NS_HOK = 'urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser';
-
- /**
- * Top-level status code indicating successful processing of the request.
- */
- const STATUS_SUCCESS = 'urn:oasis:names:tc:SAML:2.0:status:Success';
-
- /**
- * Top-level status code indicating that there was a problem with the request.
- */
- const STATUS_REQUESTER = 'urn:oasis:names:tc:SAML:2.0:status:Requester';
-
- /**
- * Top-level status code indicating that there was a problem generating the response.
- */
- const STATUS_RESPONDER = 'urn:oasis:names:tc:SAML:2.0:status:Responder';
-
- /**
- * Top-level status code indicating that the request was from an unsupported version of the SAML protocol.
- */
- const STATUS_VERSION_MISMATCH = 'urn:oasis:names:tc:SAML:2.0:status:VersionMismatch';
-
-
- /**
- * Second-level status code for NoPassive errors.
- */
- const STATUS_NO_PASSIVE = 'urn:oasis:names:tc:SAML:2.0:status:NoPassive';
-
- /**
- * Second-level status code for PartialLogout.
- */
- const STATUS_PARTIAL_LOGOUT = 'urn:oasis:names:tc:SAML:2.0:status:PartialLogout';
-
- /**
- * Second-level status code for ProxyCountExceeded.
- */
- const STATUS_PROXY_COUNT_EXCEEDED = 'urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded';
-
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/EncryptedAssertion.php b/lib/SAML2/EncryptedAssertion.php
deleted file mode 100644
index dc831789e432c0d31a82957b5160ea4f89ce3aa9..0000000000000000000000000000000000000000
--- a/lib/SAML2/EncryptedAssertion.php
+++ /dev/null
@@ -1,120 +0,0 @@
-<?php
-
-/**
- * Class handling encrypted assertions.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_EncryptedAssertion {
-
- /**
- * The current encrypted assertion.
- *
- * @var DOMElement
- */
- private $encryptedData;
-
-
- /**
- * Constructor for SAML 2 encrypted assertions.
- *
- * @param DOMElement|NULL $xml The encrypted assertion XML element.
- */
- public function __construct(DOMElement $xml = NULL) {
- if ($xml === NULL) {
- return;
- }
-
- $data = SAML2_Utils::xpQuery($xml, './xenc:EncryptedData');
- if (count($data) === 0) {
- throw new Exception('Missing encrypted data in <saml:EncryptedAssertion>.');
- } elseif (count($data) > 1) {
- throw new Exception('More than one encrypted data element in <saml:EncryptedAssertion>.');
- }
- $this->encryptedData = $data[0];
- }
-
-
- /**
- * Set the assertion.
- *
- * @param SAML2_Assertion $assertion The assertion.
- * @param XMLSecurityKey $key The key we should use to encrypt the assertion.
- */
- public function setAssertion(SAML2_Assertion $assertion, XMLSecurityKey $key) {
-
- $xml = $assertion->toXML();
-
- SimpleSAML_Utilities::debugMessage($xml, 'encrypt');
-
- $enc = new XMLSecEnc();
- $enc->setNode($xml);
- $enc->type = XMLSecEnc::Element;
-
- switch ($key->type) {
- case XMLSecurityKey::TRIPLEDES_CBC:
- case XMLSecurityKey::AES128_CBC:
- case XMLSecurityKey::AES192_CBC:
- case XMLSecurityKey::AES256_CBC:
- $symmetricKey = $key;
- break;
-
- case XMLSecurityKey::RSA_1_5:
- case XMLSecurityKey::RSA_OAEP_MGF1P:
- $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
- $symmetricKey->generateSessionKey();
-
- $enc->encryptKey($key, $symmetricKey);
-
- break;
-
- default:
- throw new Exception('Unknown key type for encryption: ' . $key->type);
- }
-
- $this->encryptedData = $enc->encryptNode($symmetricKey);
- }
-
-
- /**
- * Retrieve the assertion.
- *
- * @param XMLSecurityKey $key The key we should use to decrypt the assertion.
- * @param array $blacklist Blacklisted decryption algorithms.
- * @return SAML2_Assertion The decrypted assertion.
- */
- public function getAssertion(XMLSecurityKey $inputKey, array $blacklist = array()) {
-
- $assertionXML = SAML2_Utils::decryptElement($this->encryptedData, $inputKey, $blacklist);
-
- SimpleSAML_Utilities::debugMessage($assertionXML, 'decrypt');
-
- return new SAML2_Assertion($assertionXML);
- }
-
-
- /**
- * Convert this encrypted assertion to an XML element.
- *
- * @param DOMNode|NULL $parentElement The DOM node the assertion should be created in.
- * @return DOMElement This encrypted assertion.
- */
- public function toXML(DOMNode $parentElement = NULL) {
-
- if ($parentElement === NULL) {
- $document = new DOMDocument();
- $parentElement = $document;
- } else {
- $document = $parentElement->ownerDocument;
- }
-
- $root = $document->createElementNS(SAML2_Const::NS_SAML, 'saml:' . 'EncryptedAssertion');
- $parentElement->appendChild($root);
-
- $root->appendChild($document->importNode($this->encryptedData, TRUE));
-
- return $root;
- }
-
-}
\ No newline at end of file
diff --git a/lib/SAML2/HTTPArtifact.php b/lib/SAML2/HTTPArtifact.php
deleted file mode 100644
index 2294c959b59b587a60e3976cdf5eb3788963e5b0..0000000000000000000000000000000000000000
--- a/lib/SAML2/HTTPArtifact.php
+++ /dev/null
@@ -1,155 +0,0 @@
-<?php
-
-
-/**
- * Class which implements the HTTP-Redirect binding.
- *
- * @author Danny Bollaert, UGent AS. <danny.bollaert@ugent.be>
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_HTTPArtifact extends SAML2_Binding {
-
- private $spMetadata;
-
- /**
- * Create the redirect URL for a message.
- *
- * @param SAML2_Message $message The message.
- * @return string The URL the user should be redirected to in order to send a message.
- */
- public function getRedirectURL(SAML2_Message $message) {
-
- $store = SimpleSAML_Store::getInstance();
- if ($store === FALSE) {
- throw new Exception('Unable to send artifact without a datastore configured.');
- }
-
- $generatedId = pack('H*', ((string) SimpleSAML_Utilities::stringToHex(SimpleSAML_Utilities::generateRandomBytes(20))));
- $artifact = base64_encode("\x00\x04\x00\x00" . sha1($message->getIssuer(), TRUE) . $generatedId) ;
- $artifactData = $message->toUnsignedXML();
- $artifactDataString = $artifactData->ownerDocument->saveXML($artifactData);
-
- $store->set('artifact', $artifact, $artifactDataString, time() + 15*60);
-
- $params = array(
- 'SAMLart' => $artifact,
- );
- $relayState = $message->getRelayState();
- if ($relayState !== NULL) {
- $params['RelayState'] = $relayState;
- }
-
- return SimpleSAML_Utilities::addURLparameter($message->getDestination(), $params);
- }
-
-
- /**
- * Send a SAML 2 message using the HTTP-Redirect binding.
- *
- * Note: This function never returns.
- *
- * @param SAML2_Message $message The message we should send.
- */
- public function send(SAML2_Message $message) {
-
- $destination = $this->getRedirectURL($message);
- SimpleSAML_Utilities::redirect($destination);
- }
-
-
- /**
- * Receive a SAML 2 message sent using the HTTP-Artifact binding.
- *
- * Throws an exception if it is unable receive the message.
- *
- * @return SAML2_Message The received message.
- */
- public function receive() {
-
- if (array_key_exists('SAMLart', $_REQUEST)) {
- $artifact = base64_decode($_REQUEST['SAMLart']);
- $endpointIndex = bin2hex(substr($artifact,2,2));
- $sourceId = bin2hex(substr($artifact,4,20));
-
- }else{
- throw new Exception('Missing SAMLArt parameter.');
- }
-
- $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
-
- $idpmetadata = $metadataHandler->getMetaDataConfigForSha1($sourceId, 'saml20-idp-remote');
-
- if ($idpmetadata === NULL) {
- throw new Exception('No metadata found for remote provider with SHA1 ID: ' . var_export($sourceId, TRUE));
- }
-
- $endpoint = NULL;
- foreach ($idpmetadata->getEndpoints('ArtifactResolutionService') as $ep) {
- if ($ep['index'] === hexdec($endpointIndex)) {
- $endpoint = $ep;
- break;
- }
- }
-
- if ($endpoint === NULL) {
- throw new Exception('No ArtifactResolutionService with the correct index.');
- }
-
- SimpleSAML_Logger::debug("ArtifactResolutionService endpoint being used is := " . $endpoint['Location']);
-
- //Construct the ArtifactResolve Request
- $ar = new SAML2_ArtifactResolve();
-
- /* Set the request attributes */
-
- $ar->setIssuer($this->spMetadata->getString('entityid'));
- $ar->setArtifact($_REQUEST['SAMLart']);
- $ar->setDestination($endpoint['Location']);
-
- /* Sign the request */
- sspmod_saml_Message::addSign($this->spMetadata, $idpmetadata, $ar); // Shoaib - moved from the SOAPClient.
-
- $soap = new SAML2_SOAPClient();
-
- // Send message through SoapClient
- $artifactResponse = $soap->send($ar, $this->spMetadata);
-
- if (!$artifactResponse->isSuccess()) {
- throw new Exception('Received error from ArtifactResolutionService.');
- }
-
- $xml = $artifactResponse->getAny();
- if ($xml === NULL) {
- /* Empty ArtifactResponse - possibly because of Artifact replay? */
- return NULL;
- }
-
- $samlresponse = SAML2_Message::fromXML($xml);
- $samlresponse->addValidator(array(get_class($this), 'validateSignature'), $artifactResponse);
-
-
- if (isset($_REQUEST['RelayState'])) {
- $samlresponse->setRelayState($_REQUEST['RelayState']);
- }
-
- return $samlresponse;
- }
-
-
- public function setSPMetadata($sp){
- $this->spMetadata = $sp;
- }
-
-
- /**
- * A validator which returns TRUE if the ArtifactResponse was signed with the given key
- *
- * @return TRUE
- */
- public static function validateSignature(SAML2_ArtifactResponse $message, XMLSecurityKey $key) {
-
- return $message->validate($key);
- }
-
-}
diff --git a/lib/SAML2/HTTPPost.php b/lib/SAML2/HTTPPost.php
deleted file mode 100644
index 951a88a8e18acba26189f67c00ac1011c50935f8..0000000000000000000000000000000000000000
--- a/lib/SAML2/HTTPPost.php
+++ /dev/null
@@ -1,87 +0,0 @@
-<?php
-
-/**
- * Class which implements the HTTP-POST binding.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_HTTPPost extends SAML2_Binding {
-
- /**
- * Send a SAML 2 message using the HTTP-POST binding.
- *
- * Note: This function never returns.
- *
- * @param SAML2_Message $message The message we should send.
- */
- public function send(SAML2_Message $message) {
-
- if ($this->destination === NULL) {
- $destination = $message->getDestination();
- } else {
- $destination = $this->destination;
- }
- $relayState = $message->getRelayState();
-
- $msgStr = $message->toSignedXML();
- $msgStr = $msgStr->ownerDocument->saveXML($msgStr);
-
- SimpleSAML_Utilities::debugMessage($msgStr, 'out');
-
- $msgStr = base64_encode($msgStr);
-
- if ($message instanceof SAML2_Request) {
- $msgType = 'SAMLRequest';
- } else {
- $msgType = 'SAMLResponse';
- }
-
- $post = array();
- $post[$msgType] = $msgStr;
-
- if ($relayState !== NULL) {
- $post['RelayState'] = $relayState;
- }
-
- SimpleSAML_Utilities::postRedirect($destination, $post);
- }
-
-
- /**
- * Receive a SAML 2 message sent using the HTTP-POST binding.
- *
- * Throws an exception if it is unable receive the message.
- *
- * @return SAML2_Message The received message.
- */
- public function receive() {
-
- if (array_key_exists('SAMLRequest', $_POST)) {
- $msg = $_POST['SAMLRequest'];
- } elseif (array_key_exists('SAMLResponse', $_POST)) {
- $msg = $_POST['SAMLResponse'];
- } else {
- throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
- }
-
- $msg = base64_decode($msg);
-
- SimpleSAML_Utilities::debugMessage($msg, 'in');
-
- $document = new DOMDocument();
- $document->loadXML($msg);
- $xml = $document->firstChild;
-
- $msg = SAML2_Message::fromXML($xml);
-
- if (array_key_exists('RelayState', $_POST)) {
- $msg->setRelayState($_POST['RelayState']);
- }
-
- return $msg;
- }
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/HTTPRedirect.php b/lib/SAML2/HTTPRedirect.php
deleted file mode 100644
index ddafea9d3fd10539e0b4869583bdb77fbc484674..0000000000000000000000000000000000000000
--- a/lib/SAML2/HTTPRedirect.php
+++ /dev/null
@@ -1,240 +0,0 @@
-<?php
-
-/**
- * Class which implements the HTTP-Redirect binding.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_HTTPRedirect extends SAML2_Binding {
-
- const DEFLATE = 'urn:oasis:names:tc:SAML:2.0:bindings:URL-Encoding:DEFLATE';
-
- /**
- * Create the redirect URL for a message.
- *
- * @param SAML2_Message $message The message.
- * @return string The URL the user should be redirected to in order to send a message.
- */
- public function getRedirectURL(SAML2_Message $message) {
-
- if ($this->destination === NULL) {
- $destination = $message->getDestination();
- } else {
- $destination = $this->destination;
- }
-
- $relayState = $message->getRelayState();
-
- $key = $message->getSignatureKey();
-
- $msgStr = $message->toUnsignedXML();
- $msgStr = $msgStr->ownerDocument->saveXML($msgStr);
-
- SimpleSAML_Utilities::debugMessage($msgStr, 'out');
-
- $msgStr = gzdeflate($msgStr);
- $msgStr = base64_encode($msgStr);
-
- /* Build the query string. */
-
- if ($message instanceof SAML2_Request) {
- $msg = 'SAMLRequest=';
- } else {
- $msg = 'SAMLResponse=';
- }
- $msg .= urlencode($msgStr);
-
- if ($relayState !== NULL) {
- $msg .= '&RelayState=' . urlencode($relayState);
- }
-
- if ($key !== NULL) {
- /* Add the signature. */
- $msg .= '&SigAlg=' . urlencode($key->type);
-
- $signature = $key->signData($msg);
- $msg .= '&Signature=' . urlencode(base64_encode($signature));
- }
-
- if (strpos($destination, '?') === FALSE) {
- $destination .= '?' . $msg;
- } else {
- $destination .= '&' . $msg;
- }
-
- return $destination;
- }
-
-
- /**
- * Send a SAML 2 message using the HTTP-Redirect binding.
- *
- * Note: This function never returns.
- *
- * @param SAML2_Message $message The message we should send.
- */
- public function send(SAML2_Message $message) {
-
- $destination = $this->getRedirectURL($message);
- SimpleSAML_Logger::debug('Redirect to ' . strlen($destination) . ' byte URL: ' . $destination);
- SimpleSAML_Utilities::redirect($destination);
- }
-
-
- /**
- * Receive a SAML 2 message sent using the HTTP-Redirect binding.
- *
- * Throws an exception if it is unable receive the message.
- *
- * @return SAML2_Message The received message.
- */
- public function receive() {
-
- $data = self::parseQuery();
-
- if (array_key_exists('SAMLRequest', $data)) {
- $msg = $data['SAMLRequest'];
- } elseif (array_key_exists('SAMLResponse', $data)) {
- $msg = $data['SAMLResponse'];
- } else {
- throw new Exception('Missing SAMLRequest or SAMLResponse parameter.');
- }
-
- if (array_key_exists('SAMLEncoding', $data)) {
- $encoding = $data['SAMLEncoding'];
- } else {
- $encoding = self::DEFLATE;
- }
-
- $msg = base64_decode($msg);
- switch ($encoding) {
- case self::DEFLATE:
- $msg = gzinflate($msg);
- break;
- default:
- throw new Exception('Unknown SAMLEncoding: ' . var_export($encoding, TRUE));
- }
-
- SimpleSAML_Utilities::debugMessage($msg, 'in');
-
- $document = new DOMDocument();
- $document->loadXML($msg);
- $xml = $document->firstChild;
-
- $msg = SAML2_Message::fromXML($xml);
-
- if (array_key_exists('Signature', $data)) {
- /* Save the signature validation data until we need it. */
- $signatureValidationData = array(
- 'Signature' => $data['Signature'],
- 'Query' => $data['SignedQuery'],
- );
- }
-
-
- if (array_key_exists('RelayState', $data)) {
- $msg->setRelayState($data['RelayState']);
- }
-
- if (array_key_exists('Signature', $data)) {
- if (!array_key_exists('SigAlg', $data)) {
- throw new Exception('Missing signature algorithm.');
- }
-
- $signData = array(
- 'Signature' => $data['Signature'],
- 'SigAlg' => $data['SigAlg'],
- 'Query' => $data['SignedQuery'],
- );
- $msg->addValidator(array(get_class($this), 'validateSignature'), $signData);
- }
-
- return $msg;
- }
-
-
- /**
- * Helper function to parse query data.
- *
- * This function returns the query string split into key=>value pairs.
- * It also adds a new parameter, SignedQuery, which contains the data that is
- * signed.
- *
- * @return string The query data that is signed.
- */
- private static function parseQuery() {
- /*
- * Parse the query string. We need to do this ourself, so that we get access
- * to the raw (urlencoded) values. This is required because different software
- * can urlencode to different values.
- */
- $data = array();
- $relayState = '';
- $sigAlg = '';
- foreach (explode('&', $_SERVER['QUERY_STRING']) as $e) {
- $tmp = explode('=', $e, 2);
- $name = $tmp[0];
- if (count($tmp) === 2) {
- $value = $tmp[1];
- } else {
- /* No value for this paramter. */
- $value = '';
- }
- $name = urldecode($name);
- $data[$name] = urldecode($value);
-
- switch ($name) {
- case 'SAMLRequest':
- case 'SAMLResponse':
- $sigQuery = $name . '=' . $value;
- break;
- case 'RelayState':
- $relayState = '&RelayState=' . $value;
- break;
- case 'SigAlg':
- $sigAlg = '&SigAlg=' . $value;
- break;
- }
- }
-
- $data['SignedQuery'] = $sigQuery . $relayState . $sigAlg;
-
- return $data;
- }
-
-
- /**
- * Validate the signature on a HTTP-Redirect message.
- *
- * Throws an exception if we are unable to validate the signature.
- *
- * @param array $data The data we need to validate the query string.
- * @param XMLSecurityKey $key The key we should validate the query against.
- */
- public static function validateSignature(array $data, XMLSecurityKey $key) {
- assert('array_key_exists("Query", $data)');
- assert('array_key_exists("SigAlg", $data)');
- assert('array_key_exists("Signature", $data)');
-
- $query = $data['Query'];
- $sigAlg = $data['SigAlg'];
- $signature = $data['Signature'];
-
- $signature = base64_decode($signature);
-
- if ($key->type !== XMLSecurityKey::RSA_SHA1) {
- throw new Exception('Invalid key type for validating signature on query string.');
- }
- if ($key->type !== $sigAlg) {
- $key = SAML2_Utils::castKey($key, $sigAlg);
- }
-
- if (!$key->verifySignature($query,$signature)) {
- throw new Exception('Unable to validate signature on query string.');
- }
- }
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/LogoutRequest.php b/lib/SAML2/LogoutRequest.php
deleted file mode 100644
index 1a9cf1e25f75c97853c08cfc0ef3f7b1dc8e7f75..0000000000000000000000000000000000000000
--- a/lib/SAML2/LogoutRequest.php
+++ /dev/null
@@ -1,282 +0,0 @@
-<?php
-
-/**
- * Class for SAML 2 logout request messages.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_LogoutRequest extends SAML2_Request {
-
- /**
- * The expiration time of this request.
- *
- * @var int|NULL
- */
- private $notOnOrAfter;
-
-
- /**
- * The encrypted NameID in the request.
- *
- * If this is not NULL, the NameID needs decryption before it can be accessed.
- *
- * @var DOMElement|NULL
- */
- private $encryptedNameId;
-
-
- /**
- * The name identifier of the session that should be terminated.
- *
- * @var array
- */
- private $nameId;
-
-
- /**
- * The SessionIndexes of the sessions that should be terminated.
- *
- * @var array
- */
- private $sessionIndexes;
-
-
- /**
- * Constructor for SAML 2 logout request messages.
- *
- * @param DOMElement|NULL $xml The input message.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('LogoutRequest', $xml);
-
- $this->sessionIndexes = array();
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('NotOnOrAfter')) {
- $this->notOnOrAfter = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('NotOnOrAfter'));
- }
-
- $nameId = SAML2_Utils::xpQuery($xml, './saml_assertion:NameID | ./saml_assertion:EncryptedID/xenc:EncryptedData');
- if (empty($nameId)) {
- throw new Exception('Missing <saml:NameID> or <saml:EncryptedID> in <samlp:LogoutRequest>.');
- } elseif (count($nameId) > 1) {
- throw new Exception('More than one <saml:NameID> or <saml:EncryptedD> in <samlp:LogoutRequest>.');
- }
- $nameId = $nameId[0];
- if ($nameId->localName === 'EncryptedData') {
- /* The NameID element is encrypted. */
- $this->encryptedNameId = $nameId;
- } else {
- $this->nameId = SAML2_Utils::parseNameId($nameId);
- }
-
- $sessionIndexes = SAML2_Utils::xpQuery($xml, './saml_protocol:SessionIndex');
- foreach ($sessionIndexes as $sessionIndex) {
- $this->sessionIndexes[] = trim($sessionIndex->textContent);
- }
- }
-
-
- /**
- * Retrieve the expiration time of this request.
- *
- * @return int|NULL The expiration time of this request.
- */
- public function getNotOnOrAfter() {
-
- return $this->notOnOrAfter;
- }
-
-
- /**
- * Set the expiration time of this request.
- *
- * @param int|NULL $notOnOrAfter The expiration time of this request.
- */
- public function setNotOnOrAfter($notOnOrAfter) {
- assert('is_int($notOnOrAfter) || is_null($notOnOrAfter)');
-
- $this->notOnOrAfter = $notOnOrAfter;
- }
-
-
- /**
- * Check whether the NameId is encrypted.
- *
- * @return TRUE if the NameId is encrypted, FALSE if not.
- */
- public function isNameIdEncrypted() {
-
- if ($this->encryptedNameId !== NULL) {
- return TRUE;
- }
-
- return FALSE;
- }
-
-
- /**
- * Encrypt the NameID in the LogoutRequest.
- *
- * @param XMLSecurityKey $key The encryption key.
- */
- public function encryptNameId(XMLSecurityKey $key) {
-
- /* First create a XML representation of the NameID. */
- $doc = new DOMDocument();
- $root = $doc->createElement('root');
- $doc->appendChild($root);
- SAML2_Utils::addNameId($root, $this->nameId);
- $nameId = $root->firstChild;
-
- SimpleSAML_Utilities::debugMessage($nameId, 'encrypt');
-
- /* Encrypt the NameID. */
- $enc = new XMLSecEnc();
- $enc->setNode($nameId);
- $enc->type = XMLSecEnc::Element;
-
- $symmetricKey = new XMLSecurityKey(XMLSecurityKey::AES128_CBC);
- $symmetricKey->generateSessionKey();
- $enc->encryptKey($key, $symmetricKey);
-
- $this->encryptedNameId = $enc->encryptNode($symmetricKey);
- $this->nameId = NULL;
- }
-
-
- /**
- * Decrypt the NameID in the LogoutRequest.
- *
- * @param XMLSecurityKey $key The decryption key.
- * @param array $blacklist Blacklisted decryption algorithms.
- */
- public function decryptNameId(XMLSecurityKey $key, array $blacklist = array()) {
-
- if ($this->encryptedNameId === NULL) {
- /* No NameID to decrypt. */
- return;
- }
-
- $nameId = SAML2_Utils::decryptElement($this->encryptedNameId, $key, $blacklist);
- SimpleSAML_Utilities::debugMessage($nameId, 'decrypt');
- $this->nameId = SAML2_Utils::parseNameId($nameId);
-
- $this->encryptedNameId = NULL;
- }
-
-
- /**
- * Retrieve the name identifier of the session that should be terminated.
- *
- * @return array The name identifier of the session that should be terminated.
- */
- public function getNameId() {
-
- if ($this->encryptedNameId !== NULL) {
- throw new Exception('Attempted to retrieve encrypted NameID without decrypting it first.');
- }
-
- return $this->nameId;
- }
-
-
- /**
- * Set the name identifier of the session that should be terminated.
- *
- * The name identifier must be in the format accepted by SAML2_message::buildNameId().
- *
- * @see SAML2_message::buildNameId()
- * @param array $nameId The name identifier of the session that should be terminated.
- */
- public function setNameId($nameId) {
- assert('is_array($nameId)');
-
- $this->nameId = $nameId;
- }
-
-
- /**
- * Retrieve the SessionIndexes of the sessions that should be terminated.
- *
- * @return array The SessionIndexes, or an empty array if all sessions should be terminated.
- */
- public function getSessionIndexes() {
- return $this->sessionIndexes;
- }
-
-
- /**
- * Set the SessionIndexes of the sessions that should be terminated.
- *
- * @param array $sessionIndexes The SessionIndexes, or an empty array if all sessions should be terminated.
- */
- public function setSessionIndexes(array $sessionIndexes) {
- $this->sessionIndexes = $sessionIndexes;
- }
-
-
- /**
- * Retrieve the sesion index of the session that should be terminated.
- *
- * @return string|NULL The sesion index of the session that should be terminated.
- */
- public function getSessionIndex() {
-
- if (empty($this->sessionIndexes)) {
- return NULL;
- }
-
- return $this->sessionIndexes[0];
- }
-
-
- /**
- * Set the sesion index of the session that should be terminated.
- *
- * @param string|NULL $sessionIndex The sesion index of the session that should be terminated.
- */
- public function setSessionIndex($sessionIndex) {
- assert('is_string($sessionIndex) || is_null($sessionIndex)');
-
- if (is_null($sessionIndex)) {
- $this->sessionIndexes = array();
- } else {
- $this->sessionIndexes = array($sessionIndex);
- }
- }
-
-
- /**
- * Convert this logout request message to an XML element.
- *
- * @return DOMElement This logout request.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
-
- if ($this->notOnOrAfter !== NULL) {
- $root->setAttribute('NotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->notOnOrAfter));
- }
-
- if ($this->encryptedNameId === NULL) {
- SAML2_Utils::addNameId($root, $this->nameId);
- } else {
- $eid = $root->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:' . 'EncryptedID');
- $root->appendChild($eid);
- $eid->appendChild($root->ownerDocument->importNode($this->encryptedNameId, TRUE));
- }
-
- foreach ($this->sessionIndexes as $sessionIndex) {
- SAML2_Utils::addString($root, SAML2_Const::NS_SAMLP, 'SessionIndex', $sessionIndex);
- }
-
- return $root;
- }
-
-}
diff --git a/lib/SAML2/LogoutResponse.php b/lib/SAML2/LogoutResponse.php
deleted file mode 100644
index b242d679aeb55f5a1e47a360beb9e1d1902e391f..0000000000000000000000000000000000000000
--- a/lib/SAML2/LogoutResponse.php
+++ /dev/null
@@ -1,25 +0,0 @@
-<?php
-
-/**
- * Class for SAML 2 LogoutResponse messages.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_LogoutResponse extends SAML2_StatusResponse {
-
- /**
- * Constructor for SAML 2 response messages.
- *
- * @param string $tagName The tag name of the root element.
- * @param DOMElement|NULL $xml The input message.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('LogoutResponse', $xml);
-
- /* No new fields added by LogoutResponse. */
- }
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/Message.php b/lib/SAML2/Message.php
deleted file mode 100644
index c2d12a8ea355623585124f0e345a20f08054e29c..0000000000000000000000000000000000000000
--- a/lib/SAML2/Message.php
+++ /dev/null
@@ -1,484 +0,0 @@
-<?php
-
-/**
- * Base class for all SAML 2 messages.
- *
- * Implements what is common between the samlp:RequestAbstractType and
- * samlp:StatusResponseType element types.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-abstract class SAML2_Message implements SAML2_SignedElement {
-
- /**
- * The name of the root element of the DOM tree for the message.
- *
- * Used when creating a DOM tree from the message.
- *
- * @var string
- */
- private $tagName;
-
-
- /**
- * The identifier of this message.
- *
- * @var string
- */
- private $id;
-
-
- /**
- * The issue timestamp of this message, as an UNIX timestamp.
- *
- * @var int
- */
- private $issueInstant;
-
-
- /**
- * The destination URL of this message if it is known.
- *
- * @var string|NULL
- */
- private $destination;
-
-
- /**
- * The entity id of the issuer of this message, or NULL if unknown.
- *
- * @var string|NULL
- */
- private $issuer;
-
-
- /**
- * The RelayState associated with this message.
- *
- * @var string|NULL
- */
- private $relayState;
-
-
- /**
- * The DOMDocument we are currently building.
- *
- * This variable is used while generating XML from this message. It holds the
- * DOMDocument of the XML we are generating.
- *
- * @var DOMDocument
- */
- protected $document;
-
-
- /**
- * The private key we should use to sign the message.
- *
- * The private key can be NULL, in which case the message is sent unsigned.
- *
- * @var XMLSecurityKey|NULL
- */
- private $signatureKey;
-
-
- /**
- * List of certificates that should be included in the message.
- *
- * @var array
- */
- private $certificates;
-
-
- /**
- * Available methods for validating this message.
- *
- * @var array
- */
- private $validators;
-
-
- /**
- * Initialize a message.
- *
- * This constructor takes an optional parameter with a DOMElement. If this
- * parameter is given, the message will be initialized with data from that
- * XML element.
- *
- * If no XML element is given, the message is initialized with suitable
- * default values.
- *
- * @param string $tagName The tag name of the root element.
- * @param DOMElement|NULL $xml The input message.
- */
- protected function __construct($tagName, DOMElement $xml = NULL) {
- assert('is_string($tagName)');
- $this->tagName = $tagName;
-
- $this->id = SimpleSAML_Utilities::generateID();
- $this->issueInstant = time();
- $this->certificates = array();
- $this->validators = array();
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('ID')) {
- throw new Exception('Missing ID attribute on SAML message.');
- }
- $this->id = $xml->getAttribute('ID');
-
- if ($xml->getAttribute('Version') !== '2.0') {
- /* Currently a very strict check. */
- throw new Exception('Unsupported version: ' . $xml->getAttribute('Version'));
- }
-
- $this->issueInstant = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('IssueInstant'));
-
- if ($xml->hasAttribute('Destination')) {
- $this->destination = $xml->getAttribute('Destination');
- }
-
- $issuer = SAML2_Utils::xpQuery($xml, './saml_assertion:Issuer');
- if (!empty($issuer)) {
- $this->issuer = trim($issuer[0]->textContent);
- }
-
-
- /* Validate the signature element of the message. */
- try {
- $sig = SAML2_Utils::validateElement($xml);
-
- if ($sig !== FALSE) {
- $this->certificates = $sig['Certificates'];
- $this->validators[] = array(
- 'Function' => array('SAML2_Utils', 'validateSignature'),
- 'Data' => $sig,
- );
- }
-
- } catch (Exception $e) {
- /* Ignore signature validation errors. */
- }
-
- }
-
-
- /**
- * Add a method for validating this message.
- *
- * This function is used by the HTTP-Redirect binding, to make it possible to
- * check the signature against the one included in the query string.
- *
- * @param callback $function The function which should be called.
- * @param mixed $data The data that should be included as the first parameter to the function.
- */
- public function addValidator($function, $data) {
- assert('is_callable($function)');
-
- $this->validators[] = array(
- 'Function' => $function,
- 'Data' => $data,
- );
- }
-
-
- /**
- * Validate this message against a public key.
- *
- * TRUE is returned on success, FALSE is returned if we don't have any
- * signature we can validate. An exception is thrown if the signature
- * validation fails.
- *
- * @param XMLSecurityKey $key The key we should check against.
- * @return boolean TRUE on success, FALSE when we don't have a signature.
- */
- public function validate(XMLSecurityKey $key) {
-
- if (count($this->validators) === 0) {
- return FALSE;
- }
-
- $exceptions = array();
-
- foreach ($this->validators as $validator) {
- $function = $validator['Function'];
- $data = $validator['Data'];
-
- try {
- call_user_func($function, $data, $key);
- /* We were able to validate the message with this validator. */
- return TRUE;
- } catch (Exception $e) {
- $exceptions[] = $e;
- }
- }
-
- /* No validators were able to validate the message. */
- throw $exceptions[0];
- }
-
-
- /**
- * Retrieve the identifier of this message.
- *
- * @return string The identifier of this message.
- */
- public function getId() {
- return $this->id;
- }
-
-
- /**
- * Set the identifier of this message.
- *
- * @param string $id The new identifier of this message.
- */
- public function setId($id) {
- assert('is_string($id)');
-
- $this->id = $id;
- }
-
-
- /**
- * Retrieve the issue timestamp of this message.
- *
- * @return int The issue timestamp of this message, as an UNIX timestamp.
- */
- public function getIssueInstant() {
- return $this->issueInstant;
- }
-
-
- /**
- * Set the issue timestamp of this message.
- *
- * @param int $issueInstant The new issue timestamp of this message, as an UNIX timestamp.
- */
- public function setIssueInstant($issueInstant) {
- assert('is_int($issueInstant)');
-
- $this->issueInstant = $issueInstant;
- }
-
-
- /**
- * Retrieve the destination of this message.
- *
- * @return string|NULL The destination of this message, or NULL if no destination is given.
- */
- public function getDestination() {
- return $this->destination;
- }
-
-
- /**
- * Set the destination of this message.
- *
- * @param string|NULL $destination The new destination of this message.
- */
- public function setDestination($destination) {
- assert('is_string($destination) || is_null($destination)');
-
- $this->destination = $destination;
- }
-
-
- /**
- * Retrieve the issuer if this message.
- *
- * @return string|NULL The issuer of this message, or NULL if no issuer is given.
- */
- public function getIssuer() {
- return $this->issuer;
- }
-
-
- /**
- * Set the issuer of this message.
- *
- * @param string|NULL $issuer The new issuer of this message.
- */
- public function setIssuer($issuer) {
- assert('is_string($issuer) || is_null($issuer)');
-
- $this->issuer = $issuer;
- }
-
-
- /**
- * Retrieve the RelayState associated with this message.
- *
- * @return string|NULL The RelayState, or NULL if no RelayState is given.
- */
- public function getRelayState() {
- return $this->relayState;
- }
-
-
- /**
- * Set the RelayState associated with this message.
- *
- * @param string|NULL $relayState The new RelayState.
- */
- public function setRelayState($relayState) {
- assert('is_string($relayState) || is_null($relayState)');
-
- $this->relayState = $relayState;
- }
-
-
- /**
- * Convert this message to an unsigned XML document.
- *
- * This method does not sign the resulting XML document.
- *
- * @return DOMElement The root element of the DOM tree.
- */
- public function toUnsignedXML() {
-
- $this->document = new DOMDocument();
-
- $root = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'samlp:' . $this->tagName);
- $this->document->appendChild($root);
-
- /* Ugly hack to add another namespace declaration to the root element. */
- $root->setAttributeNS(SAML2_Const::NS_SAML, 'saml:tmp', 'tmp');
- $root->removeAttributeNS(SAML2_Const::NS_SAML, 'tmp');
-
- $root->setAttribute('ID', $this->id);
- $root->setAttribute('Version', '2.0');
- $root->setAttribute('IssueInstant', gmdate('Y-m-d\TH:i:s\Z', $this->issueInstant));
-
- if ($this->destination !== NULL) {
- $root->setAttribute('Destination', $this->destination);
- }
-
- if ($this->issuer !== NULL) {
- SAML2_Utils::addString($root, SAML2_Const::NS_SAML, 'saml:Issuer', $this->issuer);
- }
-
- return $root;
- }
-
-
- /**
- * Convert this message to a signed XML document.
- *
- * This method sign the resulting XML document if the private key for
- * the signature is set.
- *
- * @return DOMElement The root element of the DOM tree.
- */
- public function toSignedXML() {
-
- $root = $this->toUnsignedXML();
-
- if ($this->signatureKey === NULL) {
- /* We don't have a key to sign it with. */
- return $root;
- }
-
-
- /* Find the position we should insert the signature node at. */
- if ($this->issuer !== NULL) {
- /*
- * We have an issuer node. The signature node should come
- * after the issuer node.
- */
- $issuerNode = $root->firstChild;
- $insertBefore = $issuerNode->nextSibling;
- } else {
- /* No issuer node - the signature element should be the first element. */
- $insertBefore = $root->firstChild;
- }
-
-
- SAML2_Utils::insertSignature($this->signatureKey, $this->certificates, $root, $insertBefore);
-
- return $root;
- }
-
-
- /**
- * Retrieve the private key we should use to sign the message.
- *
- * @return XMLSecurityKey|NULL The key, or NULL if no key is specified.
- */
- public function getSignatureKey() {
- return $this->signatureKey;
- }
-
-
- /**
- * Set the private key we should use to sign the message.
- *
- * If the key is NULL, the message will be sent unsigned.
- *
- * @param XMLSecurityKey|NULL $key
- */
- public function setSignatureKey(XMLsecurityKey $signatureKey = NULL) {
- $this->signatureKey = $signatureKey;
- }
-
-
- /**
- * Set the certificates that should be included in the message.
- *
- * The certificates should be strings with the PEM encoded data.
- *
- * @param array $certificates An array of certificates.
- */
- public function setCertificates(array $certificates) {
- $this->certificates = $certificates;
- }
-
-
- /**
- * Retrieve the certificates that are included in the message.
- *
- * @return array An array of certificates.
- */
- public function getCertificates() {
- return $this->certificates;
- }
-
-
- /**
- * Convert an XML element into a message.
- *
- * @param DOMElement $xml The root XML element.
- * @return SAML2_Message The message.
- */
- public static function fromXML(DOMElement $xml) {
-
- if ($xml->namespaceURI !== SAML2_Const::NS_SAMLP) {
- throw new Exception('Unknown namespace of SAML message: ' . var_export($xml->namespaceURI, TRUE));
- }
-
- switch ($xml->localName) {
- case 'AttributeQuery':
- return new SAML2_AttributeQuery($xml);
- case 'AuthnRequest':
- return new SAML2_AuthnRequest($xml);
- case 'LogoutResponse':
- return new SAML2_LogoutResponse($xml);
- case 'LogoutRequest':
- return new SAML2_LogoutRequest($xml);
- case 'Response':
- return new SAML2_Response($xml);
- case 'ArtifactResponse':
- return new SAML2_ArtifactResponse($xml);
- case 'ArtifactResolve':
- return new SAML2_ArtifactResolve($xml);
- default:
- throw new Exception('Unknown SAML message: ' . var_export($xml->localName, TRUE));
- }
-
- }
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/Request.php b/lib/SAML2/Request.php
deleted file mode 100644
index a38f51f26cd455e0d43ed8af9c9de1380648d3ed..0000000000000000000000000000000000000000
--- a/lib/SAML2/Request.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-
-/**
- * Base class for all SAML 2 request messages.
- *
- * Implements samlp:RequestAbstractType. All of the elements in that type is
- * stored in the SAML2_Message class, and this class is therefore empty. It
- * is included mainly to make it easy to separate requests from responses.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-abstract class SAML2_Request extends SAML2_Message {
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/Response.php b/lib/SAML2/Response.php
deleted file mode 100644
index adae1fed0e0b0400f2c94190689087a2a4ffa588..0000000000000000000000000000000000000000
--- a/lib/SAML2/Response.php
+++ /dev/null
@@ -1,84 +0,0 @@
-<?php
-
-/**
- * Class for SAML 2 Response messages.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_Response extends SAML2_StatusResponse {
-
- /**
- * The assertions in this response.
- */
- private $assertions;
-
-
- /**
- * Constructor for SAML 2 response messages.
- *
- * @param DOMElement|NULL $xml The input message.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('Response', $xml);
-
- $this->assertions = array();
-
- if ($xml === NULL) {
- return;
- }
-
- for ($node = $xml->firstChild; $node !== NULL; $node = $node->nextSibling) {
- if ($node->namespaceURI !== SAML2_Const::NS_SAML) {
- continue;
- }
-
- if ($node->localName === 'Assertion') {
- $this->assertions[] = new SAML2_Assertion($node);
- } elseif($node->localName === 'EncryptedAssertion') {
- $this->assertions[] = new SAML2_EncryptedAssertion($node);
- }
- }
- }
-
-
- /**
- * Retrieve the assertions in this response.
- *
- * @return array Array of SAML2_Assertion and SAML2_EncryptedAssertion objects.
- */
- public function getAssertions() {
- return $this->assertions;
- }
-
-
- /**
- * Set the assertions that should be included in this response.
- *
- * @param array The assertions.
- */
- public function setAssertions(array $assertions) {
-
- $this->assertions = $assertions;
- }
-
-
- /**
- * Convert the response message to an XML element.
- *
- * @return DOMElement This response.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
-
- foreach ($this->assertions as $assertion) {
- $node = $assertion->toXML($root);
- }
-
- return $root;
- }
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/SOAP.php b/lib/SAML2/SOAP.php
deleted file mode 100644
index e55646c871a36c1ca5ce6ea20940504c1a278c6f..0000000000000000000000000000000000000000
--- a/lib/SAML2/SOAP.php
+++ /dev/null
@@ -1,57 +0,0 @@
-<?php
-
-/**
- * Class which implements the SOAP binding.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_SOAP extends SAML2_Binding {
-
- /**
- * Send a SAML 2 message using the SOAP binding.
- *
- * Note: This function never returns.
- *
- * @param SAML2_Message $message The message we should send.
- */
- public function send(SAML2_Message $message) {
- header('Content-Type: text/xml',true);
- $outputFromIdp = '<?xml version="1.0" encoding="UTF-8"?>';
- $outputFromIdp .= '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">';
- $outputFromIdp .= '<SOAP-ENV:Body>';
- $xmlMessage = $message->toSignedXML();
- SimpleSAML_Utilities::debugMessage($xmlMessage, 'out');
- $tempOutputFromIdp = $xmlMessage->ownerDocument->saveXML($xmlMessage);
- $outputFromIdp .= $tempOutputFromIdp;
- $outputFromIdp .= '</SOAP-ENV:Body>';
- $outputFromIdp .= '</SOAP-ENV:Envelope>';
- print($outputFromIdp);
- exit(0);
- }
-
-
- /**
- * Receive a SAML 2 message sent using the HTTP-POST binding.
- *
- * Throws an exception if it is unable receive the message.
- *
- * @return SAML2_Message The received message.
- */
- public function receive() {
-
- $postText = file_get_contents('php://input');
-
- if(empty($postText)){
- throw new SimpleSAML_Error_BadRequest('Invalid message received to AssertionConsumerService endpoint.');
- }
-
- $document = new DOMDocument();
- $document->loadXML($postText);
- $xml = $document->firstChild;
- SimpleSAML_Utilities::debugMessage($xml, 'in');
- $results = SAML2_Utils::xpQuery($xml, '/soap-env:Envelope/soap-env:Body/*[1]');
- return SAML2_Message::fromXML($results[0]);
- }
-
-}
diff --git a/lib/SAML2/SOAPClient.php b/lib/SAML2/SOAPClient.php
deleted file mode 100644
index 0ba6ebea8fd984aa710b0ecab120ba9d411d1df8..0000000000000000000000000000000000000000
--- a/lib/SAML2/SOAPClient.php
+++ /dev/null
@@ -1,223 +0,0 @@
-<?php
-/**
- * Implementation of the SAML 2.0 SOAP binding.
- *
- * @author Shoaib Ali
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_SOAPClient {
-
- const START_SOAP_ENVELOPE = '<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/"><soap-env:Header/><soap-env:Body>';
- const END_SOAP_ENVELOPE = '</soap-env:Body></soap-env:Envelope>';
-
- /**
- * This function sends the SOAP message to the service location and returns SOAP response
- *
- * @param SAML2_Message $m The request that should be sent.
- * @param SimpleSAML_Configuration $srcMetadata The metadata of the issuer of the message.
- * @param SimpleSAML_Configuration $dstMetadata The metadata of the destination of the message.
- * @return SAML2_Message The response we received.
- */
- public function send(SAML2_Message $msg, SimpleSAML_Configuration $srcMetadata, SimpleSAML_Configuration $dstMetadata = NULL) {
-
- $issuer = $msg->getIssuer();
-
- $ctxOpts = array(
- 'ssl' => array(
- 'capture_peer_cert' => TRUE,
- ),
- );
-
- // Determine if we are going to do a MutualSSL connection between the IdP and SP - Shoaib
- if ($srcMetadata->hasValue('saml.SOAPClient.certificate')) {
- $cert = $srcMetadata->getValue('saml.SOAPClient.certificate');
- if ($cert !== FALSE) {
- $ctxOpts['ssl']['local_cert'] = SimpleSAML_Utilities::resolveCert($srcMetadata->getString('saml.SOAPClient.certificate'));
- if ($srcMetadata->hasValue('saml.SOAPClient.privatekey_pass')) {
- $ctxOpts['ssl']['passphrase'] = $srcMetadata->getString('saml.SOAPClient.privatekey_pass');
- }
- }
- } else {
- /* Use the SP certificate and privatekey if it is configured. */
- $privateKey = SimpleSAML_Utilities::loadPrivateKey($srcMetadata);
- $publicKey = SimpleSAML_Utilities::loadPublicKey($srcMetadata);
- if ($privateKey !== NULL && $publicKey !== NULL && isset($publicKey['PEM'])) {
- $keyCertData = $privateKey['PEM'] . $publicKey['PEM'];
- $file = SimpleSAML_Utilities::getTempDir() . '/' . sha1($keyCertData) . '.pem';
- if (!file_exists($file)) {
- SimpleSAML_Utilities::writeFile($file, $keyCertData);
- }
- $ctxOpts['ssl']['local_cert'] = $file;
- if (isset($privateKey['password'])) {
- $ctxOpts['ssl']['passphrase'] = $privateKey['password'];
- }
- }
- }
-
- // do peer certificate verification
- if ($dstMetadata !== NULL) {
- $peerPublicKeys = $dstMetadata->getPublicKeys('signing', TRUE);
- $certData = '';
- foreach ($peerPublicKeys as $key) {
- if ($key['type'] !== 'X509Certificate') {
- continue;
- }
- $certData .= "-----BEGIN CERTIFICATE-----\n" .
- chunk_split($key['X509Certificate'], 64) .
- "-----END CERTIFICATE-----\n";
- }
- $peerCertFile = SimpleSAML_Utilities::getTempDir() . '/' . sha1($certData) . '.pem';
- if (!file_exists($peerCertFile)) {
- SimpleSAML_Utilities::writeFile($peerCertFile, $certData);
- }
- // create ssl context
- $ctxOpts['ssl']['verify_peer'] = TRUE;
- $ctxOpts['ssl']['verify_depth'] = 1;
- $ctxOpts['ssl']['cafile'] = $peerCertFile;
- }
-
- $context = stream_context_create($ctxOpts);
- if ($context === NULL) {
- throw new Exception('Unable to create SSL stream context');
- }
-
- $options = array(
- 'uri' => $issuer,
- 'location' => $msg->getDestination(),
- 'stream_context' => $context,
- );
-
- $x = new SoapClient(NULL, $options);
-
- // Add soap-envelopes
- $request = $msg->toSignedXML();
- $request = self::START_SOAP_ENVELOPE . $request->ownerDocument->saveXML($request) . self::END_SOAP_ENVELOPE;
-
- SimpleSAML_Utilities::debugMessage($request, 'out');
-
- $action = 'http://www.oasis-open.org/committees/security';
- $version = '1.1';
- $destination = $msg->getDestination();
-
-
- /* Perform SOAP Request over HTTP */
- $soapresponsexml = $x->__doRequest($request, $destination, $action, $version);
- if ($soapresponsexml === NULL || $soapresponsexml === "") {
- throw new Exception('Empty SOAP response, check peer certificate.');
- }
-
- SimpleSAML_Utilities::debugMessage($soapresponsexml, 'in');
-
- // Convert to SAML2_Message (DOMElement)
- $dom = new DOMDocument();
- if (!$dom->loadXML($soapresponsexml)) {
- throw new Exception('Not a SOAP response.');
- }
-
- $soapfault = $this->getSOAPFault($dom);
- if (isset($soapfault)) {
- throw new Exception($soapfault);
- }
- //Extract the message from the response
- $xml = $dom->firstChild; /* Soap Envelope */
- $samlresponse = SAML2_Utils::xpQuery($dom->firstChild, '/soap-env:Envelope/soap-env:Body/*[1]');
- $samlresponse = SAML2_Message::fromXML($samlresponse[0]);
-
- /* Add validator to message which uses the SSL context. */
- self::addSSLValidator($samlresponse, $context);
-
- SimpleSAML_Logger::debug("Valid ArtifactResponse received from IdP");
-
- return $samlresponse;
-
- }
-
-
- /**
- * Add a signature validator based on a SSL context.
- *
- * @param SAML2_Message $msg The message we should add a validator to.
- * @param resource $context The stream context.
- */
- private static function addSSLValidator(SAML2_Message $msg, $context) {
- $options = stream_context_get_options($context);
- if (!isset($options['ssl']['peer_certificate'])) {
- return;
- }
-
- //$out = '';
- //openssl_x509_export($options['ssl']['peer_certificate'], $out);
-
- $key = openssl_pkey_get_public($options['ssl']['peer_certificate']);
- if ($key === FALSE) {
- SimpleSAML_Logger::warning('Unable to get public key from peer certificate.');
- return;
- }
-
- $keyInfo = openssl_pkey_get_details($key);
- if ($keyInfo === FALSE) {
- SimpleSAML_Logger::warning('Unable to get key details from public key.');
- return;
- }
-
- if (!isset($keyInfo['key'])) {
- SimpleSAML_Logger::warning('Missing key in public key details.');
- return;
- }
-
- $msg->addValidator(array('SAML2_SOAPClient', 'validateSSL'), $keyInfo['key']);
- }
-
-
- /**
- * Validate a SOAP message against the certificate on the SSL connection.
- *
- * @param string $data The public key that was used on the connection.
- * @param XMLSecurityKey $key The key we should validate the certificate against.
- */
- public static function validateSSL($data, XMLSecurityKey $key) {
- assert('is_string($data)');
-
- $keyInfo = openssl_pkey_get_details($key->key);
- if ($keyInfo === FALSE) {
- throw new Exception('Unable to get key details from XMLSecurityKey.');
- }
-
- if (!isset($keyInfo['key'])) {
- throw new Exception('Missing key in public key details.');
- }
-
- if ($keyInfo['key'] !== $data) {
- SimpleSAML_Logger::debug('Key on SSL connection did not match key we validated against.');
- return FALSE;
- }
-
- SimpleSAML_Logger::debug('Message validated based on SSL certificate.');
- }
-
-
- /*
- * Extracts the SOAP Fault from SOAP message
- * @param $soapmessage Soap response needs to be type DOMDocument
- * @return $soapfaultstring string|NULL
- */
- private function getSOAPFault($soapmessage) {
-
- $soapfault = SAML2_Utils::xpQuery($soapmessage->firstChild, '/soap-env:Envelope/soap-env:Body/soap-env:Fault');
-
- if (empty($soapfault)) {
- /* No fault. */
- return NULL;
- }
- $soapfaultelement = $soapfault[0];
- $soapfaultstring = "Unknown fault string found"; // There is a fault element but we havn't found out what the fault string is
- // find out the fault string
- $faultstringelement = SAML2_Utils::xpQuery($soapfaultelement, './soap-env:faultstring') ;
- if (!empty($faultstringelement)) {
- return $faultstringelement[0]->textContent;
- }
- return $soapfaultstring;
- }
-
-}
diff --git a/lib/SAML2/SignedElement.php b/lib/SAML2/SignedElement.php
deleted file mode 100644
index 903cf568cce09d2835fde9e62db029d77f5f5b93..0000000000000000000000000000000000000000
--- a/lib/SAML2/SignedElement.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-
-
-/**
- * Interface to a SAML 2 element which may be signed.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-interface SAML2_SignedElement {
-
- /**
- * Validate this element against a public key.
- *
- * If no signature is present, FALSE is returned. If a signature is present,
- * but cannot be verified, an exception will be thrown.
- *
- * @param XMLSecurityKey $key The key we should check against.
- * @return boolean TRUE if successful, FALSE if we don't have a signature that can be verified.
- */
- public function validate(XMLSecurityKey $key);
-
-
- /**
- * Set the certificates that should be included in the element.
- *
- * The certificates should be strings with the PEM encoded data.
- *
- * @param array $certificates An array of certificates.
- */
- public function setCertificates(array $certificates);
-
-
- /**
- * Retrieve the certificates that are included in the element (if any).
- *
- * @return array An array of certificates.
- */
- public function getCertificates();
-
-
- /**
- * Retrieve the private key we should use to sign the element.
- *
- * @return XMLSecurityKey|NULL The key, or NULL if no key is specified.
- */
- public function getSignatureKey();
-
-
- /**
- * Set the private key we should use to sign the element.
- *
- * If the key is NULL, the message will be sent unsigned.
- *
- * @param XMLSecurityKey|NULL $key
- */
- public function setSignatureKey(XMLsecurityKey $signatureKey = NULL);
-}
\ No newline at end of file
diff --git a/lib/SAML2/SignedElementHelper.php b/lib/SAML2/SignedElementHelper.php
deleted file mode 100644
index 8036f4f4baf0c21b5fb0a78436c81d5ae01ca4bf..0000000000000000000000000000000000000000
--- a/lib/SAML2/SignedElementHelper.php
+++ /dev/null
@@ -1,220 +0,0 @@
-<?php
-
-/**
- * Helper class for processing signed elements.
- *
- * Can either be inherited from, or can be used by proxy.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_SignedElementHelper implements SAML2_SignedElement {
-
- /**
- * The private key we should use to sign the message.
- *
- * The private key can be NULL, in which case the message is sent unsigned.
- *
- * @var XMLSecurityKey|NULL
- */
- private $signatureKey;
-
-
- /**
- * List of certificates that should be included in the message.
- *
- * @var array
- */
- private $certificates;
-
-
- /**
- * Available methods for validating this message.
- *
- * @var array
- */
- private $validators;
-
-
- /**
- * Initialize the helper class.
- *
- * @param DOMElement|NULL $xml The XML element which may be signed.
- */
- protected function __construct(DOMElement $xml = NULL) {
-
- $this->certificates = array();
- $this->validators = array();
-
- if ($xml === NULL) {
- return;
- }
-
- /* Validate the signature element of the message. */
- try {
- $sig = SAML2_Utils::validateElement($xml);
-
- if ($sig !== FALSE) {
- $this->certificates = $sig['Certificates'];
- $this->validators[] = array(
- 'Function' => array('SAML2_Utils', 'validateSignature'),
- 'Data' => $sig,
- );
- }
-
- } catch (Exception $e) {
- /* Ignore signature validation errors. */
- }
- }
-
-
- /**
- * Add a method for validating this element.
- *
- * This function is used for custom validation extensions
- *
- * @param callback $function The function which should be called.
- * @param mixed $data The data that should be included as the first parameter to the function.
- */
- public function addValidator($function, $data) {
- assert('is_callable($function)');
-
- $this->validators[] = array(
- 'Function' => $function,
- 'Data' => $data,
- );
- }
-
-
- /**
- * Validate this element against a public key.
- *
- * TRUE is returned on success, FALSE is returned if we don't have any
- * signature we can validate. An exception is thrown if the signature
- * validation fails.
- *
- * @param XMLSecurityKey $key The key we should check against.
- * @return boolean TRUE on success, FALSE when we don't have a signature.
- */
- public function validate(XMLSecurityKey $key) {
-
- if (count($this->validators) === 0) {
- return FALSE;
- }
-
- $exceptions = array();
-
- foreach ($this->validators as $validator) {
- $function = $validator['Function'];
- $data = $validator['Data'];
-
- try {
- call_user_func($function, $data, $key);
- /* We were able to validate the message with this validator. */
- return TRUE;
- } catch (Exception $e) {
- $exceptions[] = $e;
- }
- }
-
- /* No validators were able to validate the message. */
- throw $exceptions[0];
- }
-
-
- /**
- * Retrieve the private key we should use to sign the message.
- *
- * @return XMLSecurityKey|NULL The key, or NULL if no key is specified.
- */
- public function getSignatureKey() {
- return $this->signatureKey;
- }
-
-
- /**
- * Set the private key we should use to sign the message.
- *
- * If the key is NULL, the message will be sent unsigned.
- *
- * @param XMLSecurityKey|NULL $key
- */
- public function setSignatureKey(XMLsecurityKey $signatureKey = NULL) {
- $this->signatureKey = $signatureKey;
- }
-
-
- /**
- * Set the certificates that should be included in the message.
- *
- * The certificates should be strings with the PEM encoded data.
- *
- * @param array $certificates An array of certificates.
- */
- public function setCertificates(array $certificates) {
- $this->certificates = $certificates;
- }
-
-
- /**
- * Retrieve the certificates that are included in the message.
- *
- * @return array An array of certificates.
- */
- public function getCertificates() {
- return $this->certificates;
- }
-
-
- /**
- * Retrieve certificates that sign this element.
- *
- * @return array Array with certificates.
- */
- public function getValidatingCertificates() {
-
- $ret = array();
- foreach ($this->certificates as $cert) {
-
- /* We have found a matching fingerprint. */
- $pemCert = "-----BEGIN CERTIFICATE-----\n" .
- chunk_split($cert, 64) .
- "-----END CERTIFICATE-----\n";
-
- /* Extract the public key from the certificate for validation. */
- $key = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'public'));
- $key->loadKey($pemCert);
-
- try {
- /* Check the signature. */
- if ($this->validate($key)) {
- $ret[] = $cert;
- }
- } catch (Exception $e) {
- /* This certificate does not sign this element. */
- }
- }
-
- return $ret;
- }
-
-
- /**
- * Sign the given XML element.
- *
- * @param DOMElement $root The element we should sign.
- * @param DOMElement|NULL $insertBefore The element we should insert the signature node before.
- */
- protected function signElement(DOMElement $root, DOMElement $insertBefore = NULL) {
-
- if ($this->signatureKey === NULL) {
- /* We cannot sign this element. */
- return;
- }
-
- SAML2_Utils::insertSignature($this->signatureKey, $this->certificates, $root, $insertBefore);
-
- return $root;
- }
-
-}
diff --git a/lib/SAML2/StatusResponse.php b/lib/SAML2/StatusResponse.php
deleted file mode 100644
index bc264fbf0e4629e09ea2d7957329dfe251d658ae..0000000000000000000000000000000000000000
--- a/lib/SAML2/StatusResponse.php
+++ /dev/null
@@ -1,193 +0,0 @@
-<?php
-
-/**
- * Base class for all SAML 2 response messages.
- *
- * Implements samlp:StatusResponseType. All of the elements in that type is
- * stored in the SAML2_Message class, and this class is therefore more
- * or less empty. It is included mainly to make it easy to separate requests from
- * responses.
- *
- * The status code is represented as an array on the following form:
- * array(
- * 'Code' => '<top-level status code>',
- * 'SubCode' => '<second-level status code>',
- * 'Message' => '<status message>',
- * )
- *
- * Only the 'Code' field is required. The others will be set to NULL if they
- * aren't present.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-abstract class SAML2_StatusResponse extends SAML2_Message {
-
- /**
- * The ID of the request this is a response to, or NULL if this is an unsolicited response.
- *
- * @var string|NULL
- */
- private $inResponseTo;
-
-
- /**
- * The status code of the response.
- *
- * @var array
- */
- private $status;
-
-
- /**
- * Constructor for SAML 2 response messages.
- *
- * @param string $tagName The tag name of the root element.
- * @param DOMElement|NULL $xml The input message.
- */
- protected function __construct($tagName, DOMElement $xml = NULL) {
- parent::__construct($tagName, $xml);
-
- $this->status = array(
- 'Code' => SAML2_Const::STATUS_SUCCESS,
- 'SubCode' => NULL,
- 'Message' => NULL,
- );
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('InResponseTo')) {
- $this->inResponseTo = $xml->getAttribute('InResponseTo');
- }
-
- $status = SAML2_Utils::xpQuery($xml, './saml_protocol:Status');
- if (empty($status)) {
- throw new Exception('Missing status code on response.');
- }
- $status = $status[0];
-
- $statusCode = SAML2_Utils::xpQuery($status, './saml_protocol:StatusCode');
- if (empty($statusCode)) {
- throw new Exception('Missing status code in status element.');
- }
- $statusCode = $statusCode[0];
-
- $this->status['Code'] = $statusCode->getAttribute('Value');
-
- $subCode = SAML2_Utils::xpQuery($statusCode, './saml_protocol:StatusCode');
- if (!empty($subCode)) {
- $this->status['SubCode'] = $subCode[0]->getAttribute('Value');
- }
-
- $message = SAML2_Utils::xpQuery($status, './saml_protocol:StatusMessage');
- if (!empty($message)) {
- $this->status['Message'] = trim($message[0]->textContent);
- }
- }
-
-
- /**
- * Determine whether this is a successful response.
- *
- * @return boolean TRUE if the status code is success, FALSE if not.
- */
- public function isSuccess() {
- assert('array_key_exists("Code", $this->status)');
-
- if ($this->status['Code'] === SAML2_Const::STATUS_SUCCESS) {
- return TRUE;
- }
-
- return FALSE;
- }
-
-
- /**
- * Retrieve the ID of the request this is a response to.
- *
- * @return string|NULL The ID of the request.
- */
- public function getInResponseTo() {
- return $this->inResponseTo;
- }
-
-
- /**
- * Set the ID of the request this is a response to.
- *
- * @param string|NULL $inResponseTo The ID of the request.
- */
- public function setInResponseTo($inResponseTo) {
- assert('is_string($inResponseTo) || is_null($inResponseTo)');
-
- $this->inResponseTo = $inResponseTo;
- }
-
-
- /**
- * Retrieve the status code.
- *
- * @return array The status code.
- */
- public function getStatus() {
- return $this->status;
- }
-
-
- /**
- * Set the status code.
- *
- * @param array $status The status code.
- */
- public function setStatus(array $status) {
- assert('array_key_exists("Code", $status)');
-
- $this->status = $status;
- if (!array_key_exists('SubCode', $status)) {
- $this->status['SubCode'] = NULL;
- }
- if (!array_key_exists('Message', $status)) {
- $this->status['Message'] = NULL;
- }
- }
-
-
- /**
- * Convert status response message to an XML element.
- *
- * @return DOMElement This status response.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
-
- if ($this->inResponseTo !== NULL) {
- $root->setAttribute('InResponseTo', $this->inResponseTo);
- }
-
- $status = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'Status');
- $root->appendChild($status);
-
- $statusCode = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'StatusCode');
- $statusCode->setAttribute('Value', $this->status['Code']);
- $status->appendChild($statusCode);
-
- if (!is_null($this->status['SubCode'])) {
- $subStatusCode = $this->document->createElementNS(SAML2_Const::NS_SAMLP, 'StatusCode');
- $subStatusCode->setAttribute('Value', $this->status['SubCode']);
- $statusCode->appendChild($subStatusCode);
- }
-
- if (!is_null($this->status['Message'])) {
- SAML2_Utils::addString($status, SAML2_Const::NS_SAMLP, 'StatusMessage', $this->status['Message']);
- }
-
- return $root;
- }
-
-
-}
-
-?>
\ No newline at end of file
diff --git a/lib/SAML2/SubjectQuery.php b/lib/SAML2/SubjectQuery.php
deleted file mode 100644
index 6591f7f7bd2e19bf9c4103d359c1508cc5ba6a4b..0000000000000000000000000000000000000000
--- a/lib/SAML2/SubjectQuery.php
+++ /dev/null
@@ -1,116 +0,0 @@
-<?php
-
-/**
- * Base class for SAML 2 subject query messages.
- *
- * This base class can be used for various requests which ask for
- * information about a particular subject.
- *
- * Note that this class currently only handles the simple case - where the
- * subject doesn't contain any sort of subject confirmation requirements.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-abstract class SAML2_SubjectQuery extends SAML2_Request {
-
- /**
- * The NameId of the subject in the query.
- *
- * @var array
- */
- private $nameId;
-
-
- /**
- * Constructor for SAML 2 subject query messages.
- *
- * @param string $tagName The tag name of the root element.
- * @param DOMElement|NULL $xml The input message.
- */
- protected function __construct($tagName, DOMElement $xml = NULL) {
- parent::__construct($tagName, $xml);
-
- $nameId = array();
-
- if ($xml === NULL) {
- return;
- }
-
- $this->parseSubject($xml);
- }
-
-
- /**
- * Parse subject in query.
- *
- * @param DOMElement $xml The SubjectQuery XML element.
- */
- private function parseSubject(DOMElement $xml) {
-
- $subject = SAML2_Utils::xpQuery($xml, './saml_assertion:Subject');
- if (empty($subject)) {
- /* No Subject node. */
- throw new Exception('Missing subject in subject query.');
- } elseif (count($subject) > 1) {
- throw new Exception('More than one <saml:Subject> in <saml:Assertion>.');
- }
- $subject = $subject[0];
-
- $nameId = SAML2_Utils::xpQuery($subject, './saml_assertion:NameID');
- if (empty($nameId)) {
- throw new Exception('Missing <saml:NameID> in <saml:Subject>.');
- } elseif (count($nameId) > 1) {
- throw new Exception('More than one <saml:NameID> in <saml:Subject>.');
- }
- $nameId = $nameId[0];
- $this->nameId = SAML2_Utils::parseNameId($nameId);
- }
-
-
- /**
- * Retrieve the NameId of the subject in the query.
- *
- * The returned NameId is in the format used by SAML2_Utils::addNameId().
- *
- * @see SAML2_Utils::addNameId()
- * @return array|NULL The name identifier of the assertion.
- */
- public function getNameId() {
- return $this->nameId;
- }
-
-
- /**
- * Set the NameId of the subject in the query.
- *
- * The NameId must be in the format accepted by SAML2_Utils::addNameId().
- *
- * @see SAML2_Utils::addNameId()
- * @param array|NULL $nameId The name identifier of the assertion.
- */
- public function setNameId($nameId) {
- assert('is_array($nameId) || is_null($nameId)');
-
- $this->nameId = $nameId;
- }
-
-
- /**
- * Convert subject query message to an XML element.
- *
- * @return DOMElement This subject query.
- */
- public function toUnsignedXML() {
-
- $root = parent::toUnsignedXML();
-
- $subject = $root->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:Subject');
- $root->appendChild($subject);
-
- SAML2_Utils::addNameId($subject, $this->nameId);
-
- return $root;
- }
-
-}
\ No newline at end of file
diff --git a/lib/SAML2/Utils.php b/lib/SAML2/Utils.php
deleted file mode 100644
index 5120639cc9a57159ef1de7d65daa5af823691b12..0000000000000000000000000000000000000000
--- a/lib/SAML2/Utils.php
+++ /dev/null
@@ -1,641 +0,0 @@
-<?php
-
-/**
- * Helper functions for the SAML2 library.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_Utils {
-
- /**
- * Check the Signature in a XML element.
- *
- * This function expects the XML element to contain a Signature-element
- * which contains a reference to the XML-element. This is common for both
- * messages and assertions.
- *
- * Note that this function only validates the element itself. It does not
- * check this against any local keys.
- *
- * If no Signature-element is located, this function will return FALSE. All
- * other validation errors result in an exception. On successful validation
- * an array will be returned. This array contains the information required to
- * check the signature against a public key.
- *
- * @param DOMElement $root The element which should be validated.
- * @return array|FALSE An array with information about the Signature-element.
- */
- public static function validateElement(DOMElement $root) {
-
- /* Create an XML security object. */
- $objXMLSecDSig = new XMLSecurityDSig();
-
- /* Both SAML messages and SAML assertions use the 'ID' attribute. */
- $objXMLSecDSig->idKeys[] = 'ID';
-
- /* Locate the XMLDSig Signature element to be used. */
- $signatureElement = self::xpQuery($root, './ds:Signature');
- if (count($signatureElement) === 0) {
- /* We don't have a signature element ot validate. */
- return FALSE;
- } elseif (count($signatureElement) > 1) {
- throw new Exception('XMLSec: more than one signature element in root.');
- }
- $signatureElement = $signatureElement[0];
- $objXMLSecDSig->sigNode = $signatureElement;
-
- /* Canonicalize the XMLDSig SignedInfo element in the message. */
- $objXMLSecDSig->canonicalizeSignedInfo();
-
- /* Validate referenced xml nodes. */
- if (!$objXMLSecDSig->validateReference()) {
- throw new Exception('XMLsec: digest validation failed');
- }
-
- /* Check that $root is one of the signed nodes. */
- $rootSigned = FALSE;
- foreach ($objXMLSecDSig->getValidatedNodes() as $signedNode) {
- if ($signedNode->isSameNode($root)) {
- $rootSigned = TRUE;
- break;
- } elseif ($root->parentNode instanceof DOMDocument && $signedNode->isSameNode($root->ownerDocument)) {
- /* $root is the root element of a signed document. */
- $rootSigned = TRUE;
- break;
- }
- }
- if (!$rootSigned) {
- throw new Exception('XMLSec: The root element is not signed.');
- }
-
- /* Now we extract all available X509 certificates in the signature element. */
- $certificates = array();
- foreach (self::xpQuery($signatureElement, './ds:KeyInfo/ds:X509Data/ds:X509Certificate') as $certNode) {
- $certData = trim($certNode->textContent);
- $certData = str_replace(array("\r", "\n", "\t", ' '), '', $certData);
- $certificates[] = $certData;
- }
-
- $ret = array(
- 'Signature' => $objXMLSecDSig,
- 'Certificates' => $certificates,
- );
-
- return $ret;
- }
-
-
- /**
- * Helper function to convert a XMLSecurityKey to the correct algorithm.
- *
- * @param XMLSecurityKey $key The key.
- * @param string $algorithm The desired algorithm.
- * @param string $types Public or private key, defaults to public.
- * @return XMLSecurityKey The new key.
- */
- public static function castKey(XMLSecurityKey $key, $algorithm, $type = 'public') {
- assert('is_string($algorithm)');
- assert('$type === "public" || $type === "private"');
-
- // do nothing if algorithm is already the type of the key
- if ($key->type === $algorithm) {
- return $key;
- }
-
- $keyInfo = openssl_pkey_get_details($key->key);
- if ($keyInfo === FALSE) {
- throw new Exception('Unable to get key details from XMLSecurityKey.');
- }
- if (!isset($keyInfo['key'])) {
- throw new Exception('Missing key in public key details.');
- }
-
- $newKey = new XMLSecurityKey($algorithm, array('type'=>$type));
- $newKey->loadKey($keyInfo['key']);
- return $newKey;
- }
-
-
- /**
- * Check a signature against a key.
- *
- * An exception is thrown if we are unable to validate the signature.
- *
- * @param array $info The information returned by the validateElement()-function.
- * @param XMLSecurityKey $key The publickey that should validate the Signature object.
- */
- public static function validateSignature(array $info, XMLSecurityKey $key) {
- assert('array_key_exists("Signature", $info)');
-
- $objXMLSecDSig = $info['Signature'];
-
- $sigMethod = self::xpQuery($objXMLSecDSig->sigNode, './ds:SignedInfo/ds:SignatureMethod');
- if (empty($sigMethod)) {
- throw new Exception('Missing SignatureMethod element.');
- }
- $sigMethod = $sigMethod[0];
- if (!$sigMethod->hasAttribute('Algorithm')) {
- throw new Exception('Missing Algorithm-attribute on SignatureMethod element.');
- }
- $algo = $sigMethod->getAttribute('Algorithm');
-
- if ($key->type === XMLSecurityKey::RSA_SHA1 && $algo !== $key->type) {
- $key = self::castKey($key, $algo);
- }
-
- /* Check the signature. */
- if (! $objXMLSecDSig->verify($key)) {
- throw new Exception("Unable to validate Signature");
- }
- }
-
-
- /**
- * Do an XPath query on an XML node.
- *
- * @param DOMNode $node The XML node.
- * @param string $query The query.
- * @return array Array with matching DOM nodes.
- */
- public static function xpQuery(DOMNode $node, $query) {
- assert('is_string($query)');
- static $xpCache = NULL;
-
- if ($node instanceof DOMDocument) {
- $doc = $node;
- } else {
- $doc = $node->ownerDocument;
- }
-
- if ($xpCache === NULL || !$xpCache->document->isSameNode($doc)) {
- $xpCache = new DOMXPath($doc);
- $xpCache->registerNamespace('soap-env', SAML2_Const::NS_SOAP);
- $xpCache->registerNamespace('saml_protocol', SAML2_Const::NS_SAMLP);
- $xpCache->registerNamespace('saml_assertion', SAML2_Const::NS_SAML);
- $xpCache->registerNamespace('saml_metadata', SAML2_Const::NS_MD);
- $xpCache->registerNamespace('ds', XMLSecurityDSig::XMLDSIGNS);
- $xpCache->registerNamespace('xenc', XMLSecEnc::XMLENCNS);
- }
-
- $results = $xpCache->query($query, $node);
- $ret = array();
- for ($i = 0; $i < $results->length; $i++) {
- $ret[$i] = $results->item($i);
- }
-
- return $ret;
- }
-
-
- /**
- * Make an exact copy the specific DOMElement.
- *
- * @param DOMElement $element The element we should copy.
- * @param DOMElement|NULL $parent The target parent element.
- * @return DOMElement The copied element.
- */
- public static function copyElement(DOMElement $element, DOMElement $parent = NULL) {
-
- if ($parent === NULL) {
- $document = new DOMDocument();
- } else {
- $document = $parent->ownerDocument;
- }
-
- $namespaces = array();
- for ($e = $element; $e !== NULL; $e = $e->parentNode) {
- foreach (SAML2_Utils::xpQuery($e, './namespace::*') as $ns) {
- $prefix = $ns->localName;
- if ($prefix === 'xml' || $prefix === 'xmlns') {
- continue;
- }
- $uri = $ns->nodeValue;
- if (!isset($namespaces[$prefix])) {
- $namespaces[$prefix] = $uri;
- }
- }
- }
-
- $newElement = $document->importNode($element, TRUE);
- if ($parent !== NULL) {
- /* We need to append the child to the parent before we add the namespaces. */
- $parent->appendChild($newElement);
- }
-
- foreach ($namespaces as $prefix => $uri) {
- $newElement->setAttributeNS($uri, $prefix . ':__ns_workaround__', 'tmp');
- $newElement->removeAttributeNS($uri, '__ns_workaround__');
- }
-
- return $newElement;
- }
-
-
- /**
- * Parse a boolean attribute.
- *
- * @param DOMElement $node The element we should fetch the attribute from.
- * @param string $attributeName The name of the attribute.
- * @param mixed $default The value that should be returned if the attribute doesn't exist.
- * @return bool|mixed The value of the attribute, or $default if the attribute doesn't exist.
- */
- public static function parseBoolean(DOMElement $node, $attributeName, $default = NULL) {
- assert('is_string($attributeName)');
-
- if (!$node->hasAttribute($attributeName)) {
- return $default;
- }
- $value = $node->getAttribute($attributeName);
- switch (strtolower($value)) {
- case '0':
- case 'false':
- return FALSE;
- case '1':
- case 'true':
- return TRUE;
- default:
- throw new Exception('Invalid value of boolean attribute ' . var_export($attributeName, TRUE) . ': ' . var_export($value, TRUE));
- }
- }
-
-
- /**
- * Create a NameID element.
- *
- * The NameId array can have the following elements: 'Value', 'Format',
- * 'NameQualifier, 'SPNameQualifier'
- *
- * Only the 'Value'-element is required.
- *
- * @param DOMElement $node The DOM node we should append the NameId to.
- * @param array $nameId The name identifier.
- */
- public static function addNameId(DOMElement $node, array $nameId) {
- assert('array_key_exists("Value", $nameId)');
-
- $xml = SAML2_Utils::addString($node, SAML2_Const::NS_SAML, 'saml:NameID', $nameId['Value']);
-
- if (array_key_exists('NameQualifier', $nameId) && $nameId['NameQualifier'] !== NULL) {
- $xml->setAttribute('NameQualifier', $nameId['NameQualifier']);
- }
- if (array_key_exists('SPNameQualifier', $nameId) && $nameId['SPNameQualifier'] !== NULL) {
- $xml->setAttribute('SPNameQualifier', $nameId['SPNameQualifier']);
- }
- if (array_key_exists('Format', $nameId) && $nameId['Format'] !== NULL) {
- $xml->setAttribute('Format', $nameId['Format']);
- }
- }
-
-
- /**
- * Parse a NameID element.
- *
- * @param DOMElement $xml The DOM element we should parse.
- * @return array The parsed name identifier.
- */
- public static function parseNameId(DOMElement $xml) {
-
- $ret = array('Value' => trim($xml->textContent));
-
- foreach (array('NameQualifier', 'SPNameQualifier', 'Format') as $attr) {
- if ($xml->hasAttribute($attr)) {
- $ret[$attr] = $xml->getAttribute($attr);
- }
- }
-
- return $ret;
- }
-
-
- /**
- * Insert a Signature-node.
- *
- * @param XMLSecurityKey $key The key we should use to sign the message.
- * @param array $certificates The certificates we should add to the signature node.
- * @param DOMElement $root The XML node we should sign.
- * @param DomElement $insertBefore The XML element we should insert the signature element before.
- */
- public static function insertSignature(XMLSecurityKey $key, array $certificates, DOMElement $root, DOMNode $insertBefore = NULL) {
-
- $objXMLSecDSig = new XMLSecurityDSig();
- $objXMLSecDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
-
- switch ($key->type) {
- case XMLSecurityKey::RSA_SHA256:
- $type = XMLSecurityDSig::SHA256;
- break;
- case XMLSecurityKey::RSA_SHA384:
- $type = XMLSecurityDSig::SHA384;
- break;
- case XMLSecurityKey::RSA_SHA512:
- $type = XMLSecurityDSig::SHA512;
- break;
- default:
- $type = XMLSecurityDSig::SHA1;
- }
-
- $objXMLSecDSig->addReferenceList(
- array($root),
- $type,
- array('http://www.w3.org/2000/09/xmldsig#enveloped-signature', XMLSecurityDSig::EXC_C14N),
- array('id_name' => 'ID', 'overwrite' => FALSE)
- );
-
- $objXMLSecDSig->sign($key);
-
- foreach ($certificates as $certificate) {
- $objXMLSecDSig->add509Cert($certificate, TRUE);
- }
-
- $objXMLSecDSig->insertSignature($root, $insertBefore);
-
- }
-
-
- /**
- * Decrypt an encrypted element.
- *
- * This is an internal helper function.
- *
- * @param DOMElement $encryptedData The encrypted data.
- * @param XMLSecurityKey $inputKey The decryption key.
- * @param array &$blacklist Blacklisted decryption algorithms.
- * @return DOMElement The decrypted element.
- */
- private static function _decryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey, array &$blacklist) {
-
- $enc = new XMLSecEnc();
-
- $enc->setNode($encryptedData);
- $enc->type = $encryptedData->getAttribute("Type");
-
- $symmetricKey = $enc->locateKey($encryptedData);
- if (!$symmetricKey) {
- throw new Exception('Could not locate key algorithm in encrypted data.');
- }
-
- $symmetricKeyInfo = $enc->locateKeyInfo($symmetricKey);
- if (!$symmetricKeyInfo) {
- throw new Exception('Could not locate <dsig:KeyInfo> for the encrypted key.');
- }
-
- $inputKeyAlgo = $inputKey->getAlgorith();
- if ($symmetricKeyInfo->isEncrypted) {
- $symKeyInfoAlgo = $symmetricKeyInfo->getAlgorith();
-
- if (in_array($symKeyInfoAlgo, $blacklist, TRUE)) {
- throw new Exception('Algorithm disabled: ' . var_export($symKeyInfoAlgo, TRUE));
- }
-
- if ($symKeyInfoAlgo === XMLSecurityKey::RSA_OAEP_MGF1P && $inputKeyAlgo === XMLSecurityKey::RSA_1_5) {
- /*
- * The RSA key formats are equal, so loading an RSA_1_5 key
- * into an RSA_OAEP_MGF1P key can be done without problems.
- * We therefore pretend that the input key is an
- * RSA_OAEP_MGF1P key.
- */
- $inputKeyAlgo = XMLSecurityKey::RSA_OAEP_MGF1P;
- }
-
- /* Make sure that the input key format is the same as the one used to encrypt the key. */
- if ($inputKeyAlgo !== $symKeyInfoAlgo) {
- throw new Exception('Algorithm mismatch between input key and key used to encrypt ' .
- ' the symmetric key for the message. Key was: ' .
- var_export($inputKeyAlgo, TRUE) . '; message was: ' .
- var_export($symKeyInfoAlgo, TRUE));
- }
-
- $encKey = $symmetricKeyInfo->encryptedCtx;
- $symmetricKeyInfo->key = $inputKey->key;
-
- $keySize = $symmetricKey->getSymmetricKeySize();
- if ($keySize === NULL) {
- /* To protect against "key oracle" attacks, we need to be able to create a
- * symmetric key, and for that we need to know the key size.
- */
- throw new Exception('Unknown key size for encryption algorithm: ' . var_export($symmetricKey->type, TRUE));
- }
-
- try {
- $key = $encKey->decryptKey($symmetricKeyInfo);
- if (strlen($key) != $keySize) {
- throw new Exception('Unexpected key size (' . strlen($key) * 8 . 'bits) for encryption algorithm: ' .
- var_export($symmetricKey->type, TRUE));
- }
- } catch (Exception $e) {
- /* We failed to decrypt this key. Log it, and substitute a "random" key. */
- SimpleSAML_Logger::error('Failed to decrypt symmetric key: ' . $e->getMessage());
- /* Create a replacement key, so that it looks like we fail in the same way as if the key was correctly padded. */
-
- /* We base the symmetric key on the encrypted key and private key, so that we always behave the
- * same way for a given input key.
- */
- $encryptedKey = $encKey->getCipherValue();
- $pkey = openssl_pkey_get_details($symmetricKeyInfo->key);
- $pkey = sha1(serialize($pkey), TRUE);
- $key = sha1($encryptedKey . $pkey, TRUE);
-
- /* Make sure that the key has the correct length. */
- if (strlen($key) > $keySize) {
- $key = substr($key, 0, $keySize);
- } elseif (strlen($key) < $keySize) {
- $key = str_pad($key, $keySize);
- }
- }
- $symmetricKey->loadkey($key);
-
- } else {
- $symKeyAlgo = $symmetricKey->getAlgorith();
- /* Make sure that the input key has the correct format. */
- if ($inputKeyAlgo !== $symKeyAlgo) {
- throw new Exception('Algorithm mismatch between input key and key in message. ' .
- 'Key was: ' . var_export($inputKeyAlgo, TRUE) . '; message was: ' .
- var_export($symKeyAlgo, TRUE));
- }
- $symmetricKey = $inputKey;
- }
-
- $algorithm = $symmetricKey->getAlgorith();
- if (in_array($algorithm, $blacklist, TRUE)) {
- throw new Exception('Algorithm disabled: ' . var_export($algorithm, TRUE));
- }
-
- $decrypted = $enc->decryptNode($symmetricKey, FALSE);
-
- /*
- * This is a workaround for the case where only a subset of the XML
- * tree was serialized for encryption. In that case, we may miss the
- * namespaces needed to parse the XML.
- */
- $xml = '<root xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'.$decrypted.'</root>';
- $newDoc = new DOMDocument();
- if (!@$newDoc->loadXML($xml)) {
- throw new Exception('Failed to parse decrypted XML. Maybe the wrong sharedkey was used?');
- }
- $decryptedElement = $newDoc->firstChild->firstChild;
- if ($decryptedElement === NULL) {
- throw new Exception('Missing encrypted element.');
- }
-
- if (!($decryptedElement instanceof DOMElement)) {
- throw new Exception('Decrypted element was not actually a DOMElement.');
- }
-
- return $decryptedElement;
- }
-
-
- /**
- * Decrypt an encrypted element.
- *
- * @param DOMElement $encryptedData The encrypted data.
- * @param XMLSecurityKey $inputKey The decryption key.
- * @param array $blacklist Blacklisted decryption algorithms.
- * @return DOMElement The decrypted element.
- */
- public static function decryptElement(DOMElement $encryptedData, XMLSecurityKey $inputKey, array $blacklist = array()) {
-
- try {
- return self::_decryptElement($encryptedData, $inputKey, $blacklist);
- } catch (Exception $e) {
- /*
- * Something went wrong during decryption, but for security
- * reasons we cannot tell the user what failed.
- */
- SimpleSAML_Logger::error('Decryption failed: ' . $e->getMessage());
- throw new Exception('Failed to decrypt XML element.');
- }
- }
-
-
- /**
- * Extract localized strings from a set of nodes.
- *
- * @param DOMElement $parent The element that contains the localized strings.
- * @param string $namespaceURI The namespace URI the localized strings should have.
- * @param string $localName The localName of the localized strings.
- * @return array Localized strings.
- */
- public static function extractLocalizedStrings(DOMElement $parent, $namespaceURI, $localName) {
- assert('is_string($namespaceURI)');
- assert('is_string($localName)');
-
- $ret = array();
- for ($node = $parent->firstChild; $node !== NULL; $node = $node->nextSibling) {
- if ($node->namespaceURI !== $namespaceURI || $node->localName !== $localName) {
- continue;
- }
-
- if ($node->hasAttribute('xml:lang')) {
- $language = $node->getAttribute('xml:lang');
- } else {
- $language = 'en';
- }
- $ret[$language] = trim($node->textContent);
- }
-
- return $ret;
- }
-
-
- /**
- * Extract strings from a set of nodes.
- *
- * @param DOMElement $parent The element that contains the localized strings.
- * @param string $namespaceURI The namespace URI the string elements should have.
- * @param string $localName The localName of the string elements.
- * @return array The string values of the various nodes.
- */
- public static function extractStrings(DOMElement $parent, $namespaceURI, $localName) {
- assert('is_string($namespaceURI)');
- assert('is_string($localName)');
-
- $ret = array();
- for ($node = $parent->firstChild; $node !== NULL; $node = $node->nextSibling) {
- if ($node->namespaceURI !== $namespaceURI || $node->localName !== $localName) {
- continue;
- }
- $ret[] = trim($node->textContent);
- }
-
- return $ret;
- }
-
-
- /**
- * Append string element.
- *
- * @param DOMElement $parent The parent element we should append the new nodes to.
- * @param string $namespace The namespace of the created element.
- * @param string $name The name of the created element.
- * @param string $value The value of the element.
- * @return DOMElement The generated element.
- */
- public static function addString(DOMElement $parent, $namespace, $name, $value) {
- assert('is_string($namespace)');
- assert('is_string($name)');
- assert('is_string($value)');
-
- $doc = $parent->ownerDocument;
-
- $n = $doc->createElementNS($namespace, $name);
- $n->appendChild($doc->createTextNode($value));
- $parent->appendChild($n);
-
- return $n;
- }
-
-
- /**
- * Append string elements.
- *
- * @param DOMElement $parent The parent element we should append the new nodes to.
- * @param string $namespace The namespace of the created elements
- * @param string $name The name of the created elements
- * @param bool $localized Whether the strings are localized, and should include the xml:lang attribute.
- * @param array $values The values we should create the elements from.
- */
- public static function addStrings(DOMElement $parent, $namespace, $name, $localized, array $values) {
- assert('is_string($namespace)');
- assert('is_string($name)');
- assert('is_bool($localized)');
-
- $doc = $parent->ownerDocument;
-
- foreach ($values as $index => $value) {
- $n = $doc->createElementNS($namespace, $name);
- $n->appendChild($doc->createTextNode($value));
- if ($localized) {
- $n->setAttribute('xml:lang', $index);
- }
- $parent->appendChild($n);
- }
- }
-
-
- /**
- * Create a KeyDescriptor with the given certificate.
- *
- * @param string $x509Data The certificate, as a base64-encoded DER data.
- * @return SAML2_XML_md_KeyDescriptor The keydescriptor.
- */
- public static function createKeyDescriptor($x509Data) {
- assert('is_string($x509Data)');
-
- $x509Certificate = new SAML2_XML_ds_X509Certificate();
- $x509Certificate->certificate = $x509Data;
-
- $x509Data = new SAML2_XML_ds_X509Data();
- $x509Data->data[] = $x509Certificate;
-
- $keyInfo = new SAML2_XML_ds_KeyInfo();
- $keyInfo->info[] = $x509Data;
-
- $keyDescriptor = new SAML2_XML_md_KeyDescriptor();
- $keyDescriptor->KeyInfo = $keyInfo;
-
- return $keyDescriptor;
- }
-
-}
diff --git a/lib/SAML2/XML/Chunk.php b/lib/SAML2/XML/Chunk.php
deleted file mode 100644
index 9f614d3dc180547ddcb2f0b7b00fd71115336fce..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/Chunk.php
+++ /dev/null
@@ -1,104 +0,0 @@
-<?php
-
-/**
- * Serializable class used to hold an XML element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_Chunk {
-
- /**
- * The localName of the element.
- *
- * @var string
- */
- public $localName;
-
-
- /**
- * The namespaceURI of this element.
- *
- * @var string
- */
- public $namespaceURI;
-
-
- /**
- * The DOMElement we contain.
- *
- * @var DOMElement
- */
- private $xml;
-
-
- /**
- * The DOMElement as a text string. Used during serialization.
- *
- * @var string|NULL
- */
- private $xmlString;
-
-
- /**
- * Create a XMLChunk from a copy of the given DOMElement.
- *
- * @param DOMElement $xml The element we should copy.
- */
- public function __construct(DOMElement $xml) {
-
- $this->localName = $xml->localName;
- $this->namespaceURI = $xml->namespaceURI;
-
- $this->xml = SAML2_Utils::copyElement($xml);
- }
-
-
- /**
- * Get this DOMElement.
- *
- * @return DOMElement This element.
- */
- public function getXML() {
- assert('$this->xml instanceof DOMElement || is_string($this->xmlString)');
-
- if ($this->xml === NULL) {
- $doc = new DOMDocument();
- $doc->loadXML($this->xmlString);
- $this->xml = $doc->firstChild;
- }
-
- return $this->xml;
- }
-
-
- /**
- * Append this XML element to a different XML element.
- *
- * @param DOMElement $parent The element we should append this element to.
- * @return DOMElement The new element.
- */
- public function toXML(DOMElement $parent) {
-
- return SAML2_Utils::copyElement($this->getXML(), $parent);
- }
-
-
- /**
- * Serialization handler.
- *
- * Converts the XML data to a string that can be serialized
- *
- * @return array List of properties that should be serialized.
- */
- public function __sleep() {
- assert('$this->xml instanceof DOMElement || is_string($this->xmlString)');
-
- if ($this->xmlString === NULL) {
- $this->xmlString = $this->xml->ownerDocument->saveXML($this->xml);
- }
-
- return array('xmlString', 'localName', 'namespaceURI');
- }
-
-}
diff --git a/lib/SAML2/XML/ds/KeyInfo.php b/lib/SAML2/XML/ds/KeyInfo.php
deleted file mode 100644
index 44b4b0d0ed3af3e48392a45d0066400a1387388a..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/ds/KeyInfo.php
+++ /dev/null
@@ -1,94 +0,0 @@
-<?php
-
-/**
- * Class representing a ds:KeyInfo element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_ds_KeyInfo {
-
- /**
- * The Id attribute on this element.
- *
- * @var string|NULL
- */
- public $Id = NULL;
-
-
- /**
- * The various key information elements.
- *
- * Array with various elements describing this key.
- * Unknown elements will be represented by SAML2_XML_Chunk.
- *
- * @var array
- */
- public $info = array();
-
-
- /**
- * Initialize a KeyInfo element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('Id')) {
- $this->Id = $xml->getAttribute('Id');
- }
-
- for ($n = $xml->firstChild; $n !== NULL; $n = $n->nextSibling) {
- if (!($n instanceof DOMElement)) {
- continue;
- }
-
- if ($n->namespaceURI !== XMLSecurityDSig::XMLDSIGNS) {
- $this->info[] = new SAML2_XML_Chunk($n);
- continue;
- }
- switch ($n->localName) {
- case 'KeyName':
- $this->info[] = new SAML2_XML_ds_KeyName($n);
- break;
- case 'X509Data':
- $this->info[] = new SAML2_XML_ds_X509Data($n);
- break;
- default:
- $this->info[] = new SAML2_XML_Chunk($n);
- break;
- }
- }
- }
-
-
- /**
- * Convert this KeyInfo to XML.
- *
- * @param DOMElement $parent The element we should append this KeyInfo to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_null($this->Id) || is_string($this->Id)');
- assert('is_array($this->info)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo');
- $parent->appendChild($e);
-
- if (isset($this->Id)) {
- $e->setAttribute('Id', $this->Id);
- }
-
- foreach ($this->info as $n) {
- $n->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/ds/KeyName.php b/lib/SAML2/XML/ds/KeyName.php
deleted file mode 100644
index 6eae3a4f2addb5cbe4304495da5ac2f4d0f6334e..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/ds/KeyName.php
+++ /dev/null
@@ -1,45 +0,0 @@
-<?php
-
-/**
- * Class representing a ds:KeyName element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_ds_KeyName {
-
- /**
- * The key name.
- *
- * @var string
- */
- public $name;
-
-
- /**
- * Initialize a KeyName element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- $this->name = $xml->textContent;
- }
-
-
- /**
- * Convert this KeyName element to XML.
- *
- * @param DOMElement $parent The element we should append this KeyName element to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->name)');
-
- return SAML2_Utils::addString($parent, XMLSecurityDSig::XMLDSIGNS, 'ds:KeyName', $this->name);
- }
-
-}
diff --git a/lib/SAML2/XML/ds/X509Certificate.php b/lib/SAML2/XML/ds/X509Certificate.php
deleted file mode 100644
index c4dcac197951b0e1c87b28814f845d45acf90c87..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/ds/X509Certificate.php
+++ /dev/null
@@ -1,45 +0,0 @@
-<?php
-
-/**
- * Class representing a ds:X509Certificate element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_ds_X509Certificate {
-
- /**
- * The base64-encoded certificate.
- *
- * @var string
- */
- public $certificate;
-
-
- /**
- * Initialize an X509Certificate element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- $this->certificate = $xml->textContent;
- }
-
-
- /**
- * Convert this X509Certificate element to XML.
- *
- * @param DOMElement $parent The element we should append this X509Certificate element to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->certificate)');
-
- return SAML2_Utils::addString($parent, XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $this->certificate);
- }
-
-}
diff --git a/lib/SAML2/XML/ds/X509Data.php b/lib/SAML2/XML/ds/X509Data.php
deleted file mode 100644
index e6b3c066f59461fb335cd337ee87a08ae19c364c..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/ds/X509Data.php
+++ /dev/null
@@ -1,74 +0,0 @@
-<?php
-
-/**
- * Class representing a ds:X509Data element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_ds_X509Data {
-
- /**
- * The various X509 data elements.
- *
- * Array with various elements describing this certificate.
- * Unknown elements will be represented by SAML2_XML_Chunk.
- *
- * @var array
- */
- public $data = array();
-
-
- /**
- * Initialize a X509Data.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- for ($n = $xml->firstChild; $n !== NULL; $n = $n->nextSibling) {
- if (!($n instanceof DOMElement)) {
- continue;
- }
-
- if ($n->namespaceURI !== XMLSecurityDSig::XMLDSIGNS) {
- $this->data[] = new SAML2_XML_Chunk($n);
- continue;
- }
- switch ($n->localName) {
- case 'X509Certificate':
- $this->data[] = new SAML2_XML_ds_X509Certificate($n);
- break;
- default:
- $this->data[] = new SAML2_XML_Chunk($n);
- break;
- }
- }
- }
-
-
- /**
- * Convert this X509Data element to XML.
- *
- * @param DOMElement $parent The element we should append this X509Data element to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->data)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
- $parent->appendChild($e);
-
- foreach ($this->data as $n) {
- $n->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/AdditionalMetadataLocation.php b/lib/SAML2/XML/md/AdditionalMetadataLocation.php
deleted file mode 100644
index 3bdb6ba72354877bc177ca4a289f8b6b2a7a0d70..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/AdditionalMetadataLocation.php
+++ /dev/null
@@ -1,62 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 metadata AdditionalMetadataLocation element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_AdditionalMetadataLocation {
-
- /**
- * The namespace of this metadata.
- *
- * @var string
- */
- public $namespace;
-
- /**
- * The URI where the metadata is located.
- *
- * @var string
- */
- public $location;
-
-
- /**
- * Initialize an AdditionalMetadataLocation element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('namespace')) {
- throw new Exception('Missing namespace attribute on AdditionalMetadataLocation element.');
- }
- $this->namespace = $xml->getAttribute('namespace');
-
- $this->location = $xml->textContent;
- }
-
-
- /**
- * Convert this AdditionalMetadataLocation to XML.
- *
- * @param DOMElement $parent The element we should append to.
- * @return DOMElement This AdditionalMetadataLocation-element.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->namespace)');
- assert('is_string($this->location)');
-
- $e = SAML2_Utils::addString($parent, SAML2_Const::NS_MD, 'md:AdditionalMetadataLocation', $this->location);
- $e->setAttribute('namespace', $this->namespace);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/AffiliationDescriptor.php b/lib/SAML2/XML/md/AffiliationDescriptor.php
deleted file mode 100644
index 927ad1f8387de3f75e285e4fd83548cc3181b316..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/AffiliationDescriptor.php
+++ /dev/null
@@ -1,162 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 AffiliationDescriptor element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_AffiliationDescriptor extends SAML2_SignedElementHelper {
-
- /**
- * The affiliationOwnerID.
- *
- * @var string
- */
- public $affiliationOwnerID;
-
-
- /**
- * The ID of this element.
- *
- * @var string|NULL
- */
- public $ID;
-
-
- /**
- * How long this element is valid, as a unix timestamp.
- *
- * @var int|NULL
- */
- public $validUntil;
-
-
- /**
- * The length of time this element can be cached, as string.
- *
- * @var string|NULL
- */
- public $cacheDuration;
-
-
- /**
- * Extensions on this element.
- *
- * Array of extension elements.
- *
- * @var array
- */
- public $Extensions = array();
-
-
- /**
- * The AffiliateMember(s).
- *
- * Array of entity ID strings.
- *
- * @var array
- */
- public $AffiliateMember = array();
-
-
- /**
- * KeyDescriptor elements.
- *
- * Array of SAML2_XML_md_KeyDescriptor elements.
- *
- * @var array
- */
- public $KeyDescriptor = array();
-
-
- /**
- * Initialize a AffiliationDescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- parent::__construct($xml);
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('affiliationOwnerID')) {
- throw new Exception('Missing affiliationOwnerID on AffiliationDescriptor.');
- }
- $this->affiliationOwnerID = $xml->getAttribute('affiliationOwnerID');
-
- if ($xml->hasAttribute('ID')) {
- $this->ID = $xml->getAttribute('ID');
- }
-
- if ($xml->hasAttribute('validUntil')) {
- $this->validUntil = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('validUntil'));
- }
-
- if ($xml->hasAttribute('cacheDuration')) {
- $this->cacheDuration = $xml->getAttribute('cacheDuration');
- }
-
- $this->Extensions = SAML2_XML_md_Extensions::getList($xml);
-
- $this->AffiliateMember = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'AffiliateMember');
- if (empty($this->AffiliateMember)) {
- throw new Exception('Missing AffiliateMember in AffiliationDescriptor.');
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:KeyDescriptor') as $kd) {
- $this->KeyDescriptor[] = new SAML2_XML_md_KeyDescriptor($kd);
- }
- }
-
-
- /**
- * Add this AffiliationDescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this endpoint to.
- * @param string $name The name of the element we should create.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->affiliationOwnerID)');
- assert('is_null($this->ID) || is_string($this->ID)');
- assert('is_null($this->validUntil) || is_int($this->validUntil)');
- assert('is_null($this->cacheDuration) || is_string($this->cacheDuration)');
- assert('is_array($this->Extensions)');
- assert('is_array($this->AffiliateMember)');
- assert('!empty($this->AffiliateMember)');
- assert('is_array($this->KeyDescriptor)');
-
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_MD, 'md:AffiliationDescriptor');
- $parent->appendChild($e);
-
- $e->setAttribute('affiliationOwnerID', $this->affiliationOwnerID);
-
- if (isset($this->ID)) {
- $e->setAttribute('ID', $this->ID);
- }
-
- if (isset($this->validUntil)) {
- $e->setAttribute('validUntil', gmdate('Y-m-d\TH:i:s\Z', $this->validUntil));
- }
-
- if (isset($this->cacheDuration)) {
- $e->setAttribute('cacheDuration', $this->cacheDuration);
- }
-
- SAML2_XML_md_Extensions::addList($e, $this->Extensions);
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:AffiliateMember', FALSE, $this->AffiliateMember);
-
- foreach ($this->KeyDescriptor as $kd) {
- $kd->toXML($e);
- }
-
- $this->signElement($e, $e->firstChild);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/AttributeAuthorityDescriptor.php b/lib/SAML2/XML/md/AttributeAuthorityDescriptor.php
deleted file mode 100644
index 68eefee68fff4ed676ef4b95327d4fb00644e7ff..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/AttributeAuthorityDescriptor.php
+++ /dev/null
@@ -1,128 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 metadata AttributeAuthorityDescriptor.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_AttributeAuthorityDescriptor extends SAML2_XML_md_RoleDescriptor {
-
- /**
- * List of AttributeService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AttributeService = array();
-
-
- /**
- * List of AssertionIDRequestService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AssertionIDRequestService = array();
-
-
- /**
- * List of supported NameID formats.
- *
- * Array of strings.
- *
- * @var array
- */
- public $NameIDFormat = array();
-
-
- /**
- * List of supported attribute profiles.
- *
- * Array with strings.
- *
- * @var array
- */
- public $AttributeProfile = array();
-
-
- /**
- * List of supported attributes.
- *
- * Array with SAML2_XML_saml_Attribute objects.
- *
- * @var array
- */
- public $Attribute = array();
-
-
- /**
- * Initialize an IDPSSODescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('md:AttributeAuthorityDescriptor', $xml);
-
- if ($xml === NULL) {
- return;
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AttributeService') as $ep) {
- $this->AttributeService[] = new SAML2_XML_md_EndpointType($ep);
- }
- if (empty($this->AttributeService)) {
- throw new Exception('Must have at least one AttributeService in AttributeAuthorityDescriptor.');
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AssertionIDRequestService') as $ep) {
- $this->AssertionIDRequestService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- $this->NameIDFormat = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'NameIDFormat');
-
- $this->AttributeProfile = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'AttributeProfile');
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_assertion:Attribute') as $a) {
- $this->Attribute[] = new SAML2_XML_saml_Attribute($a);
- }
- }
-
-
- /**
- * Add this AttributeAuthorityDescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this IDPSSODescriptor to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->AttributeService)');
- assert('!empty($this->AttributeService)');
- assert('is_array($this->AssertionIDRequestService)');
- assert('is_array($this->NameIDFormat)');
- assert('is_array($this->AttributeProfile)');
- assert('is_array($this->Attribute)');
-
- $e = parent::toXML($parent);
-
- foreach ($this->AttributeService as $ep) {
- $ep->toXML($e, 'md:AttributeService');
- }
-
- foreach ($this->AssertionIDRequestService as $ep) {
- $ep->toXML($e, 'md:AssertionIDRequestService');
- }
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:NameIDFormat', FALSE, $this->NameIDFormat);
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:AttributeProfile', FALSE, $this->AttributeProfile);
-
- foreach ($this->Attribute as $a) {
- $a->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/AttributeConsumingService.php b/lib/SAML2/XML/md/AttributeConsumingService.php
deleted file mode 100644
index 427fd28533303b3e12f729fc352b6ed803e02565..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/AttributeConsumingService.php
+++ /dev/null
@@ -1,124 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 Metadata AttributeConsumingService element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_AttributeConsumingService {
-
- /**
- * The index of this AttributeConsumingService.
- *
- * @var int
- */
- public $index;
-
-
- /**
- * Whether this is the default AttributeConsumingService.
- *
- * @var bool|NULL
- */
- public $isDefault = NULL;
-
-
- /**
- * The ServiceName of this AttributeConsumingService.
- *
- * This is an associative array with language => translation.
- *
- * @var array
- */
- public $ServiceName = array();
-
-
- /**
- * The ServiceDescription of this AttributeConsumingService.
- *
- * This is an associative array with language => translation.
- *
- * @var array
- */
- public $ServiceDescription = array();
-
-
- /**
- * The RequestedAttribute elements.
- *
- * This is an array of SAML_RequestedAttributeType elements.
- *
- * @var array
- */
- public $RequestedAttribute = array();
-
-
- /**
- * Initialize / parse an AttributeConsumingService.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
-
- if (!$xml->hasAttribute('index')) {
- throw new Exception('Missing index on AttributeConsumingService.');
- }
- $this->index = (int)$xml->getAttribute('index');
-
- $this->isDefault = SAML2_Utils::parseBoolean($xml, 'isDefault', NULL);
-
- $this->ServiceName = SAML2_Utils::extractLocalizedStrings($xml, SAML2_Const::NS_MD, 'ServiceName');
- if (empty($this->ServiceName)) {
- throw new Exception('Missing ServiceName in AttributeConsumingService.');
- }
-
- $this->ServiceDescription = SAML2_Utils::extractLocalizedStrings($xml, SAML2_Const::NS_MD, 'ServiceDescription');
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:RequestedAttribute') as $ra) {
- $this->RequestedAttribute[] = new SAML2_XML_md_RequestedAttribute($ra);
- }
- }
-
-
- /**
- * Convert to DOMElement.
- *
- * @param DOMElement $parent The element we should append this AttributeConsumingService to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_int($this->index)');
- assert('is_null($this->isDefault) || is_bool($this->isDefault)');
- assert('is_array($this->ServiceName)');
- assert('is_array($this->ServiceDescription)');
- assert('is_array($this->RequestedAttribute)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_Const::NS_MD, 'md:AttributeConsumingService');
- $parent->appendChild($e);
-
- $e->setAttribute('index', (string)$this->index);
-
- if ($this->isDefault === TRUE) {
- $e->setAttribute('isDefault', 'true');
- } elseif ($this->isDefault === FALSE) {
- $e->setAttribute('isDefault', 'false');
- }
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:ServiceName', TRUE, $this->ServiceName);
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:ServiceDescription', TRUE, $this->ServiceDescription);
-
- foreach ($this->RequestedAttribute as $ra) {
- $ra->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/AuthnAuthorityDescriptor.php b/lib/SAML2/XML/md/AuthnAuthorityDescriptor.php
deleted file mode 100644
index 52124abc99cb0e1b19f694b73dad7202353e3d53..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/AuthnAuthorityDescriptor.php
+++ /dev/null
@@ -1,94 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 metadata AuthnAuthorityDescriptor.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_AuthnAuthorityDescriptor extends SAML2_XML_md_RoleDescriptor {
-
- /**
- * List of AuthnQueryService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AuthnQueryService = array();
-
-
- /**
- * List of AssertionIDRequestService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AssertionIDRequestService = array();
-
-
- /**
- * List of supported NameID formats.
- *
- * Array of strings.
- *
- * @var array
- */
- public $NameIDFormat = array();
-
-
- /**
- * Initialize an IDPSSODescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('md:AuthnAuthorityDescriptor', $xml);
-
- if ($xml === NULL) {
- return;
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AuthnQueryService') as $ep) {
- $this->AuthnQueryService[] = new SAML2_XML_md_EndpointType($ep);
- }
- if (empty($this->AuthnQueryService)) {
- throw new Exception('Must have at least one AuthnQueryService in AuthnAuthorityDescriptor.');
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AssertionIDRequestService') as $ep) {
- $this->AssertionIDRequestService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- $this->NameIDFormat = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'NameIDFormat');
- }
-
-
- /**
- * Add this IDPSSODescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this AuthnAuthorityDescriptor to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->AuthnQueryService)');
- assert('!empty($this->AuthnQueryService)');
- assert('is_array($this->AssertionIDRequestService)');
- assert('is_array($this->NameIDFormat)');
-
- $e = parent::toXML($parent);
-
- foreach ($this->AuthnQueryService as $ep) {
- $ep->toXML($e, 'md:AuthnQueryService');
- }
-
- foreach ($this->AssertionIDRequestService as $ep) {
- $ep->toXML($e, 'md:AssertionIDRequestService');
- }
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:NameIDFormat', FALSE, $this->NameIDFormat);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/ContactPerson.php b/lib/SAML2/XML/md/ContactPerson.php
deleted file mode 100644
index ea347c3f908ff0724357604b8da8fa6c6160c5e2..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/ContactPerson.php
+++ /dev/null
@@ -1,182 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 ContactPerson.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_ContactPerson {
-
- /**
- * The contact type.
- *
- * @var string
- */
- public $contactType;
-
-
- /**
- * Extensions on this element.
- *
- * Array of extension elements.
- *
- * @var array
- */
- public $Extensions = array();
-
-
- /**
- * The Company of this contact.
- *
- * @var string
- */
- public $Company = NULL;
-
-
- /**
- * The GivenName of this contact.
- *
- * @var string
- */
- public $GivenName = NULL;
-
-
- /**
- * The SurName of this contact.
- *
- * @var string
- */
- public $SurName = NULL;
-
-
- /**
- * The EmailAddresses of this contact.
- *
- * @var array
- */
- public $EmailAddress = array();
-
-
- /**
- * The TelephoneNumbers of this contact.
- *
- * @var array
- */
- public $TelephoneNumber = array();
-
-
- /**
- * Initialize a ContactPerson element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('contactType')) {
- throw new Exception('Missing contactType on ContactPerson.');
- }
- $this->contactType = $xml->getAttribute('contactType');
-
- $this->Extensions = SAML2_XML_md_Extensions::getList($xml);
-
-
- $this->Company = self::getStringElement($xml, 'Company');
- $this->GivenName = self::getStringElement($xml, 'GivenName');
- $this->SurName = self::getStringElement($xml, 'SurName');
- $this->EmailAddress = self::getStringElements($xml, 'EmailAddress');
- $this->TelephoneNumber = self::getStringElements($xml, 'TelephoneNumber');
- }
-
-
- /**
- * Retrieve the value of a child DOMElements as an array of strings.
- *
- * @param DOMElement $parent The parent element.
- * @param string $name The name of the child elements.
- * @return array The value of the child elements.
- */
- private static function getStringElements(DOMElement $parent, $name) {
- assert('is_string($name)');
-
- $e = SAML2_Utils::xpQuery($parent, './saml_metadata:' . $name);
-
- $ret = array();
- foreach ($e as $i) {
- $ret[] = $i->textContent;
- }
-
- return $ret;
- }
-
-
- /**
- * Retrieve the value of a child DOMElement as a string.
- *
- * @param DOMElement $parent The parent element.
- * @param string $name The name of the child element.
- * @return string|NULL The value of the child element.
- */
- private static function getStringElement(DOMElement $parent, $name) {
- assert('is_string($name)');
-
- $e = self::getStringElements($parent, $name);
- if (empty($e)) {
- return NULL;
- }
- if (count($e) > 1) {
- throw new Exception('More than one ' . $name . ' in ' . $parent->tagName);
- }
-
- return $e[0];
- }
-
-
- /**
- * Convert this ContactPerson to XML.
- *
- * @param DOMElement $parent The element we should add this contact to.
- * @return DOMElement The new ContactPerson-element.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->contactType)');
- assert('is_array($this->Extensions)');
- assert('is_null($this->Company) || is_string($this->Company)');
- assert('is_null($this->GivenName) || is_string($this->GivenName)');
- assert('is_null($this->SurName) || is_string($this->SurName)');
- assert('is_array($this->EmailAddress)');
- assert('is_array($this->TelephoneNumber)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_Const::NS_MD, 'md:ContactPerson');
- $parent->appendChild($e);
-
- $e->setAttribute('contactType', $this->contactType);
-
- SAML2_XML_md_Extensions::addList($e, $this->Extensions);
-
- if (isset($this->Company)) {
- SAML2_Utils::addString($e, SAML2_Const::NS_MD, 'md:Company', $this->Company);
- }
- if (isset($this->GivenName)) {
- SAML2_Utils::addString($e, SAML2_Const::NS_MD, 'md:GivenName', $this->GivenName);
- }
- if (isset($this->SurName)) {
- SAML2_Utils::addString($e, SAML2_Const::NS_MD, 'md:SurName', $this->SurName);
- }
- if (!empty($this->EmailAddress)) {
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:EmailAddress', FALSE, $this->EmailAddress);
- }
- if (!empty($this->TelephoneNumber)) {
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:TelephoneNumber', FALSE, $this->TelephoneNumber);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/EndpointType.php b/lib/SAML2/XML/md/EndpointType.php
deleted file mode 100644
index e4317e607a8057e86dda4963ecf656dcadd3eb42..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/EndpointType.php
+++ /dev/null
@@ -1,187 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 EndpointType.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_EndpointType {
-
- /**
- * The binding for this endpoint.
- *
- * @var string
- */
- public $Binding;
-
-
- /**
- * The URI to this endpoint.
- *
- * @var string
- */
- public $Location;
-
-
- /**
- * The URI where responses can be delivered.
- *
- * @var string|NULL
- */
- public $ResponseLocation = NULL;
-
-
- /**
- * Extra (namespace qualified) attributes.
- *
- * @var array
- */
- private $attributes = array();
-
-
- /**
- * Initialize an EndpointType.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('Binding')) {
- throw new Exception('Missing Binding on ' . $xml->tagName);
- }
- $this->Binding = $xml->getAttribute('Binding');
-
- if (!$xml->hasAttribute('Location')) {
- throw new Exception('Missing Location on ' . $xml->tagName);
- }
- $this->Location = $xml->getAttribute('Location');
-
- if ($xml->hasAttribute('ResponseLocation')) {
- $this->ResponseLocation = $xml->getAttribute('ResponseLocation');
- }
-
- foreach ($xml->attributes as $a) {
- if ($a->namespaceURI === NULL) {
- continue; /* Not namespace-qualified -- skip. */
- }
- $fullName = '{' . $a->namespaceURI . '}' . $a->localName;
- $this->attributes[$fullName] = array(
- 'qualifiedName' => $a->nodeName,
- 'namespaceURI' => $a->namespaceURI,
- 'value' => $a->value,
- );
- }
- }
-
-
- /**
- * Check if a namespace-qualified attribute exists.
- *
- * @param string $namespaceURI The namespace URI.
- * @param string $localName The local name.
- * @return boolean TRUE if the attribute exists, FALSE if not.
- */
- public function hasAttributeNS($namespaceURI, $localName) {
- assert('is_string($namespaceURI)');
- assert('is_string($localName)');
-
- $fullName = '{' . $namespaceURI . '}' . $localName;
- return isset($this->attributes[$fullName]);
- }
-
-
- /**
- * Get a namespace-qualified attribute.
- *
- * @param string $namespaceURI The namespace URI.
- * @param string $localName The local name.
- * @return string The value of the attribute, or an empty string if the attribute does not exist.
- */
- public function getAttributeNS($namespaceURI, $localName) {
- assert('is_string($namespaceURI)');
- assert('is_string($localName)');
-
- $fullName = '{' . $namespaceURI . '}' . $localName;
- if (!isset($this->attributes[$fullName])) {
- return '';
- }
- return $this->attributes[$fullName]['value'];
- }
-
-
- /**
- * Get a namespace-qualified attribute.
- *
- * @param string $namespaceURI The namespace URI.
- * @param string $qualifiedName The local name.
- * @param string $value The attribute value.
- */
- public function setAttributeNS($namespaceURI, $qualifiedName, $value) {
- assert('is_string($namespaceURI)');
- assert('is_string($qualifiedName)');
-
- $name = explode(':', $qualifiedName, 2);
- if (count($name) < 2) {
- throw new Exception('Not a qualified name.');
- }
- $localName = $name[1];
-
- $fullName = '{' . $namespaceURI . '}' . $localName;
- $this->attributes[$fullName] = array(
- 'qualifiedName' => $qualifiedName,
- 'namespaceURI' => $namespaceURI,
- 'value' => $value,
- );
- }
-
-
- /**
- * Remove a namespace-qualified attribute.
- *
- * @param string $namespaceURI The namespace URI.
- * @param string $localName The local name.
- */
- public function removeAttributeNS($namespaceURI, $localName) {
- assert('is_string($namespaceURI)');
- assert('is_string($localName)');
-
- $fullName = '{' . $namespaceURI . '}' . $localName;
- unset($this->attributes[$fullName]);
- }
-
-
- /**
- * Add this endpoint to an XML element.
- *
- * @param DOMElement $parent The element we should append this endpoint to.
- * @param string $name The name of the element we should create.
- */
- public function toXML(DOMElement $parent, $name) {
- assert('is_string($name)');
- assert('is_string($this->Binding)');
- assert('is_string($this->Location)');
- assert('is_null($this->ResponseLocation) || is_string($this->ResponseLocation)');
-
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_MD, $name);
- $parent->appendChild($e);
-
- $e->setAttribute('Binding', $this->Binding);
- $e->setAttribute('Location', $this->Location);
-
- if (isset($this->ResponseLocation)) {
- $e->setAttribute('ResponseLocation', $this->ResponseLocation);
- }
-
- foreach ($this->attributes as $a) {
- $e->setAttributeNS($a['namespaceURI'], $a['qualifiedName'], $a['value']);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/EntitiesDescriptor.php b/lib/SAML2/XML/md/EntitiesDescriptor.php
deleted file mode 100644
index c0e91345f691a7b43587cd1c9bd3722c762bd644..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/EntitiesDescriptor.php
+++ /dev/null
@@ -1,147 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 EntitiesDescriptor element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_EntitiesDescriptor extends SAML2_SignedElementHelper {
-
- /**
- * The ID of this element.
- *
- * @var string|NULL
- */
- public $ID;
-
-
- /**
- * How long this element is valid, as a unix timestamp.
- *
- * @var int|NULL
- */
- public $validUntil;
-
-
- /**
- * The length of time this element can be cached, as string.
- *
- * @var string|NULL
- */
- public $cacheDuration;
-
-
- /**
- * The name of this entity collection.
- *
- * @var string|NULL
- */
- public $Name;
-
-
- /**
- * Extensions on this element.
- *
- * Array of extension elements.
- *
- * @var array
- */
- public $Extensions = array();
-
-
- /**
- * Child EntityDescriptor and EntitiesDescriptor elements.
- *
- * @var array
- */
- public $children = array();
-
-
- /**
- * Initialize an EntitiesDescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct($xml);
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('ID')) {
- $this->ID = $xml->getAttribute('ID');
- }
- if ($xml->hasAttribute('validUntil')) {
- $this->validUntil = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('validUntil'));
- }
- if ($xml->hasAttribute('cacheDuration')) {
- $this->cacheDuration = $xml->getAttribute('cacheDuration');
- }
- if ($xml->hasAttribute('Name')) {
- $this->Name = $xml->getAttribute('Name');
- }
-
- $this->Extensions = SAML2_XML_md_Extensions::getList($xml);
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:EntityDescriptor|./saml_metadata:EntitiesDescriptor') as $node) {
- if ($node->localName === 'EntityDescriptor') {
- $this->children[] = new SAML2_XML_md_EntityDescriptor($node);
- } else {
- $this->children[] = new SAML2_XML_md_EntitiesDescriptor($node);
- }
- }
- }
-
-
- /**
- * Convert this EntitiesDescriptor to XML.
- *
- * @param DOMElement|NULL $parent The EntitiesDescriptor we should append this EntitiesDescriptor to.
- */
- public function toXML(DOMElement $parent = NULL) {
- assert('is_null($this->ID) || is_string($this->ID)');
- assert('is_null($this->validUntil) || is_int($this->validUntil)');
- assert('is_null($this->cacheDuration) || is_string($this->cacheDuration)');
- assert('is_null($this->Name) || is_string($this->Name)');
- assert('is_array($this->Extensions)');
- assert('is_array($this->children)');
-
- if ($parent === NULL) {
- $doc = new DOMDocument();
- $e = $doc->createElementNS(SAML2_Const::NS_MD, 'md:EntitiesDescriptor');
- $doc->appendChild($e);
- } else {
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_MD, 'md:EntitiesDescriptor');
- $parent->appendChild($e);
- }
-
- if (isset($this->ID)) {
- $e->setAttribute('ID', $this->ID);
- }
-
- if (isset($this->validUntil)) {
- $e->setAttribute('validUntil', gmdate('Y-m-d\TH:i:s\Z', $this->validUntil));
- }
-
- if (isset($this->cacheDuration)) {
- $e->setAttribute('cacheDuration', $this->cacheDuration);
- }
-
- if (isset($this->Name)) {
- $e->setAttribute('Name', $this->Name);
- }
-
- SAML2_XML_md_Extensions::addList($e, $this->Extensions);
-
- foreach ($this->children as $node) {
- $node->toXML($e);
- }
-
- $this->signElement($e, $e->firstChild);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/EntityDescriptor.php b/lib/SAML2/XML/md/EntityDescriptor.php
deleted file mode 100644
index 89c7dcefc8ab082c24248195a46ced036b70681e..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/EntityDescriptor.php
+++ /dev/null
@@ -1,252 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 EntityDescriptor element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_EntityDescriptor extends SAML2_SignedElementHelper {
-
- /**
- * The entityID this EntityDescriptor represents.
- *
- * @var string
- */
- public $entityID;
-
-
- /**
- * The ID of this element.
- *
- * @var string|NULL
- */
- public $ID;
-
-
- /**
- * How long this element is valid, as a unix timestamp.
- *
- * @var int|NULL
- */
- public $validUntil;
-
-
- /**
- * The length of time this element can be cached, as string.
- *
- * @var string|NULL
- */
- public $cacheDuration;
-
-
- /**
- * Extensions on this element.
- *
- * Array of extension elements.
- *
- * @var array
- */
- public $Extensions = array();
-
-
- /**
- * Array with all roles for this entity.
- *
- * Array of SAML2_XML_md_RoleDescriptor objects (and subclasses of RoleDescriptor).
- *
- * @var array
- */
- public $RoleDescriptor = array();
-
-
- /**
- * AffiliationDescriptor of this entity.
- *
- * @var SAML2_XML_md_AffiliationDescriptor|NULL
- */
- public $AffiliationDescriptor = NULL;
-
-
- /**
- * Organization of this entity.
- *
- * @var SAML2_XML_md_Organization|NULL
- */
- public $Organization = NULL;
-
-
- /**
- * ContactPerson elements for this entity.
- *
- * @var array
- */
- public $ContactPerson = array();
-
-
- /**
- * AdditionalMetadataLocation elements for this entity.
- *
- * @var array
- */
- public $AdditionalMetadataLocation = array();
-
-
- /**
- * Initialize an EntitiyDescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct($xml);
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('entityID')) {
- throw new Exception('Missing required attribute entityID on EntityDescriptor.');
- }
- $this->entityID = $xml->getAttribute('entityID');
-
- if ($xml->hasAttribute('ID')) {
- $this->ID = $xml->getAttribute('ID');
- }
- if ($xml->hasAttribute('validUntil')) {
- $this->validUntil = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('validUntil'));
- }
- if ($xml->hasAttribute('cacheDuration')) {
- $this->cacheDuration = $xml->getAttribute('cacheDuration');
- }
-
- $this->Extensions = SAML2_XML_md_Extensions::getList($xml);
-
- for ($node = $xml->firstChild; $node !== NULL; $node = $node->nextSibling) {
- if (!($node instanceof DOMElement)) {
- continue;
- }
-
- if ($node->namespaceURI !== SAML2_Const::NS_MD) {
- continue;
- }
-
- switch ($node->localName) {
- case 'RoleDescriptor':
- $this->RoleDescriptor[] = new SAML2_XML_md_UnknownRoleDescriptor($node);
- break;
- case 'IDPSSODescriptor':
- $this->RoleDescriptor[] = new SAML2_XML_md_IDPSSODescriptor($node);
- break;
- case 'SPSSODescriptor':
- $this->RoleDescriptor[] = new SAML2_XML_md_SPSSODescriptor($node);
- break;
- case 'AuthnAuthorityDescriptor':
- $this->RoleDescriptor[] = new SAML2_XML_md_AuthnAuthorityDescriptor($node);
- break;
- case 'AttributeAuthorityDescriptor':
- $this->RoleDescriptor[] = new SAML2_XML_md_AttributeAuthorityDescriptor($node);
- break;
- case 'PDPDescriptor':
- $this->RoleDescriptor[] = new SAML2_XML_md_PDPDescriptor($node);
- break;
- }
- }
-
- $affiliationDescriptor = SAML2_Utils::xpQuery($xml, './saml_metadata:AffiliationDescriptor');
- if (count($affiliationDescriptor) > 1) {
- throw new Exception('More than one AffiliationDescriptor in the entity.');
- } elseif (!empty($affiliationDescriptor)) {
- $this->AffiliationDescriptor = new SAML2_XML_md_AffiliationDescriptor($affiliationDescriptor[0]);
- }
-
- if (empty($this->RoleDescriptor) && is_null($this->AffiliationDescriptor)) {
- throw new Exception('Must have either one of the RoleDescriptors or an AffiliationDescriptor in EntityDescriptor.');
- } elseif (!empty($this->RoleDescriptor) && !is_null($this->AffiliationDescriptor)) {
- throw new Exception('AffiliationDescriptor cannot be combined with other RoleDescriptor elements in EntityDescriptor.');
- }
-
- $organization = SAML2_Utils::xpQuery($xml, './saml_metadata:Organization');
- if (count($organization) > 1) {
- throw new Exception('More than one Organization in the entity.');
- } elseif (!empty($organization)) {
- $this->Organization = new SAML2_XML_md_Organization($organization[0]);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:ContactPerson') as $cp) {
- $this->ContactPerson[] = new SAML2_XML_md_ContactPerson($cp);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AdditionalMetadataLocation') as $aml) {
- $this->AdditionalMetadataLocation[] = new SAML2_XML_md_AdditionalMetadataLocation($aml);
- }
- }
-
-
- /**
- * Create this EntityDescriptor.
- *
- * @param DOMElement|NULL $parent The EntitiesDescriptor we should append this EntityDescriptor to.
- */
- public function toXML(DOMElement $parent = NULL) {
- assert('is_string($this->entityID)');
- assert('is_null($this->ID) || is_string($this->ID)');
- assert('is_null($this->validUntil) || is_int($this->validUntil)');
- assert('is_null($this->cacheDuration) || is_string($this->cacheDuration)');
- assert('is_array($this->Extensions)');
- assert('is_array($this->RoleDescriptor)');
- assert('is_null($this->AffiliationDescriptor) || $this->AffiliationDescriptor instanceof SAML2_XML_md_AffiliationDescriptor');
- assert('is_null($this->Organization) || $this->Organization instanceof SAML2_XML_md_Organization');
- assert('is_array($this->ContactPerson)');
- assert('is_array($this->AdditionalMetadataLocation)');
-
- if ($parent === NULL) {
- $doc = new DOMDocument();
- $e = $doc->createElementNS(SAML2_Const::NS_MD, 'md:EntityDescriptor');
- $doc->appendChild($e);
- } else {
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_MD, 'md:EntityDescriptor');
- $parent->appendChild($e);
- }
-
- $e->setAttribute('entityID', $this->entityID);
-
- if (isset($this->ID)) {
- $e->setAttribute('ID', $this->ID);
- }
-
- if (isset($this->validUntil)) {
- $e->setAttribute('validUntil', gmdate('Y-m-d\TH:i:s\Z', $this->validUntil));
- }
-
- if (isset($this->cacheDuration)) {
- $e->setAttribute('cacheDuration', $this->cacheDuration);
- }
-
- SAML2_XML_md_Extensions::addList($e, $this->Extensions);
-
- foreach ($this->RoleDescriptor as $n) {
- $n->toXML($e);
- }
-
- if (isset($this->AffiliationDescriptor)) {
- $this->AffiliationDescriptor->toXML($e);
- }
-
- if (isset($this->Organization)) {
- $this->Organization->toXML($e);
- }
-
- foreach ($this->ContactPerson as $cp) {
- $cp->toXML($e);
- }
-
- foreach ($this->AdditionalMetadataLocation as $n) {
- $n->toXML($e);
- }
-
- $this->signElement($e, $e->firstChild);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/Extensions.php b/lib/SAML2/XML/md/Extensions.php
deleted file mode 100644
index 797bdaf09e3ffc13505d20ebfae3897708e27d80..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/Extensions.php
+++ /dev/null
@@ -1,62 +0,0 @@
-<?php
-
-/**
- * Class for handling SAML2 metadata extensions.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_Extensions {
-
- /**
- * Get a list of Extensions in the given element.
- *
- * @param DOMElement $parent The element that may contain the md:Extensions element.
- * @return array Array of extensions.
- */
- public static function getList(DOMElement $parent) {
-
- $ret = array();
- foreach (SAML2_Utils::xpQuery($parent, './saml_metadata:Extensions/*') as $node) {
- if ($node->namespaceURI === SAML2_XML_shibmd_Scope::NS && $node->localName === 'Scope') {
- $ret[] = new SAML2_XML_shibmd_Scope($node);
- } elseif ($node->namespaceURI === SAML2_XML_mdattr_EntityAttributes::NS && $node->localName === 'EntityAttributes') {
- $ret[] = new SAML2_XML_mdattr_EntityAttributes($node);
- } elseif ($node->namespaceURI === SAML2_XML_mdrpi_Common::NS_MDRPI && $node->localName === 'RegistrationInfo') {
- $ret[] = new SAML2_XML_mdrpi_RegistrationInfo($node);
- } elseif ($node->namespaceURI === SAML2_XML_mdrpi_Common::NS_MDRPI && $node->localName === 'PublicationInfo') {
- $ret[] = new SAML2_XML_mdrpi_PublicationInfo($node);
- } elseif ($node->namespaceURI === SAML2_XML_mdui_UIInfo::NS && $node->localName === 'UIInfo') {
- $ret[] = new SAML2_XML_mdui_UIInfo($node);
- } elseif ($node->namespaceURI === SAML2_XML_mdui_DiscoHints::NS && $node->localName === 'DiscoHints') {
- $ret[] = new SAML2_XML_mdui_DiscoHints($node);
- } else {
- $ret[] = new SAML2_XML_Chunk($node);
- }
- }
-
- return $ret;
- }
-
-
- /**
- * Add a list of Extensions to the given element.
- *
- * @param DOMElement $parent The element we should add the extensions to.
- * @param array $extensions List of extension objects.
- */
- public static function addList(DOMElement $parent, array $extensions) {
-
- if (empty($extensions)) {
- return;
- }
-
- $extElement = $parent->ownerDocument->createElementNS(SAML2_Const::NS_MD, 'md:Extensions');
- $parent->appendChild($extElement);
-
- foreach ($extensions as $ext) {
- $ext->toXML($extElement);
- }
- }
-
-}
diff --git a/lib/SAML2/XML/md/IDPSSODescriptor.php b/lib/SAML2/XML/md/IDPSSODescriptor.php
deleted file mode 100644
index 0479d98123231e5880c8d3e2b1383bf0fb95ce15..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/IDPSSODescriptor.php
+++ /dev/null
@@ -1,145 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 IDPSSODescriptor.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_IDPSSODescriptor extends SAML2_XML_md_SSODescriptorType {
-
- /**
- * Whether AuthnRequests sent to this IdP should be signed.
- *
- * @var bool|NULL
- */
- public $WantAuthnRequestsSigned = NULL;
-
-
- /**
- * List of SingleSignOnService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $SingleSignOnService = array();
-
-
- /**
- * List of NameIDMappingService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $NameIDMappingService = array();
-
-
- /**
- * List of AssertionIDRequestService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AssertionIDRequestService = array();
-
-
- /**
- * List of supported attribute profiles.
- *
- * Array with strings.
- *
- * @var array
- */
- public $AttributeProfile = array();
-
-
- /**
- * List of supported attributes.
- *
- * Array with SAML2_XML_saml_Attribute objects.
- *
- * @var array
- */
- public $Attribute = array();
-
-
- /**
- * Initialize an IDPSSODescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('md:IDPSSODescriptor', $xml);
-
- if ($xml === NULL) {
- return;
- }
-
- $this->WantAuthnRequestsSigned = SAML2_Utils::parseBoolean($xml, 'WantAuthnRequestsSigned', NULL);
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:SingleSignOnService') as $ep) {
- $this->SingleSignOnService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:NameIDMappingService') as $ep) {
- $this->NameIDMappingService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AssertionIDRequestService') as $ep) {
- $this->AssertionIDRequestService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- $this->AttributeProfile = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'AttributeProfile');
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_assertion:Attribute') as $a) {
- $this->Attribute[] = new SAML2_XML_saml_Attribute($a);
- }
- }
-
-
- /**
- * Add this IDPSSODescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this IDPSSODescriptor to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_null($this->WantAuthnRequestsSigned) || is_bool($this->WantAuthnRequestsSigned)');
- assert('is_array($this->SingleSignOnService)');
- assert('is_array($this->NameIDMappingService)');
- assert('is_array($this->AssertionIDRequestService)');
- assert('is_array($this->AttributeProfile)');
- assert('is_array($this->Attribute)');
-
- $e = parent::toXML($parent);
-
- if ($this->WantAuthnRequestsSigned === TRUE) {
- $e->setAttribute('WantAuthnRequestsSigned', 'true');
- } elseif ($this->WantAuthnRequestsSigned === FALSE) {
- $e->setAttribute('WantAuthnRequestsSigned', 'false');
- }
-
- foreach ($this->SingleSignOnService as $ep) {
- $ep->toXML($e, 'md:SingleSignOnService');
- }
-
- foreach ($this->NameIDMappingService as $ep) {
- $ep->toXML($e, 'md:NameIDMappingService');
- }
-
- foreach ($this->AssertionIDRequestService as $ep) {
- $ep->toXML($e, 'md:AssertionIDRequestService');
- }
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:AttributeProfile', FALSE, $this->AttributeProfile);
-
- foreach ($this->Attribute as $a) {
- $a->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/IndexedEndpointType.php b/lib/SAML2/XML/md/IndexedEndpointType.php
deleted file mode 100644
index c0191525c945d2bcf935cbbad1747a31b48101ab..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/IndexedEndpointType.php
+++ /dev/null
@@ -1,71 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 IndexedEndpointType.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_IndexedEndpointType extends SAML2_XML_md_EndpointType {
-
- /**
- * The index for this endpoint.
- *
- * @var int
- */
- public $index;
-
-
- /**
- * Whether this endpoint is the default.
- *
- * @var bool|NULL
- */
- public $isDefault = NULL;
-
-
- /**
- * Initialize an IndexedEndpointType.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct($xml);
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('index')) {
- throw new Exception('Missing index on ' . $xml->tagName);
- }
- $this->index = (int)$xml->getAttribute('index');
-
- $this->isDefault = SAML2_Utils::parseBoolean($xml, 'isDefault', NULL);
- }
-
-
- /**
- * Add this endpoint to an XML element.
- *
- * @param DOMElement $parent The element we should append this endpoint to.
- * @param string $name The name of the element we should create.
- */
- public function toXML(DOMElement $parent, $name) {
- assert('is_string($name)');
- assert('is_int($this->index)');
- assert('is_null($this->isDefault) || is_bool($this->isDefault)');
-
- $e = parent::toXML($parent, $name);
- $e->setAttribute('index', (string)$this->index);
-
- if ($this->isDefault === TRUE) {
- $e->setAttribute('isDefault', 'true');
- } elseif ($this->isDefault === FALSE) {
- $e->setAttribute('isDefault', 'false');
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/KeyDescriptor.php b/lib/SAML2/XML/md/KeyDescriptor.php
deleted file mode 100644
index aeaffe9a53cc424fd19c24cf475f6fa9c010a39d..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/KeyDescriptor.php
+++ /dev/null
@@ -1,97 +0,0 @@
-<?php
-
-/**
- * Class representing a KeyDescriptor element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_KeyDescriptor {
-
- /**
- * What this key can be used for.
- *
- * 'encryption', 'signing' or NULL.
- *
- * @var string|NULL
- */
- public $use;
-
-
- /**
- * The KeyInfo for this key.
- *
- * @var SAML2_XML_ds_KeyInfo
- */
- public $KeyInfo;
-
-
- /**
- * Supported EncryptionMethods.
- *
- * Array of SAML2_XML_Chunk objects.
- *
- * @var array
- */
- public $EncryptionMethod = array();
-
-
- /**
- * Initialize an KeyDescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('use')) {
- $this->use = $xml->getAttribute('use');
- }
-
- $keyInfo = SAML2_Utils::xpQuery($xml, './ds:KeyInfo');
- if (count($keyInfo) > 1) {
- throw new Exception('More than one ds:KeyInfo in the KeyDescriptor.');
- } elseif (empty($keyInfo)) {
- throw new Exception('No ds:KeyInfo in the KeyDescriptor.');
- }
- $this->KeyInfo = new SAML2_XML_ds_KeyInfo($keyInfo[0]);
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:EncryptionMethod') as $em) {
- $this->EncryptionMethod[] = new SAML2_XML_Chunk($em);
- }
-
- }
-
-
- /**
- * Convert this KeyDescriptor to XML.
- *
- * @param DOMElement $parent The element we should append this KeyDescriptor to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_null($this->use) || is_string($this->use)');
- assert('$this->KeyInfo instanceof SAML2_XML_ds_KeyInfo');
- assert('is_array($this->EncryptionMethod)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_Const::NS_MD, 'md:KeyDescriptor');
- $parent->appendChild($e);
-
- if (isset($this->use)) {
- $e->setAttribute('use', $this->use);
- }
-
- $this->KeyInfo->toXML($e);
-
- foreach ($this->EncryptionMethod as $em) {
- $em->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/Organization.php b/lib/SAML2/XML/md/Organization.php
deleted file mode 100644
index 5ceaeed5bca1dcce75757ca44468feaadaf84bba..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/Organization.php
+++ /dev/null
@@ -1,105 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 Organization element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_Organization {
-
- /**
- * Extensions on this element.
- *
- * Array of extension elements.
- *
- * @var array
- */
- public $Extensions = array();
-
-
- /**
- * The OrganizationName, as an array of language => translation.
- *
- * @var array
- */
- public $OrganizationName = array();
-
-
- /**
- * The OrganizationDisplayName, as an array of language => translation.
- *
- * @var array
- */
- public $OrganizationDisplayName = array();
-
-
- /**
- * The OrganizationURL, as an array of language => translation.
- *
- * @var array
- */
- public $OrganizationURL = array();
-
-
- /**
- * Initialize an Organization element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- $this->Extensions = SAML2_XML_md_Extensions::getList($xml);
-
-
- $this->OrganizationName = SAML2_Utils::extractLocalizedStrings($xml, SAML2_Const::NS_MD, 'OrganizationName');
- if (empty($this->OrganizationName)) {
- $this->OrganizationName = array('invalid' => '');
- }
-
- $this->OrganizationDisplayName = SAML2_Utils::extractLocalizedStrings($xml, SAML2_Const::NS_MD, 'OrganizationDisplayName');
- if (empty($this->OrganizationDisplayName)) {
- $this->OrganizationDisplayName = array('invalid' => '');
- }
-
- $this->OrganizationURL = SAML2_Utils::extractLocalizedStrings($xml, SAML2_Const::NS_MD, 'OrganizationURL');
- if (empty($this->OrganizationURL)) {
- $this->OrganizationURL = array('invalid' => '');
- }
- }
-
-
- /**
- * Convert this Organization to XML.
- *
- * @param DOMElement $parent The element we should add this organization to.
- * @return DOMElement This Organization-element.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->Extensions)');
- assert('is_array($this->OrganizationName)');
- assert('!empty($this->OrganizationName)');
- assert('is_array($this->OrganizationDisplayName)');
- assert('!empty($this->OrganizationDisplayName)');
- assert('is_array($this->OrganizationURL)');
- assert('!empty($this->OrganizationURL)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_Const::NS_MD, 'md:Organization');
- $parent->appendChild($e);
-
- SAML2_XML_md_Extensions::addList($e, $this->Extensions);
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:OrganizationName', TRUE, $this->OrganizationName);
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:OrganizationDisplayName', TRUE, $this->OrganizationDisplayName);
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:OrganizationURL', TRUE, $this->OrganizationURL);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/PDPDescriptor.php b/lib/SAML2/XML/md/PDPDescriptor.php
deleted file mode 100644
index f09d054cd1469d8e58e8b8258811cb46102358d6..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/PDPDescriptor.php
+++ /dev/null
@@ -1,94 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 metadata PDPDescriptor.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_PDPDescriptor extends SAML2_XML_md_RoleDescriptor {
-
- /**
- * List of AuthzService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AuthzService = array();
-
-
- /**
- * List of AssertionIDRequestService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $AssertionIDRequestService = array();
-
-
- /**
- * List of supported NameID formats.
- *
- * Array of strings.
- *
- * @var array
- */
- public $NameIDFormat = array();
-
-
- /**
- * Initialize an IDPSSODescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('md:PDPDescriptor', $xml);
-
- if ($xml === NULL) {
- return;
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AuthzService') as $ep) {
- $this->AuthzService[] = new SAML2_XML_md_EndpointType($ep);
- }
- if (empty($this->AuthzService)) {
- throw new Exception('Must have at least one AuthzService in PDPDescriptor.');
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AssertionIDRequestService') as $ep) {
- $this->AssertionIDRequestService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- $this->NameIDFormat = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'NameIDFormat');
- }
-
-
- /**
- * Add this PDPDescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this IDPSSODescriptor to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->AuthzService)');
- assert('!empty($this->AuthzService)');
- assert('is_array($this->AssertionIDRequestService)');
- assert('is_array($this->NameIDFormat)');
-
- $e = parent::toXML($parent);
-
- foreach ($this->AuthzService as $ep) {
- $ep->toXML($e, 'md:AuthzService');
- }
-
- foreach ($this->AssertionIDRequestService as $ep) {
- $ep->toXML($e, 'md:AssertionIDRequestService');
- }
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:NameIDFormat', FALSE, $this->NameIDFormat);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/RequestedAttribute.php b/lib/SAML2/XML/md/RequestedAttribute.php
deleted file mode 100644
index 124a25daa2139633865241a4d6f9116dc54462e8..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/RequestedAttribute.php
+++ /dev/null
@@ -1,54 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 metadata RequestedAttribute.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_RequestedAttribute extends SAML2_XML_saml_Attribute {
-
- /**
- * Whether this attribute is required.
- *
- * @var bool|NULL
- */
- public $isRequired = NULL;
-
-
- /**
- * Initialize an RequestedAttribute.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct($xml);
-
- if ($xml === NULL) {
- return;
- }
-
- $this->isRequired = SAML2_Utils::parseBoolean($xml, 'isRequired', NULL);
- }
-
-
- /**
- * Convert this RequestedAttribute to XML.
- *
- * @param DOMElement $parent The element we should append this RequestedAttribute to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_bool($this->isRequired) || is_null($this->isRequired)');
-
- $e = $this->toXMLInternal($parent, SAML2_Const::NS_MD, 'md:RequestedAttribute');
-
- if ($this->isRequired === TRUE) {
- $e->setAttribute('isRequired', 'true');
- } elseif ($this->isRequired === FALSE) {
- $e->setAttribute('isRequired', 'false');
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/RoleDescriptor.php b/lib/SAML2/XML/md/RoleDescriptor.php
deleted file mode 100644
index 346d34cc1376419d54f29c1c775dc212e24b93d0..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/RoleDescriptor.php
+++ /dev/null
@@ -1,208 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 RoleDescriptor element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_RoleDescriptor extends SAML2_SignedElementHelper {
-
- /**
- * The name of this descriptor element.
- *
- * @var string
- */
- private $elementName;
-
-
- /**
- * The ID of this element.
- *
- * @var string|NULL
- */
- public $ID;
-
-
- /**
- * How long this element is valid, as a unix timestamp.
- *
- * @var int|NULL
- */
- public $validUntil;
-
-
- /**
- * The length of time this element can be cached, as string.
- *
- * @var string|NULL
- */
- public $cacheDuration;
-
-
- /**
- * List of supported protocols.
- *
- * @var array
- */
- public $protocolSupportEnumeration = array();
-
-
- /**
- * Error URL for this role.
- *
- * @var string|NULL
- */
- public $errorURL;
-
-
- /**
- * Extensions on this element.
- *
- * Array of extension elements.
- *
- * @var array
- */
- public $Extensions = array();
-
-
- /**
- * KeyDescriptor elements.
- *
- * Array of SAML2_XML_md_KeyDescriptor elements.
- *
- * @var array
- */
- public $KeyDescriptor = array();
-
-
- /**
- * Organization of this role.
- *
- * @var SAML2_XML_md_Organization|NULL
- */
- public $Organization = NULL;
-
-
- /**
- * ContactPerson elements for this role.
- *
- * Array of SAML2_XML_md_ContactPerson objects.
- *
- * @var array
- */
- public $ContactPerson = array();
-
-
- /**
- * Initialize a RoleDescriptor.
- *
- * @param string $elementName The name of this element.
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- protected function __construct($elementName, DOMElement $xml = NULL) {
- assert('is_string($elementName)');
-
- parent::__construct($xml);
- $this->elementName = $elementName;
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('ID')) {
- $this->ID = $xml->getAttribute('ID');
- }
- if ($xml->hasAttribute('validUntil')) {
- $this->validUntil = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('validUntil'));
- }
- if ($xml->hasAttribute('cacheDuration')) {
- $this->cacheDuration = $xml->getAttribute('cacheDuration');
- }
-
- if (!$xml->hasAttribute('protocolSupportEnumeration')) {
- throw new Exception('Missing protocolSupportEnumeration attribute on ' . $xml->localName);
- }
- $this->protocolSupportEnumeration = preg_split('/[\s]+/', $xml->getAttribute('protocolSupportEnumeration'));
-
- if ($xml->hasAttribute('errorURL')) {
- $this->errorURL = $xml->getAttribute('errorURL');
- }
-
-
- $this->Extensions = SAML2_XML_md_Extensions::getList($xml);
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:KeyDescriptor') as $kd) {
- $this->KeyDescriptor[] = new SAML2_XML_md_KeyDescriptor($kd);
- }
-
- $organization = SAML2_Utils::xpQuery($xml, './saml_metadata:Organization');
- if (count($organization) > 1) {
- throw new Exception('More than one Organization in the entity.');
- } elseif (!empty($organization)) {
- $this->Organization = new SAML2_XML_md_Organization($organization[0]);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:ContactPerson') as $cp) {
- $this->contactPersons[] = new SAML2_XML_md_ContactPerson($cp);
- }
- }
-
-
- /**
- * Add this RoleDescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this endpoint to.
- * @param string $name The name of the element we should create.
- */
- protected function toXML(DOMElement $parent) {
- assert('is_null($this->ID) || is_string($this->ID)');
- assert('is_null($this->validUntil) || is_int($this->validUntil)');
- assert('is_null($this->cacheDuration) || is_string($this->cacheDuration)');
- assert('is_array($this->protocolSupportEnumeration)');
- assert('is_null($this->errorURL) || is_string($this->errorURL)');
- assert('is_array($this->Extensions)');
- assert('is_array($this->KeyDescriptor)');
- assert('is_null($this->Organization) || $this->Organization instanceof SAML2_XML_md_Organization');
- assert('is_array($this->ContactPerson)');
-
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_MD, $this->elementName);
- $parent->appendChild($e);
-
- if (isset($this->ID)) {
- $e->setAttribute('ID', $this->ID);
- }
-
- if (isset($this->validUntil)) {
- $e->setAttribute('validUntil', gmdate('Y-m-d\TH:i:s\Z', $this->validUntil));
- }
-
- if (isset($this->cacheDuration)) {
- $e->setAttribute('cacheDuration', $this->cacheDuration);
- }
-
- $e->setAttribute('protocolSupportEnumeration', implode(' ', $this->protocolSupportEnumeration));
-
- if (isset($this->errorURL)) {
- $e->setAttribute('errorURL', $this->errorURL);
- }
-
-
- SAML2_XML_md_Extensions::addList($e, $this->Extensions);
-
- foreach ($this->KeyDescriptor as $kd) {
- $kd->toXML($e);
- }
-
- if (isset($this->Organization)) {
- $this->Organization->toXML($e);
- }
-
- foreach ($this->ContactPerson as $cp) {
- $cp->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/SPSSODescriptor.php b/lib/SAML2/XML/md/SPSSODescriptor.php
deleted file mode 100644
index da7077e0028d6ff82d31314867d72141c2a5f72b..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/SPSSODescriptor.php
+++ /dev/null
@@ -1,107 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 SPSSODescriptor.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_SPSSODescriptor extends SAML2_XML_md_SSODescriptorType {
-
- /**
- * Whether this SP signs authentication requests.
- *
- * @var bool|NULL
- */
- public $AuthnRequestsSigned = NULL;
-
-
- /**
- * Whether this SP wants the Assertion elements to be signed.
- *
- * @var bool|NULL
- */
- public $WantAssertionsSigned = NULL;
-
-
- /**
- * List of AssertionConsumerService endpoints for this SP.
- *
- * Array with IndexedEndpointType objects.
- *
- * @var array
- */
- public $AssertionConsumerService = array();
-
-
- /**
- * List of AttributeConsumingService descriptors for this SP.
- *
- * Array with SAML2_XML_md_AttribteConsumingService objects.
- *
- * @var array
- */
- public $AttributeConsumingService = array();
-
-
- /**
- * Initialize a SPSSODescriptor.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
- parent::__construct('md:SPSSODescriptor', $xml);
-
- if ($xml === NULL) {
- return;
- }
-
- $this->AuthnRequestsSigned = SAML2_Utils::parseBoolean($xml, 'AuthnRequestsSigned', NULL);
- $this->WantAssertionsSigned = SAML2_Utils::parseBoolean($xml, 'WantAssertionsSigned', NULL);
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AssertionConsumerService') as $ep) {
- $this->AssertionConsumerService[] = new SAML2_XML_md_IndexedEndpointType($ep);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:AttributeConsumingService') as $acs) {
- $this->AttributeConsumingService[] = new SAML2_XML_md_AttributeConsumingService($acs);
- }
- }
-
-
- /**
- * Add this SPSSODescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this SPSSODescriptor to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_null($this->AuthnRequestsSigned) || is_bool($this->AuthnRequestsSigned)');
- assert('is_null($this->WantAssertionsSigned) || is_bool($this->WantAssertionsSigned)');
- assert('is_array($this->AssertionConsumerService)');
- assert('is_array($this->AttributeConsumingService)');
-
- $e = parent::toXML($parent);
-
- if ($this->AuthnRequestsSigned === TRUE) {
- $e->setAttribute('AuthnRequestsSigned', 'true');
- } elseif ($this->AuthnRequestsSigned === FALSE) {
- $e->setAttribute('AuthnRequestsSigned', 'false');
- }
-
- if ($this->WantAssertionsSigned === TRUE) {
- $e->setAttribute('WantAssertionsSigned', 'true');
- } elseif ($this->WantAssertionsSigned === FALSE) {
- $e->setAttribute('WantAssertionsSigned', 'false');
- }
-
-
- foreach ($this->AssertionConsumerService as $ep) {
- $ep->toXML($e, 'md:AssertionConsumerService');
- }
-
- foreach ($this->AttributeConsumingService as $acs) {
- $acs->toXML($e);
- }
- }
-
-}
diff --git a/lib/SAML2/XML/md/SSODescriptorType.php b/lib/SAML2/XML/md/SSODescriptorType.php
deleted file mode 100644
index bdb8e965ff69b5d2550e632463bce734e6d3fe9c..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/SSODescriptorType.php
+++ /dev/null
@@ -1,114 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 SSODescriptorType.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-abstract class SAML2_XML_md_SSODescriptorType extends SAML2_XML_md_RoleDescriptor {
-
- /**
- * List of ArtifactResolutionService endpoints.
- *
- * Array with IndexedEndpointType objects.
- *
- * @var array
- */
- public $ArtifactResolutionService = array();
-
-
- /**
- * List of SingleLogoutService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $SingleLogoutService = array();
-
-
- /**
- * List of ManageNameIDService endpoints.
- *
- * Array with EndpointType objects.
- *
- * @var array
- */
- public $ManageNameIDService = array();
-
-
- /**
- * List of supported NameID formats.
- *
- * Array of strings.
- *
- * @var array
- */
- public $NameIDFormat = array();
-
-
- /**
- * Initialize a SSODescriptor.
- *
- * @param string $elementName The name of this element.
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- protected function __construct($elementName, DOMElement $xml = NULL) {
- assert('is_string($elementName)');
-
- parent::__construct($elementName, $xml);
-
- if ($xml === NULL) {
- return;
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:ArtifactResolutionService') as $ep) {
- $this->ArtifactResolutionService[] = new SAML2_XML_md_IndexedEndpointType($ep);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:SingleLogoutService') as $ep) {
- $this->SingleLogoutService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_metadata:ManageNameIDService') as $ep) {
- $this->ManageNameIDService[] = new SAML2_XML_md_EndpointType($ep);
- }
-
- $this->NameIDFormat = SAML2_Utils::extractStrings($xml, SAML2_Const::NS_MD, 'NameIDFormat');
- }
-
-
- /**
- * Add this SSODescriptorType to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this SSODescriptorType to.
- * @param string $name The name of the element we should create.
- * @return DOMElement The generated SSODescriptor DOMElement.
- */
- protected function toXML(DOMElement $parent) {
- assert('is_array($this->ArtifactResolutionService)');
- assert('is_array($this->SingleLogoutService)');
- assert('is_array($this->ManageNameIDService)');
- assert('is_array($this->NameIDFormat)');
-
- $e = parent::toXML($parent);
-
- foreach ($this->ArtifactResolutionService as $ep) {
- $ep->toXML($e, 'md:ArtifactResolutionService');
- }
-
- foreach ($this->SingleLogoutService as $ep) {
- $ep->toXML($e, 'md:SingleLogoutService');
- }
-
- foreach ($this->ManageNameIDService as $ep) {
- $ep->toXML($e, 'md:ManageNameIDService');
- }
-
- SAML2_Utils::addStrings($e, SAML2_Const::NS_MD, 'md:NameIDFormat', FALSE, $this->NameIDFormat);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/md/UnknownRoleDescriptor.php b/lib/SAML2/XML/md/UnknownRoleDescriptor.php
deleted file mode 100644
index 66e3a7986a643a46ca52afbe9dfcb44b820ec529..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/md/UnknownRoleDescriptor.php
+++ /dev/null
@@ -1,41 +0,0 @@
-<?php
-
-/**
- * Class representing unknown RoleDescriptors.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_md_UnknownRoleDescriptor extends SAML2_XML_md_RoleDescriptor {
-
- /**
- * This RoleDescriptor as XML
- *
- * @var SAML2_XML_Chunk
- */
- private $xml;
-
-
- /**
- * Initialize an unknown RoleDescriptor.
- *
- * @param DOMElement $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml) {
- parent::__construct('md:RoleDescriptor', $xml);
-
- $this->xml = new SAML2_XML_Chunk($xml);
- }
-
-
- /**
- * Add this RoleDescriptor to an EntityDescriptor.
- *
- * @param DOMElement $parent The EntityDescriptor we should append this RoleDescriptor to.
- */
- public function toXML(DOMElement $parent) {
-
- $this->xml->toXML($parent);
- }
-
-}
diff --git a/lib/SAML2/XML/mdattr/EntityAttributes.php b/lib/SAML2/XML/mdattr/EntityAttributes.php
deleted file mode 100644
index 93590081cde847bed2334e5864e5599099d74761..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdattr/EntityAttributes.php
+++ /dev/null
@@ -1,72 +0,0 @@
-<?php
-
-/**
- * Class for handling the EntityAttributes metadata extension.
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-attr-cs-01.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdattr_EntityAttributes {
-
- /**
- * The namespace used for the EntityAttributes extension.
- */
- const NS = 'urn:oasis:names:tc:SAML:metadata:attribute';
-
-
- /**
- * Array with child elements.
- *
- * The elements can be SAML2_XML_saml_Attribute or SAML2_XML_Chunk elements.
- *
- * @var array
- */
- public $children;
-
-
- /**
- * Create a EntityAttributes element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_assertion:Attribute|./saml_assertion:Assertion') as $node) {
- if ($node->localName === 'Attribute') {
- $this->children[] = new SAML2_XML_saml_Attribute($node);
- } else {
- $this->children[] = new SAML2_XML_Chunk($node);
- }
- }
-
- }
-
-
- /**
- * Convert this EntityAttributes to XML.
- *
- * @param DOMElement $parent The element we should append to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->children)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_XML_mdattr_EntityAttributes::NS, 'mdattr:EntityAttributes');
- $parent->appendChild($e);
-
- if (!empty($this->children)) {
- foreach ($this->children as $child) {
- $child->toXML($e);
- }
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/mdrpi/Common.php b/lib/SAML2/XML/mdrpi/Common.php
deleted file mode 100644
index f6a4dc3d3976955ec9f5609a28098e87e6affb03..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdrpi/Common.php
+++ /dev/null
@@ -1,14 +0,0 @@
-<?php
-
-/**
- * Common definitions for the mdrpi metadata extension.
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdrpi_Common {
-
- const NS_MDRPI = 'urn:oasis:names:tc:SAML:metadata:rpi';
-
-}
diff --git a/lib/SAML2/XML/mdrpi/PublicationInfo.php b/lib/SAML2/XML/mdrpi/PublicationInfo.php
deleted file mode 100644
index bf6bff8d39d6f876fe9b3c81dcb67c756ea4532f..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdrpi/PublicationInfo.php
+++ /dev/null
@@ -1,102 +0,0 @@
-<?php
-
-/**
- * Class for handling the mdrpi:PublicationInfo element.
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdrpi_PublicationInfo {
-
- /**
- * The identifier of the metadata publisher.
- *
- * @var string
- */
- public $publisher;
-
- /**
- * The creation timestamp for the metadata, as a UNIX timestamp.
- *
- * @var int|NULL
- */
- public $creationInstant;
-
- /**
- * Identifier for this metadata publication.
- *
- * @var string|NULL
- */
- public $publicationId;
-
- /**
- * Link to usage policy for this metadata.
- *
- * This is an associative array with language=>URL.
- *
- * @var array
- */
- public $UsagePolicy = array();
-
-
- /**
- * Create/parse a mdrpi:PublicationInfo element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('publisher')) {
- throw new Exception('Missing required attribute "publisher" in mdrpi:PublicationInfo element.');
- }
- $this->publisher = $xml->getAttribute('publisher');
-
- if ($xml->hasAttribute('creationInstant')) {
- $this->creationInstant = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('creationInstant'));
- }
-
- if ($xml->hasAttribute('publicationId')) {
- $this->publicationId = $xml->getAttribute('publicationId');
- }
-
- $this->UsagePolicy = SAML2_Utils::extractLocalizedStrings($xml, SAML2_XML_mdrpi_Common::NS_MDRPI, 'UsagePolicy');
- }
-
-
- /**
- * Convert this element to XML.
- *
- * @param DOMElement $parent The element we should append to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->publisher)');
- assert('is_int($this->creationInstant) || is_null($this->creationInstant)');
- assert('is_string($this->publicationId) || is_null($this->publicationId)');
- assert('is_array($this->UsagePolicy)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_XML_mdrpi_Common::NS_MDRPI, 'mdrpi:PublicationInfo');
- $parent->appendChild($e);
-
- $e->setAttribute('publisher', $this->publisher);
-
- if ($this->creationInstant !== NULL) {
- $e->setAttribute('creationInstant', gmdate('Y-m-d\TH:i:s\Z', $this->creationInstant));
- }
-
- if ($this->publicationId !== NULL) {
- $e->setAttribute('publicationId', $this->publicationId);
- }
-
- SAML2_Utils::addStrings($e, SAML2_XML_mdrpi_Common::NS_MDRPI, 'mdrpi:UsagePolicy', TRUE, $this->UsagePolicy);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/mdrpi/RegistrationInfo.php b/lib/SAML2/XML/mdrpi/RegistrationInfo.php
deleted file mode 100644
index 4bb334a4d038c14ec44895c08cae2015b10b9656..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdrpi/RegistrationInfo.php
+++ /dev/null
@@ -1,86 +0,0 @@
-<?php
-
-/**
- * Class for handling the mdrpi:RegistrationInfo element.
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/saml-metadata-rpi/v1.0/saml-metadata-rpi-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdrpi_RegistrationInfo {
-
- /**
- * The identifier of the metadata registration authority.
- *
- * @var string
- */
- public $registrationAuthority;
-
- /**
- * The registration timestamp for the metadata, as a UNIX timestamp.
- *
- * @var int|NULL
- */
- public $registrationInstant;
-
- /**
- * Link to registration policy for this metadata.
- *
- * This is an associative array with language=>URL.
- *
- * @var array
- */
- public $RegistrationPolicy = array();
-
-
- /**
- * Create/parse a mdrpi:RegistrationInfo element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('registrationAuthority')) {
- throw new Exception('Missing required attribute "registrationAuthority" in mdrpi:RegistrationInfo element.');
- }
- $this->registrationAuthority = $xml->getAttribute('registrationAuthority');
-
- if ($xml->hasAttribute('registrationInstant')) {
- $this->registrationInstant = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('registrationInstant'));
- }
-
- $this->RegistrationPolicy = SAML2_Utils::extractLocalizedStrings($xml, SAML2_XML_mdrpi_Common::NS_MDRPI, 'RegistrationPolicy');
- }
-
-
- /**
- * Convert this element to XML.
- *
- * @param DOMElement $parent The element we should append to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->registrationAuthority)');
- assert('is_int($this->registrationInstant) || is_null($this->registrationInstant)');
- assert('is_array($this->RegistrationPolicy)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_XML_mdrpi_Common::NS_MDRPI, 'mdrpi:RegistrationInfo');
- $parent->appendChild($e);
-
- $e->setAttribute('registrationAuthority', $this->registrationAuthority);
-
- if ($this->registrationInstant !== NULL) {
- $e->setAttribute('registrationInstant', gmdate('Y-m-d\TH:i:s\Z', $this->registrationInstant));
- }
-
- SAML2_Utils::addStrings($e, SAML2_XML_mdrpi_Common::NS_MDRPI, 'mdrpi:RegistrationPolicy', TRUE, $this->RegistrationPolicy);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/mdui/DiscoHints.php b/lib/SAML2/XML/mdui/DiscoHints.php
deleted file mode 100644
index 8ff510d96fb50a98f6994698248a9ee54bbea46e..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdui/DiscoHints.php
+++ /dev/null
@@ -1,106 +0,0 @@
-<?php
-
-/**
- * Class for handling the metadata extensions for login and discovery user interface
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdui_DiscoHints {
-
- /**
- * The namespace used for the DiscoHints extension.
- */
- const NS = 'urn:oasis:names:tc:SAML:metadata:ui';
-
-
- /**
- * Array with child elements.
- *
- * The elements can be any of the other SAML2_XML_mdui_* elements.
- *
- * @var array
- */
- public $children = array();
-
-
- /**
- * The IPHint, as an array of strings.
- *
- * @var array
- */
- public $IPHint = array();
-
-
- /**
- * The DomainHint, as an array of strings.
- *
- * @var array
- */
- public $DomainHint = array();
-
-
- /**
- * The GeolocationHint, as an array of strings.
- *
- * @var array
- */
- public $GeolocationHint = array();
-
- /**
- * Create a DiscoHints element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- $this->IPHint = SAML2_Utils::extractStrings($xml, self::NS, 'IPHint');
- $this->DomainHint = SAML2_Utils::extractStrings($xml, self::NS, 'DomainHint');
- $this->GeolocationHint = SAML2_Utils::extractStrings($xml, self::NS, 'GeolocationHint');
-
- foreach (SAML2_Utils::xpQuery($xml, "./*[namespace-uri()!='".self::NS."']") as $node) {
- $this->children[] = new SAML2_XML_Chunk($node);
- }
- }
-
-
- /**
- * Convert this DiscoHints to XML.
- *
- * @param DOMElement $parent The element we should append to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->IPHint)');
- assert('is_array($this->DomainHint)');
- assert('is_array($this->GeolocationHint)');
- assert('is_array($this->children)');
-
- if (!empty($this->IPHint)
- || !empty($this->DomainHint)
- || !empty($this->GeolocationHint)
- || !empty($this->children)) {
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(self::NS, 'mdui:DiscoHints');
- $parent->appendChild($e);
-
- if (!empty($this->children)) {
- foreach ($this->children as $child) {
- $child->toXML($e);
- }
- }
-
- SAML2_Utils::addStrings($e, self::NS, 'mdui:IPHint', FALSE, $this->IPHint);
- SAML2_Utils::addStrings($e, self::NS, 'mdui:DomainHint', FALSE, $this->DomainHint);
- SAML2_Utils::addStrings($e, self::NS, 'mdui:GeolocationHint', FALSE, $this->GeolocationHint);
-
- return $e;
- }
- }
-
-}
diff --git a/lib/SAML2/XML/mdui/Keywords.php b/lib/SAML2/XML/mdui/Keywords.php
deleted file mode 100644
index 161f5e97341a48a298378259c626c80ead4356e0..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdui/Keywords.php
+++ /dev/null
@@ -1,80 +0,0 @@
-<?php
-
-/**
- * Class for handling the Keywords metadata extensions for login and discovery user interface
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdui_Keywords {
-
- /**
- * The keywords of this item.
- *
- * @var string
- */
- public $Keywords;
-
-
- /**
- * The language of this item.
- *
- * @var string
- */
- public $lang;
-
-
- /**
- * Initialize a Keywords.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('xml:lang')) {
- throw new Exception('Missing lang on Keywords.');
- }
- if (!is_string($xml->textContent) || !strlen($xml->textContent)) {
- throw new Exception('Missing value for Keywords.');
- }
- $this->Keywords = array();
- foreach (explode(' ', $xml->textContent) as $keyword) {
- $this->Keywords[] = str_replace('+', ' ', $keyword);
- }
- $this->lang = $xml->getAttribute('xml:lang');
- }
-
-
- /**
- * Convert this Keywords to XML.
- *
- * @param DOMElement $parent The element we should append this Keywords to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->lang)');
- assert('is_array($this->Keywords)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_XML_mdui_UIInfo::NS, 'mdui:Keywords');
- $e->setAttribute('xml:lang', $this->lang);
- $value = '';
- foreach ($this->Keywords as $keyword) {
- if (strpos($keyword, "+") !== false) {
- throw new Exception('Keywords may not contain a "+" character.');
- }
- $value .= str_replace(' ', '+', $keyword) . ' ';
- }
- $value = rtrim($value);
- $e->appendChild($doc->createTextNode($value));
- $parent->appendChild($e);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/mdui/Logo.php b/lib/SAML2/XML/mdui/Logo.php
deleted file mode 100644
index 93bcf533404838cb4b64ac61d90d010402b60e5b..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdui/Logo.php
+++ /dev/null
@@ -1,94 +0,0 @@
-<?php
-
-/**
- * Class for handling the Logo metadata extensions for login and discovery user interface
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdui_Logo {
-
- /**
- * The url of this logo.
- *
- * @var string
- */
- public $url;
-
-
- /**
- * The width of this logo.
- *
- * @var string
- */
- public $width;
-
-
- /**
- * The height of this logo.
- *
- * @var string
- */
- public $height;
-
- /**
- * The language of this item.
- *
- * @var string
- */
- public $lang;
-
-
- /**
- * Initialize a Logo.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('width')) {
- throw new Exception('Missing width of Logo.');
- }
- if (!$xml->hasAttribute('height')) {
- throw new Exception('Missing height of Logo.');
- }
- if (!is_string($xml->textContent) || !strlen($xml->textContent)) {
- throw new Exception('Missing url value for Logo.');
- }
- $this->url = $xml->textContent;
- $this->width = (int)$xml->getAttribute('width');
- $this->height = (int)$xml->getAttribute('height');
- $this->lang = $xml->hasAttribute('xml:lang') ? $xml->getAttribute('xml:lang') : NULL;
- }
-
-
- /**
- * Convert this Logo to XML.
- *
- * @param DOMElement $parent The element we should append this Logo to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_int($this->width)');
- assert('is_int($this->height)');
- assert('is_string($this->url)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_XML_mdui_UIInfo::NS, 'mdui:Logo');
- $e->appendChild($doc->createTextNode($this->url));
- $e->setAttribute('width', (int)$this->width);
- $e->setAttribute('height', (int)$this->height);
- if (isset($this->lang)) {
- $e->setAttribute('xml:lang', $this->lang);
- }
- $parent->appendChild($e);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/mdui/UIInfo.php b/lib/SAML2/XML/mdui/UIInfo.php
deleted file mode 100644
index 2023abe73884aa2d68b20858c65531cff5e0b60f..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/mdui/UIInfo.php
+++ /dev/null
@@ -1,154 +0,0 @@
-<?php
-
-/**
- * Class for handling the metadata extensions for login and discovery user interface
- *
- * @link: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-metadata-ui/v1.0/sstc-saml-metadata-ui-v1.0.pdf
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_mdui_UIInfo {
-
- /**
- * The namespace used for the UIInfo extension.
- */
- const NS = 'urn:oasis:names:tc:SAML:metadata:ui';
-
-
- /**
- * Array with child elements.
- *
- * The elements can be any of the other SAML2_XML_mdui_* elements.
- *
- * @var array
- */
- public $children = array();
-
- /**
- * The DisplayName, as an array of language => translation.
- *
- * @var array
- */
- public $DisplayName = array();
-
- /**
- * The Description, as an array of language => translation.
- *
- * @var array
- */
- public $Description = array();
-
- /**
- * The InformationURL, as an array of language => url.
- *
- * @var array
- */
- public $InformationURL = array();
-
- /**
- * The PrivacyStatementURL, as an array of language => url.
- *
- * @var array
- */
- public $PrivacyStatementURL = array();
-
- /**
- * The Keywords, as an array of language => array of strings.
- *
- * @var array
- */
- public $Keywords = array();
-
- /**
- * The Logo, as an array of associative arrays containing url, width, height, and optional lang.
- *
- * @var array
- */
- public $Logo = array();
-
-
- /**
- * Create a UIInfo element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- $this->DisplayName = SAML2_Utils::extractLocalizedStrings($xml, self::NS, 'DisplayName');
- $this->Description = SAML2_Utils::extractLocalizedStrings($xml, self::NS, 'Description');
- $this->InformationURL = SAML2_Utils::extractLocalizedStrings($xml, self::NS, 'InformationURL');
- $this->PrivacyStatementURL = SAML2_Utils::extractLocalizedStrings($xml, self::NS, 'PrivacyStatementURL');
-
- foreach (SAML2_Utils::xpQuery($xml, './*') as $node) {
- if ($node->namespaceURI === self::NS) {
- switch ($node->localName) {
- case 'Keywords':
- $this->Keywords[] = new SAML2_XML_mdui_Keywords($node);
- break;
- case 'Logo':
- $this->Logo[] = new SAML2_XML_mdui_Logo($node);
- break;
- }
- } else {
- $this->children[] = new SAML2_XML_Chunk($node);
- }
- }
- }
-
-
- /**
- * Convert this UIInfo to XML.
- *
- * @param DOMElement $parent The element we should append to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_array($this->DisplayName)');
- assert('is_array($this->InformationURL)');
- assert('is_array($this->PrivacyStatementURL)');
- assert('is_array($this->Keywords)');
- assert('is_array($this->Logo)');
- assert('is_array($this->children)');
-
- if (!empty($this->DisplayName)
- || !empty($this->Description)
- || !empty($this->InformationURL)
- || !empty($this->PrivacyStatementURL)
- || !empty($this->Keywords)
- || !empty($this->Logo)
- || !empty($this->children)) {
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(self::NS, 'mdui:UIInfo');
- $parent->appendChild($e);
-
- SAML2_Utils::addStrings($e, self::NS, 'mdui:DisplayName', TRUE, $this->DisplayName);
- SAML2_Utils::addStrings($e, self::NS, 'mdui:Description', TRUE, $this->Description);
- SAML2_Utils::addStrings($e, self::NS, 'mdui:InformationURL', TRUE, $this->InformationURL);
- SAML2_Utils::addStrings($e, self::NS, 'mdui:PrivacyStatementURL', TRUE, $this->PrivacyStatementURL);
-
- if (!empty($this->Keywords)) {
- foreach ($this->Keywords as $child) {
- $child->toXML($e);
- }
- }
-
- if (!empty($this->Logo)) {
- foreach ($this->Logo as $child) {
- $child->toXML($e);
- }
- }
-
- if (!empty($this->children)) {
- foreach ($this->children as $child) {
- $child->toXML($e);
- }
- }
- }
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/saml/Attribute.php b/lib/SAML2/XML/saml/Attribute.php
deleted file mode 100644
index afbf0cbbe5f5c22a84813e6f53497604e31bc845..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/saml/Attribute.php
+++ /dev/null
@@ -1,121 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 Attribute.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_saml_Attribute {
-
- /**
- * The Name of this attribute.
- *
- * @var string
- */
- public $Name;
-
-
- /**
- * The NameFormat of this attribute.
- *
- * @var string|NULL
- */
- public $NameFormat;
-
-
- /**
- * The FriendlyName of this attribute.
- *
- * @var string|NULL
- */
- public $FriendlyName = NULL;
-
-
- /**
- * List of attribute values.
- *
- * Array of SAML2_XML_saml_AttributeValue elements.
- *
- * @var array
- */
- public $AttributeValue = array();
-
-
- /**
- * Initialize an Attribute.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('Name')) {
- throw new Exception('Missing Name on Attribute.');
- }
- $this->Name = $xml->getAttribute('Name');
-
- if ($xml->hasAttribute('NameFormat')) {
- $this->NameFormat = $xml->getAttribute('NameFormat');
- }
-
- if ($xml->hasAttribute('FriendlyName')) {
- $this->FriendlyName = $xml->getAttribute('FriendlyName');
- }
-
- foreach (SAML2_Utils::xpQuery($xml, './saml_assertion:AttributeValue') as $av) {
- $this->AttributeValue[] = new SAML2_XML_saml_AttributeValue($av);
- }
- }
-
-
- /**
- * Internal implementation of toXML.
- * This function allows RequestedAttribute to specify the element name and namespace.
- *
- * @param DOMElement $parent The element we should append this Attribute to.
- * @param string $namespace The namespace the element should be created in.
- * @param string $name The name of the element.
- */
- protected function toXMLInternal(DOMElement $parent, $namespace, $name) {
- assert('is_string($namespace)');
- assert('is_string($name)');
- assert('is_string($this->Name)');
- assert('is_null($this->NameFormat) || is_string($this->NameFormat)');
- assert('is_null($this->FriendlyName) || is_string($this->FriendlyName)');
- assert('is_array($this->AttributeValue)');
-
- $e = $parent->ownerDocument->createElementNS($namespace, $name);
- $parent->appendChild($e);
-
- $e->setAttribute('Name', $this->Name);
-
- if (isset($this->NameFormat)) {
- $e->setAttribute('NameFormat', $this->NameFormat);
- }
-
- if (isset($this->FriendlyName)) {
- $e->setAttribute('FriendlyName', $this->FriendlyName);
- }
-
- foreach ($this->AttributeValue as $av) {
- $av->toXML($e);
- }
-
- return $e;
- }
-
-
- /**
- * Convert this Attribute to XML.
- *
- * @param DOMElement $parent The element we should append this Attribute to.
- */
- public function toXML(DOMElement $parent) {
- return $this->toXMLInternal($parent, SAML2_Const::NS_SAML, 'saml:Attribute');
- }
-
-}
diff --git a/lib/SAML2/XML/saml/AttributeValue.php b/lib/SAML2/XML/saml/AttributeValue.php
deleted file mode 100644
index bc890559260d34be7868996613d6964a21eb23c4..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/saml/AttributeValue.php
+++ /dev/null
@@ -1,99 +0,0 @@
-<?php
-
-/**
- * Class representing an AttributeValue.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_saml_AttributeValue {
-
- /**
- * The raw DOMElement representing this value.
- *
- * @var DOMElement
- */
- public $element;
-
-
- /**
- * Create an AttributeValue.
- *
- * @param mixed $value
- * The value of this element.
- * Can be one of:
- * - string Create an attribute value with a simple string.
- * - DOMElement(AttributeValue) Create an attribute value of the given DOMElement.
- * - DOMElement Create an attribute value with the given DOMElement as a child.
- */
- public function __construct($value) {
- assert('is_string($value) || $value instanceof DOMElement');
-
- if (is_string($value)) {
- $doc = new DOMDocument();
- $this->element = $doc->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeValue');
- $this->element->setAttributeNS(SAML2_Const::NS_XSI, 'xsi:type', 'xs:string');
- $this->element->appendChild($doc->createTextNode($value));
-
- /* Make sure that the xs-namespace is available in the AttributeValue (for xs:string). */
- $this->element->setAttributeNS(SAML2_Const::NS_XS, 'xs:tmp', 'tmp');
- $this->element->removeAttributeNS(SAML2_Const::NS_XS, 'tmp');
-
- return;
- }
-
- if ($value->namespaceURI === SAML2_Const::NS_SAML && $value->localName === 'AttributeValue') {
- $this->element = SAML2_Utils::copyElement($value);
- return;
- }
-
- $doc = new DOMDocument();
- $this->element = $doc->createElementNS(SAML2_Const::NS_SAML, 'saml:AttributeValue');
- SAML2_Utils::copyElement($value, $this->element);
- }
-
-
- /**
- * Append this attribute value to an element.
- *
- * @param DOMElement $parent The element we should append this attribute value to.
- * @return DOMElement The generated AttributeValue element.
- */
- public function toXML(DOMElement $parent) {
- assert('$this->element instanceof DOMElement');
- assert('$this->element->namespaceURI === SAML2_Const::NS_SAML && $this->element->localName === "AttributeValue"');
-
- $v = SAML2_Utils::copyElement($this->element, $parent);
-
- return $v;
- }
-
- /*
- * Returns a plain text content of the attribute value.
- */
- public function getString() {
- return $this->element->textContent;
- }
-
-
- /**
- * Convert this attribute value to a string.
- *
- * If this element contains XML data, that data vil be encoded as a string and returned.
- *
- * @return string This attribute value.
- */
- public function __toString() {
- assert('$this->element instanceof DOMElement');
-
- $doc = $this->element->ownerDocument;
-
- $ret = '';
- foreach ($this->element->childNodes as $c) {
- $ret .= $doc->saveXML($c);
- }
-
- return $ret;
- }
-
-}
diff --git a/lib/SAML2/XML/saml/NameID.php b/lib/SAML2/XML/saml/NameID.php
deleted file mode 100644
index b31a00c91efd44f5b93504e1026ed132eaa10170..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/saml/NameID.php
+++ /dev/null
@@ -1,125 +0,0 @@
-<?php
-
-/**
- * Class representing the saml:NameID element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_saml_NameID {
-
- /**
- * The NameQualifier or the NameID.
- *
- * @var string|NULL
- */
- public $NameQualifier;
-
- /**
- * The SPNameQualifier or the NameID.
- *
- * @var string|NULL
- */
- public $SPNameQualifier;
-
-
- /**
- * The Format or the NameID.
- *
- * @var string|NULL
- */
- public $Format;
-
-
- /**
- * The SPProvidedID or the NameID.
- *
- * @var string|NULL
- */
- public $SPProvidedID;
-
-
- /**
- * The value of this NameID.
- *
- * @var string
- */
- public $value;
-
-
- /**
- * Initialize a saml:NameID.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('SPNameQualifier')) {
- $this->SPNameQualifier = $xml->getAttribute('SPNameQualifier');
- }
-
- if ($xml->hasAttribute('NameQualifier')) {
- $this->NameQualifier = $xml->getAttribute('NameQualifier');
- }
-
- if ($xml->hasAttribute('Format')) {
- $this->Format = $xml->getAttribute('Format');
- }
-
- if ($xml->hasAttribute('SPProvidedID')) {
- $this->SPProvidedID = $xml->getAttribute('SPProvidedID');
- }
-
- $this->value = trim($xml->textContent);
- }
-
-
- /**
- * Convert this NameID to XML.
- *
- * @param DOMElement|NULL $parent The element we should append to.
- * @return DOMElement This AdditionalMetadataLocation-element.
- */
- public function toXML(DOMElement $parent = NULL) {
- assert('is_string($this->NameQualifier) || is_null($this->NameQualifier)');
- assert('is_string($this->SPNameQualifier) || is_null($this->SPNameQualifier)');
- assert('is_string($this->Format) || is_null($this->Format)');
- assert('is_string($this->SPProvidedID) || is_null($this->SPProvidedID)');
- assert('is_string($this->value)');
-
- if ($parent === NULL) {
- $parent = new DOMDocument();
- $doc = $parent;
- } else {
- $doc = $parent->ownerDocument;
- }
- $e = $doc->createElementNS(SAML2_Const::NS_SAML, 'saml:NameID');
- $parent->appendChild($e);
-
- if ($this->NameQualifier !== NULL) {
- $e->setAttribute('NameQualifier', $this->NameQualifier);
- }
-
- if ($this->SPNameQualifier !== NULL) {
- $e->setAttribute('SPNameQualifier', $this->SPNameQualifier);
- }
-
- if ($this->Format !== NULL) {
- $e->setAttribute('Format', $this->Format);
- }
-
- if ($this->SPProvidedID !== NULL) {
- $e->setAttribute('SPProvidedID', $this->SPProvidedID);
- }
-
- $t = $doc->createTextNode($this->value);
- $e->appendChild($t);
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/saml/SubjectConfirmation.php b/lib/SAML2/XML/saml/SubjectConfirmation.php
deleted file mode 100644
index 857ee4b44c8811fcc6e7b717713923e6ae69c7ce..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/saml/SubjectConfirmation.php
+++ /dev/null
@@ -1,93 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 SubjectConfirmation element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_saml_SubjectConfirmation {
-
- /**
- * The method we can use to verify this Subject.
- *
- * @var string
- */
- public $Method;
-
-
- /**
- * The NameID of the entity that can use this element to verify the Subject.
- *
- * @var SAML2_XML_saml_NameID|NULL
- */
- public $NameID;
-
-
- /**
- * SubjectConfirmationData element with extra data for verification of the Subject.
- *
- * @var SAML2_XML_saml_SubjectConfirmationData|NULL
- */
- public $SubjectConfirmationData;
-
-
- /**
- * Initialize (and parse? a SubjectConfirmation element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if (!$xml->hasAttribute('Method')) {
- throw new Exception('SubjectConfirmation element without Method attribute.');
- }
- $this->Method = $xml->getAttribute('Method');
-
- $nid = SAML2_Utils::xpQuery($xml, './saml_assertion:NameID');
- if (count($nid) > 1) {
- throw new Exception('More than one NameID in a SubjectConfirmation element.');
- } elseif (!empty($nid)) {
- $this->NameID = new SAML2_XML_saml_NameID($nid[0]);
- }
-
- $scd = SAML2_Utils::xpQuery($xml, './saml_assertion:SubjectConfirmationData');
- if (count($scd) > 1) {
- throw new Exception('More than one SubjectConfirmationData child in a SubjectConfirmation element.');
- } elseif (!empty($scd)) {
- $this->SubjectConfirmationData = new SAML2_XML_saml_SubjectConfirmationData($scd[0]);
- }
- }
-
-
- /**
- * Convert this element to XML.
- *
- * @param DOMElement $parent The parent element we should append this element to.
- * @return DOMElement This element, as XML.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->Method)');
- assert('is_null($this->NameID) || $this->NameID instanceof SAML2_XML_saml_NameID');
- assert('is_null($this->SubjectConfirmationData) || $this->SubjectConfirmationData instanceof SAML2_XML_saml_SubjectConfirmationData');
-
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:SubjectConfirmation');
- $parent->appendChild($e);
-
- $e->setAttribute('Method', $this->Method);
-
- if (isset($this->NameID)) {
- $this->NameID->toXML($e);
- }
- if (isset($this->SubjectConfirmationData)) {
- $this->SubjectConfirmationData->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/saml/SubjectConfirmationData.php b/lib/SAML2/XML/saml/SubjectConfirmationData.php
deleted file mode 100644
index 1c28c65c8df37559c5977d1a8893763eb64efd6f..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/saml/SubjectConfirmationData.php
+++ /dev/null
@@ -1,146 +0,0 @@
-<?php
-
-/**
- * Class representing SAML 2 SubjectConfirmationData element.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_saml_SubjectConfirmationData {
-
- /**
- * The time before this element is valid, as an unix timestamp.
- *
- * @var int|NULL
- */
- public $NotBefore;
-
-
- /**
- * The time after which this element is invalid, as an unix timestamp.
- *
- * @var int|NULL
- */
- public $NotOnOrAfter;
-
-
- /**
- * The Recipient this Subject is valid for. Either an entity or a location.
- *
- * @var string|NULL
- */
- public $Recipient;
-
-
- /**
- * The ID of the AuthnRequest this is a response to.
- *
- * @var string|NULL
- */
- public $InResponseTo;
-
-
- /**
- * The IP(v6) address of the user.
- *
- * @var string|NULL
- */
- public $Address;
-
-
- /**
- * The various key information elements.
- *
- * Array with various elements describing this key.
- * Unknown elements will be represented by SAML2_XML_Chunk.
- *
- * @var array
- */
- public $info = array();
-
-
- /**
- * Initialize (and parse) a SubjectConfirmationData element.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- if ($xml->hasAttribute('NotBefore')) {
- $this->NotBefore = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('NotBefore'));
- }
- if ($xml->hasAttribute('NotOnOrAfter')) {
- $this->NotOnOrAfter = SimpleSAML_Utilities::parseSAML2Time($xml->getAttribute('NotOnOrAfter'));
- }
- if ($xml->hasAttribute('Recipient')) {
- $this->Recipient = $xml->getAttribute('Recipient');
- }
- if ($xml->hasAttribute('InResponseTo')) {
- $this->InResponseTo = $xml->getAttribute('InResponseTo');
- }
- if ($xml->hasAttribute('Address')) {
- $this->Address = $xml->getAttribute('Address');
- }
- for ($n = $xml->firstChild; $n !== NULL; $n = $n->nextSibling) {
- if (!($n instanceof DOMElement)) {
- continue;
- }
- if ($n->namespaceURI !== XMLSecurityDSig::XMLDSIGNS) {
- $this->info[] = new SAML2_XML_Chunk($n);
- continue;
- }
- switch ($n->localName) {
- case 'KeyInfo':
- $this->info[] = new SAML2_XML_ds_KeyInfo($n);
- break;
- default:
- $this->info[] = new SAML2_XML_Chunk($n);
- break;
- }
- }
- }
-
-
- /**
- * Convert this element to XML.
- *
- * @param DOMElement $parent The parent element we should append this element to.
- * @return DOMElement This element, as XML.
- */
- public function toXML(DOMElement $parent) {
- assert('is_null($this->NotBefore) || is_int($this->NotBefore)');
- assert('is_null($this->NotOnOrAfter) || is_int($this->NotOnOrAfter)');
- assert('is_null($this->Recipient) || is_string($this->Recipient)');
- assert('is_null($this->InResponseTo) || is_string($this->InResponseTo)');
- assert('is_null($this->Address) || is_string($this->Address)');
-
- $e = $parent->ownerDocument->createElementNS(SAML2_Const::NS_SAML, 'saml:SubjectConfirmationData');
- $parent->appendChild($e);
-
- if (isset($this->NotBefore)) {
- $e->setAttribute('NotBefore', gmdate('Y-m-d\TH:i:s\Z', $this->NotBefore));
- }
- if (isset($this->NotOnOrAfter)) {
- $e->setAttribute('NotOnOrAfter', gmdate('Y-m-d\TH:i:s\Z', $this->NotOnOrAfter));
- }
- if (isset($this->Recipient)) {
- $e->setAttribute('Recipient', $this->Recipient);
- }
- if (isset($this->InResponseTo)) {
- $e->setAttribute('InResponseTo', $this->InResponseTo);
- }
- if (isset($this->Address)) {
- $e->setAttribute('Address', $this->Address);
- }
- foreach ($this->info as $n) {
- $n->toXML($e);
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SAML2/XML/samlp/Extensions.php b/lib/SAML2/XML/samlp/Extensions.php
deleted file mode 100644
index ad86c3f5852fa63bca8b68693ba9d105fbc7504e..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/samlp/Extensions.php
+++ /dev/null
@@ -1,48 +0,0 @@
-<?php
-
-/**
- * Class for handling SAML2 extensions.
- *
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_samlp_Extensions {
-
- /**
- * Get a list of Extensions in the given element.
- *
- * @param DOMElement $parent The element that may contain the samlp:Extensions element.
- * @return array Array of extensions.
- */
- public static function getList(DOMElement $parent) {
-
- $ret = array();
- foreach (SAML2_Utils::xpQuery($parent, './saml_protocol:Extensions/*') as $node) {
- $ret[] = new SAML2_XML_Chunk($node);
- }
-
- return $ret;
- }
-
-
- /**
- * Add a list of Extensions to the given element.
- *
- * @param DOMElement $parent The element we should add the extensions to.
- * @param array $extensions List of extension objects.
- */
- public static function addList(DOMElement $parent, array $extensions) {
-
- if (empty($extensions)) {
- return;
- }
-
- $extElement = $parent->ownerDocument->createElementNS(SAML2_Const::NS_SAMLP, 'samlp:Extensions');
- $parent->appendChild($extElement);
-
- foreach ($extensions as $ext) {
- $ext->toXML($extElement);
- }
- }
-
-}
diff --git a/lib/SAML2/XML/shibmd/Scope.php b/lib/SAML2/XML/shibmd/Scope.php
deleted file mode 100644
index 9847546775078963c821012f9460914749ca7e4e..0000000000000000000000000000000000000000
--- a/lib/SAML2/XML/shibmd/Scope.php
+++ /dev/null
@@ -1,74 +0,0 @@
-<?php
-
-/**
- * Class which represents the Scope element found in Shibboleth metadata.
- *
- * @link https://wiki.shibboleth.net/confluence/display/SHIB/ShibbolethMetadataProfile
- * @package simpleSAMLphp
- * @version $Id$
- */
-class SAML2_XML_shibmd_Scope {
-
- /**
- * The namespace used for the Scope extension element.
- */
- const NS = 'urn:mace:shibboleth:metadata:1.0';
-
-
- /**
- * The scope.
- *
- * @var string
- */
- public $scope;
-
- /**
- * Whether this is a regexp scope.
- *
- * @var bool|NULL
- */
- public $regexp = NULL;
-
-
- /**
- * Create a Scope.
- *
- * @param DOMElement|NULL $xml The XML element we should load.
- */
- public function __construct(DOMElement $xml = NULL) {
-
- if ($xml === NULL) {
- return;
- }
-
- $this->scope = $xml->textContent;
- $this->regexp = SAML2_Utils::parseBoolean($xml, 'regexp', NULL);
- }
-
-
- /**
- * Convert this Scope to XML.
- *
- * @param DOMElement $parent The element we should append this Scope to.
- */
- public function toXML(DOMElement $parent) {
- assert('is_string($this->scope)');
- assert('is_bool($this->regexp) || is_null($this->regexp)');
-
- $doc = $parent->ownerDocument;
-
- $e = $doc->createElementNS(SAML2_XML_shibmd_Scope::NS, 'shibmd:Scope');
- $parent->appendChild($e);
-
- $e->appendChild($doc->createTextNode($this->scope));
-
- if ($this->regexp === TRUE) {
- $e->setAttribute('regexp', 'true');
- } elseif ($this->regexp === FALSE) {
- $e->setAttribute('regexp', 'false');
- }
-
- return $e;
- }
-
-}
diff --git a/lib/SimpleSAML/Utilities.php b/lib/SimpleSAML/Utilities.php
index ad814918c9afcb41b0c9244c4442e13a05696a35..1635da3a9d9d5a4d64bc79631e0ae2c3bb026099 100644
--- a/lib/SimpleSAML/Utilities.php
+++ b/lib/SimpleSAML/Utilities.php
@@ -302,14 +302,14 @@ class SimpleSAML_Utilities {
$currentTime = time();
if (! empty($start)) {
- $startTime = self::parseSAML2Time($start);
+ $startTime = SAML2_Utils::parseSAML2Time($start);
/* Allow for a 10 minute difference in Time */
if (($startTime < 0) || (($startTime - 600) > $currentTime)) {
return FALSE;
}
}
if (! empty($end)) {
- $endTime = self::parseSAML2Time($end);
+ $endTime = SAML2_Utils::parseSAML2Time($end);
if (($endTime < 0) || ($endTime <= $currentTime)) {
return FALSE;
}
@@ -337,55 +337,6 @@ class SimpleSAML_Utilities {
}
- /* This function converts a SAML2 timestamp on the form
- * yyyy-mm-ddThh:mm:ss(\.s+)?Z to a UNIX timestamp. The sub-second
- * part is ignored.
- *
- * Andreas comments:
- * I got this timestamp from Shibboleth 1.3 IdP: 2008-01-17T11:28:03.577Z
- * Therefore I added to possibliity to have microseconds to the format.
- * Added: (\.\\d{1,3})? to the regex.
- *
- *
- * Parameters:
- * $time The time we should convert.
- *
- * Returns:
- * $time converted to a unix timestamp.
- */
- public static function parseSAML2Time($time) {
- $matches = array();
-
-
- /* We use a very strict regex to parse the timestamp. */
- if(preg_match('/^(\\d\\d\\d\\d)-(\\d\\d)-(\\d\\d)' .
- 'T(\\d\\d):(\\d\\d):(\\d\\d)(?:\\.\\d+)?Z$/D',
- $time, $matches) == 0) {
- throw new Exception(
- 'Invalid SAML2 timestamp passed to' .
- ' parseSAML2Time: ' . $time);
- }
-
- /* Extract the different components of the time from the
- * matches in the regex. intval will ignore leading zeroes
- * in the string.
- */
- $year = intval($matches[1]);
- $month = intval($matches[2]);
- $day = intval($matches[3]);
- $hour = intval($matches[4]);
- $minute = intval($matches[5]);
- $second = intval($matches[6]);
-
- /* We use gmmktime because the timestamp will always be given
- * in UTC.
- */
- $ts = gmmktime($hour, $minute, $second, $month, $day, $year);
-
- return $ts;
- }
-
-
/**
* Interpret a ISO8601 duration value relative to a given timestamp.
*
diff --git a/lib/_autoload.php b/lib/_autoload.php
index 8e0ec7c123d2c51f811e11208b3ce74b9707eb49..ec9947970e270badedaf96895ad9cc14fb42c530 100644
--- a/lib/_autoload.php
+++ b/lib/_autoload.php
@@ -1,70 +1,22 @@
<?php
/**
- * This file implements a autoloader for simpleSAMLphp. This autoloader
- * will search for files under the simpleSAMLphp directory.
+ * This file is a backwards compatible autoloader for simpleSAMLphp.
+ * Loads the Composer autoloader.
*
* @author Olav Morken, UNINETT AS.
* @package simpleSAMLphp
* @version $Id$
*/
-
-/**
- * Autoload function for simpleSAMLphp.
- *
- * It will autoload all classes stored in the lib-directory.
- *
- * @param $className The name of the class.
- */
-function SimpleSAML_autoload($className) {
-
- $libDir = dirname(__FILE__) . '/';
-
- /* Special handling for xmlseclibs.php. */
- if(in_array($className, array('XMLSecurityKey', 'XMLSecurityDSig', 'XMLSecEnc'), TRUE)) {
- require_once($libDir . 'xmlseclibs.php');
- return;
- }
-
- /* Handlig of modules. */
- if(substr($className, 0, 7) === 'sspmod_') {
- $modNameEnd = strpos($className, '_', 7);
- $module = substr($className, 7, $modNameEnd - 7);
- $moduleClass = substr($className, $modNameEnd + 1);
-
- if(!SimpleSAML_Module::isModuleEnabled($module)) {
- return;
- }
-
- $file = SimpleSAML_Module::getModuleDir($module) . '/lib/' . str_replace('_', '/', $moduleClass) . '.php';
- } else {
- $file = $libDir . str_replace('_', '/', $className) . '.php';
- }
-
- if(file_exists($file)) {
- require_once($file);
- }
+// SSP is loaded as a separate project
+if (file_exists(dirname(dirname(__FILE__)) . '/vendor/autoload.php')) {
+ require_once dirname(dirname(__FILE__)) . '/vendor/autoload.php';
}
-
-/* Register autoload function for simpleSAMLphp. */
-if(function_exists('spl_autoload_register')) {
- /* Use the spl_autoload_register function if it is available. It should be available
- * for PHP versions >= 5.1.2.
- */
- spl_autoload_register('SimpleSAML_autoload');
-} else {
-
- /* spl_autoload_register is unavailable - let us hope that no one else uses the __autoload function. */
-
- /**
- * Autoload function for those who don't have spl_autoload_register.
- *
- * @param $className The name of the requested class.
- */
- function __autoload($className) {
- SimpleSAML_autoload($className);
- }
+// SSP is loaded as a library.
+else if (file_exists(dirname(dirname(__FILE__)) . '/../../autoload.php')) {
+ require_once dirname(dirname(__FILE__)) . '/../../autoload.php';
+}
+else {
+ throw new Exception('Unable to load Composer autoloader');
}
-
-?>
\ No newline at end of file
diff --git a/lib/_autoload_modules.php b/lib/_autoload_modules.php
new file mode 100644
index 0000000000000000000000000000000000000000..1ea5da05c330c99b9157713345ad5f5e8f8b6477
--- /dev/null
+++ b/lib/_autoload_modules.php
@@ -0,0 +1,39 @@
+<?php
+
+/**
+ * This file implements a autoloader for simpleSAMLphp modules.
+ *
+ * @author Boy Baukema, SURFnet
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+
+/**
+ * Autoload function for simpleSAMLphp modules.
+ *
+ * @param string $className Name of the class.
+ */
+function SimpleSAML_autoload($className)
+{
+ $modulePrefixLength = strlen('sspmod_');
+ $classPrefix = substr($className, 0, $modulePrefixLength);
+ if ($classPrefix !== 'sspmod_') {
+ return;
+ }
+
+ $modNameEnd = strpos($className, '_', $modulePrefixLength);
+ $module = substr($className, $modulePrefixLength, $modNameEnd - $modulePrefixLength);
+ $moduleClass = substr($className, $modNameEnd + 1);
+
+ if (!SimpleSAML_Module::isModuleEnabled($module)) {
+ return;
+ }
+
+ $file = SimpleSAML_Module::getModuleDir($module) . '/lib/' . str_replace('_', '/', $moduleClass) . '.php';
+
+ if (file_exists($file)) {
+ require_once($file);
+ }
+}
+
+spl_autoload_register('SimpleSAML_autoload');
diff --git a/lib/xmlseclibs.php b/lib/xmlseclibs.php
deleted file mode 100644
index 75de0b64f0a1eb641001f2488380f208a9146bbc..0000000000000000000000000000000000000000
--- a/lib/xmlseclibs.php
+++ /dev/null
@@ -1,1768 +0,0 @@
-<?php
-/**
- * xmlseclibs.php
- *
- * Copyright (c) 2007-2010, Robert Richards <rrichards@cdatazone.org>.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * * Neither the name of Robert Richards nor the names of his
- * contributors may be used to endorse or promote products derived
- * from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
- * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
- * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- *
- * @author Robert Richards <rrichards@cdatazone.org>
- * @copyright 2007-2011 Robert Richards <rrichards@cdatazone.org>
- * @license http://www.opensource.org/licenses/bsd-license.php BSD License
- * @version 1.3.0
- */
-
-/*
-Functions to generate simple cases of Exclusive Canonical XML - Callable function is C14NGeneral()
-i.e.: $canonical = C14NGeneral($domelement, TRUE);
-*/
-
-/* helper function */
-function sortAndAddAttrs($element, $arAtts) {
- $newAtts = array();
- foreach ($arAtts AS $attnode) {
- $newAtts[$attnode->nodeName] = $attnode;
- }
- ksort($newAtts);
- foreach ($newAtts as $attnode) {
- $element->setAttribute($attnode->nodeName, $attnode->nodeValue);
- }
-}
-
-/* helper function */
-function canonical($tree, $element, $withcomments) {
- if ($tree->nodeType != XML_DOCUMENT_NODE) {
- $dom = $tree->ownerDocument;
- } else {
- $dom = $tree;
- }
- if ($element->nodeType != XML_ELEMENT_NODE) {
- if ($element->nodeType == XML_DOCUMENT_NODE) {
- foreach ($element->childNodes AS $node) {
- canonical($dom, $node, $withcomments);
- }
- return;
- }
- if ($element->nodeType == XML_COMMENT_NODE && ! $withcomments) {
- return;
- }
- $tree->appendChild($dom->importNode($element, TRUE));
- return;
- }
- $arNS = array();
- if ($element->namespaceURI != "") {
- if ($element->prefix == "") {
- $elCopy = $dom->createElementNS($element->namespaceURI, $element->nodeName);
- } else {
- $prefix = $tree->lookupPrefix($element->namespaceURI);
- if ($prefix == $element->prefix) {
- $elCopy = $dom->createElementNS($element->namespaceURI, $element->nodeName);
- } else {
- $elCopy = $dom->createElement($element->nodeName);
- $arNS[$element->namespaceURI] = $element->prefix;
- }
- }
- } else {
- $elCopy = $dom->createElement($element->nodeName);
- }
- $tree->appendChild($elCopy);
-
- /* Create DOMXPath based on original document */
- $xPath = new DOMXPath($element->ownerDocument);
-
- /* Get namespaced attributes */
- $arAtts = $xPath->query('attribute::*[namespace-uri(.) != ""]', $element);
-
- /* Create an array with namespace URIs as keys, and sort them */
- foreach ($arAtts AS $attnode) {
- if (array_key_exists($attnode->namespaceURI, $arNS) &&
- ($arNS[$attnode->namespaceURI] == $attnode->prefix)) {
- continue;
- }
- $prefix = $tree->lookupPrefix($attnode->namespaceURI);
- if ($prefix != $attnode->prefix) {
- $arNS[$attnode->namespaceURI] = $attnode->prefix;
- } else {
- $arNS[$attnode->namespaceURI] = NULL;
- }
- }
- if (count($arNS) > 0) {
- asort($arNS);
- }
-
- /* Add namespace nodes */
- foreach ($arNS AS $namespaceURI=>$prefix) {
- if ($prefix != NULL) {
- $elCopy->setAttributeNS("http://www.w3.org/2000/xmlns/",
- "xmlns:".$prefix, $namespaceURI);
- }
- }
- if (count($arNS) > 0) {
- ksort($arNS);
- }
-
- /* Get attributes not in a namespace, and then sort and add them */
- $arAtts = $xPath->query('attribute::*[namespace-uri(.) = ""]', $element);
- sortAndAddAttrs($elCopy, $arAtts);
-
- /* Loop through the URIs, and then sort and add attributes within that namespace */
- foreach ($arNS as $nsURI=>$prefix) {
- $arAtts = $xPath->query('attribute::*[namespace-uri(.) = "'.$nsURI.'"]', $element);
- sortAndAddAttrs($elCopy, $arAtts);
- }
-
- foreach ($element->childNodes AS $node) {
- canonical($elCopy, $node, $withcomments);
- }
-}
-
-/*
-$element - DOMElement for which to produce the canonical version of
-$exclusive - boolean to indicate exclusive canonicalization (must pass TRUE)
-$withcomments - boolean indicating wether or not to include comments in canonicalized form
-*/
-function C14NGeneral($element, $exclusive=FALSE, $withcomments=FALSE) {
- /* IF PHP 5.2+ then use built in canonical functionality */
- $php_version = explode('.', PHP_VERSION);
- if (($php_version[0] > 5) || ($php_version[0] == 5 && $php_version[1] >= 2) ) {
- return $element->C14N($exclusive, $withcomments);
- }
-
- /* Must be element or document */
- if (! $element instanceof DOMElement && ! $element instanceof DOMDocument) {
- return NULL;
- }
- /* Currently only exclusive XML is supported */
- if ($exclusive == FALSE) {
- throw new Exception("Only exclusive canonicalization is supported in this version of PHP");
- }
-
- $copyDoc = new DOMDocument();
- canonical($copyDoc, $element, $withcomments);
- return $copyDoc->saveXML($copyDoc->documentElement, LIBXML_NOEMPTYTAG);
-}
-
-class XMLSecurityKey {
- const TRIPLEDES_CBC = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc';
- const AES128_CBC = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc';
- const AES192_CBC = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc';
- const AES256_CBC = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc';
- const RSA_1_5 = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5';
- const RSA_OAEP_MGF1P = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';
- const DSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#dsa-sha1';
- const RSA_SHA1 = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
- const RSA_SHA256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
- const RSA_SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
- const RSA_SHA512 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
-
- private $cryptParams = array();
- public $type = 0;
- public $key = NULL;
- public $passphrase = "";
- public $iv = NULL;
- public $name = NULL;
- public $keyChain = NULL;
- public $isEncrypted = FALSE;
- public $encryptedCtx = NULL;
- public $guid = NULL;
-
- /**
- * This variable contains the certificate as a string if this key represents an X509-certificate.
- * If this key doesn't represent a certificate, this will be NULL.
- */
- private $x509Certificate = NULL;
-
- /* This variable contains the certificate thunbprint if we have loaded an X509-certificate. */
- private $X509Thumbprint = NULL;
-
- public function __construct($type, $params=NULL) {
- srand();
- switch ($type) {
- case (XMLSecurityKey::TRIPLEDES_CBC):
- $this->cryptParams['library'] = 'mcrypt';
- $this->cryptParams['cipher'] = MCRYPT_TRIPLEDES;
- $this->cryptParams['mode'] = MCRYPT_MODE_CBC;
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc';
- $this->cryptParams['keysize'] = 24;
- break;
- case (XMLSecurityKey::AES128_CBC):
- $this->cryptParams['library'] = 'mcrypt';
- $this->cryptParams['cipher'] = MCRYPT_RIJNDAEL_128;
- $this->cryptParams['mode'] = MCRYPT_MODE_CBC;
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#aes128-cbc';
- $this->cryptParams['keysize'] = 16;
- break;
- case (XMLSecurityKey::AES192_CBC):
- $this->cryptParams['library'] = 'mcrypt';
- $this->cryptParams['cipher'] = MCRYPT_RIJNDAEL_128;
- $this->cryptParams['mode'] = MCRYPT_MODE_CBC;
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#aes192-cbc';
- $this->cryptParams['keysize'] = 24;
- break;
- case (XMLSecurityKey::AES256_CBC):
- $this->cryptParams['library'] = 'mcrypt';
- $this->cryptParams['cipher'] = MCRYPT_RIJNDAEL_128;
- $this->cryptParams['mode'] = MCRYPT_MODE_CBC;
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#aes256-cbc';
- $this->cryptParams['keysize'] = 32;
- break;
- case (XMLSecurityKey::RSA_1_5):
- $this->cryptParams['library'] = 'openssl';
- $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#rsa-1_5';
- if (is_array($params) && ! empty($params['type'])) {
- if ($params['type'] == 'public' || $params['type'] == 'private') {
- $this->cryptParams['type'] = $params['type'];
- break;
- }
- }
- throw new Exception('Certificate "type" (private/public) must be passed via parameters');
- return;
- case (XMLSecurityKey::RSA_OAEP_MGF1P):
- $this->cryptParams['library'] = 'openssl';
- $this->cryptParams['padding'] = OPENSSL_PKCS1_OAEP_PADDING;
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p';
- $this->cryptParams['hash'] = NULL;
- if (is_array($params) && ! empty($params['type'])) {
- if ($params['type'] == 'public' || $params['type'] == 'private') {
- $this->cryptParams['type'] = $params['type'];
- break;
- }
- }
- throw new Exception('Certificate "type" (private/public) must be passed via parameters');
- return;
- case (XMLSecurityKey::RSA_SHA1):
- $this->cryptParams['library'] = 'openssl';
- $this->cryptParams['method'] = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
- $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
- if (is_array($params) && ! empty($params['type'])) {
- if ($params['type'] == 'public' || $params['type'] == 'private') {
- $this->cryptParams['type'] = $params['type'];
- break;
- }
- }
- throw new Exception('Certificate "type" (private/public) must be passed via parameters');
- break;
- case (XMLSecurityKey::RSA_SHA256):
- $this->cryptParams['library'] = 'openssl';
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256';
- $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
- $this->cryptParams['digest'] = 'SHA256';
- if (is_array($params) && ! empty($params['type'])) {
- if ($params['type'] == 'public' || $params['type'] == 'private') {
- $this->cryptParams['type'] = $params['type'];
- break;
- }
- }
- throw new Exception('Certificate "type" (private/public) must be passed via parameters');
- break;
- case (XMLSecurityKey::RSA_SHA384):
- $this->cryptParams['library'] = 'openssl';
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384';
- $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
- $this->cryptParams['digest'] = 'SHA384';
- if (is_array($params) && ! empty($params['type'])) {
- if ($params['type'] == 'public' || $params['type'] == 'private') {
- $this->cryptParams['type'] = $params['type'];
- break;
- }
- }
- case (XMLSecurityKey::RSA_SHA512):
- $this->cryptParams['library'] = 'openssl';
- $this->cryptParams['method'] = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512';
- $this->cryptParams['padding'] = OPENSSL_PKCS1_PADDING;
- $this->cryptParams['digest'] = 'SHA512';
- if (is_array($params) && ! empty($params['type'])) {
- if ($params['type'] == 'public' || $params['type'] == 'private') {
- $this->cryptParams['type'] = $params['type'];
- break;
- }
- }
- default:
- throw new Exception('Invalid Key Type');
- return;
- }
- $this->type = $type;
- }
-
- /**
- * Retrieve the key size for the symmetric encryption algorithm..
- *
- * If the key size is unknown, or this isn't a symmetric encryption algorithm,
- * NULL is returned.
- *
- * @return int|NULL The number of bytes in the key.
- */
- public function getSymmetricKeySize() {
- if (! isset($this->cryptParams['keysize'])) {
- return NULL;
- }
- return $this->cryptParams['keysize'];
- }
-
- public function generateSessionKey() {
- if (!isset($this->cryptParams['keysize'])) {
- throw new Exception('Unknown key size for type "' . $this->type . '".');
- }
- $keysize = $this->cryptParams['keysize'];
-
- if (function_exists('openssl_random_pseudo_bytes')) {
- /* We have PHP >= 5.3 - use openssl to generate session key. */
- $key = openssl_random_pseudo_bytes($keysize);
- } else {
- /* Generating random key using iv generation routines */
- $key = mcrypt_create_iv($keysize, MCRYPT_RAND);
- }
-
- if ($this->type === XMLSecurityKey::TRIPLEDES_CBC) {
- /* Make sure that the generated key has the proper parity bits set.
- * Mcrypt doesn't care about the parity bits, but others may care.
- */
- for ($i = 0; $i < strlen($key); $i++) {
- $byte = ord($key[$i]) & 0xfe;
- $parity = 1;
- for ($j = 1; $j < 8; $j++) {
- $parity ^= ($byte >> $j) & 1;
- }
- $byte |= $parity;
- $key[$i] = chr($byte);
- }
- }
-
- $this->key = $key;
- return $key;
- }
-
- public static function getRawThumbprint($cert) {
-
- $arCert = explode("\n", $cert);
- $data = '';
- $inData = FALSE;
-
- foreach ($arCert AS $curData) {
- if (! $inData) {
- if (strncmp($curData, '-----BEGIN CERTIFICATE', 22) == 0) {
- $inData = TRUE;
- }
- } else {
- if (strncmp($curData, '-----END CERTIFICATE', 20) == 0) {
- $inData = FALSE;
- break;
- }
- $data .= trim($curData);
- }
- }
-
- if (! empty($data)) {
- return strtolower(sha1(base64_decode($data)));
- }
-
- return NULL;
- }
-
- public function loadKey($key, $isFile=FALSE, $isCert = FALSE) {
- if ($isFile) {
- $this->key = file_get_contents($key);
- } else {
- $this->key = $key;
- }
- if ($isCert) {
- $this->key = openssl_x509_read($this->key);
- openssl_x509_export($this->key, $str_cert);
- $this->x509Certificate = $str_cert;
- $this->key = $str_cert;
- } else {
- $this->x509Certificate = NULL;
- }
- if ($this->cryptParams['library'] == 'openssl') {
- if ($this->cryptParams['type'] == 'public') {
- if ($isCert) {
- /* Load the thumbprint if this is an X509 certificate. */
- $this->X509Thumbprint = self::getRawThumbprint($this->key);
- }
- $this->key = openssl_get_publickey($this->key);
- } else {
- $this->key = openssl_get_privatekey($this->key, $this->passphrase);
- }
- } else if ($this->cryptParams['cipher'] == MCRYPT_RIJNDAEL_128) {
- /* Check key length */
- switch ($this->type) {
- case (XMLSecurityKey::AES256_CBC):
- if (strlen($this->key) < 25) {
- throw new Exception('Key must contain at least 25 characters for this cipher');
- }
- break;
- case (XMLSecurityKey::AES192_CBC):
- if (strlen($this->key) < 17) {
- throw new Exception('Key must contain at least 17 characters for this cipher');
- }
- break;
- }
- }
- }
-
- private function encryptMcrypt($data) {
- $td = mcrypt_module_open($this->cryptParams['cipher'], '', $this->cryptParams['mode'], '');
- $this->iv = mcrypt_create_iv (mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
- mcrypt_generic_init($td, $this->key, $this->iv);
- if ($this->cryptParams['mode'] == MCRYPT_MODE_CBC) {
- $bs = mcrypt_enc_get_block_size($td);
- for ($datalen0=$datalen=strlen($data); (($datalen%$bs)!=($bs-1)); $datalen++)
- $data.=chr(rand(1, 127));
- $data.=chr($datalen-$datalen0+1);
- }
- $encrypted_data = $this->iv.mcrypt_generic($td, $data);
- mcrypt_generic_deinit($td);
- mcrypt_module_close($td);
- return $encrypted_data;
- }
-
- private function decryptMcrypt($data) {
- $td = mcrypt_module_open($this->cryptParams['cipher'], '', $this->cryptParams['mode'], '');
- $iv_length = mcrypt_enc_get_iv_size($td);
-
- $this->iv = substr($data, 0, $iv_length);
- $data = substr($data, $iv_length);
-
- mcrypt_generic_init($td, $this->key, $this->iv);
- $decrypted_data = mdecrypt_generic($td, $data);
- mcrypt_generic_deinit($td);
- mcrypt_module_close($td);
- if ($this->cryptParams['mode'] == MCRYPT_MODE_CBC) {
- $dataLen = strlen($decrypted_data);
- $paddingLength = substr($decrypted_data, $dataLen - 1, 1);
- $decrypted_data = substr($decrypted_data, 0, $dataLen - ord($paddingLength));
- }
- return $decrypted_data;
- }
-
- private function encryptOpenSSL($data) {
- if ($this->cryptParams['type'] == 'public') {
- if (! openssl_public_encrypt($data, $encrypted_data, $this->key, $this->cryptParams['padding'])) {
- throw new Exception('Failure encrypting Data');
- return;
- }
- } else {
- if (! openssl_private_encrypt($data, $encrypted_data, $this->key, $this->cryptParams['padding'])) {
- throw new Exception('Failure encrypting Data');
- return;
- }
- }
- return $encrypted_data;
- }
-
- private function decryptOpenSSL($data) {
- if ($this->cryptParams['type'] == 'public') {
- if (! openssl_public_decrypt($data, $decrypted, $this->key, $this->cryptParams['padding'])) {
- throw new Exception('Failure decrypting Data');
- return;
- }
- } else {
- if (! openssl_private_decrypt($data, $decrypted, $this->key, $this->cryptParams['padding'])) {
- throw new Exception('Failure decrypting Data');
- return;
- }
- }
- return $decrypted;
- }
-
- private function signOpenSSL($data) {
- $algo = OPENSSL_ALGO_SHA1;
- if (! empty($this->cryptParams['digest'])) {
- $algo = $this->cryptParams['digest'];
- }
- if (! openssl_sign ($data, $signature, $this->key, $algo)) {
- throw new Exception('Failure Signing Data: ' . openssl_error_string() . ' - ' . $algo);
- return;
- }
- return $signature;
- }
-
- private function verifyOpenSSL($data, $signature) {
- $algo = OPENSSL_ALGO_SHA1;
- if (! empty($this->cryptParams['digest'])) {
- $algo = $this->cryptParams['digest'];
- }
- return openssl_verify ($data, $signature, $this->key, $algo);
- }
-
- public function encryptData($data) {
- switch ($this->cryptParams['library']) {
- case 'mcrypt':
- return $this->encryptMcrypt($data);
- break;
- case 'openssl':
- return $this->encryptOpenSSL($data);
- break;
- }
- }
-
- public function decryptData($data) {
- switch ($this->cryptParams['library']) {
- case 'mcrypt':
- return $this->decryptMcrypt($data);
- break;
- case 'openssl':
- return $this->decryptOpenSSL($data);
- break;
- }
- }
-
- public function signData($data) {
- switch ($this->cryptParams['library']) {
- case 'openssl':
- return $this->signOpenSSL($data);
- break;
- }
- }
-
- public function verifySignature($data, $signature) {
- switch ($this->cryptParams['library']) {
- case 'openssl':
- return $this->verifyOpenSSL($data, $signature);
- break;
- }
- }
-
- public function getAlgorith() {
- return $this->cryptParams['method'];
- }
-
- static function makeAsnSegment($type, $string) {
- switch ($type){
- case 0x02:
- if (ord($string) > 0x7f)
- $string = chr(0).$string;
- break;
- case 0x03:
- $string = chr(0).$string;
- break;
- }
-
- $length = strlen($string);
-
- if ($length < 128){
- $output = sprintf("%c%c%s", $type, $length, $string);
- } else if ($length < 0x0100){
- $output = sprintf("%c%c%c%s", $type, 0x81, $length, $string);
- } else if ($length < 0x010000) {
- $output = sprintf("%c%c%c%c%s", $type, 0x82, $length/0x0100, $length%0x0100, $string);
- } else {
- $output = NULL;
- }
- return($output);
- }
-
- /* Modulus and Exponent must already be base64 decoded */
- static function convertRSA($modulus, $exponent) {
- /* make an ASN publicKeyInfo */
- $exponentEncoding = XMLSecurityKey::makeAsnSegment(0x02, $exponent);
- $modulusEncoding = XMLSecurityKey::makeAsnSegment(0x02, $modulus);
- $sequenceEncoding = XMLSecurityKey:: makeAsnSegment(0x30, $modulusEncoding.$exponentEncoding);
- $bitstringEncoding = XMLSecurityKey::makeAsnSegment(0x03, $sequenceEncoding);
- $rsaAlgorithmIdentifier = pack("H*", "300D06092A864886F70D0101010500");
- $publicKeyInfo = XMLSecurityKey::makeAsnSegment (0x30, $rsaAlgorithmIdentifier.$bitstringEncoding);
-
- /* encode the publicKeyInfo in base64 and add PEM brackets */
- $publicKeyInfoBase64 = base64_encode($publicKeyInfo);
- $encoding = "-----BEGIN PUBLIC KEY-----\n";
- $offset = 0;
- while ($segment=substr($publicKeyInfoBase64, $offset, 64)){
- $encoding = $encoding.$segment."\n";
- $offset += 64;
- }
- return $encoding."-----END PUBLIC KEY-----\n";
- }
-
- public function serializeKey($parent) {
-
- }
-
-
-
- /**
- * Retrieve the X509 certificate this key represents.
- *
- * Will return the X509 certificate in PEM-format if this key represents
- * an X509 certificate.
- *
- * @return The X509 certificate or NULL if this key doesn't represent an X509-certificate.
- */
- public function getX509Certificate() {
- return $this->x509Certificate;
- }
-
- /* Get the thumbprint of this X509 certificate.
- *
- * Returns:
- * The thumbprint as a lowercase 40-character hexadecimal number, or NULL
- * if this isn't a X509 certificate.
- */
- public function getX509Thumbprint() {
- return $this->X509Thumbprint;
- }
-
-
- /**
- * Create key from an EncryptedKey-element.
- *
- * @param DOMElement $element The EncryptedKey-element.
- * @return XMLSecurityKey The new key.
- */
- public static function fromEncryptedKeyElement(DOMElement $element) {
-
- $objenc = new XMLSecEnc();
- $objenc->setNode($element);
- if (! $objKey = $objenc->locateKey()) {
- throw new Exception("Unable to locate algorithm for this Encrypted Key");
- }
- $objKey->isEncrypted = TRUE;
- $objKey->encryptedCtx = $objenc;
- XMLSecEnc::staticLocateKeyInfo($objKey, $element);
- return $objKey;
- }
-
-}
-
-class XMLSecurityDSig {
- const XMLDSIGNS = 'http://www.w3.org/2000/09/xmldsig#';
- const SHA1 = 'http://www.w3.org/2000/09/xmldsig#sha1';
- const SHA256 = 'http://www.w3.org/2001/04/xmlenc#sha256';
- const SHA384 = 'http://www.w3.org/2001/04/xmldsig-more#sha384';
- const SHA512 = 'http://www.w3.org/2001/04/xmlenc#sha512';
- const RIPEMD160 = 'http://www.w3.org/2001/04/xmlenc#ripemd160';
-
- const C14N = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';
- const C14N_COMMENTS = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments';
- const EXC_C14N = 'http://www.w3.org/2001/10/xml-exc-c14n#';
- const EXC_C14N_COMMENTS = 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments';
-
- const template = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
- <ds:SignedInfo>
- <ds:SignatureMethod />
- </ds:SignedInfo>
-</ds:Signature>';
-
- public $sigNode = NULL;
- public $idKeys = array();
- public $idNS = array();
- private $signedInfo = NULL;
- private $xPathCtx = NULL;
- private $canonicalMethod = NULL;
- private $prefix = 'ds';
- private $searchpfx = 'secdsig';
-
- /* This variable contains an associative array of validated nodes. */
- private $validatedNodes = NULL;
-
- public function __construct() {
- $sigdoc = new DOMDocument();
- $sigdoc->loadXML(XMLSecurityDSig::template);
- $this->sigNode = $sigdoc->documentElement;
- }
-
- private function resetXPathObj() {
- $this->xPathCtx = NULL;
- }
-
- private function getXPathObj() {
- if (empty($this->xPathCtx) && ! empty($this->sigNode)) {
- $xpath = new DOMXPath($this->sigNode->ownerDocument);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- $this->xPathCtx = $xpath;
- }
- return $this->xPathCtx;
- }
-
- static function generate_GUID($prefix='pfx') {
- $uuid = md5(uniqid(rand(), true));
- $guid = $prefix.substr($uuid,0,8)."-".
- substr($uuid,8,4)."-".
- substr($uuid,12,4)."-".
- substr($uuid,16,4)."-".
- substr($uuid,20,12);
- return $guid;
- }
-
- public function locateSignature($objDoc) {
- if ($objDoc instanceof DOMDocument) {
- $doc = $objDoc;
- } else {
- $doc = $objDoc->ownerDocument;
- }
- if ($doc) {
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = ".//secdsig:Signature";
- $nodeset = $xpath->query($query, $objDoc);
- $this->sigNode = $nodeset->item(0);
- return $this->sigNode;
- }
- return NULL;
- }
-
- public function createNewSignNode($name, $value=NULL) {
- $doc = $this->sigNode->ownerDocument;
- if (! is_null($value)) {
- $node = $doc->createElementNS(XMLSecurityDSig::XMLDSIGNS, $this->prefix.':'.$name, $value);
- } else {
- $node = $doc->createElementNS(XMLSecurityDSig::XMLDSIGNS, $this->prefix.':'.$name);
- }
- return $node;
- }
-
- public function setCanonicalMethod($method) {
- switch ($method) {
- case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315':
- case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments':
- case 'http://www.w3.org/2001/10/xml-exc-c14n#':
- case 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments':
- $this->canonicalMethod = $method;
- break;
- default:
- throw new Exception('Invalid Canonical Method');
- }
- if ($xpath = $this->getXPathObj()) {
- $query = './'.$this->searchpfx.':SignedInfo';
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($sinfo = $nodeset->item(0)) {
- $query = './'.$this->searchpfx.'CanonicalizationMethod';
- $nodeset = $xpath->query($query, $sinfo);
- if (! ($canonNode = $nodeset->item(0))) {
- $canonNode = $this->createNewSignNode('CanonicalizationMethod');
- $sinfo->insertBefore($canonNode, $sinfo->firstChild);
- }
- $canonNode->setAttribute('Algorithm', $this->canonicalMethod);
- }
- }
- }
-
- private function canonicalizeData($node, $canonicalmethod, $arXPath=NULL, $prefixList=NULL) {
- $exclusive = FALSE;
- $withComments = FALSE;
- switch ($canonicalmethod) {
- case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315':
- $exclusive = FALSE;
- $withComments = FALSE;
- break;
- case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments':
- $withComments = TRUE;
- break;
- case 'http://www.w3.org/2001/10/xml-exc-c14n#':
- $exclusive = TRUE;
- break;
- case 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments':
- $exclusive = TRUE;
- $withComments = TRUE;
- break;
- }
-/* Support PHP versions < 5.2 not containing C14N methods in DOM extension */
- $php_version = explode('.', PHP_VERSION);
- if (($php_version[0] < 5) || ($php_version[0] == 5 && $php_version[1] < 2) ) {
- if (! is_null($arXPath)) {
- throw new Exception("PHP 5.2.0 or higher is required to perform XPath Transformations");
- }
- return C14NGeneral($node, $exclusive, $withComments);
- }
- return $node->C14N($exclusive, $withComments, $arXPath, $prefixList);
- }
-
- public function canonicalizeSignedInfo() {
-
- $doc = $this->sigNode->ownerDocument;
- $canonicalmethod = NULL;
- if ($doc) {
- $xpath = $this->getXPathObj();
- $query = "./secdsig:SignedInfo";
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($signInfoNode = $nodeset->item(0)) {
- $query = "./secdsig:CanonicalizationMethod";
- $nodeset = $xpath->query($query, $signInfoNode);
- if ($canonNode = $nodeset->item(0)) {
- $canonicalmethod = $canonNode->getAttribute('Algorithm');
- }
- $this->signedInfo = $this->canonicalizeData($signInfoNode, $canonicalmethod);
- return $this->signedInfo;
- }
- }
- return NULL;
- }
-
- public function calculateDigest ($digestAlgorithm, $data) {
- switch ($digestAlgorithm) {
- case XMLSecurityDSig::SHA1:
- $alg = 'sha1';
- break;
- case XMLSecurityDSig::SHA256:
- $alg = 'sha256';
- break;
- case XMLSecurityDSig::SHA384:
- $alg = 'sha384';
- break;
- case XMLSecurityDSig::SHA512:
- $alg = 'sha512';
- break;
- case XMLSecurityDSig::RIPEMD160:
- $alg = 'ripemd160';
- break;
- default:
- throw new Exception("Cannot validate digest: Unsupported Algorith <$digestAlgorithm>");
- }
- if (function_exists('hash')) {
- return base64_encode(hash($alg, $data, TRUE));
- } elseif (function_exists('mhash')) {
- $alg = "MHASH_" . strtoupper($alg);
- return base64_encode(mhash(constant($alg), $data));
- } elseif ($alg === 'sha1') {
- return base64_encode(sha1($data, TRUE));
- } else {
- throw new Exception('xmlseclibs is unable to calculate a digest. Maybe you need the mhash library?');
- }
- }
-
- public function validateDigest($refNode, $data) {
- $xpath = new DOMXPath($refNode->ownerDocument);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = 'string(./secdsig:DigestMethod/@Algorithm)';
- $digestAlgorithm = $xpath->evaluate($query, $refNode);
- $digValue = $this->calculateDigest($digestAlgorithm, $data);
- $query = 'string(./secdsig:DigestValue)';
- $digestValue = $xpath->evaluate($query, $refNode);
- return ($digValue == $digestValue);
- }
-
- public function processTransforms($refNode, $objData, $includeCommentNodes = TRUE) {
- $data = $objData;
- $xpath = new DOMXPath($refNode->ownerDocument);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = './secdsig:Transforms/secdsig:Transform';
- $nodelist = $xpath->query($query, $refNode);
- $canonicalMethod = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';
- $arXPath = NULL;
- $prefixList = NULL;
- foreach ($nodelist AS $transform) {
- $algorithm = $transform->getAttribute("Algorithm");
- switch ($algorithm) {
- case 'http://www.w3.org/2001/10/xml-exc-c14n#':
- case 'http://www.w3.org/2001/10/xml-exc-c14n#WithComments':
-
- if(!$includeCommentNodes) {
- /* We remove comment nodes by forcing it to use a canonicalization
- * without comments.
- */
- $canonicalMethod = 'http://www.w3.org/2001/10/xml-exc-c14n#';
- } else {
- $canonicalMethod = $algorithm;
- }
-
- $node = $transform->firstChild;
- while ($node) {
- if ($node->localName == 'InclusiveNamespaces') {
- if ($pfx = $node->getAttribute('PrefixList')) {
- $arpfx = array();
- $pfxlist = explode(" ", $pfx);
- foreach ($pfxlist AS $pfx) {
- $val = trim($pfx);
- if (! empty($val)) {
- $arpfx[] = $val;
- }
- }
- if (count($arpfx) > 0) {
- $prefixList = $arpfx;
- }
- }
- break;
- }
- $node = $node->nextSibling;
- }
- break;
- case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315':
- case 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments':
- if(!$includeCommentNodes) {
- /* We remove comment nodes by forcing it to use a canonicalization
- * without comments.
- */
- $canonicalMethod = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';
- } else {
- $canonicalMethod = $algorithm;
- }
-
- break;
- case 'http://www.w3.org/TR/1999/REC-xpath-19991116':
- $node = $transform->firstChild;
- while ($node) {
- if ($node->localName == 'XPath') {
- $arXPath = array();
- $arXPath['query'] = '(.//. | .//@* | .//namespace::*)['.$node->nodeValue.']';
- $arXpath['namespaces'] = array();
- $nslist = $xpath->query('./namespace::*', $node);
- foreach ($nslist AS $nsnode) {
- if ($nsnode->localName != "xml") {
- $arXPath['namespaces'][$nsnode->localName] = $nsnode->nodeValue;
- }
- }
- break;
- }
- $node = $node->nextSibling;
- }
- break;
- }
- }
- if ($data instanceof DOMNode) {
- $data = $this->canonicalizeData($objData, $canonicalMethod, $arXPath, $prefixList);
- }
- return $data;
- }
-
- public function processRefNode($refNode) {
- $dataObject = NULL;
-
- /*
- * Depending on the URI, we may not want to include comments in the result
- * See: http://www.w3.org/TR/xmldsig-core/#sec-ReferenceProcessingModel
- */
- $includeCommentNodes = TRUE;
-
- if ($uri = $refNode->getAttribute("URI")) {
- $arUrl = parse_url($uri);
- if (empty($arUrl['path'])) {
- if ($identifier = $arUrl['fragment']) {
-
- /* This reference identifies a node with the given id by using
- * a URI on the form "#identifier". This should not include comments.
- */
- $includeCommentNodes = FALSE;
-
- $xPath = new DOMXPath($refNode->ownerDocument);
- if ($this->idNS && is_array($this->idNS)) {
- foreach ($this->idNS AS $nspf=>$ns) {
- $xPath->registerNamespace($nspf, $ns);
- }
- }
- $iDlist = '@Id="'.$identifier.'"';
- if (is_array($this->idKeys)) {
- foreach ($this->idKeys AS $idKey) {
- $iDlist .= " or @$idKey='$identifier'";
- }
- }
- $query = '//*['.$iDlist.']';
- $dataObject = $xPath->query($query)->item(0);
- } else {
- $dataObject = $refNode->ownerDocument;
- }
- } else {
- $dataObject = file_get_contents($arUrl);
- }
- } else {
- /* This reference identifies the root node with an empty URI. This should
- * not include comments.
- */
- $includeCommentNodes = FALSE;
-
- $dataObject = $refNode->ownerDocument;
- }
- $data = $this->processTransforms($refNode, $dataObject, $includeCommentNodes);
- if (!$this->validateDigest($refNode, $data)) {
- return FALSE;
- }
-
- if ($dataObject instanceof DOMNode) {
- /* Add this node to the list of validated nodes. */
- if(! empty($identifier)) {
- $this->validatedNodes[$identifier] = $dataObject;
- } else {
- $this->validatedNodes[] = $dataObject;
- }
- }
-
- return TRUE;
- }
-
- public function getRefNodeID($refNode) {
- if ($uri = $refNode->getAttribute("URI")) {
- $arUrl = parse_url($uri);
- if (empty($arUrl['path'])) {
- if ($identifier = $arUrl['fragment']) {
- return $identifier;
- }
- }
- }
- return null;
- }
-
- public function getRefIDs() {
- $refids = array();
- $doc = $this->sigNode->ownerDocument;
-
- $xpath = $this->getXPathObj();
- $query = "./secdsig:SignedInfo/secdsig:Reference";
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($nodeset->length == 0) {
- throw new Exception("Reference nodes not found");
- }
- foreach ($nodeset AS $refNode) {
- $refids[] = $this->getRefNodeID($refNode);
- }
- return $refids;
- }
-
- public function validateReference() {
- $doc = $this->sigNode->ownerDocument;
- if (! $doc->isSameNode($this->sigNode)) {
- $this->sigNode->parentNode->removeChild($this->sigNode);
- }
- $xpath = $this->getXPathObj();
- $query = "./secdsig:SignedInfo/secdsig:Reference";
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($nodeset->length == 0) {
- throw new Exception("Reference nodes not found");
- }
-
- /* Initialize/reset the list of validated nodes. */
- $this->validatedNodes = array();
-
- foreach ($nodeset AS $refNode) {
- if (! $this->processRefNode($refNode)) {
- /* Clear the list of validated nodes. */
- $this->validatedNodes = NULL;
- throw new Exception("Reference validation failed");
- }
- }
- return TRUE;
- }
-
- private function addRefInternal($sinfoNode, $node, $algorithm, $arTransforms=NULL, $options=NULL) {
- $prefix = NULL;
- $prefix_ns = NULL;
- $id_name = 'Id';
- $overwrite_id = TRUE;
- $force_uri = FALSE;
-
- if (is_array($options)) {
- $prefix = empty($options['prefix'])?NULL:$options['prefix'];
- $prefix_ns = empty($options['prefix_ns'])?NULL:$options['prefix_ns'];
- $id_name = empty($options['id_name'])?'Id':$options['id_name'];
- $overwrite_id = !isset($options['overwrite'])?TRUE:(bool)$options['overwrite'];
- $force_uri = !isset($options['force_uri'])?FALSE:(bool)$options['force_uri'];
- }
-
- $attname = $id_name;
- if (! empty($prefix)) {
- $attname = $prefix.':'.$attname;
- }
-
- $refNode = $this->createNewSignNode('Reference');
- $sinfoNode->appendChild($refNode);
-
- if (! $node instanceof DOMDocument) {
- $uri = NULL;
- if (! $overwrite_id) {
- $uri = $node->getAttributeNS($prefix_ns, $attname);
- }
- if (empty($uri)) {
- $uri = XMLSecurityDSig::generate_GUID();
- $node->setAttributeNS($prefix_ns, $attname, $uri);
- }
- $refNode->setAttribute("URI", '#'.$uri);
- } elseif ($force_uri) {
- $refNode->setAttribute("URI", '');
- }
-
- $transNodes = $this->createNewSignNode('Transforms');
- $refNode->appendChild($transNodes);
-
- if (is_array($arTransforms)) {
- foreach ($arTransforms AS $transform) {
- $transNode = $this->createNewSignNode('Transform');
- $transNodes->appendChild($transNode);
- if (is_array($transform) &&
- (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116'])) &&
- (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']))) {
- $transNode->setAttribute('Algorithm', 'http://www.w3.org/TR/1999/REC-xpath-19991116');
- $XPathNode = $this->createNewSignNode('XPath', $transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['query']);
- $transNode->appendChild($XPathNode);
- if (! empty($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['namespaces'])) {
- foreach ($transform['http://www.w3.org/TR/1999/REC-xpath-19991116']['namespaces'] AS $prefix => $namespace) {
- $XPathNode->setAttributeNS("http://www.w3.org/2000/xmlns/", "xmlns:$prefix", $namespace);
- }
- }
- } else {
- $transNode->setAttribute('Algorithm', $transform);
- }
- }
- } elseif (! empty($this->canonicalMethod)) {
- $transNode = $this->createNewSignNode('Transform');
- $transNodes->appendChild($transNode);
- $transNode->setAttribute('Algorithm', $this->canonicalMethod);
- }
-
- $canonicalData = $this->processTransforms($refNode, $node);
- $digValue = $this->calculateDigest($algorithm, $canonicalData);
-
- $digestMethod = $this->createNewSignNode('DigestMethod');
- $refNode->appendChild($digestMethod);
- $digestMethod->setAttribute('Algorithm', $algorithm);
-
- $digestValue = $this->createNewSignNode('DigestValue', $digValue);
- $refNode->appendChild($digestValue);
- }
-
- public function addReference($node, $algorithm, $arTransforms=NULL, $options=NULL) {
- if ($xpath = $this->getXPathObj()) {
- $query = "./secdsig:SignedInfo";
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($sInfo = $nodeset->item(0)) {
- $this->addRefInternal($sInfo, $node, $algorithm, $arTransforms, $options);
- }
- }
- }
-
- public function addReferenceList($arNodes, $algorithm, $arTransforms=NULL, $options=NULL) {
- if ($xpath = $this->getXPathObj()) {
- $query = "./secdsig:SignedInfo";
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($sInfo = $nodeset->item(0)) {
- foreach ($arNodes AS $node) {
- $this->addRefInternal($sInfo, $node, $algorithm, $arTransforms, $options);
- }
- }
- }
- }
-
- public function addObject($data, $mimetype=NULL, $encoding=NULL) {
- $objNode = $this->createNewSignNode('Object');
- $this->sigNode->appendChild($objNode);
- if (! empty($mimetype)) {
- $objNode->setAtribute('MimeType', $mimetype);
- }
- if (! empty($encoding)) {
- $objNode->setAttribute('Encoding', $encoding);
- }
-
- if ($data instanceof DOMElement) {
- $newData = $this->sigNode->ownerDocument->importNode($data, TRUE);
- } else {
- $newData = $this->sigNode->ownerDocument->createTextNode($data);
- }
- $objNode->appendChild($newData);
-
- return $objNode;
- }
-
- public function locateKey($node=NULL) {
- if (empty($node)) {
- $node = $this->sigNode;
- }
- if (! $node instanceof DOMNode) {
- return NULL;
- }
- if ($doc = $node->ownerDocument) {
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = "string(./secdsig:SignedInfo/secdsig:SignatureMethod/@Algorithm)";
- $algorithm = $xpath->evaluate($query, $node);
- if ($algorithm) {
- try {
- $objKey = new XMLSecurityKey($algorithm, array('type'=>'public'));
- } catch (Exception $e) {
- return NULL;
- }
- return $objKey;
- }
- }
- return NULL;
- }
-
- public function verify($objKey) {
- $doc = $this->sigNode->ownerDocument;
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = "string(./secdsig:SignatureValue)";
- $sigValue = $xpath->evaluate($query, $this->sigNode);
- if (empty($sigValue)) {
- throw new Exception("Unable to locate SignatureValue");
- }
- return $objKey->verifySignature($this->signedInfo, base64_decode($sigValue));
- }
-
- public function signData($objKey, $data) {
- return $objKey->signData($data);
- }
-
- public function sign($objKey, $appendToNode = NULL) {
- // If we have a parent node append it now so C14N properly works
- if ($appendToNode != NULL) {
- $this->resetXPathObj();
- $this->appendSignature($appendToNode);
- $this->sigNode = $appendToNode->lastChild;
- }
- if ($xpath = $this->getXPathObj()) {
- $query = "./secdsig:SignedInfo";
- $nodeset = $xpath->query($query, $this->sigNode);
- if ($sInfo = $nodeset->item(0)) {
- $query = "./secdsig:SignatureMethod";
- $nodeset = $xpath->query($query, $sInfo);
- $sMethod = $nodeset->item(0);
- $sMethod->setAttribute('Algorithm', $objKey->type);
- $data = $this->canonicalizeData($sInfo, $this->canonicalMethod);
- $sigValue = base64_encode($this->signData($objKey, $data));
- $sigValueNode = $this->createNewSignNode('SignatureValue', $sigValue);
- if ($infoSibling = $sInfo->nextSibling) {
- $infoSibling->parentNode->insertBefore($sigValueNode, $infoSibling);
- } else {
- $this->sigNode->appendChild($sigValueNode);
- }
- }
- }
- }
-
- public function appendCert() {
-
- }
-
- public function appendKey($objKey, $parent=NULL) {
- $objKey->serializeKey($parent);
- }
-
-
- /**
- * This function inserts the signature element.
- *
- * The signature element will be appended to the element, unless $beforeNode is specified. If $beforeNode
- * is specified, the signature element will be inserted as the last element before $beforeNode.
- *
- * @param $node The node the signature element should be inserted into.
- * @param $beforeNode The node the signature element should be located before.
- *
- * @return DOMNode The signature element node
- */
- public function insertSignature($node, $beforeNode = NULL) {
-
- $document = $node->ownerDocument;
- $signatureElement = $document->importNode($this->sigNode, TRUE);
-
- if($beforeNode == NULL) {
- return $node->insertBefore($signatureElement);
- } else {
- return $node->insertBefore($signatureElement, $beforeNode);
- }
- }
-
- public function appendSignature($parentNode, $insertBefore = FALSE) {
- $beforeNode = $insertBefore ? $parentNode->firstChild : NULL;
- return $this->insertSignature($parentNode, $beforeNode);
- }
-
- static function get509XCert($cert, $isPEMFormat=TRUE) {
- $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
- if (! empty($certs)) {
- return $certs[0];
- }
- return '';
- }
-
- static function staticGet509XCerts($certs, $isPEMFormat=TRUE) {
- if ($isPEMFormat) {
- $data = '';
- $certlist = array();
- $arCert = explode("\n", $certs);
- $inData = FALSE;
- foreach ($arCert AS $curData) {
- if (! $inData) {
- if (strncmp($curData, '-----BEGIN CERTIFICATE', 22) == 0) {
- $inData = TRUE;
- }
- } else {
- if (strncmp($curData, '-----END CERTIFICATE', 20) == 0) {
- $inData = FALSE;
- $certlist[] = $data;
- $data = '';
- continue;
- }
- $data .= trim($curData);
- }
- }
- return $certlist;
- } else {
- return array($certs);
- }
- }
-
- static function staticAdd509Cert($parentRef, $cert, $isPEMFormat=TRUE, $isURL=False, $xpath=NULL) {
- if ($isURL) {
- $cert = file_get_contents($cert);
- }
- if (! $parentRef instanceof DOMElement) {
- throw new Exception('Invalid parent Node parameter');
- }
- $baseDoc = $parentRef->ownerDocument;
-
- if (empty($xpath)) {
- $xpath = new DOMXPath($parentRef->ownerDocument);
- $xpath->registerNamespace('secdsig', XMLSecurityDSig::XMLDSIGNS);
- }
-
- $query = "./secdsig:KeyInfo";
- $nodeset = $xpath->query($query, $parentRef);
- $keyInfo = $nodeset->item(0);
- if (! $keyInfo) {
- $inserted = FALSE;
- $keyInfo = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:KeyInfo');
-
- $query = "./secdsig:Object";
- $nodeset = $xpath->query($query, $parentRef);
- if ($sObject = $nodeset->item(0)) {
- $sObject->parentNode->insertBefore($keyInfo, $sObject);
- $inserted = TRUE;
- }
-
- if (! $inserted) {
- $parentRef->appendChild($keyInfo);
- }
- }
-
- // Add all certs if there are more than one
- $certs = XMLSecurityDSig::staticGet509XCerts($cert, $isPEMFormat);
-
- // Atach X509 data node
- $x509DataNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Data');
- $keyInfo->appendChild($x509DataNode);
-
- // Atach all certificate nodes
- foreach ($certs as $X509Cert){
- $x509CertNode = $baseDoc->createElementNS(XMLSecurityDSig::XMLDSIGNS, 'ds:X509Certificate', $X509Cert);
- $x509DataNode->appendChild($x509CertNode);
- }
- }
-
- public function add509Cert($cert, $isPEMFormat=TRUE, $isURL=False) {
- if ($xpath = $this->getXPathObj()) {
- self::staticAdd509Cert($this->sigNode, $cert, $isPEMFormat, $isURL, $xpath);
- }
- }
-
- /* This function retrieves an associative array of the validated nodes.
- *
- * The array will contain the id of the referenced node as the key and the node itself
- * as the value.
- *
- * Returns:
- * An associative array of validated nodes or NULL if no nodes have been validated.
- */
- public function getValidatedNodes() {
- return $this->validatedNodes;
- }
-}
-
-class XMLSecEnc {
- const template = "<xenc:EncryptedData xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>
- <xenc:CipherData>
- <xenc:CipherValue></xenc:CipherValue>
- </xenc:CipherData>
-</xenc:EncryptedData>";
-
- const Element = 'http://www.w3.org/2001/04/xmlenc#Element';
- const Content = 'http://www.w3.org/2001/04/xmlenc#Content';
- const URI = 3;
- const XMLENCNS = 'http://www.w3.org/2001/04/xmlenc#';
-
- private $encdoc = NULL;
- private $rawNode = NULL;
- public $type = NULL;
- public $encKey = NULL;
- private $references = array();
-
- public function __construct() {
- $this->_resetTemplate();
- }
-
- private function _resetTemplate(){
- $this->encdoc = new DOMDocument();
- $this->encdoc->loadXML(XMLSecEnc::template);
- }
-
- public function addReference($name, $node, $type) {
- if (! $node instanceOf DOMNode) {
- throw new Exception('$node is not of type DOMNode');
- }
- $curencdoc = $this->encdoc;
- $this->_resetTemplate();
- $encdoc = $this->encdoc;
- $this->encdoc = $curencdoc;
- $refuri = XMLSecurityDSig::generate_GUID();
- $element = $encdoc->documentElement;
- $element->setAttribute("Id", $refuri);
- $this->references[$name] = array("node" => $node, "type" => $type, "encnode" => $encdoc, "refuri" => $refuri);
- }
-
- public function setNode($node) {
- $this->rawNode = $node;
- }
-
- public function encryptNode($objKey, $replace=TRUE) {
- $data = '';
- if (empty($this->rawNode)) {
- throw new Exception('Node to encrypt has not been set');
- }
- if (! $objKey instanceof XMLSecurityKey) {
- throw new Exception('Invalid Key');
- }
- $doc = $this->rawNode->ownerDocument;
- $xPath = new DOMXPath($this->encdoc);
- $objList = $xPath->query('/xenc:EncryptedData/xenc:CipherData/xenc:CipherValue');
- $cipherValue = $objList->item(0);
- if ($cipherValue == NULL) {
- throw new Exception('Error locating CipherValue element within template');
- }
- switch ($this->type) {
- case (XMLSecEnc::Element):
- $data = $doc->saveXML($this->rawNode);
- $this->encdoc->documentElement->setAttribute('Type', XMLSecEnc::Element);
- break;
- case (XMLSecEnc::Content):
- $children = $this->rawNode->childNodes;
- foreach ($children AS $child) {
- $data .= $doc->saveXML($child);
- }
- $this->encdoc->documentElement->setAttribute('Type', XMLSecEnc::Content);
- break;
- default:
- throw new Exception('Type is currently not supported');
- return;
- }
-
- $encMethod = $this->encdoc->documentElement->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptionMethod'));
- $encMethod->setAttribute('Algorithm', $objKey->getAlgorith());
- $cipherValue->parentNode->parentNode->insertBefore($encMethod, $cipherValue->parentNode->parentNode->firstChild);
-
- $strEncrypt = base64_encode($objKey->encryptData($data));
- $value = $this->encdoc->createTextNode($strEncrypt);
- $cipherValue->appendChild($value);
-
- if ($replace) {
- switch ($this->type) {
- case (XMLSecEnc::Element):
- if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) {
- return $this->encdoc;
- }
- $importEnc = $this->rawNode->ownerDocument->importNode($this->encdoc->documentElement, TRUE);
- $this->rawNode->parentNode->replaceChild($importEnc, $this->rawNode);
- return $importEnc;
- break;
- case (XMLSecEnc::Content):
- $importEnc = $this->rawNode->ownerDocument->importNode($this->encdoc->documentElement, TRUE);
- while($this->rawNode->firstChild) {
- $this->rawNode->removeChild($this->rawNode->firstChild);
- }
- $this->rawNode->appendChild($importEnc);
- return $importEnc;
- break;
- }
- }
- }
-
- public function encryptReferences($objKey) {
- $curRawNode = $this->rawNode;
- $curType = $this->type;
- foreach ($this->references AS $name=>$reference) {
- $this->encdoc = $reference["encnode"];
- $this->rawNode = $reference["node"];
- $this->type = $reference["type"];
- try {
- $encNode = $this->encryptNode($objKey);
- $this->references[$name]["encnode"] = $encNode;
- } catch (Exception $e) {
- $this->rawNode = $curRawNode;
- $this->type = $curType;
- throw $e;
- }
- }
- $this->rawNode = $curRawNode;
- $this->type = $curType;
- }
-
- /**
- * Retrieve the CipherValue text from this encrypted node.
- *
- * @return string|NULL The Ciphervalue text, or NULL if no CipherValue is found.
- */
- public function getCipherValue() {
- if (empty($this->rawNode)) {
- throw new Exception('Node to decrypt has not been set');
- }
-
- $doc = $this->rawNode->ownerDocument;
- $xPath = new DOMXPath($doc);
- $xPath->registerNamespace('xmlencr', XMLSecEnc::XMLENCNS);
- /* Only handles embedded content right now and not a reference */
- $query = "./xmlencr:CipherData/xmlencr:CipherValue";
- $nodeset = $xPath->query($query, $this->rawNode);
- $node = $nodeset->item(0);
-
- if (!$node) {
- return NULL;
- }
-
- return base64_decode($node->nodeValue);
- }
-
- /**
- * Decrypt this encrypted node.
- *
- * The behaviour of this function depends on the value of $replace.
- * If $replace is FALSE, we will return the decrypted data as a string.
- * If $replace is TRUE, we will insert the decrypted element(s) into the
- * document, and return the decrypted element(s).
- *
- * @params XMLSecurityKey $objKey The decryption key that should be used when decrypting the node.
- * @params boolean $replace Whether we should replace the encrypted node in the XML document with the decrypted data. The default is TRUE.
- * @return string|DOMElement The decrypted data.
- */
- public function decryptNode($objKey, $replace=TRUE) {
- if (! $objKey instanceof XMLSecurityKey) {
- throw new Exception('Invalid Key');
- }
-
- $encryptedData = $this->getCipherValue();
- if ($encryptedData) {
- $decrypted = $objKey->decryptData($encryptedData);
- if ($replace) {
- switch ($this->type) {
- case (XMLSecEnc::Element):
- $newdoc = new DOMDocument();
- $newdoc->loadXML($decrypted);
- if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) {
- return $newdoc;
- }
- $importEnc = $this->rawNode->ownerDocument->importNode($newdoc->documentElement, TRUE);
- $this->rawNode->parentNode->replaceChild($importEnc, $this->rawNode);
- return $importEnc;
- break;
- case (XMLSecEnc::Content):
- if ($this->rawNode->nodeType == XML_DOCUMENT_NODE) {
- $doc = $this->rawNode;
- } else {
- $doc = $this->rawNode->ownerDocument;
- }
- $newFrag = $doc->createDocumentFragment();
- $newFrag->appendXML($decrypted);
- $parent = $this->rawNode->parentNode;
- $parent->replaceChild($newFrag, $this->rawNode);
- return $parent;
- break;
- default:
- return $decrypted;
- }
- } else {
- return $decrypted;
- }
- } else {
- throw new Exception("Cannot locate encrypted data");
- }
- }
-
- public function encryptKey($srcKey, $rawKey, $append=TRUE) {
- if ((! $srcKey instanceof XMLSecurityKey) || (! $rawKey instanceof XMLSecurityKey)) {
- throw new Exception('Invalid Key');
- }
- $strEncKey = base64_encode($srcKey->encryptData($rawKey->key));
- $root = $this->encdoc->documentElement;
- $encKey = $this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptedKey');
- if ($append) {
- $keyInfo = $root->insertBefore($this->encdoc->createElementNS('http://www.w3.org/2000/09/xmldsig#', 'dsig:KeyInfo'), $root->firstChild);
- $keyInfo->appendChild($encKey);
- } else {
- $this->encKey = $encKey;
- }
- $encMethod = $encKey->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:EncryptionMethod'));
- $encMethod->setAttribute('Algorithm', $srcKey->getAlgorith());
- if (! empty($srcKey->name)) {
- $keyInfo = $encKey->appendChild($this->encdoc->createElementNS('http://www.w3.org/2000/09/xmldsig#', 'dsig:KeyInfo'));
- $keyInfo->appendChild($this->encdoc->createElementNS('http://www.w3.org/2000/09/xmldsig#', 'dsig:KeyName', $srcKey->name));
- }
- $cipherData = $encKey->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:CipherData'));
- $cipherData->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:CipherValue', $strEncKey));
- if (is_array($this->references) && count($this->references) > 0) {
- $refList = $encKey->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:ReferenceList'));
- foreach ($this->references AS $name=>$reference) {
- $refuri = $reference["refuri"];
- $dataRef = $refList->appendChild($this->encdoc->createElementNS(XMLSecEnc::XMLENCNS, 'xenc:DataReference'));
- $dataRef->setAttribute("URI", '#' . $refuri);
- }
- }
- return;
- }
-
- public function decryptKey($encKey) {
- if (! $encKey->isEncrypted) {
- throw new Exception("Key is not Encrypted");
- }
- if (empty($encKey->key)) {
- throw new Exception("Key is missing data to perform the decryption");
- }
- return $this->decryptNode($encKey, FALSE);
- }
-
- public function locateEncryptedData($element) {
- if ($element instanceof DOMDocument) {
- $doc = $element;
- } else {
- $doc = $element->ownerDocument;
- }
- if ($doc) {
- $xpath = new DOMXPath($doc);
- $query = "//*[local-name()='EncryptedData' and namespace-uri()='".XMLSecEnc::XMLENCNS."']";
- $nodeset = $xpath->query($query);
- return $nodeset->item(0);
- }
- return NULL;
- }
-
- public function locateKey($node=NULL) {
- if (empty($node)) {
- $node = $this->rawNode;
- }
- if (! $node instanceof DOMNode) {
- return NULL;
- }
- if ($doc = $node->ownerDocument) {
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('xmlsecenc', XMLSecEnc::XMLENCNS);
- $query = ".//xmlsecenc:EncryptionMethod";
- $nodeset = $xpath->query($query, $node);
- if ($encmeth = $nodeset->item(0)) {
- $attrAlgorithm = $encmeth->getAttribute("Algorithm");
- try {
- $objKey = new XMLSecurityKey($attrAlgorithm, array('type'=>'private'));
- } catch (Exception $e) {
- return NULL;
- }
- return $objKey;
- }
- }
- return NULL;
- }
-
- static function staticLocateKeyInfo($objBaseKey=NULL, $node=NULL) {
- if (empty($node) || (! $node instanceof DOMNode)) {
- return NULL;
- }
- $doc = $node->ownerDocument;
- if (!$doc) {
- return NULL;
- }
-
- $xpath = new DOMXPath($doc);
- $xpath->registerNamespace('xmlsecenc', XMLSecEnc::XMLENCNS);
- $xpath->registerNamespace('xmlsecdsig', XMLSecurityDSig::XMLDSIGNS);
- $query = "./xmlsecdsig:KeyInfo";
- $nodeset = $xpath->query($query, $node);
- $encmeth = $nodeset->item(0);
- if (!$encmeth) {
- /* No KeyInfo in EncryptedData / EncryptedKey. */
- return $objBaseKey;
- }
-
- foreach ($encmeth->childNodes AS $child) {
- switch ($child->localName) {
- case 'KeyName':
- if (! empty($objBaseKey)) {
- $objBaseKey->name = $child->nodeValue;
- }
- break;
- case 'KeyValue':
- foreach ($child->childNodes AS $keyval) {
- switch ($keyval->localName) {
- case 'DSAKeyValue':
- throw new Exception("DSAKeyValue currently not supported");
- break;
- case 'RSAKeyValue':
- $modulus = NULL;
- $exponent = NULL;
- if ($modulusNode = $keyval->getElementsByTagName('Modulus')->item(0)) {
- $modulus = base64_decode($modulusNode->nodeValue);
- }
- if ($exponentNode = $keyval->getElementsByTagName('Exponent')->item(0)) {
- $exponent = base64_decode($exponentNode->nodeValue);
- }
- if (empty($modulus) || empty($exponent)) {
- throw new Exception("Missing Modulus or Exponent");
- }
- $publicKey = XMLSecurityKey::convertRSA($modulus, $exponent);
- $objBaseKey->loadKey($publicKey);
- break;
- }
- }
- break;
- case 'RetrievalMethod':
- $type = $child->getAttribute('Type');
- if ($type !== 'http://www.w3.org/2001/04/xmlenc#EncryptedKey') {
- /* Unsupported key type. */
- break;
- }
- $uri = $child->getAttribute('URI');
- if ($uri[0] !== '#') {
- /* URI not a reference - unsupported. */
- break;
- }
- $id = substr($uri, 1);
-
- $query = "//xmlsecenc:EncryptedKey[@Id='$id']";
- $keyElement = $xpath->query($query)->item(0);
- if (!$keyElement) {
- throw new Exception("Unable to locate EncryptedKey with @Id='$id'.");
- }
-
- return XMLSecurityKey::fromEncryptedKeyElement($keyElement);
- case 'EncryptedKey':
- return XMLSecurityKey::fromEncryptedKeyElement($child);
- case 'X509Data':
- if ($x509certNodes = $child->getElementsByTagName('X509Certificate')) {
- if ($x509certNodes->length > 0) {
- $x509cert = $x509certNodes->item(0)->textContent;
- $x509cert = str_replace(array("\r", "\n"), "", $x509cert);
- $x509cert = "-----BEGIN CERTIFICATE-----\n".chunk_split($x509cert, 64, "\n")."-----END CERTIFICATE-----\n";
- $objBaseKey->loadKey($x509cert, FALSE, TRUE);
- }
- }
- break;
- }
- }
- return $objBaseKey;
- }
-
- public function locateKeyInfo($objBaseKey=NULL, $node=NULL) {
- if (empty($node)) {
- $node = $this->rawNode;
- }
- return XMLSecEnc::staticLocateKeyInfo($objBaseKey, $node);
- }
-}