-rw-r--r-- | Auth/OpenID/PAPE.php | 42 | ||||
-rw-r--r-- | Tests/Auth/OpenID/PAPE.php | 244 | ||||
-rw-r--r-- | Tests/TestDriver.php | 1 |
3 files changed, 279 insertions, 8 deletions
diff --git a/Auth/OpenID/PAPE.php b/Auth/OpenID/PAPE.php index 214deb1..ba9f9f6 100644 --- a/Auth/OpenID/PAPE.php +++ b/Auth/OpenID/PAPE.php @@ -84,6 +84,11 @@ class Auth_OpenID_PAPE_Request extends Auth_OpenID_Extension { { $obj = new Auth_OpenID_PAPE_Request(); $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); + + if ($args === null || $args === array()) { + return null; + } + $obj->parseExtensionArgs($args); return $obj; } @@ -112,7 +117,7 @@ class Auth_OpenID_PAPE_Request extends Auth_OpenID_Extension { // max_auth_age is base-10 integer number of seconds $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age'); if ($max_auth_age_str) { - $this->max_auth_age = intval($max_auth_age_str); + $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str); } else { $this->max_auth_age = null; } @@ -201,7 +206,13 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { // PAPE requires that the args be signed. $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI); - if ($obj->parseExtensionArgs($args) === false) { + if ($args === null || $args === array()) { + return null; + } + + $result = $obj->parseExtensionArgs($args); + + if ($result === false) { return null; } else { return $obj; @@ -229,8 +240,17 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { } $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); - if ($nist_level_str) { - $nist_level = intval($nist_level_str); + if ($nist_level_str !== null) { + $nist_level = Auth_OpenID::intval($nist_level_str); + + if ($nist_level === false) { + if ($strict) { + return false; + } else { + $nist_level = null; + } + } + if (0 <= $nist_level && $nist_level < 5) { $this->nist_auth_level = $nist_level; } else if ($strict) { 
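Review bot: In the `@@ -84,6 +84,11 @@` hunk the request factory gains a second return value, `null`, when the message carries no PAPE arguments, and nothing in the visible lines documents it. Callers that previously always received an object and then read `max_auth_age` or `preferred_auth_policies` will now fail on null. The docblock (outside the hunk) should state it, e.g. `@return Auth_OpenID_PAPE_Request|null null when the request has no PAPE arguments`. `$obj = new Auth_OpenID_PAPE_Request();` could also move below the early return, so no object is built on the null path.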
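Review bot: In the `@@ -112,7 +117,7 @@` hunk the guard `if ($max_auth_age_str)` is still a truthiness test, so a request with `max_auth_age` of `'0'` is stored as `null`. As far as I read PAPE, zero is how a relying party asks for a fresh authentication, so the provider would see no age constraint at all. This commit already switches the response-side checks to `!== null`, and this one should follow with `if ($max_auth_age_str !== null) {`. The other hunks treat a `false` return from `Auth_OpenID::intval()` as a parse failure, so a malformed value here would presumably leave the property set to `false`; `$age = Auth_OpenID::intval($max_auth_age_str); $this->max_auth_age = ($age === false) ? null : $age;` keeps its type stable. The enclosing method starts and ends outside the hunk.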
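Review bot: In the `@@ -229,8 +240,17 @@` hunk the non-strict branch sets `$nist_level = null` and then falls into `if (0 <= $nist_level && $nist_level < 5)`, which null satisfies only through PHP's loose comparison rules. The result (the property ends up null) matches what the non-strict test expects, but the intent is invisible to a reader and would break silently if the bounds changed. I would add a comment on the assignment, e.g. `// null passes the range check below via loose comparison and is stored as "no level asserted"`. Alternatively, assign `$this->nist_auth_level = null;` directly in that branch and guard the range check with `$nist_level !== null`. The remainder of the `else if ($strict)` branch is outside the hunk.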
@@ -239,8 +259,8 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { } $auth_age_str = Auth_OpenID::arrayGet($args, 'auth_age'); - if ($auth_age_str) { - $auth_age = intval($auth_age_str); + if ($auth_age_str !== null) { + $auth_age = Auth_OpenID::intval($auth_age_str); if ($auth_age === false) { if ($strict) { return false; @@ -263,7 +283,7 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { ); if ($this->nist_auth_level !== null) { - if (!in_array($this->nist_auth_level, range(0, 4))) { + if (!in_array($this->nist_auth_level, range(0, 4), true)) { return false; } $ns_args['nist_auth_level'] = strval($this->nist_auth_level); @@ -274,8 +294,14 @@ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { return false; } + $result = Auth_OpenID::intval($this->auth_age); + + if ($result === false) { + return false; + } + $ns_args['auth_age'] = - strval(Auth_OpenID::intval($this->auth_age)); + strval($result); } return $ns_args; diff --git a/Tests/Auth/OpenID/PAPE.php b/Tests/Auth/OpenID/PAPE.php new file mode 100644 index 0000000..52e6c7a --- /dev/null +++ b/Tests/Auth/OpenID/PAPE.php 
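Review bot: In the `@@ -263,7 +283,7 @@` hunk the strict `in_array(..., true)` now also rejects a numeric string such as `'3'`, while the next hunk normalises `auth_age` through `Auth_OpenID::intval()` before emitting it. The two fields are therefore validated by different rules in the same method. If `nist_auth_level` can be assigned as a string (its setter and constructor are not visible here), serialisation would return `false` for a value that is otherwise valid. Consider normalising first with `$level = Auth_OpenID::intval($this->nist_auth_level);` followed by `if ($level === false || $level < 0 || $level > 4) { return false; }`, which also avoids building `range(0, 4)` on every call. The enclosing method starts outside the hunk.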
@@ -0,0 +1,244 @@
+<?php
+
+require_once "PHPUnit.php";
+
+require_once "Auth/OpenID/PAPE.php";
+require_once "Auth/OpenID/Message.php";
+require_once "Auth/OpenID/Server.php";
+
+class PapeRequestTestCase extends PHPUnit_TestCase {
+ function setUp()
+ {
+ $this->req = new Auth_OpenID_PAPE_Request();
+ }
+
+ function test_construct()
+ {
+ $this->assertEquals(array(), $this->req->preferred_auth_policies);
+ $this->assertEquals(null, $this->req->max_auth_age);
+ $this->assertEquals('pape', $this->req->ns_alias);
+
+ $req2 = new Auth_OpenID_PAPE_Request(array(PAPE_AUTH_MULTI_FACTOR), 1000);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $req2->preferred_auth_policies);
+ $this->assertEquals(1000, $req2->max_auth_age);
+ }
+
+ function test_add_policy_uri()
+ {
+ $this->assertEquals(array(), $this->req->preferred_auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $this->req->preferred_auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $this->req->preferred_auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_PHISHING_RESISTANT);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT),
+ $this->req->preferred_auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT),
+ $this->req->preferred_auth_policies);
+ }
+
+ function test_getExtensionArgs() {
+ $this->assertEquals(array('preferred_auth_policies' => ''), $this->req->getExtensionArgs());
+ $this->req->addPolicyURI('http://uri');
+ $this->assertEquals(array('preferred_auth_policies' => 'http://uri'), $this->req->getExtensionArgs());
+ $this->req->addPolicyURI('http://zig');
+ $this->assertEquals(array('preferred_auth_policies' => 'http://uri http://zig'), $this->req->getExtensionArgs());
+ $this->req->max_auth_age = 789;
+ $this->assertEquals(array('preferred_auth_policies' => 'http://uri http://zig', 'max_auth_age' => '789'), $this->req->getExtensionArgs());
+ }
+
+ function test_parseExtensionArgs() {
+ $args = array('preferred_auth_policies' => 'http://foo http://bar',
+ 'max_auth_age' => '9');
+ $this->req->parseExtensionArgs($args);
+ $this->assertEquals(9, $this->req->max_auth_age);
+ $this->assertEquals(array('http://foo','http://bar'), $this->req->preferred_auth_policies);
+ }
+
+ function test_parseExtensionArgs_empty() {
+ $this->req->parseExtensionArgs(array());
+ $this->assertEquals(null, $this->req->max_auth_age);
+ $this->assertEquals(array(), $this->req->preferred_auth_policies);
+ }
+
+ function test_fromOpenIDRequest() {
+ $openid_req_msg = Auth_OpenID_Message::fromOpenIDArgs(array(
+ 'mode' => 'checkid_setup',
+ 'ns' => Auth_OpenID_OPENID2_NS,
+ 'ns.pape' => Auth_OpenID_PAPE_NS_URI,
+ 'pape.preferred_auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)),
+ 'pape.max_auth_age' => '5476'
+ ));
+ $oid_req = new Auth_OpenID_Request();
+ $oid_req->message = $openid_req_msg;
+ $req = Auth_OpenID_PAPE_Request::fromOpenIDRequest($oid_req);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $req->preferred_auth_policies);
+ $this->assertEquals(5476, $req->max_auth_age);
+ }
+
+ function test_fromOpenIDRequest_no_pape() {
+ $message = new Auth_OpenID_Message();
+ $openid_req = new Auth_OpenID_Request();
+ $openid_req->message = $message;
+ $pape_req = Auth_OpenID_PAPE_Request::fromOpenIDRequest($openid_req);
+ $this->assertTrue($pape_req === null);
+ }
+
+ function test_preferred_types() {
+ $this->req->addPolicyURI(PAPE_AUTH_PHISHING_RESISTANT);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $pt = $this->req->preferredTypes(array(PAPE_AUTH_MULTI_FACTOR,
+ PAPE_AUTH_MULTI_FACTOR_PHYSICAL));
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $pt);
+ }
+}
+
+class PAPE_DummySuccessResponse {
+ function PAPE_DummySuccessResponse($message, $signed_stuff)
+ {
+ $this->message = $message;
+ $this->signed_stuff = $signed_stuff;
+ }
+
+ function getSignedNS($ns_uri)
+ {
+ return $this->signed_stuff;
+ }
+}
+
+class PapeResponseTestCase extends PHPUnit_TestCase {
+ function setUp() {
+ $this->req = new Auth_OpenID_PAPE_Response();
+ }
+
+ function test_construct() {
+ $this->assertEquals(array(), $this->req->auth_policies);
+ $this->assertEquals(null, $this->req->auth_age);
+ $this->assertEquals('pape', $this->req->ns_alias);
+ $this->assertEquals(null, $this->req->nist_auth_level);
+
+ $req2 = new Auth_OpenID_PAPE_Response(array(PAPE_AUTH_MULTI_FACTOR), 1000, 3);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $req2->auth_policies);
+ $this->assertEquals(1000, $req2->auth_age);
+ $this->assertEquals(3, $req2->nist_auth_level);
+ }
+
+ function test_add_policy_uri() {
+ $this->assertEquals(array(), $this->req->auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $this->req->auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR), $this->req->auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_PHISHING_RESISTANT);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $this->req->auth_policies);
+ $this->req->addPolicyURI(PAPE_AUTH_MULTI_FACTOR);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $this->req->auth_policies);
+ }
+
+ function test_getExtensionArgs() {
+ $this->assertEquals(array('auth_policies' => ''), $this->req->getExtensionArgs());
+ $this->req->addPolicyURI('http://uri');
+ $this->assertEquals(array('auth_policies' => 'http://uri'), $this->req->getExtensionArgs());
+ $this->req->addPolicyURI('http://zig');
+ $this->assertEquals(array('auth_policies' => 'http://uri http://zig'), $this->req->getExtensionArgs());
+ $this->req->auth_age = 789;
+ $this->assertEquals(array('auth_policies' => 'http://uri http://zig', 'auth_age' => '789'), $this->req->getExtensionArgs());
+ $this->req->nist_auth_level = 3;
+ $this->assertEquals(array('auth_policies' => 'http://uri http://zig', 'auth_age' => '789', 'nist_auth_level' => '3'), $this->req->getExtensionArgs());
+ }
+
+ function test_getExtensionArgs_error_auth_age() {
+ $this->req->auth_age = "older than the sun";
+ $this->assertEquals(false, $this->req->getExtensionArgs());
+ $this->req->auth_age = -10;
+ $this->assertEquals(false, $this->req->getExtensionArgs());
+ }
+
+ function test_getExtensionArgs_error_nist_auth_level() {
+ $this->req->nist_auth_level = "high as a kite";
+ $this->assertEquals(false, $this->req->getExtensionArgs());
+ $this->req->nist_auth_level = 5;
+ $this->assertEquals(false, $this->req->getExtensionArgs());
+ $this->req->nist_auth_level = -1;
+ $this->assertEquals(false, $this->req->getExtensionArgs());
+ }
+
+ function test_parseExtensionArgs() {
+ $args = array('auth_policies' => 'http://foo http://bar',
+ 'auth_age' => '9');
+ $this->req->parseExtensionArgs($args);
+ $this->assertEquals(9, $this->req->auth_age);
+ $this->assertEquals(array('http://foo','http://bar'), $this->req->auth_policies);
+ }
+
+ function test_parseExtensionArgs_empty() {
+ $this->req->parseExtensionArgs(array());
+ $this->assertEquals(null, $this->req->auth_age);
+ $this->assertEquals(array(), $this->req->auth_policies);
+ }
+
+ function test_parseExtensionArgs_strict_bogus1() {
+ $args = array('auth_policies' => 'http://foo http://bar',
+ 'auth_age' => 'not too old');
+ $this->assertEquals(false, $this->req->parseExtensionArgs($args, true));
+ }
+
+ function test_parseExtensionArgs_strict_bogus2() {
+ $args = array('auth_policies' => 'http://foo http://bar',
+ 'auth_age' => '63',
+ 'nist_auth_level' => 'some');
+ $this->assertEquals(false, $this->req->parseExtensionArgs($args, true));
+ }
+
+ function test_parseExtensionArgs_strict_good() {
+ $args = array('auth_policies' => 'http://foo http://bar',
+ 'auth_age' => '0',
+ 'nist_auth_level' => '0');
+ $this->req->parseExtensionArgs($args, true);
+ $this->assertEquals(array('http://foo','http://bar'), $this->req->auth_policies);
+ $this->assertEquals(0, $this->req->auth_age);
+ $this->assertEquals(0, $this->req->nist_auth_level);
+ }
+
+ function test_parseExtensionArgs_nostrict_bogus() {
+ $args = array('auth_policies' => 'http://foo http://bar',
+ 'auth_age' => 'old',
+ 'nist_auth_level' => 'some');
+ $this->req->parseExtensionArgs($args);
+ $this->assertEquals(array('http://foo','http://bar'), $this->req->auth_policies);
+ $this->assertEquals(null, $this->req->auth_age);
+ $this->assertEquals(null, $this->req->nist_auth_level);
+ }
+
+ function test_fromSuccessResponse() {
+ $openid_req_msg = Auth_OpenID_Message::fromOpenIDArgs(array(
+ 'mode' => 'id_res',
+ 'ns' => Auth_OpenID_OPENID2_NS,
+ 'ns.pape' => Auth_OpenID_PAPE_NS_URI,
+ 'auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)),
+ 'auth_age' => '5476'
+ ));
+ $signed_stuff = array(
+ 'auth_policies' => implode(' ', array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT)),
+ 'auth_age' => '5476'
+ );
+ $oid_req = new PAPE_DummySuccessResponse($openid_req_msg, $signed_stuff);
+ $req = Auth_OpenID_PAPE_Response::fromSuccessResponse($oid_req);
+ $this->assertEquals(array(PAPE_AUTH_MULTI_FACTOR, PAPE_AUTH_PHISHING_RESISTANT), $req->auth_policies);
+ $this->assertEquals(5476, $req->auth_age);
+ }
+}
+
+class Tests_Auth_OpenID_PAPE extends PHPUnit_TestSuite {
+ function getName() {
+ return "Tests_Auth_OpenID_PAPE";
+ }
+
+ function Tests_Auth_OpenID_PAPE() {
+ $this->addTestSuite('PapeRequestTestCase');
+ $this->addTestSuite('PapeResponseTestCase');
+ }
+}
+
+?>
diff --git a/Tests/TestDriver.php b/Tests/TestDriver.php
index db2985a..c003efe 100644
--- a/Tests/TestDriver.php
+++ b/Tests/TestDriver.php
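Review bot: The response tests never exercise the two security-relevant branches this commit adds to `fromSuccessResponse`. No case asserts that it returns `null` when `getSignedNS()` yields `null` or an empty array, and `test_fromSuccessResponse` puts identical values in the message and in `$signed_stuff`, so it would still pass if the parser read unsigned arguments. A case where the message carries PAPE values but `$signed_stuff` is `array()`, with an expected result of `null`, would pin the signed-only rule. In that same test the message keys are written as `'auth_policies'` and `'auth_age'` without the `pape.` prefix used in `test_fromOpenIDRequest`, which looks unintended. On the request side there is no case for `'max_auth_age' => '0'`, the value a truthiness check is most likely to mishandle.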
@@ -129,6 +129,7 @@ $_tests = array(
 'Negotiation',
 'Nonce',
 'OpenID_Yadis',
+ 'PAPE',
 'Parse',
 'RPVerify',
 'Server', |