authortailor <cygnus@janrain.com>2007-03-22 18:22:00 +0000
committertailor <cygnus@janrain.com>2007-03-22 18:22:00 +0000
commit8ab6cc345e221f1e931597faeadfd345baf3ffda (patch)
treecd2c33ecd8bd5602489d1d817fd1cc5cbaddb412
parent900ae4d1d1cbdda4ce918ca8a813d1364fd73907 (diff)
[project @ Example server overhaul; add OpenID 2 features]
-rw-r--r--examples/server/lib/actions.php54
-rw-r--r--examples/server/lib/common.php22
-rw-r--r--examples/server/lib/render.php7
-rw-r--r--examples/server/lib/render/idpXrds.php28
-rw-r--r--examples/server/lib/render/idpage.php5
-rw-r--r--examples/server/lib/render/login.php2
-rw-r--r--examples/server/lib/render/sites.php83
-rw-r--r--examples/server/lib/render/trust.php37
-rw-r--r--examples/server/lib/session.php40
-rw-r--r--examples/server/setup.php60
10 files changed, 103 insertions, 235 deletions
diff --git a/examples/server/lib/actions.php b/examples/server/lib/actions.php
index f38637f..b2a1a84 100644
--- a/examples/server/lib/actions.php
+++ b/examples/server/lib/actions.php
@@ -5,8 +5,8 @@ require_once "lib/session.php";
require_once "lib/render.php";
require_once "lib/render/login.php";
-require_once "lib/render/sites.php";
require_once "lib/render/idpage.php";
+require_once "lib/render/idpXrds.php";
require_once "Auth/OpenID.php";
@@ -15,6 +15,8 @@ require_once "Auth/OpenID.php";
*/
function action_default()
{
+ header('X-XRDS-Location: '.buildURL('idpXrds'));
+
$server =& getServer();
$method = $_SERVER['REQUEST_METHOD'];
$request = null;
@@ -36,17 +38,20 @@ function action_default()
if (in_array($request->mode,
array('checkid_immediate', 'checkid_setup'))) {
- if (isTrusted($request->identity, $request->trust_root)) {
- $response =& $request->answer(true);
- $sreg = getSreg($request->identity);
- if (is_array($sreg)) {
- foreach ($sreg as $k => $v) {
- $response->addField('sreg', $k,
- $v);
- }
+ if ($request->idSelect()) {
+ // Perform IDP-driven identifier selection
+ if ($request->mode == 'checkid_immediate') {
+ $response =& $request->answer(false);
+ } else {
+ return trust_render($request);
}
+ } else if ((!$request->identity) &&
+ (!$request->idSelect())) {
+ // No identifier used or desired; display a page saying
+ // so.
+ return noIdentifier_render();
} else if ($request->immediate) {
- $response =& $request->answer(false, getServerURL());
+ $response =& $request->answer(false, buildURL());
} else {
if (!getLoggedInUser()) {
return login_render();
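Review bot: The identifier-select setup branch returns `trust_render($request)` without the `getLoggedInUser()` check that the non-select setup branch still performs a few lines below, so an unauthenticated visitor reaches the name-selection form; add `if (!getLoggedInUser()) { return login_render(); }` in front of that return. The immediate-mode select branch calls `$request->answer(false)` without the setup URL that the sibling immediate branch passes as `buildURL()`; supplying it there too keeps the two immediate responses consistent. The new condition `(!$request->identity) && (!$request->idSelect())` is only evaluated when `idSelect()` has already been found false, so the second term is redundant and can be dropped. action_default's body continues outside the hunk.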
@@ -131,36 +136,17 @@ function action_trust()
{
$info = getRequestInfo();
$trusted = isset($_POST['trust']);
- if ($info && isset($_POST['remember'])) {
- $sites = getSessionSites();
- $sites[$info->trust_root] = $trusted;
- setSessionSites($sites);
- }
- return doAuth($info, $trusted, true);
+ return doAuth($info, $trusted, true, @$_POST['idSelect']);
}
-function action_sites()
+function action_idpage()
{
- $sites = getSessionSites();
- if ($_SERVER['REQUEST_METHOD'] == 'POST') {
- if (isset($_POST['forget'])) {
- $sites = null;
- setSessionSites($sites);
- } elseif (isset($_POST['remove'])) {
- foreach ($_POST as $k => $v) {
- if (preg_match('/^site[0-9]+$/', $k) && isset($sites[$v])) {
- unset($sites[$v]);
- }
- }
- setSessionSites($sites);
- }
- }
- return sites_render($sites);
+ return idpage_render(getLoggedInUser());
}
-function action_idpage()
+function action_idpXrds()
{
- return idpage_render(getLoggedInUser());
+ return idpXrds_render();
}
?> \ No newline at end of file
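Review bot: `@$_POST['idSelect']` in action_trust relies on error suppression to tolerate a missing field; `isset($_POST['idSelect']) ? $_POST['idSelect'] : null` states the intent and does not hide other notices raised by the expression. The value is handed to doAuth untouched, so any trimming or validation of the typed name has to happen there or in idURL. action_idpage still passes `getLoggedInUser()` although the idpage_render change elsewhere in this commit appears to no longer use its argument; consider dropping the argument in both places.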
diff --git a/examples/server/lib/common.php b/examples/server/lib/common.php
index 147d74a..9fd8e67 100644
--- a/examples/server/lib/common.php
+++ b/examples/server/lib/common.php
@@ -21,29 +21,37 @@ function authCancel($info)
return redirect_render($url);
}
-function doAuth($info, $trusted=null, $fail_cancels=false)
+function doAuth($info, $trusted=null, $fail_cancels=false,
+ $idpSelect=null)
{
if (!$info) {
// There is no authentication information, so bail
return authCancel(null);
}
- $req_url = $info->identity;
+ if ($info->idSelect()) {
+ if ($idpSelect) {
+ $req_url = idURL($idpSelect);
+ } else {
+ $trusted = false;
+ }
+ } else {
+ $req_url = $info->identity;
+ }
+
$user = getLoggedInUser();
setRequestInfo($info);
- if ($req_url != idURL($user)) {
+ if ((!$info->idSelect()) && ($req_url != idURL($user))) {
return login_render(array(), $req_url, $req_url);
}
- $sites = getSessionSites();
$trust_root = $info->trust_root;
- $fail_cancels = $fail_cancels || isset($sites[$trust_root]);
- $trusted = isset($trusted) ? $trusted : isTrusted($req_url, $trust_root);
+
if ($trusted) {
setRequestInfo();
$server =& getServer();
- $response =& $info->answer(true);
+ $response =& $info->answer(true, null, $req_url);
$webresponse =& $server->encodeResponse($response);
$new_headers = array();
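Review bot: In doAuth the name typed into the idSelect form becomes the asserted identity (`$req_url = idURL($idpSelect)` and later `$info->answer(true, null, $req_url)`) without ever being compared to the logged-in user, because the login check is now guarded by `(!$info->idSelect())`. Unless the login scheme elsewhere deliberately lets any visitor claim any name, the check should apply whenever a request URL was derived: `if (isset($req_url) && $req_url != idURL($user)) {` in place of the new condition. When `$idpSelect` is empty, `$req_url` is left undefined and `$trusted` is forced false; the later `answer(true, null, $req_url)` is only reached when `$trusted` holds, but an explicit `$req_url = null;` before the branch would make that dependency visible. doAuth's body continues past the end of the hunk.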
diff --git a/examples/server/lib/render.php b/examples/server/lib/render.php
index 502e08c..ed94ee3 100644
--- a/examples/server/lib/render.php
+++ b/examples/server/lib/render.php
@@ -88,11 +88,10 @@ function page_render($body, $user, $title, $h1=null, $login=false)
$h1 = $h1 ? $h1 : $title;
if ($user) {
- $msg = sprintf(logged_in_pat, link_render($user),
+ $msg = sprintf(logged_in_pat, link_render(idURL($user), $user),
link_render(idURL($user)));
- $nav = array('logout' => 'Log Out',
- 'sites' => 'Remembered Sites',
- );
+ $nav = array('logout' => 'Log Out');
+
$navigation = navigation_render($msg, $nav);
} else {
if (!$login) {
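Review bot: `link_render(idURL($user), $user)` now places the raw user name into the page as link text; whether link_render escapes its second argument is not visible in this hunk, and since the login form in this commit now asks for a free-form "Name:", the value may contain markup characters. If link_render does not escape, pass `htmlspecialchars($user, ENT_QUOTES)` as the link text. page_render's body continues outside the hunk.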
diff --git a/examples/server/lib/render/idpXrds.php b/examples/server/lib/render/idpXrds.php
new file mode 100644
index 0000000..12ddd18
--- /dev/null
+++ b/examples/server/lib/render/idpXrds.php
@@ -0,0 +1,28 @@
+<?php
+
+require_once "lib/session.php";
+require_once "lib/render.php";
+
+define('xrds_pat', '<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS
+ xmlns:xrds="xri://$xrds"
+ xmlns="xri://$xrd*($v*2.0)">
+ <XRD>
+ <Service priority="0">
+ <Type>http://openid.net/server/2.0</Type>
+ <URI>%s</URI>
+ </Service>
+ </XRD>
+</xrds:XRDS>
+');
+
+function idpXrds_render()
+{
+ $headers = array('Content-type: application/xrds+xml');
+
+ $body = sprintf(xrds_pat, buildURL());
+
+ return array($headers, $body);
+}
+
+?> \ No newline at end of file
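Review bot: `sprintf(xrds_pat, buildURL())` interpolates the endpoint URL into XML without escaping; a URL containing `&` (for example a query string) would yield a malformed XRDS document, so use `htmlspecialchars(buildURL(), ENT_QUOTES)` as the argument. The closing `?>` with no trailing newline is harmless as written, but in a PHP-only file it is safer to omit the closing tag so that whitespace added after it can never be emitted at include time before the `Content-type` header is sent.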
diff --git a/examples/server/lib/render/idpage.php b/examples/server/lib/render/idpage.php
index 103ec3c..a4893c2 100644
--- a/examples/server/lib/render/idpage.php
+++ b/examples/server/lib/render/idpage.php
@@ -9,7 +9,7 @@ define('idpage_pat',
<link rel="openid2.provider openid.server" href="%s"/>
</head>
<body>
- This is the identity page for %s.
+ This is the identity page for users of this server.
</body>
</html>');
@@ -18,8 +18,7 @@ define('login_needed_pat',
function idpage_render($identity)
{
- $esc_identity = htmlspecialchars($identity, ENT_QUOTES);
- $body = sprintf(idpage_pat, buildURL(), $esc_identity);
+ $body = sprintf(idpage_pat, buildURL());
return array(array(), $body);
}
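Review bot: idpage_render keeps its `$identity` parameter but no longer uses it after the change to `sprintf(idpage_pat, buildURL())`; either drop the parameter (its only visible caller, action_idpage, passes `getLoggedInUser()`) or add a one-line comment saying why it is retained, so the unused argument is not mistaken for a missing escape.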
diff --git a/examples/server/lib/render/login.php b/examples/server/lib/render/login.php
index 19a242a..c6fea21 100644
--- a/examples/server/lib/render/login.php
+++ b/examples/server/lib/render/login.php
@@ -13,7 +13,7 @@ define('login_form_pat',
<form method="post" action="%s">
<table>
<tr>
- <th><label for="openid_url">OpenID URL:</label></th>
+ <th><label for="openid_url">Name:</label></th>
<td><input type="text" name="openid_url"
value="%s" id="openid_url" /></td>
</tr>
diff --git a/examples/server/lib/render/sites.php b/examples/server/lib/render/sites.php
deleted file mode 100644
index 90b557f..0000000
--- a/examples/server/lib/render/sites.php
+++ /dev/null
@@ -1,83 +0,0 @@
-<?php
-
-require_once "lib/session.php";
-
-define('sites_form',
- '<p>These decisions have been remembered for this session. All decisions
-will be forgotten when the session ends.</p>
-<div class="form">
-<form method="post" action="%s">
-<table>
-<tbody>
-%s
-</tbody>
-</table>
-<input type="submit" name="remove" value="Remove Selected" />
-<input type="submit" name="refresh" value="Refresh List" />
-<input type="submit" name="forget" value="Forget All" />
-</form>
-</div>
-');
-
-define('sites_empty_message',
- '<p>
- No sites are remembered for this session. When you authenticate with a site,
- you can choose to add it to this list by choosing <q>Remember this
- decision</q>.
-</p>
-<p>%s</p>
-');
-
-define('sites_row',
- '<tr>
-<td><input type="checkbox" name=%s value="%s" id=%s /></td>
-<td><label for=%s><code>%s</code></label></td>
-</tr>');
-
-function siteListRow_render($i, $site)
-{
- $esc_site = htmlspecialchars($site, ENT_QUOTES);
- $id = sprintf('"site%s"', $i);
- return sprintf(sites_row, $id, $esc_site, $id, $id, $esc_site);
-}
-
-function siteList_render($sites)
-{
- $trusted_sites = array();
- $untrusted_sites = array();
- foreach ($sites as $site => $trusted) {
- if ($trusted) {
- $trusted_sites[] = $site;
- } else {
- $untrusted_sites[] = $site;
- }
- }
- $rows = '';
- $i = 0;
- foreach (array('Trusted Sites' => $trusted_sites,
- 'Untrusted Sites' => $untrusted_sites) as
- $name => $sites) {
- if ($sites) {
- $rows .= '<tr><th colspan="2">'. $name . '</th></tr>';
- foreach ($sites as $site) {
- $rows .= siteListRow_render($i, $site);
- $i += 1;
- }
- }
- }
- return $rows;
-}
-
-function sites_render($sites)
-{
- if ($sites) {
- $rows = siteList_render($sites);
- $form = sprintf(sites_form, buildURL('sites'), $rows);
- $body = $pre . $form;
- } else {
- $body = sprintf(sites_empty_message, link_render(buildURL(''), 'Return home'));
- }
- return page_render($body, getLoggedInUser(), 'Remembered Sites');
-}
-
-?> \ No newline at end of file
diff --git a/examples/server/lib/render/trust.php b/examples/server/lib/render/trust.php
index 9acfae7..681d456 100644
--- a/examples/server/lib/render/trust.php
+++ b/examples/server/lib/render/trust.php
@@ -5,25 +5,52 @@ require_once "lib/render.php";
define('trust_form_pat',
'<div class="form">
- <p>Do you wish to confirm your identity (<code>%s</code>) with <code>%s</code>?</p>
<form method="post" action="%s">
- <input type="checkbox" name="remember" value="on" id="remember"><label
- for="remember">Remember this decision</label>
- <br />
+ %s
<input type="submit" name="trust" value="Confirm" />
<input type="submit" value="Do not confirm" />
</form>
</div>
');
+define('normal_pat',
+ '<p>Do you wish to confirm your identity ' .
+ '(<code>%s</code>) with <code>%s</code>?</p>');
+
+define('id_select_pat',
+ '<p>You entered the server URL at the RP.
+Please choose the name you wish to use. If you enter nothing, the request will be cancelled.<br/>
+<input type="text" name="idSelect" /></p>
+');
+
+define('no_id_pat',
+'
+You did not send an identifier with the request,
+and it was not an identifier selection request.
+Please return to the relying party and try again.
+');
+
function trust_render($info)
{
$current_user = getLoggedInUser();
$lnk = link_render(idURL($current_user));
$trust_root = htmlspecialchars($info->trust_root);
$trust_url = buildURL('trust', true);
- $form = sprintf(trust_form_pat, $lnk, $trust_root, $trust_url);
+
+ if ($info->idSelect()) {
+ $prompt = id_select_pat;
+ } else {
+ $prompt = sprintf(normal_pat, $lnk, $trust_root);
+ }
+
+ $form = sprintf(trust_form_pat, $trust_url, $prompt);
+
return page_render($form, $current_user, 'Trust This Site');
}
+function noIdentifier_render()
+{
+ return page_render(no_id_pat, null, 'No Identifier Sent');
+}
+
?> \ No newline at end of file
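Review bot: `$lnk = link_render(idURL($current_user))` is computed before the branch but is only used by the non-select prompt; in the idSelect case action_default reaches trust_render without requiring a logged-in user, so `$current_user` may be null there and `idURL(null)` is evaluated for nothing. Move the `$lnk` assignment into the `else` branch next to `sprintf(normal_pat, $lnk, $trust_root)`. The id_select_pat text promises that an empty entry cancels the request, which holds only while doAuth keeps treating a falsy `$idpSelect` as `$trusted = false`; a comment on the pattern such as `// empty idSelect is cancelled in doAuth` would tie the two together.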
diff --git a/examples/server/lib/session.php b/examples/server/lib/session.php
index 1a51d79..76b28bd 100644
--- a/examples/server/lib/session.php
+++ b/examples/server/lib/session.php
@@ -37,7 +37,7 @@ function getServerURL()
} else {
$p = ':' . $port;
}
-
+
return "http$s://$host$p$path";
}
@@ -83,32 +83,12 @@ function getServer()
static $server = null;
if (!isset($server)) {
$server =& new Auth_OpenID_Server(getOpenIDStore(),
- getServerURL());
+ buildURL());
}
return $server;
}
/**
- * Return whether the trust root is currently trusted
- */
-function isTrusted($identity_url, $trust_root)
-{
- // from config.php
- global $trusted_sites;
-
- if ($identity_url != getLoggedInUser()) {
- return false;
- }
-
- if (in_array($trust_root, $trusted_sites)) {
- return true;
- }
-
- $sites = getSessionSites();
- return isset($sites[$trust_root]) && $sites[$trust_root];
-}
-
-/**
* Return a hashed form of the user's password
*/
function hashPassword($password)
@@ -144,22 +124,6 @@ function setLoggedInUser($identity_url=null)
}
}
-function setSessionSites($sites=null)
-{
- if (!isset($sites)) {
- unset($_SESSION['session_sites']);
- } else {
- $_SESSION['session_sites'] = serialize($sites);
- }
-}
-
-function getSessionSites()
-{
- return isset($_SESSION['session_sites'])
- ? unserialize($_SESSION['session_sites'])
- : false;
-}
-
function getRequestInfo()
{
return isset($_SESSION['request'])
diff --git a/examples/server/setup.php b/examples/server/setup.php
index 68be01b..2769939 100644
--- a/examples/server/setup.php
+++ b/examples/server/setup.php
@@ -369,34 +369,6 @@ configuration for use with the OpenID server example.
</div>
</div>
-<div>
-
- <p>
- Your OpenID server can be configured to trust a set of sites by default. Enter those here.
- </p>
-
- <span class="label">Trusted sites:</span>
-
- <div class="store_fields">
-<?
-if ($_SESSION['trust_roots']) {
- print "<div><table><tr><th>Trusted site URL</th></tr>";
- foreach ($_SESSION['trust_roots'] as $url) {
- print "<tr><td>".$url."</td></tr>";
- }
- print "</table></div>";
-}
-?>
- <div>
- <span>Add a trusted site:</span>
- <div>
- <label for="i_tr" class="field">Trusted site URL:</label><input type="text" name="trust_root" id="i_tr">
- </div>
- </div>
-
- </div>
-</div>
-
<input type="submit" name="generate" value="Generate Configuration">
</form>
</body>
@@ -423,10 +395,6 @@ function init_session() {
$_SESSION['store_data'] = array();
}
- if (!isset($_SESSION['trust_roots'])) {
- $_SESSION['trust_roots'] = array();
- }
-
foreach (array('server_url', 'include_path', 'store_type') as $field) {
if (array_key_exists($field, $_GET)) {
$_SESSION[$field] = $_GET[$field];
@@ -438,14 +406,6 @@ function init_session() {
$_SESSION['store_data'][$field] = $_GET[$field];
}
}
-
- if ($_GET &&
- isset($_GET['trust_root']) &&
- $_GET['trust_root']) {
- if (!in_array($_GET['trust_root'], $_SESSION['trust_roots'])) {
- $_SESSION['trust_roots'][] = $_GET['trust_root'];
- }
- }
}
function generate_config($download = false) {
@@ -581,26 +541,6 @@ function getOpenIDStore()
?>
}
-/**
- * Trusted sites is an array of trust roots.
- *
- * Sites in this list will not have to be approved by the user in
- * order to be used. It is OK to leave this value as-is.
- *
- * In a more robust server, this should be a per-user setting.
- */
-$trusted_sites = array(<?
-$i = 0;
-foreach ($_SESSION['trust_roots'] as $url) {
- $i++;
- print "\n '$url'";
- if ($i < count($_SESSION['trust_roots'])) {
- print ",";
- }
-}
-?>
-
-);
<?
if (!$download) {
?>