authortailor <cygnus@janrain.com>2007-02-06 21:45:34 +0000
committertailor <cygnus@janrain.com>2007-02-06 21:45:34 +0000
commit304ae35257497ee4125a05be72ba7216346872fb (patch)
treeee8a41616aa956d1e9c5b20595f84f49ee0331af
parent2ea8440842c27a4c6f317b09ac88310372019549 (diff)
[project @ Add association tests]
-rw-r--r--Auth/OpenID/Server.php53
-rw-r--r--Tests/Auth/OpenID/Server.php87
2 files changed, 132 insertions, 8 deletions
diff --git a/Auth/OpenID/Server.php b/Auth/OpenID/Server.php
index 01a1268..213ccf3 100644
--- a/Auth/OpenID/Server.php
+++ b/Auth/OpenID/Server.php
@@ -217,7 +217,8 @@ class Auth_OpenID_ServerError {
}
if ($this->reference !== null) {
- $reply->setArg(Auth_OpenID_OPENID_NS, 'reference', $this->reference);
+ $reply->setArg(Auth_OpenID_OPENID_NS, 'reference',
+ $this->reference);
}
return $reply;
@@ -444,7 +445,7 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession {
$this->consumer_pubkey = $consumer_pubkey;
}
- function fromMessage($message)
+ function getDH($message)
{
$dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus');
$dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen');
@@ -495,8 +496,20 @@ class Auth_OpenID_DiffieHellmanSHA1ServerSession {
"dh_consumer_public is not base64");
}
- return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh,
- $consumer_pubkey);
+ return array($dh, $consumer_pubkey);
+ }
+
+ function fromMessage($message)
+ {
+ $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
+
+ if (is_a($result, 'Auth_OpenID_ServerError')) {
+ return $result;
+ } else {
+ list($dh, $consumer_pubkey) = $result;
+ return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh,
+ $consumer_pubkey);
+ }
}
function answer($secret)
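Review bot: getDH() now has two return shapes, `array($dh, $consumer_pubkey)` on success and an `Auth_OpenID_ServerError` on failure, and nothing documents that; a docblock above `function getDH($message)` carrying `@return array|Auth_OpenID_ServerError` would explain the `is_a()` branch in its callers. The fromMessage() added here and the one added to Auth_OpenID_DiffieHellmanSHA256ServerSession in the next hunk are identical apart from the class name, so a shared helper taking the class name would keep the two from drifting. getDH() parses the client-supplied dh_modulus, dh_gen and dh_consumer_public, and only the base64 check is visible here; whether the decoded public value is range-checked against the modulus should be confirmed in the part of the body outside the hunk.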
@@ -517,6 +530,19 @@ class Auth_OpenID_DiffieHellmanSHA256ServerSession
var $session_type = 'DH-SHA256';
var $hash_func = 'Auth_OpenID_SHA256';
var $allowed_assoc_types = array('HMAC-SHA256');
+
+ function fromMessage($message)
+ {
+ $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
+
+ if (is_a($result, 'Auth_OpenID_ServerError')) {
+ return $result;
+ } else {
+ list($dh, $consumer_pubkey) = $result;
+ return new Auth_OpenID_DiffieHellmanSHA256ServerSession($dh,
+ $consumer_pubkey);
+ }
+ }
}
/**
@@ -582,6 +608,7 @@ class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request {
$assoc_type = $message->getArg(Auth_OpenID_OPENID_NS,
'assoc_type', 'HMAC-SHA1');
+
if (!in_array($assoc_type, $session->allowed_assoc_types)) {
$fmt = "Session type %s does not support association type %s";
return new Auth_OpenID_ServerError($message,
@@ -1439,6 +1466,7 @@ class Auth_OpenID_Server {
$this->encoder =& new Auth_OpenID_SigningEncoder($this->signatory);
$this->decoder =& new Auth_OpenID_Decoder($this);
$this->op_endpoint = $op_endpoint;
+ $this->negotiator =& Auth_OpenID_getDefaultNegotiator();
}
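Review bot: `$this->negotiator` is assigned without any comment, although it becomes the policy deciding which (assoc_type, session_type) pairs openid_associate() will issue, and the tests in this commit change it directly through `setAllowedTypes()`. A property comment such as `// Negotiator restricting the association and session types this server accepts; narrow it with setAllowedTypes().` would tell deployers where the knob is. What the default negotiator permits is not visible in this diff; OpenID 2.0 allows the `no-encryption` session type only over an encrypted transport, so endpoints not served over TLS should remove it from the allowed types. The constructor starts outside the hunk.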
/**
@@ -1478,8 +1506,21 @@ class Auth_OpenID_Server {
*/
function openid_associate(&$request)
{
- $assoc = $this->signatory->createAssociation(false);
- return $request->answer($assoc);
+ $assoc_type = $request->assoc_type;
+ $session_type = $request->session->session_type;
+ if ($this->negotiator->isAllowed($assoc_type, $session_type)) {
+ $assoc = $this->signatory->createAssociation(false,
+ $assoc_type);
+ return $request->answer($assoc);
+ } else {
+ $message = sprintf('Association type %s is not supported with '.
+ 'session type %s', $assoc_type, $session_type);
+ list($preferred_assoc_type, $preferred_session_type) = \
+ $this->negotiator->getAllowedType();
+ return $request->answerUnsupported($message,
+ $preferred_assoc_type,
+ $preferred_session_type);
+ }
}
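Review bot: The line `list($preferred_assoc_type, $preferred_session_type) = \` ends in a backslash, which is a Python line continuation and not PHP syntax; drop it so the statement reads `list($preferred_assoc_type, $preferred_session_type) = $this->negotiator->getAllowedType();`, wrapped as needed. The error branch also destructures whatever getAllowedType() returns without checking it. The test added in this commit empties the allowed list and expects no fallback fields, so the method presumably returns a non-array in that case and `list()` quietly yields nulls; that reliance deserves a comment or an explicit check before the call to `answerUnsupported()`.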
/**
diff --git a/Tests/Auth/OpenID/Server.php b/Tests/Auth/OpenID/Server.php
index 31314c5..b2fa167 100644
--- a/Tests/Auth/OpenID/Server.php
+++ b/Tests/Auth/OpenID/Server.php
@@ -1366,7 +1366,6 @@ class Tests_Auth_OpenID_Associate extends PHPUnit_TestCase {
$this->request = new Auth_OpenID_AssociateRequest($session, 'HMAC-SHA256');
$response = $this->request->answer($this->assoc);
- // $rfg = lambda f: response->fields->getArg(OPENID_NS, f)
$this->assertFalse($response->fields->getArg(Auth_OpenID_OPENID_NS, "mac_key"));
$this->assertTrue($response->fields->getArg(Auth_OpenID_OPENID_NS, "enc_mac_key"));
$this->assertTrue($response->fields->getArg(Auth_OpenID_OPENID_NS, "dh_server_public"));
@@ -1545,7 +1544,6 @@ class Tests_Auth_OpenID_Associate extends PHPUnit_TestCase {
$this->assoc = $this->signatory->createAssociation(false,
'HMAC-SHA256');
$response = $this->request->answer($this->assoc);
- // rfg = lambda f: response.fields.getArg(OPENID_NS, f)
$f = $response->fields;
$this->assertEquals($f->getArg(Auth_OpenID_OPENID_NS, "assoc_type"),
@@ -1641,6 +1639,91 @@ class Tests_Auth_OpenID_ServerTest extends PHPUnit_TestCase {
}
}
+ function test_associate2()
+ {
+ // Associate when the server has no allowed association types
+ //
+ // Gives back an error with error_code and no fallback session
+ // or assoc types.
+ $this->server->negotiator->setAllowedTypes(array());
+
+ $msg = Auth_OpenID_Message::fromPostArgs(array(
+ 'openid.ns' => Auth_OpenID_OPENID2_NS,
+ 'openid.session_type' => 'no-encryption'));
+
+ $request = Auth_OpenID_AssociateRequest::fromMessage($msg);
+
+ $response = $this->server->openid_associate($request);
+ $this->assertTrue($response->fields->hasKey(Auth_OpenID_OPENID_NS, "error"));
+ $this->assertTrue($response->fields->hasKey(Auth_OpenID_OPENID_NS, "error_code"));
+ $this->assertFalse($response->fields->hasKey(Auth_OpenID_OPENID_NS, "assoc_handle"));
+ $this->assertFalse($response->fields->hasKey(Auth_OpenID_OPENID_NS, "assoc_type"));
+ $this->assertFalse($response->fields->hasKey(Auth_OpenID_OPENID_NS, "session_type"));
+ }
+
+ function test_associate3()
+ {
+ if (!Auth_OpenID_HMACSHA256_SUPPORTED) {
+ print "Warning: Not running test_associate3 (no HMACSHA-256 support)";
+ return;
+ }
+
+ // Request an assoc type that is not supported when there are
+ // supported types.
+ //
+ // Should give back an error message with a fallback type.
+ $this->server->negotiator->setAllowedTypes(array(array('HMAC-SHA256', 'DH-SHA256')));
+
+ $msg = Auth_OpenID_Message::fromPostArgs(array(
+ 'openid.ns' => Auth_OpenID_OPENID2_NS,
+ 'openid.session_type' => 'no-encryption'));
+
+ $request = Auth_OpenID_AssociateRequest::fromMessage($msg);
+ $response = $this->server->openid_associate($request);
+
+ $this->assertTrue($response->fields->hasKey(Auth_OpenID_OPENID_NS, "error"));
+ $this->assertTrue($response->fields->hasKey(Auth_OpenID_OPENID_NS, "error_code"));
+ $this->assertFalse($response->fields->hasKey(Auth_OpenID_OPENID_NS, "assoc_handle"));
+ $this->assertEquals($response->fields->getArg(Auth_OpenID_OPENID_NS, "assoc_type"),
+ 'HMAC-SHA256');
+ $this->assertEquals($response->fields->getArg(Auth_OpenID_OPENID_NS, "session_type"),
+ 'DH-SHA256');
+ }
+
+ function test_associate4()
+ {
+ if (!Auth_OpenID_HMACSHA256_SUPPORTED) {
+ print "Warning: Not running test_associate4 (no HMACSHA-256 support)";
+ return;
+ }
+
+ $this->assertTrue($this->server->negotiator->setAllowedTypes(
+ array(array('HMAC-SHA256', 'DH-SHA256'))));
+
+ $query = array(
+ 'openid.dh_consumer_public' =>
+ 'ALZgnx8N5Lgd7pCj8K86T/DDMFjJXSss1SKoLmxE72kJTzOtG6I2PaYrHX'.
+ 'xku4jMQWSsGfLJxwCZ6280uYjUST/9NWmuAfcrBfmDHIBc3H8xh6RBnlXJ'.
+ '1WxJY3jHd5k1/ZReyRZOxZTKdF/dnIqwF8ZXUwI6peV0TyS/K1fOfF/s',
+ 'openid.assoc_type' => 'HMAC-SHA256',
+ 'openid.session_type' => 'DH-SHA256');
+
+ $message = Auth_OpenID_Message::fromPostArgs($query);
+ $request = Auth_OpenID_AssociateRequest::fromMessage($message);
+ $response = $this->server->openid_associate($request);
+ $this->assertTrue($response->fields->hasKey(Auth_OpenID_OPENID_NS, "assoc_handle"));
+ }
+
+ function test_missingSessionTypeOpenID2()
+ {
+ // Make sure session_type is required in OpenID 2
+ $msg = Auth_OpenID_Message::fromPostArgs(array('openid.ns' => Auth_OpenID_OPENID2_NS));
+
+ $result = Auth_OpenID_AssociateRequest::fromMessage($msg);
+
+ $this->assertTrue(is_a($result, 'Auth_OpenID_ServerError'));
+ }
+
function test_checkAuth()
{
$request = new Auth_OpenID_CheckAuthRequest('arrrrrf',
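Review bot: test_associate4 requests a DH-SHA256 session but asserts only that `assoc_handle` is present, so it would still pass if the server returned the MAC key unencrypted. Adding `$this->assertTrue($response->fields->hasKey(Auth_OpenID_OPENID_NS, "enc_mac_key"));` and `$this->assertFalse($response->fields->hasKey(Auth_OpenID_OPENID_NS, "mac_key"));` would pin the property the session type exists for, as the Tests_Auth_OpenID_Associate cases shown in the first hunk of this file already do. test_associate3 and test_associate4 also `print` a warning and return when HMAC-SHA256 is unavailable, which reports as a pass; a comment saying so, or the framework's skip facility if this PHPUnit version has one, would be clearer. test_checkAuth at the end of the hunk continues outside it.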