[project @ Added realm verification implementation]

2 files changed, 212 insertions, 9 deletions

diff --git a/Auth/OpenID/Discover.php b/Auth/OpenID/Discover.php
index 3284c25..8f4c80b 100644
--- a/Auth/OpenID/Discover.php
+++ b/Auth/OpenID/Discover.php
@@ -19,6 +19,8 @@ define('Auth_OpenID_TYPE_1_1', 'http://openid.net/signon/1.1');
 define('Auth_OpenID_TYPE_1_0', 'http://openid.net/signon/1.0');
 define('Auth_OpenID_TYPE_2_0_IDP', 'http://specs.openid.net/auth/2.0/server');
 define('Auth_OpenID_TYPE_2_0', 'http://specs.openid.net/auth/2.0/signon');
+define('Auth_OpenID_RP_RETURN_TO_URL_TYPE',
+       'http://specs.openid.net/auth/2.0/return_to');
 
 function Auth_OpenID_getOpenIDTypeURIs()
 {
@@ -26,7 +28,8 @@ function Auth_OpenID_getOpenIDTypeURIs()
                  Auth_OpenID_TYPE_2_0,
                  Auth_OpenID_TYPE_1_2,
                  Auth_OpenID_TYPE_1_1,
-                 Auth_OpenID_TYPE_1_0);
+                 Auth_OpenID_TYPE_1_0,
+                 Auth_OpenID_RP_RETURN_TO_URL_TYPE);
 }
 
 /**
@@ -58,6 +61,29 @@ class Auth_OpenID_ServiceEndpoint {
         }
     }
 
+    /*
+     * Query this endpoint to see if it has any of the given type
+     * URIs. This is useful for implementing other endpoint classes
+     * that e.g. need to check for the presence of multiple versions
+     * of a single protocol.
+     *
+     * @param $type_uris The URIs that you wish to check
+     *
+     * @return all types that are in both in type_uris and
+     * $this->type_uris
+     */
+    function matchTypes($type_uris)
+    {
+        $result = array();
+        foreach ($type_uris as $test_uri) {
+            if ($this->supportsType($test_uri)) {
+                $result[] = $test_uri;
+            }
+        }
+
+        return $result;
+    }
+
     function supportsType($type_uri)
     {
         // Does this endpoint support this type?
@@ -367,7 +393,9 @@ function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services)
     return $s;
 }
 
-function Auth_OpenID_discoverWithYadis($uri, &$fetcher)
+function Auth_OpenID_discoverWithYadis($uri, &$fetcher,
+              $endpoint_filter='Auth_OpenID_getOPOrUserServices',
+              $discover_function=null)
 {
     // Discover OpenID services for a URI. Tries Yadis and falls back
     // on old-style <link rel='...'> discovery if Yadis fails.
@@ -376,8 +404,15 @@ function Auth_OpenID_discoverWithYadis($uri, &$fetcher)
     // came back for that URI at all.  I don't think falling back to
     // OpenID 1.0 discovery on the same URL will help, so don't bother
     // to catch it.
+    if ($discover_function === null) {
+        $discover_function = array('Auth_Yadis_Yadis', 'discover');
+    }
+
     $openid_services = array();
-    $response = Auth_Yadis_Yadis::discover($uri, $fetcher);
+
+    $response = call_user_func_array($discover_function,
+                                     array($uri, &$fetcher));
+
     $yadis_url = $response->normalized_uri;
     $yadis_services = array();
 
@@ -402,7 +437,9 @@ function Auth_OpenID_discoverWithYadis($uri, &$fetcher)
                                         $response->response_text);
     }
 
-    $openid_services = Auth_OpenID_getOPOrUserServices($openid_services);
+    $openid_services = call_user_func_array($endpoint_filter,
+                                            array(&$openid_services));
+
     return array($yadis_url, $openid_services);
 }
 
@@ -421,8 +458,7 @@ function Auth_OpenID_discoverURI($uri, &$fetcher)
     }
 
     $uri = Auth_OpenID::normalizeUrl($uri);
-    return Auth_OpenID_discoverWithYadis($uri,
-                                         $fetcher);
+    return Auth_OpenID_discoverWithYadis($uri, $fetcher);
 }
 
 function Auth_OpenID_discoverWithoutYadis($uri, &$fetcher)
diff --git a/Auth/OpenID/TrustRoot.php b/Auth/OpenID/TrustRoot.php
index 50db1d2..f0be2d6 100644
--- a/Auth/OpenID/TrustRoot.php
+++ b/Auth/OpenID/TrustRoot.php
@@ -12,6 +12,8 @@
  * @license http://www.gnu.org/copyleft/lesser.html LGPL
  */
 
+require_once 'Auth/OpenID/Discover.php';
+
 /**
  * A regular expression that matches a domain ending in a top-level domains.
  * Used in checking trust roots for sanity.
@@ -36,6 +38,40 @@ define('Auth_OpenID___TLDs',
  * A wrapper for trust-root related functions
  */
 class Auth_OpenID_TrustRoot {
+    /*
+     * Return a discovery URL for this realm.
+     *
+     * Return null if the realm could not be parsed or was not valid.
+     *
+     * @param return_to The relying party return URL of the OpenID
+     * authentication request
+     *
+     * @return The URL upon which relying party discovery should be
+     * run in order to verify the return_to URL
+     */
+    function buildDiscoveryURL($realm)
+    {
+        $parsed = Auth_OpenID_TrustRoot::_parse($realm);
+
+        if ($parsed === false) {
+            return false;
+        }
+
+        if ($parsed['wildcard']) {
+            // Use "www." in place of the star
+            if ($parsed['host'][0] != '.') {
+                return false;
+            }
+
+            $www_domain = 'www' . $parsed['host'];
+
+            return sprintf('%s://%s%s', $parsed['scheme'],
+                           $www_domain, $parsed['path']);
+        } else {
+            return $parsed['unparsed'];
+        }
+    }
+
     /**
      * Parse a URL into its trust_root parts.
      *
@@ -103,16 +139,17 @@ class Auth_OpenID_TrustRoot {
 
         if (isset($parts['path'])) {
             $path = strtolower($parts['path']);
-            if (substr($path, -1) != '/') {
-                $path .= '/';
-            }
         } else {
             $path = '/';
         }
+
         $parts['path'] = $path;
         if (!isset($parts['port'])) {
             $parts['port'] = false;
         }
+
+        $parts['unparsed'] = $trust_root;
+
         return $parts;
     }
 
@@ -240,4 +277,134 @@ class Auth_OpenID_TrustRoot {
                 $url_parsed['port'] === $trust_root_parsed['port']);
     }
 }
+
+/*
+ * If the endpoint is a relying party OpenID return_to endpoint,
+ * return the endpoint URL. Otherwise, return None.
+ *
+ * This function is intended to be used as a filter for the Yadis
+ * filtering interface.
+ *
+ * @see: C{L{openid.yadis.services}}
+ * @see: C{L{openid.yadis.filters}}
+ *
+ * @param endpoint: An XRDS BasicServiceEndpoint, as returned by
+ * performing Yadis dicovery.
+ *
+ * @returns: The endpoint URL or None if the endpoint is not a
+ * relying party endpoint.
+ */
+function filter_extractReturnURL(&$endpoint)
+{
+    if ($endpoint->matchTypes(array(Auth_OpenID_RP_RETURN_TO_URL_TYPE))) {
+        return $endpoint;
+    } else {
+        return null;
+    }
+}
+
+function &Auth_OpenID_extractReturnURL(&$endpoint_list)
+{
+    $result = array();
+
+    foreach ($endpoint_list as $endpoint) {
+        if (filter_extractReturnURL($endpoint)) {
+            $result[] = $endpoint;
+        }
+    }
+
+    return $result;
+}
+
+/*
+ * Is the return_to URL under one of the supplied allowed return_to
+ * URLs?
+ */
+function Auth_OpenID_returnToMatches($allowed_return_to_urls, $return_to)
+{
+    foreach ($allowed_return_to_urls as $allowed_return_to) {
+        // A return_to pattern works the same as a realm, except that
+        // it's not allowed to use a wildcard. We'll model this by
+        // parsing it as a realm, and not trying to match it if it has
+        // a wildcard.
+
+        $return_realm = Auth_OpenID_TrustRoot::_parse($allowed_return_to);
+        if (// Parses as a trust root
+            ($return_realm !== false) &&
+            // Does not have a wildcard
+            (!$return_realm['wildcard']) &&
+            // Matches the return_to that we passed in with it
+            (Auth_OpenID_TrustRoot::match($allowed_return_to, $return_to))) {
+            return true;
+        }
+    }
+
+    // No URL in the list matched
+    return false;
+}
+
+/*
+ * Given a relying party discovery URL return a list of return_to
+ * URLs.
+ */
+function Auth_OpenID_getAllowedReturnURLs($relying_party_url, &$fetcher,
+              $discover_function=null)
+{
+    if ($discover_function === null) {
+        $discover_function = array('Auth_Yadis_Yadis', 'discover');
+    }
+
+    list($rp_url_after_redirects, $endpoints) =
+      Auth_OpenID_discoverWithYadis($relying_party_url,
+                                    &$fetcher,
+                                    'Auth_OpenID_extractReturnURL',
+                                    $discover_function);
+
+    if ($rp_url_after_redirects != $relying_party_url) {
+        // Verification caused a redirect
+        return false;
+    }
+
+    $return_to_urls = array();
+    foreach ($endpoints as $e) {
+        $return_to_urls[] = $e->server_url;
+    }
+
+    return $return_to_urls;
+}
+
+/*
+ * Verify that a return_to URL is valid for the given realm.
+ *
+ * This function builds a discovery URL, performs Yadis discovery on
+ * it, makes sure that the URL does not redirect, parses out the
+ * return_to URLs, and finally checks to see if the current return_to
+ * URL matches the return_to.
+ *
+ * @return true if the return_to URL is valid for the realm
+ */
+function Auth_OpenID_verifyReturnTo($realm_str, $return_to, &$fetcher,
+              $_vrfy='Auth_OpenID_getAllowedReturnURLs')
+{
+    $disco_url = Auth_OpenID_TrustRoot::buildDiscoveryURL($realm_str);
+
+    if ($disco_url === false) {
+        return false;
+    }
+
+    $allowable_urls = call_user_func_array($_vrfy,
+                           array($disco_url, &$fetcher));
+
+    // The realm_str could not be parsed.
+    if ($allowable_urls === false) {
+        return false;
+    }
+
+    if (Auth_OpenID_returnToMatches($allowable_urls, $return_to)) {
+        return true;
+    } else {
+        return false;
+    }
+}
+
 ?>
\ No newline at end of file