-rw-r--r-- | Auth/OpenID/PAPE.php | 38 | ||||
-rw-r--r-- | Tests/Auth/OpenID/PAPE.php | 42 |
2 files changed, 35 insertions, 45 deletions
diff --git a/Auth/OpenID/PAPE.php b/Auth/OpenID/PAPE.php index ba9f9f6..6b2e3f4 100644 --- a/Auth/OpenID/PAPE.php +++ b/Auth/OpenID/PAPE.php @@ -20,6 +20,8 @@ define('PAPE_AUTH_MULTI_FACTOR', define('PAPE_AUTH_PHISHING_RESISTANT', 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'); +define('PAPE_TIME_VALIDATOR', + '^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$'); /** * A Provider Authentication Policy request, sent from a relying party * to a provider @@ -159,7 +161,7 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { var $ns_alias = 'pape'; var $ns_uri = Auth_OpenID_PAPE_NS_URI; - function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_age=null, + function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null, $nist_auth_level=null) { if ($auth_policies) { @@ -168,7 +170,7 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { $this->auth_policies = array(); } - $this->auth_age = $auth_age; + $this->auth_time = $auth_time; $this->nist_auth_level = $nist_auth_level; } @@ -258,19 +260,12 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { } } - $auth_age_str = Auth_OpenID::arrayGet($args, 'auth_age'); - if ($auth_age_str !== null) { - $auth_age = Auth_OpenID::intval($auth_age_str); - if ($auth_age === false) { - if ($strict) { - return false; - } - } else { - if ($auth_age >= 0) { - $this->auth_age = $auth_age; - } else if ($strict) { - return false; - } + $auth_time = Auth_OpenID::arrayGet($args, 'auth_time'); + if ($auth_time !== null) { + if (ereg(PAPE_TIME_VALIDATOR, $auth_time)) { + $this->auth_time = $auth_time; + } else if ($strict) { + return false; } } } 
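Review bot: `PAPE_TIME_VALIDATOR`, added in the `@@ -20,6 +20,8 @@` hunk, checks only the shape of the timestamp, so a value with month 13 or hour 25 still passes as a valid `auth_time`. Any code that later interprets the stored string as a point in time would need its own parse and range check; no such consumer is visible in this diff. I would state that limit where the constant is defined, e.g. `// Format check only (YYYY-MM-DDThh:mm:ssZ); does not reject out-of-range fields such as month 13.` As a style point, `{4,4}` can be written `{4}`.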
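Review bot: The constructor in the `@@ -159,7 +161,7 @@` hunk now takes `$auth_time` in the position that used to carry an integer age, and the assignment in the `@@ -168,7 +170,7 @@` hunk stores it unchecked. As far as these hunks show, a caller still passing an integer would only find out when `getExtensionArgs()` returns false. I would document the expected form next to the signature, e.g. `// $auth_time: UTC timestamp "YYYY-MM-DDThh:mm:ssZ" matching PAPE_TIME_VALIDATOR, or null`. The constructor body continues outside both hunks.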
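Review bot: `ereg()` in the `@@ -258,19 +260,12 @@` hunk (and again in the `@@ -289,19 +284,12 @@` hunk) is not binary-safe, so it validates `auth_time` from the response arguments only up to the first NUL byte. Only those leading bytes are compared with `PAPE_TIME_VALIDATOR`, while the whole string is stored in `$this->auth_time`. The POSIX regex functions were also deprecated in PHP 5.3 and removed in PHP 7. A PCRE check anchored to the true end of the string addresses both, e.g. `if (preg_match('/\A[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}Z\z/', $auth_time) === 1) {`; a plain `$` in PCRE would still accept a trailing newline. The enclosing function starts and ends outside the hunk.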
@@ -289,19 +284,12 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { $ns_args['nist_auth_level'] = strval($this->nist_auth_level); } - if ($this->auth_age !== null) { - if ($this->auth_age < 0) { - return false; - } - - $result = Auth_OpenID::intval($this->auth_age); - - if ($result === false) { + if ($this->auth_time !== null) { + if (!ereg(PAPE_TIME_VALIDATOR, $this->auth_time)) { return false; } - $ns_args['auth_age'] = - strval($result); + $ns_args['auth_time'] = $this->auth_time; } return $ns_args; diff --git a/Tests/Auth/OpenID/PAPE.php b/Tests/Auth/OpenID/PAPE.php index 52e6c7a..07d3b41 100644 --- a/Tests/Auth/OpenID/PAPE.php +++ b/Tests/Auth/OpenID/PAPE.php @@ -114,13 +114,15 @@ class PapeResponseTestCase extends PHPUnit_TestCase { function test_construct() { $this->assertEquals(array(), $this->req->auth_policies); - $this->assertEquals(null, $this->req->auth_age); + $this->assertEquals(null, $this->req->auth_time); $this->assertEquals('pape', $this->req->ns_alias); $this->assertEquals(null, $this->req->nist_auth_level); - $req2 = new Auth_OpenID_PAPE_Response(array(PAPE_AUTH_MULTI_FACTOR), 1000, 3); + $req2 = new Auth_OpenID_PAPE_Response(array(PAPE_AUTH_MULTI_FACTOR), + '2001-01-01T04:05:23Z', + 3); $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $req2->auth_policies); - $this->assertEquals(1000, $req2->auth_age); + $this->assertEquals('2001-01-01T04:05:23Z', $req2->auth_time); $this->assertEquals(3, $req2->nist_auth_level); } 
@@ -142,16 +144,16 @@ class PapeResponseTestCase extends PHPUnit_TestCase { $this->assertEquals(array('auth_policies' => 'http://uri'), $this->req->getExtensionArgs()); $this->req->addPolicyURI('http://zig'); $this->assertEquals(array('auth_policies' => 'http://uri http://zig'), $this->req->getExtensionArgs()); - $this->req->auth_age = 789; - $this->assertEquals(array('auth_policies' => 'http://uri http://zig', 'auth_age' => '789'), $this->req->getExtensionArgs()); + $this->req->auth_time = '2008-03-02T12:34:56Z'; + $this->assertEquals(array('auth_policies' => 'http://uri http://zig', 'auth_time' => '2008-03-02T12:34:56Z'), $this->req->getExtensionArgs()); $this->req->nist_auth_level = 3; - $this->assertEquals(array('auth_policies' => 'http://uri http://zig', 'auth_age' => '789', 'nist_auth_level' => '3'), $this->req->getExtensionArgs()); + $this->assertEquals(array('auth_policies' => 'http://uri http://zig', 'auth_time' => '2008-03-02T12:34:56Z', 'nist_auth_level' => '3'), $this->req->getExtensionArgs()); } function test_getExtensionArgs_error_auth_age() { - $this->req->auth_age = "older than the sun"; + $this->req->auth_time = "foo2008-03-02T12:34:56Z"; $this->assertEquals(false, $this->req->getExtensionArgs()); - $this->req->auth_age = -10; + $this->req->auth_time = "2008-03-02T12:34:56Zbar"; $this->assertEquals(false, $this->req->getExtensionArgs()); } 
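Review bot: `test_getExtensionArgs_error_auth_age` keeps the old field name although both assignments in it now set `auth_time`; renaming it to `test_getExtensionArgs_error_auth_time` keeps the test list consistent with the property. The two cases cover only leading and trailing text around a valid timestamp. A case that pins the end anchor of the validator would help if the matching function is ever swapped, e.g. `$this->req->auth_time = "2008-03-02T12:34:56Z\n";` followed by the same `assertEquals(false, $this->req->getExtensionArgs());`.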
@@ -166,48 +168,48 @@ class PapeResponseTestCase extends PHPUnit_TestCase { function test_parseExtensionArgs() { $args = array('auth_policies' => 'http://foo http://bar', - 'auth_age' => '9'); + 'auth_time' => '2008-03-02T12:34:56Z'); $this->req->parseExtensionArgs($args); - $this->assertEquals(9, $this->req->auth_age); + $this->assertEquals('2008-03-02T12:34:56Z', $this->req->auth_time); $this->assertEquals(array('http://foo','http://bar'), $this->req->auth_policies); } function test_parseExtensionArgs_empty() { $this->req->parseExtensionArgs(array()); - $this->assertEquals(null, $this->req->auth_age); + $this->assertEquals(null, $this->req->auth_time); $this->assertEquals(array(), $this->req->auth_policies); } function test_parseExtensionArgs_strict_bogus1() { $args = array('auth_policies' => 'http://foo http://bar', - 'auth_age' => 'not too old'); + 'auth_time' => 'yesterday'); $this->assertEquals(false, $this->req->parseExtensionArgs($args, true)); } function test_parseExtensionArgs_strict_bogus2() { $args = array('auth_policies' => 'http://foo http://bar', - 'auth_age' => '63', + 'auth_time' => '63', 'nist_auth_level' => 'some'); $this->assertEquals(false, $this->req->parseExtensionArgs($args, true)); } function test_parseExtensionArgs_strict_good() { $args = array('auth_policies' => 'http://foo http://bar', - 'auth_age' => '0', + 'auth_time' => '2008-03-02T12:34:56Z', 'nist_auth_level' => '0'); $this->req->parseExtensionArgs($args, true); $this->assertEquals(array('http://foo','http://bar'), $this->req->auth_policies); - $this->assertEquals(0, $this->req->auth_age); + $this->assertEquals('2008-03-02T12:34:56Z', $this->req->auth_time); $this->assertEquals(0, $this->req->nist_auth_level); } function test_parseExtensionArgs_nostrict_bogus() { $args = array('auth_policies' => 'http://foo http://bar', - 'auth_age' => 'old', + 'auth_time' => 'the other day', 'nist_auth_level' => 'some'); $this->req->parseExtensionArgs($args); 
$this->assertEquals(array('http://foo','http://bar'), $this->req->auth_policies); - $this->assertEquals(null, $this->req->auth_age); + $this->assertEquals(null, $this->req->auth_time); $this->assertEquals(null, $this->req->nist_auth_level); } @@ -217,16 +219,16 @@ class PapeResponseTestCase extends PHPUnit_TestCase { 'ns' => Auth_OpenID_OPENID2_NS, 'ns.pape' => Auth_OpenID_PAPE_NS_URI, 'auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)), - 'auth_age' => '5476' + 'auth_time' => '2008-03-02T12:34:56Z' )); $signed_stuff = array( 'auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)), - 'auth_age' => '5476' + 'auth_time' => '2008-03-02T12:34:56Z' ); $oid_req = new PAPE_DummySuccessResponse($openid_req_msg, $signed_stuff); $req = Auth_OpenID_PAPE_Response::fromSuccessResponse($oid_req); $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $req->auth_policies); - $this->assertEquals(5476, $req->auth_age); + $this->assertEquals('2008-03-02T12:34:56Z', $req->auth_time); } } |
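Review bot: `test_parseExtensionArgs_strict_bogus2` in the `@@ -166,48 +168,48 @@` hunk now passes `'auth_time' => '63'`, which fails `PAPE_TIME_VALIDATOR` on its own, alongside the bogus `nist_auth_level`. Before the change `'63'` was a valid age, so the test isolated strict rejection of a bad `nist_auth_level`; now either field can produce the `false`. Using a well-formed value, `'auth_time' => '2008-03-02T12:34:56Z',`, restores that isolation.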