diff --git a/core/modules/openid/config/openid.settings.yml b/core/modules/openid/config/openid.settings.yml
deleted file mode 100644
index 02e5db0..0000000
--- a/core/modules/openid/config/openid.settings.yml
+++ /dev/null
@@ -1 +0,0 @@
-xri_proxy_resolver: 'http://xri.net/'
diff --git a/core/modules/openid/config/schema/openid.schema.yml b/core/modules/openid/config/schema/openid.schema.yml
deleted file mode 100644
index 2ae5738..0000000
--- a/core/modules/openid/config/schema/openid.schema.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-# Schema for the configuration files of the openid module.
-
-openid.settings:
- type: mapping
- label: 'OpenID settings'
- mapping:
- xri_proxy_resolver:
- type: string
- label: 'Proxy resolver for XRI'
diff --git a/core/modules/openid/lib/Drupal/openid/Form/UserDeleteForm.php b/core/modules/openid/lib/Drupal/openid/Form/UserDeleteForm.php
deleted file mode 100644
index 233cd44..0000000
--- a/core/modules/openid/lib/Drupal/openid/Form/UserDeleteForm.php
+++ /dev/null
@@ -1,110 +0,0 @@
-database = $database;
- }
-
- /**
- * {@inheritdoc}
- */
- public static function create(ContainerInterface $container) {
- return new static(
- $container->get('database')
- );
- }
-
- /**
- * {@inheritdoc}
- */
- protected function getQuestion() {
- $identifier = $this->database->query("SELECT identifier FROM {openid_identities} WHERE uid = :uid AND aid = :aid", array(
- ':uid' => $this->account->id(),
- ':aid' => $this->aid,
- ))->fetchField();
- return t('Are you sure you want to delete the OpenID %identifier for %user?', array('%identifier' => $identifier, '%user' => $this->account->label()));
- }
-
- /**
- * {@inheritdoc}
- */
- protected function getCancelPath() {
- return 'user/' . $this->account->id() . '/openid';
- }
-
- /**
- * {@inheritdoc}
- */
- public function getFormID() {
- return 'openid_user_delete_form';
- }
-
- /**
- * {@inheritdoc}
- */
- public function buildForm(array $form, array &$form_state, UserInterface $account = NULL, $aid = NULL) {
- $this->aid = $aid;
- $this->account = $account;
-
- return parent::buildForm($form, $form_state);
- }
-
- /**
- * {@inheritdoc}
- */
- public function submitForm(array &$form, array &$form_state) {
- $query = $this->database->delete('openid_identities')
- ->condition('uid', $this->account->id())
- ->condition('aid', $this->aid)
- ->execute();
- if ($query) {
- drupal_set_message(t('OpenID deleted.'));
- }
- $form_state['redirect'] = 'user/' . $this->account->id() . '/openid';
- }
-
-}
diff --git a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDFunctionalTest.php b/core/modules/openid/lib/Drupal/openid/Tests/OpenIDFunctionalTest.php
deleted file mode 100644
index 0479793..0000000
--- a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDFunctionalTest.php
+++ /dev/null
@@ -1,404 +0,0 @@
- 'OpenID discovery and login',
- 'description' => "Adds an identity to a user's profile and uses it to log in.",
- 'group' => 'OpenID'
- );
- }
-
- function setUp() {
- parent::setUp();
-
- // User doesn't need special permissions; only the ability to log in.
- $this->web_user = $this->drupalCreateUser(array());
- }
-
- /**
- * Test discovery of OpenID Provider Endpoint via Yadis and HTML.
- */
- function testDiscovery() {
- $this->drupalLogin($this->web_user);
-
- // The User-supplied Identifier entered by the user may indicate the URL of
- // the OpenID Provider Endpoint in various ways, as described in OpenID
- // Authentication 2.0 and Yadis Specification 1.0.
- // Note that all of the tested identifiers refer to the same endpoint, so
- // only the first will trigger an associate request in openid_association()
- // (association is only done the first time Drupal encounters a given
- // endpoint).
-
-
- // Yadis discovery (see Yadis Specification 1.0, section 6.2.5):
- // If the User-supplied Identifier is a URL, it may be a direct or indirect
- // reference to an XRDS document (a Yadis Resource Descriptor) that contains
- // the URL of the OpenID Provider Endpoint.
-
- // Identifier is the URL of an XRDS document.
- // On HTTP test environments, the URL scheme is stripped in order to test
- // that the supplied identifier is normalized in openid_begin().
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->addIdentity(preg_replace('@^http://@', '', $identity), 2, 'http://example.com/xrds', $identity);
-
- $identity = url('openid-test/yadis/xrds/delegate', array('absolute' => TRUE));
- $this->addIdentity(preg_replace('@^http://@', '', $identity), 2, 'http://example.com/xrds-delegate', $identity);
-
- // Identifier is the URL of an XRDS document containing an OP Identifier
- // Element. The Relying Party sends the special value
- // "http://specs.openid.net/auth/2.0/identifier_select" as Claimed
- // Identifier. The OpenID Provider responds with the actual identifier
- // including the fragment.
- $identity = url('openid-test/yadis/xrds/dummy-user', array('absolute' => TRUE, 'fragment' => $this->randomName()));
- // Tell openid_test.module to respond with this identifier. If the fragment
- // part is present in the identifier, it should be retained.
- state()->set('openid_test.response', array('openid.claimed_id' => $identity));
- $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, 'http://specs.openid.net/auth/2.0/identifier_select', $identity);
- state()->set('openid_test.response', array());
-
- // Identifier is the URL of an HTML page that is sent with an HTTP header
- // that contains the URL of an XRDS document.
- $this->addIdentity(url('openid-test/yadis/x-xrds-location', array('absolute' => TRUE)), 2);
-
- // Identifier is the URL of an HTML page containing a
- // element that contains the URL of an XRDS document.
- $this->addIdentity(url('openid-test/yadis/http-equiv', array('absolute' => TRUE)), 2);
-
- // Identifier is an XRI. Resolve using our own dummy proxy resolver.
- config('openid.settings')
- ->set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/')
- ->save();
- $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/xrds', 'http://example.com/user');
-
- // Make sure that unverified CanonicalID are not trusted.
- state()->set('openid_test.canonical_id_status', 'bad value');
- $this->addIdentity('@example*résumé;%25', 2, FALSE, FALSE);
-
- // HTML-based discovery:
- // If the User-supplied Identifier is a URL of an HTML page, the page may
- // contain a element containing the URL of the OpenID
- // Provider Endpoint. OpenID 1 and 2 describe slightly different formats.
-
- // OpenID Authentication 1.1, section 3.1:
- $this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1, 'http://example.com/html-openid1');
-
- // OpenID Authentication 2.0, section 7.3.3:
- $this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2, 'http://example.com/html-openid2');
-
- // OpenID Authentication 2.0, section 7.2.4:
- // URL Identifiers MUST then be further normalized by both (1) following
- // redirects when retrieving their content and finally (2) applying the
- // rules in Section 6 of RFC3986 to the final destination URL. This final
- // URL MUST be noted by the Relying Party as the Claimed Identifier and be
- // used when requesting authentication.
-
- // Single redirect.
- $identity = $expected_claimed_id = url('openid-test/redirected/yadis/xrds/1', array('absolute' => TRUE));
- $this->addRedirectedIdentity($identity, 2, 'http://example.com/xrds', $expected_claimed_id, 0);
-
- // Exactly 5 redirects (default value for the max redirects setting).
- $identity = $expected_claimed_id = url('openid-test/redirected/yadis/xrds/2', array('absolute' => TRUE));
- $this->addRedirectedIdentity($identity, 2, 'http://example.com/xrds', $expected_claimed_id, 4);
-
- // Fails because there are more than 5 redirects.
- $identity = url('openid-test/redirected/yadis/xrds/3', array('absolute' => TRUE));
- $expected_claimed_id = FALSE;
- $this->addRedirectedIdentity($identity, 2, 'http://example.com/xrds', $expected_claimed_id, 5);
- }
-
- /**
- * Test login using OpenID.
- */
- function testLogin() {
- $this->drupalLogin($this->web_user);
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->addIdentity($identity);
- $response = state()->get('openid_test.hook_openid_response_response');
- $account = state()->get('openid_test.hook_openid_response_account');
- $this->assertEqual($response['openid.claimed_id'], $identity, 'hook_openid_response() was invoked.');
- $this->assertEqual($account->uid, $this->web_user->uid, 'Proper user object passed to hook_openid_response().');
-
- $this->drupalLogout();
-
- // Test logging in via the login block on the front page.
- state()->delete('openid_test.hook_openid_response_response');
- state()->delete('openid_test.hook_openid_response_account');
- $this->submitLoginForm($identity);
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
- $response = state()->get('openid_test.hook_openid_response_response');
- $account = state()->get('openid_test.hook_openid_response_account');
- $this->assertEqual($response['openid.claimed_id'], $identity, 'hook_openid_response() was invoked.');
- $this->assertEqual($account->uid, $this->web_user->uid, 'Proper user object passed to hook_openid_response().');
-
- $this->drupalLogout();
-
- // Test logging in via the user/login/openid page.
- $edit = array('openid_identifier' => $identity);
- $this->drupalPost('user/login/openid', $edit, t('Log in'));
-
- // Check we are on the OpenID redirect form.
- $this->assertTitle(t('OpenID redirect'), 'OpenID redirect page was displayed.');
-
- // Submit form to the OpenID Provider Endpoint.
- $this->drupalPost(NULL, array(), t('Send'));
-
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
-
- // Verify user was redirected away from user/login/openid to an accessible
- // page.
- $this->assertResponse(200);
-
- $this->drupalLogout();
-
- // Tell openid_test.module to alter the checkid_setup request.
- $new_identity = 'http://example.com/' . $this->randomName();
- state()->set('openid_test.identity', $new_identity);
- state()->set('openid_test.request_alter', array('checkid_setup' => array('openid.identity' => $new_identity)));
- $this->submitLoginForm($identity);
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
- $response = state()->get('openid_test.hook_openid_response_response');
- $this->assertEqual($response['openid.identity'], $new_identity, 'hook_openid_request_alter() were invoked.');
-
- $this->drupalLogout();
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- // Tell the test module to add a doctype. This should fail.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE, 'query' => array('doctype' => 1)));
- // Test logging in via the login block on the front page.
- $edit = array('openid_identifier' => $identity);
- $this->drupalPost('', $edit, t('Log in'), array(), array(), 'openid-login-form');
- $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), 'XML with DOCTYPE was rejected.');
- }
-
- /**
- * Test login using OpenID during maintenance mode.
- */
- function testLoginMaintenanceMode() {
- $this->web_user = $this->drupalCreateUser(array('access site in maintenance mode'));
- $this->drupalLogin($this->web_user);
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->addIdentity($identity);
- $this->drupalLogout();
-
- // Enable maintenance mode.
- config('system.maintenance')->set('enabled', TRUE)->save();
-
- // Test logging in via the user/login/openid page while the site is offline.
- $edit = array('openid_identifier' => $identity);
- $this->drupalPost('user/login/openid', $edit, t('Log in'));
-
- // Check we are on the OpenID redirect form.
- $this->assertTitle(t('OpenID redirect'), 'OpenID redirect page was displayed.');
-
- // Submit form to the OpenID Provider Endpoint.
- $this->drupalPost(NULL, array(), t('Send'));
-
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
-
- // Verify user was redirected away from user/login/openid to an accessible
- // page.
- $this->assertText(t('Operating in maintenance mode.'));
- $this->assertResponse(200);
- }
-
- /**
- * Test deleting an OpenID identity from a user's profile.
- */
- function testDelete() {
- $this->drupalLogin($this->web_user);
-
- // Add identity to user's profile.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->addIdentity($identity);
- $this->assertText($identity, 'Identity appears in list.');
-
- // Delete the newly added identity.
- $this->clickLink(t('Delete'));
- $this->drupalPost(NULL, array(), t('Confirm'));
-
- $this->assertText(t('OpenID deleted.'), 'Identity deleted');
- $this->assertNoText($identity, 'Identity no longer appears in list.');
- }
-
- /**
- * Test that a blocked user cannot log in.
- */
- function testBlockedUserLogin() {
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
-
- // Log in and add an OpenID Identity to the account.
- $this->drupalLogin($this->web_user);
- $this->addIdentity($identity);
- $this->drupalLogout();
-
- // Log in as an admin user and block the account.
- $admin_user = $this->drupalCreateUser(array('administer users'));
- $this->drupalLogin($admin_user);
- $this->drupalGet('admin/people');
- $edit = array(
- 'operation' => 'block',
- 'accounts[' . $this->web_user->uid . ']' => TRUE,
- );
- $this->drupalPost('admin/people', $edit, t('Update'));
- $this->assertRaw('The update has been performed.', 'Account was blocked.');
- $this->drupalLogout();
-
- $this->submitLoginForm($identity);
- $this->assertRaw(t('The username %name has not been activated or is blocked.', array('%name' => $this->web_user->name)), 'User login was blocked.');
- }
-
- /**
- * Add OpenID identity to user's profile.
- *
- * @param $identity
- * The User-supplied Identifier.
- * @param $version
- * The protocol version used by the service.
- * @param $local_id
- * The expected OP-Local Identifier found during discovery.
- * @param $claimed_id
- * The expected Claimed Identifier returned by the OpenID Provider, or FALSE
- * if the discovery is expected to fail.
- */
- function addIdentity($identity, $version = 2, $local_id = 'http://example.com/xrds', $claimed_id = NULL) {
- // Tell openid_test.module to only accept this OP-Local Identifier.
- state()->set('openid_test.identity', $local_id);
-
- $edit = array('openid_identifier' => $identity);
- $this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID'));
-
- if ($claimed_id === FALSE) {
- $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), 'Invalid identity was rejected.');
- return;
- }
-
- // OpenID 1 used a HTTP redirect, OpenID 2 uses a HTML form that is submitted automatically using JavaScript.
- if ($version == 2) {
- // Check we are on the OpenID redirect form.
- $this->assertTitle(t('OpenID redirect'), 'OpenID redirect page was displayed.');
-
- // Submit form to the OpenID Provider Endpoint.
- $this->drupalPost(NULL, array(), t('Send'));
- }
-
- if (!isset($claimed_id)) {
- $claimed_id = $identity;
- }
- $this->assertRaw(t('Successfully added %identity', array('%identity' => $claimed_id)), format_string('Identity %identity was added.', array('%identity' => $identity)));
- }
-
- /**
- * Add OpenID identity, changed by the following redirects, to user's profile.
- *
- * According to OpenID Authentication 2.0, section 7.2.4, URL Identifiers MUST
- * be further normalized by following redirects when retrieving their content
- * and this final URL MUST be noted by the Relying Party as the Claimed
- * Identifier and be used when requesting authentication.
- *
- * @param $identity
- * The User-supplied Identifier.
- * @param $version
- * The protocol version used by the service.
- * @param $local_id
- * The expected OP-Local Identifier found during discovery.
- * @param $claimed_id
- * The expected Claimed Identifier returned by the OpenID Provider, or FALSE
- * if the discovery is expected to fail.
- * @param $redirects
- * The number of redirects.
- */
- function addRedirectedIdentity($identity, $version = 2, $local_id = 'http://example.com/xrds', $claimed_id = NULL, $redirects = 0) {
- // Set the final destination URL which is the same as the Claimed
- // Identifier, we insert the same identifier also to the provider response,
- // but provider could further change the Claimed ID actually (e.g. it could
- // add unique fragment).
- state()->set('openid_test.redirect_url', $identity);
- state()->set('openid_test.response', array('openid.claimed_id' => $identity));
-
- $this->addIdentity(url('openid-test/redirect/' . $redirects, array('absolute' => TRUE)), $version, $local_id, $claimed_id);
-
- // Clean up.
- state()->delete('openid_test.redirect_url');
- state()->delete('openid_test.response');
- }
-
- /**
- * Tests that openid.signed is verified.
- */
- function testSignatureValidation() {
- module_load_include('inc', 'openid');
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
-
- // Respond with an invalid signature.
- state()->set('openid_test.response', array('openid.sig' => 'this-is-an-invalid-signature'));
- $this->submitLoginForm($identity);
- $this->assertRaw('OpenID login failed.');
-
- // Do not sign the mandatory field openid.assoc_handle.
- state()->set('openid_test.response', array('openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce'));
- $this->submitLoginForm($identity);
- $this->assertRaw('OpenID login failed.');
-
- // Sign all mandatory fields and a custom field.
- $keys_to_sign = array('op_endpoint', 'claimed_id', 'identity', 'return_to', 'response_nonce', 'assoc_handle', 'foo');
- $association = new stdClass();
- $association->mac_key = NULL;
- $response = array(
- 'openid.op_endpoint' => url('openid-test/endpoint', array('absolute' => TRUE)),
- 'openid.claimed_id' => $identity,
- 'openid.identity' => $identity,
- 'openid.return_to' => url('openid/authenticate', array('absolute' => TRUE)),
- 'openid.response_nonce' => _openid_nonce(),
- 'openid.assoc_handle' => 'openid-test',
- 'openid.foo' => 123,
- 'openid.signed' => implode(',', $keys_to_sign),
- );
- $response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign);
- state()->set('openid_test.response', $response);
- $this->submitLoginForm($identity);
- $this->assertNoRaw('OpenID login failed.');
- $this->assertFieldByName('name', '', 'No username was supplied by provider.');
- $this->assertFieldByName('mail', '', 'No e-mail address was supplied by provider.');
-
- // Check that unsigned SREG fields are ignored.
- $response = array(
- 'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,sreg.nickname',
- 'openid.sreg.nickname' => 'john',
- 'openid.sreg.email' => 'john@example.com',
- );
- state()->set('openid_test.response', $response);
- $this->submitLoginForm($identity);
- $this->assertNoRaw('OpenID login failed.');
- $this->assertFieldByName('name', 'john', 'Username was supplied by provider.');
- $this->assertFieldByName('mail', '', 'E-mail address supplied by provider was ignored.');
- }
-}
diff --git a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDRegistrationTest.php b/core/modules/openid/lib/Drupal/openid/Tests/OpenIDRegistrationTest.php
deleted file mode 100644
index 7389580..0000000
--- a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDRegistrationTest.php
+++ /dev/null
@@ -1,271 +0,0 @@
- 'OpenID account registration',
- 'description' => 'Creates a user account using auto-registration.',
- 'group' => 'OpenID'
- );
- }
-
- /**
- * Test OpenID auto-registration with e-mail verification enabled.
- */
- function testRegisterUserWithEmailVerification() {
- config('user.settings')->set('verify_mail', TRUE)->save();
-
- config('system.timezone')
- ->set('user.configurable', 1)
- ->set('default', 'Europe/Brussels')
- ->save();
-
- // Tell openid_test.module to respond with these SREG fields.
- state()->set('openid_test.response', array(
- 'openid.sreg.nickname' => 'john',
- 'openid.sreg.email' => 'john@example.com',
- 'openid.sreg.language' => 'pt-BR',
- 'openid.sreg.timezone' => 'Europe/London',
- ));
-
- // Save Portuguese and Portuguese, Portugal as optional languages. The
- // process should pick 'pt' based on the sreg.language being 'pt-BR'
- // (and falling back on least specific language given no pt-br available
- // locally).
- $language = new Language(array(
- 'langcode' => 'pt',
- ));
- language_save($language);
- $language = new Language(array(
- 'langcode' => 'pt-pt',
- ));
- language_save($language);
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->submitLoginForm($identity);
- $this->assertRaw(t('Once you have verified your e-mail address, you may log in via OpenID.'), 'User was asked to verify e-mail address.');
- $this->assertRaw(t('A welcome message with further instructions has been sent to your e-mail address.'), 'A welcome message was sent to the user.');
- $reset_url = $this->getPasswordResetURLFromMail();
-
- $user = user_load_by_name('john');
- $this->assertTrue($user, 'User was registered with right username.');
- $this->assertEqual($user->mail, 'john@example.com', 'User was registered with right email address.');
- $this->assertEqual($user->timezone, 'Europe/London', 'User was registered with right timezone.');
- $this->assertEqual($user->preferred_langcode, 'pt', 'User was registered with right language.');
-
- $this->submitLoginForm($identity);
- $this->assertRaw(t('You must validate your email address for this account before logging in via OpenID.'));
-
- // Follow the one-time login that was sent in the welcome e-mail.
- $this->drupalGet($reset_url);
- $this->drupalPost(NULL, array(), t('Log in'));
-
- $this->drupalLogout();
-
- // Verify that the account was activated.
- $this->submitLoginForm($identity);
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
- }
-
- /**
- * Test OpenID auto-registration with e-mail verification disabled.
- */
- function testRegisterUserWithoutEmailVerification() {
- config('user.settings')->set('verify_mail', FALSE)->save();
-
- config('system.timezone')
- ->set('user.configurable', 1)
- ->set('default', 'Europe/Brussels')
- ->save();
-
- // Tell openid_test.module to respond with these SREG fields.
- state()->set('openid_test.response', array(
- 'openid.sreg.nickname' => 'john',
- 'openid.sreg.email' => 'john@example.com',
- 'openid.sreg.language' => 'pt-BR',
- 'openid.sreg.timezone' => 'Europe/London',
- ));
-
- // Save Portuguese, Brazil as an optional language. The process should pick
- // 'pt-br' based on the sreg.language later.
- $language = new Language(array(
- 'langcode' => 'pt-br',
- ));
- language_save($language);
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->submitLoginForm($identity);
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
-
- $user = user_load_by_name('john');
- $this->assertTrue($user, 'User was registered with right username.');
- $this->assertEqual($user->mail, 'john@example.com', 'User was registered with right email address.');
- $this->assertEqual($user->timezone, 'Europe/London', 'User was registered with right timezone.');
- $this->assertEqual($user->preferred_langcode, 'pt-br', 'User was registered with right language.');
-
- $this->drupalLogout();
-
- $this->submitLoginForm($identity);
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
- }
-
- /**
- * Test OpenID auto-registration with a provider that supplies invalid SREG
- * information (a username that is already taken, and no e-mail address).
- */
- function testRegisterUserWithInvalidSreg() {
- config('system.timezone')
- ->set('user.configurable', 1)
- ->set('default', 'Europe/Brussels')
- ->save();
-
- // Tell openid_test.module to respond with these SREG fields.
- $web_user = $this->drupalCreateUser(array());
- state()->set('openid_test.response', array(
- 'openid.sreg.nickname' => $web_user->name,
- 'openid.sreg.email' => 'mail@invalid#',
- 'openid.sreg.timezone' => 'Foo/Bar',
- 'openid.sreg.language' => 'foobar',
- ));
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->submitLoginForm($identity);
-
- $this->assertRaw(t('Account registration using the information provided by your OpenID provider failed due to the reasons listed below. Complete the registration by filling out the form below. If you already have an account, you can log in now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'User was asked to complete the registration process manually.');
- $this->assertRaw(t('The name %name is already taken.', array('%name' => $web_user->name)), 'Form validation error for username was displayed.');
- $this->assertRaw(t('The e-mail address %mail is not valid.', array('%mail' => 'mail@invalid#')), 'Form validation error for e-mail address was displayed.');
- $this->assertTrue(state()->get('openid_test.hook_openid_response_response'), 'hook_openid_response() was invoked.');
- $this->assertFalse(state()->get('openid_test.hook_openid_response_account'), 'No user object passed to hook_openid_response().');
-
- // Enter username and e-mail address manually.
- state()->delete('openid_test.hook_openid_response_response');
- $edit = array('name' => 'john', 'mail' => 'john@example.com');
- $this->drupalPost(NULL, $edit, t('Create new account'));
- $this->assertRaw(t('Once you have verified your e-mail address, you may log in via OpenID.'), 'User was asked to verify e-mail address.');
- $reset_url = $this->getPasswordResetURLFromMail();
-
- $user = user_load_by_name('john');
- $this->assertTrue($user, 'User was registered with right username.');
- $this->assertEqual($user->preferred_langcode, language_default()->langcode, 'User language is site default.');
-
- // Follow the one-time login that was sent in the welcome e-mail.
- $this->drupalGet($reset_url);
- $this->drupalPost(NULL, array(), t('Log in'));
- $this->assertFalse(state()->get('openid_test.hook_openid_response_response'), 'hook_openid_response() was not invoked.');
-
- // The user is taken to user/%uid/edit.
- $this->assertFieldByName('mail', 'john@example.com', 'User was registered with right e-mail address.');
-
- $this->clickLink(t('OpenID identities'));
- $this->assertRaw($identity, 'OpenID identity was registered.');
- }
-
- /**
- * Test OpenID auto-registration with a provider that does not supply SREG
- * information (i.e. no username or e-mail address).
- */
- function testRegisterUserWithoutSreg() {
-
- // Load the front page to get the user login block.
- $this->drupalGet('');
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->submitLoginForm($identity);
- $this->assertRaw(t('Complete the registration by filling out the form below. If you already have an account, you can log in now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'User was asked to complete the registration process manually.');
- $this->assertNoRaw(t('You must enter a username.'), 'Form validation error for username was not displayed.');
- $this->assertNoRaw(t('You must enter an e-mail address.'), 'Form validation error for e-mail address was not displayed.');
-
- // Enter username and e-mail address manually.
- $edit = array('name' => 'john', 'mail' => 'john@example.com');
- $this->drupalPost(NULL, $edit, t('Create new account'));
- $this->assertRaw(t('Once you have verified your e-mail address, you may log in via OpenID.'), 'User was asked to verify e-mail address.');
- $reset_url = $this->getPasswordResetURLFromMail();
-
- $user = user_load_by_name('john');
- $this->assertTrue($user, 'User was registered with right username.');
- $this->assertEqual($user->preferred_langcode, language_default()->langcode, 'User language is site default.');
-
- // Follow the one-time login that was sent in the welcome e-mail.
- $this->drupalGet($reset_url);
- $this->drupalPost(NULL, array(), t('Log in'));
-
- // The user is taken to user/%uid/edit.
- $this->assertFieldByName('mail', 'john@example.com', 'User was registered with right e-mail address.');
-
- $this->clickLink(t('OpenID identities'));
- $this->assertRaw($identity, 'OpenID identity was registered.');
- }
-
- /**
- * Test OpenID auto-registration with a provider that supplies AX information,
- * but no SREG.
- */
- function testRegisterUserWithAXButNoSREG() {
- config('user.settings')->set('verify_mail', FALSE)->save();
- config('system.timezone')
- ->set('default', 'Europe/Brussels')
- ->save();
-
- // Tell openid_test.module to respond with these AX fields.
- state()->set('openid_test.response', array(
- 'openid.ns.ext123' => 'http://openid.net/srv/ax/1.0',
- 'openid.ext123.type.mail456' => 'http://axschema.org/contact/email',
- 'openid.ext123.value.mail456' => 'john@example.com',
- 'openid.ext123.type.name789' => 'http://schema.openid.net/namePerson/friendly',
- 'openid.ext123.count.name789' => '1',
- 'openid.ext123.value.name789.1' => 'john',
- 'openid.ext123.type.timezone' => 'http://axschema.org/pref/timezone',
- 'openid.ext123.value.timezone' => 'Europe/London',
- 'openid.ext123.type.language' => 'http://axschema.org/pref/language',
- 'openid.ext123.value.language' => 'pt-PT',
- ));
-
- // Save Portuguese and Portuguese, Portugal as optional languages. The
- // process should pick 'pt-pt' as the more specific language.
- $language = new Language(array(
- 'langcode' => 'pt',
- ));
- language_save($language);
- $language = new Language(array(
- 'langcode' => 'pt-pt',
- ));
- language_save($language);
-
- // Use a User-supplied Identity that is the URL of an XRDS document.
- $identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->submitLoginForm($identity);
- $this->assertLink(t('Log out'), 0, 'User was logged in.');
-
- $user = user_load_by_name('john');
- $this->assertTrue($user, 'User was registered with right username.');
- $this->assertEqual($user->mail, 'john@example.com', 'User was registered with right email address.');
- $this->assertEqual($user->timezone, 'Europe/London', 'User was registered with right timezone.');
- $this->assertEqual($user->preferred_langcode, 'pt-pt', 'User was registered with right language.');
- }
-}
diff --git a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDTest.php b/core/modules/openid/lib/Drupal/openid/Tests/OpenIDTest.php
deleted file mode 100644
index 3c2e614..0000000
--- a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDTest.php
+++ /dev/null
@@ -1,168 +0,0 @@ - 'OpenID helper functions', - 'description' => 'Test OpenID helper functions.', - 'group' => 'OpenID' - ); - } - - function setUp() { - parent::setUp(); - module_load_include('inc', 'openid'); - } - - /** - * Test _openid_dh_XXX_to_XXX() functions. - */ - function testConversion() { - $this->assertEqual(_openid_dh_long_to_base64('12345678901234567890123456789012345678901234567890'), 'CHJ/Y2mq+DyhUCZ0evjH8ZbOPwrS', '_openid_dh_long_to_base64() returned expected result.'); - $this->assertEqual(_openid_dh_base64_to_long('BsH/g8Nrpn2dtBSdu/sr1y8hxwyx'), '09876543210987654321098765432109876543210987654321', '_openid_dh_base64_to_long() returned expected result.'); - - $this->assertEqual(_openid_dh_long_to_binary('12345678901234567890123456789012345678901234567890'), "\x08r\x7fci\xaa\xf8<\xa1P&tz\xf8\xc7\xf1\x96\xce?\x0a\xd2", '_openid_dh_long_to_binary() returned expected result.'); - $this->assertEqual(_openid_dh_binary_to_long("\x06\xc1\xff\x83\xc3k\xa6}\x9d\xb4\x14\x9d\xbb\xfb+\xd7/!\xc7\x0c\xb1"), '09876543210987654321098765432109876543210987654321', '_openid_dh_binary_to_long() returned expected result.'); - } - - /** - * Test _openid_dh_xorsecret(). - */ - function testOpenidDhXorsecret() { - $this->assertEqual(_openid_dh_xorsecret('123456790123456790123456790', "abc123ABC\x00\xFF"), "\xa4'\x06\xbe\xf1.\x00y\xff\xc2\xc1", '_openid_dh_xorsecret() returned expected result.'); - } - - /** - * Test _openid_get_bytes(). - */ - function testOpenidGetBytes() { - $this->assertEqual(strlen(_openid_get_bytes(20)), 20, '_openid_get_bytes() returned expected result.'); - } - - /** - * Test _openid_signature(). - */ - function testOpenidSignature() { - // Test that signature is calculated according to OpenID Authentication 2.0, - // section 6.1. In the following array, only the two first entries should be - // included in the calculation, because the substring following the period - // is mentioned in the third argument for _openid_signature(). 
The last - // entry should not be included, because it does not start with "openid.". - $response = array( - 'openid.foo' => 'abc1', - 'openid.bar' => 'abc2', - 'openid.baz' => 'abc3', - 'foobar.foo' => 'abc4', - ); - $association = new stdClass(); - $association->mac_key = "1234567890abcdefghij\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9"; - $this->assertEqual(_openid_signature($association, $response, array('foo', 'bar')), 'QnKZQzSFstT+GNiJDFOptdcZjrc=', 'Expected signature calculated.'); - } - - /** - * Test _openid_is_xri(). - */ - function testOpenidXRITest() { - // Test that the XRI test is according to OpenID Authentication 2.0, - // section 7.2. If the user-supplied string starts with xri:// it should be - // stripped and the resulting string should be treated as an XRI when it - // starts with "=", "@", "+", "$", "!" or "(". - $this->assertTrue(_openid_is_xri('xri://=foo'), '_openid_is_xri() returned expected result for an xri identifier with xri scheme.'); - $this->assertTrue(_openid_is_xri('xri://@foo'), '_openid_is_xri() returned expected result for an xri identifier with xri scheme.'); - $this->assertTrue(_openid_is_xri('xri://+foo'), '_openid_is_xri() returned expected result for an xri identifier with xri scheme.'); - $this->assertTrue(_openid_is_xri('xri://$foo'), '_openid_is_xri() returned expected result for an xri identifier with xri scheme.'); - $this->assertTrue(_openid_is_xri('xri://!foo'), '_openid_is_xri() returned expected result for an xri identifier with xri scheme..'); - $this->assertTrue(_openid_is_xri('xri://(foo'), '_openid_is_xri() returned expected result for an xri identifier with xri scheme..'); - - $this->assertTrue(_openid_is_xri('=foo'), '_openid_is_xri() returned expected result for an xri identifier.'); - $this->assertTrue(_openid_is_xri('@foo'), '_openid_is_xri() returned expected result for an xri identifier.'); - $this->assertTrue(_openid_is_xri('+foo'), '_openid_is_xri() returned 
expected result for an xri identifier.'); - $this->assertTrue(_openid_is_xri('$foo'), '_openid_is_xri() returned expected result for an xri identifier.'); - $this->assertTrue(_openid_is_xri('!foo'), '_openid_is_xri() returned expected result for an xri identifier.'); - $this->assertTrue(_openid_is_xri('(foo'), '_openid_is_xri() returned expected result for an xri identifier.'); - - $this->assertFalse(_openid_is_xri('foo'), '_openid_is_xri() returned expected result for an http URL.'); - $this->assertFalse(_openid_is_xri('xri://foo'), '_openid_is_xri() returned expected result for an http URL.'); - $this->assertFalse(_openid_is_xri('http://foo/'), '_openid_is_xri() returned expected result for an http URL.'); - $this->assertFalse(_openid_is_xri('http://example.com/'), '_openid_is_xri() returned expected result for an http URL.'); - $this->assertFalse(_openid_is_xri('user@example.com/'), '_openid_is_xri() returned expected result for an http URL.'); - $this->assertFalse(_openid_is_xri('http://user@example.com/'), '_openid_is_xri() returned expected result for an http URL.'); - } - - /** - * Test openid_normalize(). - */ - function testOpenidNormalize() { - // Test that the normalization is according to OpenID Authentication 2.0, - // section 7.2 and 11.5.2. 
- - $this->assertEqual(openid_normalize('$foo'), '$foo', 'openid_normalize() correctly normalized an XRI.'); - $this->assertEqual(openid_normalize('xri://$foo'), '$foo', 'openid_normalize() correctly normalized an XRI with an xri:// scheme.'); - - $this->assertEqual(openid_normalize('example.com/'), 'http://example.com/', 'openid_normalize() correctly normalized a URL with a missing scheme.'); - $this->assertEqual(openid_normalize('example.com'), 'http://example.com/', 'openid_normalize() correctly normalized a URL with a missing scheme and empty path.'); - $this->assertEqual(openid_normalize('http://example.com'), 'http://example.com/', 'openid_normalize() correctly normalized a URL with an empty path.'); - - $this->assertEqual(openid_normalize('http://example.com/path'), 'http://example.com/path', 'openid_normalize() correctly normalized a URL with a path.'); - - $this->assertEqual(openid_normalize('http://example.com/path#fragment'), 'http://example.com/path', 'openid_normalize() correctly normalized a URL with a fragment.'); - } - - /** - * Test openid_extract_namespace(). 
- */ - function testOpenidExtractNamespace() { - $response = array( - 'openid.sreg.nickname' => 'john', - 'openid.ns.ext1' => OPENID_NS_SREG, - 'openid.ext1.nickname' => 'george', - 'openid.ext1.email' => 'george@example.com', - 'openid.ns.ext2' => 'http://example.com/ns/ext2', - 'openid.ext2.foo' => '123', - 'openid.ext2.bar' => '456', - 'openid.signed' => 'sreg.nickname,ns.ext1,ext1.email,ext2.foo', - ); - - $values = openid_extract_namespace($response, 'http://example.com/ns/dummy', NULL, FALSE); - $this->assertEqual($values, array(), 'Nothing found for unused namespace.'); - - $values = openid_extract_namespace($response, 'http://example.com/ns/dummy', 'sreg', FALSE); - $this->assertEqual($values, array('nickname' => 'john'), 'Value found for fallback prefix.'); - - $values = openid_extract_namespace($response, OPENID_NS_SREG, 'sreg', FALSE); - $this->assertEqual($values, array('nickname' => 'george', 'email' => 'george@example.com'), 'Namespace takes precedence over fallback prefix.'); - - // ext1.email is signed, but ext1.nickname is not. - $values = openid_extract_namespace($response, OPENID_NS_SREG, 'sreg', TRUE); - $this->assertEqual($values, array('email' => 'george@example.com'), 'Unsigned namespaced fields ignored.'); - - $values = openid_extract_namespace($response, 'http://example.com/ns/ext2', 'sreg', FALSE); - $this->assertEqual($values, array('foo' => '123', 'bar' => '456'), 'Unsigned fields found.'); - - // ext2.foo and ext2.bar are ignored, because ns.ext2 is not signed. The - // fallback prefix is not used, because the namespace is specified. - $values = openid_extract_namespace($response, 'http://example.com/ns/ext2', 'sreg', TRUE); - $this->assertEqual($values, array(), 'Unsigned fields ignored.'); - } -} diff --git a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDTestBase.php b/core/modules/openid/lib/Drupal/openid/Tests/OpenIDTestBase.php deleted file mode 100644 index 3110d88..0000000 
--- a/core/modules/openid/lib/Drupal/openid/Tests/OpenIDTestBase.php
+++ /dev/null
@@ -1,62 +0,0 @@
-admin_user = $this->drupalCreateUser(array('administer blocks'));
- $this->drupalLogin($this->admin_user);
- $this->drupalPlaceBlock('user_login_block');
- $this->drupalLogout();
-
- // Use a different front page than login page for testing OpenID login from
- // the user login block.
- config('system.site')->set('page.front', 'test-page')->save();
- }
-
- /**
- * Initiates the login procedure using the specified User-supplied Identity.
- */
- function submitLoginForm($identity) {
- // Fill out and submit the login form.
- $edit = array('openid_identifier' => $identity);
- $this->drupalPost('', $edit, t('Log in'), array(), array(), 'openid-login-form');
-
- // Check we are on the OpenID redirect form.
- $this->assertTitle(t('OpenID redirect'), 'OpenID redirect page was displayed.');
-
- // Submit form to the OpenID Provider Endpoint.
- $this->drupalPost(NULL, array(), t('Send'));
- }
-
- /**
- * Parses the last sent e-mail and returns the one-time login link URL.
- */
- function getPasswordResetURLFromMail() {
- $mails = $this->drupalGetMails();
- $mail = end($mails);
- preg_match('@.+user/reset/.+@', $mail['body'], $matches);
- return $matches[0];
- }
-}
diff --git a/core/modules/openid/lib/Drupal/openid/Tests/Upgrade/OpenIDAuthmapUpgradePathTest.php b/core/modules/openid/lib/Drupal/openid/Tests/Upgrade/OpenIDAuthmapUpgradePathTest.php
deleted file mode 100644
index e10cdbb..0000000
--- a/core/modules/openid/lib/Drupal/openid/Tests/Upgrade/OpenIDAuthmapUpgradePathTest.php
+++ /dev/null
@@ -1,70 +0,0 @@ - 'OpenID upgrade path', - 'description' => 'Identities migration from the authmap upgrade tests.', - 'group' => 'OpenID', - ); - } - - public function setUp() { - // Path to the database dump files. - $this->databaseDumpFiles = array( - drupal_get_path('module', 'system') . '/tests/upgrade/drupal-7.bare.minimal.database.php.gz', - drupal_get_path('module', 'openid') . '/tests/upgrade/drupal-7.openid.database.php', - drupal_get_path('module', 'openid') . '/tests/upgrade/drupal-7.openid.authmap.database.php', - ); - parent::setUp(); - } - - /** - * Tests expected openid identities conversion after a successful upgrade. - */ - public function testIdentitiesUpgrade() { - $this->assertTrue($this->performUpgrade(), 'The upgrade was completed successfully.'); - - // Verify that user identities was properly upgraded. - $expected_identities = array( - 1 => (object) array( - 'aid' => 1, - 'uid' => 1, - 'identifier' => 'userA@providerA', - ), - 2 => (object) array( - 'aid' => 2, - 'uid' => 1, - 'identifier' => 'userB@providerA', - )); - - $db_identities = db_select('openid_identities', 'oi') - ->fields('oi') - ->execute() - ->fetchAllAssoc('aid'); - - foreach ($expected_identities as $aid => $expected_identity) { - $this->assertEqual($expected_identity, $db_identities[$aid]); - } - - $this->assertEqual(count($expected_identities), count($db_identities)); - } -} diff --git a/core/modules/openid/login-bg.png b/core/modules/openid/login-bg.png deleted file mode 100644 index 532614f..0000000 --- a/core/modules/openid/login-bg.png +++ /dev/null @@ -1,4 +0,0 @@ -PNG - - IHDRaIDAT8c`%-Sbp!y  3ƇCkP|G2*?qihG6=f,j0S -D$'$W4Ir>zH6$=!A]oZ] g$aFIENDB` \ No newline at end of file diff --git a/core/modules/openid/openid-rtl.css b/core/modules/openid/openid-rtl.css deleted file mode 100644 index 36acd61..0000000 --- a/core/modules/openid/openid-rtl.css +++ /dev/null 
@@ -1,10 +0,0 @@
-#edit-openid-identifier {
- background-position: right 50%;
- padding-left: 0;
- padding-right: 20px;
-}
-
-#block-user-login .openid-link {
- background-position: right top;
- padding: 0 1.5em 0 0;
-}
diff --git a/core/modules/openid/openid.api.php b/core/modules/openid/openid.api.php
deleted file mode 100644
index bd286ff..0000000
--- a/core/modules/openid/openid.api.php
+++ /dev/null
@@ -1,110 +0,0 @@
- '_my_discovery_method',
- );
-}
-
-/**
- * Allow modules to alter discovery methods.
- */
-function hook_openid_discovery_method_info_alter(&$methods) {
- // Remove XRI discovery scheme.
- unset($methods['xri']);
-}
-
-/**
- * Allow modules to declare OpenID normalization methods.
- *
- * The discovery function callbacks will be called in turn with an unique
- * parameter, the identifier to normalize. They have to return a normalized
- * identifier, or NULL if the identifier is not in a form they can handle.
- *
- * The first normalization method that succeed (return a value that is not NULL)
- * will stop the normalization process.
- *
- * @return
- * An array with a set of function callbacks, that will be called in turn
- * when normalizing an OpenID identifier. The normalization functions have
- * to return a normalized identifier, or NULL if the identifier is not in
- * a form they can handle.
- * @see hook_openid_normalization_method_info_alter()
- */
-function hook_openid_normalization_method_info() {
- return array(
- 'new_normalization_idea' => '_my_normalization_method',
- );
-}
-
-/**
- * Allow modules to alter normalization methods.
- */
-function hook_openid_normalization_method_info_alter(&$methods) {
- // Remove Google IDP normalization.
- unset($methods['google_idp']);
-}
-
-/**
- * @} End of "addtogroup hooks".
- */
diff --git a/core/modules/openid/openid.css b/core/modules/openid/openid.css
deleted file mode 100644
index f96058e..0000000
--- a/core/modules/openid/openid.css
+++ /dev/null
@@ -1,17 +0,0 @@
-#edit-openid-identifier {
- background-image: url("login-bg.png");
- background-position: left 50%; /* LTR */
- background-repeat: no-repeat;
- padding-left: 20px; /* LTR */
-}
-
-#block-user-login #openid-login-form {
- display: none;
-}
-
-#block-user-login .openid-link {
- background-image: url("login-bg.png");
- background-position: left top; /* LTR */
- background-repeat: no-repeat;
- padding: 0 0 0 1.5em; /* LTR */
-}
diff --git a/core/modules/openid/openid.inc b/core/modules/openid/openid.inc
deleted file mode 100644
index a4b9b2c..0000000
--- a/core/modules/openid/openid.inc
+++ /dev/null
@@ -1,822 +0,0 @@ - $val) { - $query[] = $key . '=' . urlencode($val); - } - - $sep = (strpos($url, '?') === FALSE) ? '?' : '&'; - header('Location: ' . $url . $sep . implode('&', $query), TRUE, 302); - - drupal_exit(); -} - -/** - * Creates a js auto-submit redirect for (for the 2.x protocol) - */ -function openid_redirect($url, $message) { - $language_interface = language(Language::TYPE_INTERFACE); - - $output = '' . "\n"; - $output .= '' . "\n"; - $output .= "\n"; - $output .= "\n"; - $output .= "" . t('OpenID redirect') . "\n"; - $output .= "\n"; - $output .= "\n"; - $elements = drupal_get_form('openid_redirect_form', $url, $message); - $output .= drupal_render($elements); - $output .= '' . "\n"; - $output .= "\n"; - $output .= "\n"; - print $output; - - drupal_exit(); -} - -function openid_redirect_form($form, &$form_state, $url, $message) { - $form['#action'] = $url; - $form['#method'] = "post"; - foreach ($message as $key => $value) { - $form[$key] = array( - '#type' => 'hidden', - '#name' => $key, - '#value' => $value, - ); - } - $form['actions'] = array('#type' => 'actions'); - $form['actions']['submit'] = array( - '#type' => 'submit', - '#prefix' => '', - '#value' => t('Send'), - ); - - return $form; -} - -/** - * Parse an XRDS document. - * - * @param $raw_xml - * A string containing the XRDS document. - * @return - * An array of service entries. - */ -function _openid_xrds_parse($raw_xml) { - $services = array(); - - // Protect against malicious doctype declarations and other unexpected entity - // loading. - $load_entities = libxml_disable_entity_loader(TRUE); - - // Load the XML into a DOM document. - $dom = new DOMDocument(); - @$dom->loadXML($raw_xml); - - // Since DOCTYPE declarations from an untrusted source could be malicious, we - // stop parsing here and treat the XML as invalid since XRDS documents do not - // require, and are not expected to have, a DOCTYPE. 
- if (isset($dom->doctype)) { - return array(); - } - - // Parse the DOM document for the information we need. - if ($xml = simplexml_import_dom($dom)) { - foreach ($xml->children(OPENID_NS_XRD)->XRD as $xrd) { - foreach ($xrd->children(OPENID_NS_XRD)->Service as $service_element) { - $service = array( - 'priority' => $service_element->attributes()->priority ? (int)$service_element->attributes()->priority : PHP_INT_MAX, - 'types' => array(), - 'uri' => (string)$service_element->children(OPENID_NS_XRD)->URI, - 'service' => $service_element, - 'xrd' => $xrd, - ); - foreach ($service_element->Type as $type) { - $service['types'][] = (string)$type; - } - if ($service_element->children(OPENID_NS_XRD)->LocalID) { - $service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->LocalID; - } - elseif ($service_element->children(OPENID_NS_OPENID)->Delegate) { - $service['identity'] = (string)$service_element->children(OPENID_NS_OPENID)->Delegate; - } - else { - $service['identity'] = FALSE; - } - $services[] = $service; - } - } - } - - // Return the LIBXML options to the previous state before returning. - libxml_disable_entity_loader($load_entities); - - return $services; -} - -/** - * Select a service element. - * - * The procedure is described in OpenID Authentication 2.0, section 7.3.2. - * - * A new entry is added to the returned array with the key 'version' and the - * value 1 or 2 specifying the protocol version used by the service. - * - * @param $services - * An array of service arrays as returned by openid_discovery(). - * @return - * The selected service array, or NULL if no valid services were found. - */ -function _openid_select_service(array $services) { - // Extensible Resource Identifier (XRI) Resolution Version 2.0, section 4.3.3: - // Find the service with the highest priority (lowest integer value). If there - // is a tie, select a random one, not just the first in the XML document. 
- shuffle($services); - $selected_service = NULL; - $selected_type_priority = FALSE; - - // Search for an OP Identifier Element. - foreach ($services as $service) { - if (!empty($service['uri'])) { - $type_priority = FALSE; - if (in_array('http://specs.openid.net/auth/2.0/server', $service['types'])) { - $service['version'] = 2; - $type_priority = 1; - } - elseif (in_array('http://specs.openid.net/auth/2.0/signon', $service['types'])) { - $service['version'] = 2; - $type_priority = 2; - } - elseif (in_array(OPENID_NS_1_0, $service['types']) || in_array(OPENID_NS_1_1, $service['types'])) { - $service['version'] = 1; - $type_priority = 3; - } - - if ($type_priority - && (!$selected_service - || $type_priority < $selected_type_priority - || ($type_priority == $selected_type_priority && $service['priority'] < $selected_service['priority']))) { - $selected_service = $service; - $selected_type_priority = $type_priority; - } - } - } - - if ($selected_service) { - // Unset SimpleXMLElement instances that cannot be saved in $_SESSION. - unset($selected_service['xrd']); - unset($selected_service['service']); - } - - return $selected_service; -} - -/** - * Determine if the given identifier is an XRI ID. - */ -function _openid_is_xri($identifier) { - // Strip the xri:// scheme from the identifier if present. - if (stripos($identifier, 'xri://') === 0) { - $identifier = substr($identifier, 6); - } - - // Test whether the identifier starts with an XRI global context symbol or (. - $firstchar = substr($identifier, 0, 1); - if (strpos("=@+$!(", $firstchar) !== FALSE) { - return TRUE; - } - - return FALSE; -} - -/** - * Normalize the given identifier. - * - * The procedure is described in OpenID Authentication 2.0, section 7.2. 
- */ -function openid_normalize($identifier) { - $methods = module_invoke_all('openid_normalization_method_info'); - drupal_alter('openid_normalization_method_info', $methods); - - // Execute each method in turn, stopping after the first method accepted - // the identifier. - foreach ($methods as $method) { - $result = $method($identifier); - if ($result !== NULL) { - $identifier = $result; - break; - } - } - - return $identifier; -} - -/** - * OpenID normalization method: normalize XRI identifiers. - */ -function _openid_xri_normalize($identifier) { - if (_openid_is_xri($identifier)) { - if (stristr($identifier, 'xri://') !== FALSE) { - $identifier = substr($identifier, 6); - } - return $identifier; - } -} - -/** - * OpenID normalization method: normalize URL identifiers. - */ -function _openid_url_normalize($url) { - $normalized_url = $url; - - if (stristr($url, '://') === FALSE) { - $normalized_url = 'http://' . $url; - } - - // Strip the fragment and fragment delimiter if present. - $normalized_url = strtok($normalized_url, '#'); - - if (substr_count($normalized_url, '/') < 3) { - $normalized_url .= '/'; - } - - return $normalized_url; -} - -/** - * Create a serialized message packet as per spec: $key:$value\n . - */ -function _openid_create_message($data) { - $serialized = ''; - - foreach ($data as $key => $value) { - if ((strpos($key, ':') !== FALSE) || (strpos($key, "\n") !== FALSE) || (strpos($value, "\n") !== FALSE)) { - return NULL; - } - $serialized .= "$key:$value\n"; - } - return $serialized; -} - -/** - * Encode a message from _openid_create_message for HTTP Post - */ -function _openid_encode_message($message) { - $encoded_message = ''; - - $items = explode("\n", $message); - foreach ($items as $item) { - $parts = explode(':', $item, 2); - - if (count($parts) == 2) { - if ($encoded_message != '') { - $encoded_message .= '&'; - } - $encoded_message .= rawurlencode(trim($parts[0])) . '=' . 
rawurlencode(trim($parts[1])); - } - } - - return $encoded_message; -} - -/** - * Convert a direct communication message - * into an associative array. - */ -function _openid_parse_message($message) { - $parsed_message = array(); - - $items = explode("\n", $message); - foreach ($items as $item) { - $parts = explode(':', $item, 2); - - if (count($parts) == 2) { - $parsed_message[$parts[0]] = $parts[1]; - } - } - - return $parsed_message; -} - -/** - * Return a nonce value - formatted per OpenID spec. - */ -function _openid_nonce() { - // YYYY-MM-DDThh:mm:ssZ, plus some optional extra unique characters. - return gmdate('Y-m-d\TH:i:s\Z') . - chr(mt_rand(0, 25) + 65) . - chr(mt_rand(0, 25) + 65) . - chr(mt_rand(0, 25) + 65) . - chr(mt_rand(0, 25) + 65); -} - -/** - * Pull the href attribute out of an html link element. - */ -function _openid_link_href($rel, $html) { - $html_dom = new DOMDocument(); - if (@$html_dom->loadHTML($html)) { - $html_element = simplexml_import_dom($html_dom); - if (isset($html_element->head->link)) { - foreach ($html_element->head->link as $link) { - // The rel attribute contains a space-separated list of case-insensitive - // link types. - if (preg_match('@(?:\s|^)' . preg_quote($rel, '@') . '(?:\s|$)@i', $link['rel'])) { - return trim($link['href']); - } - } - } - } - return FALSE; -} - -/** - * Pull the content attribute out of an X-XRDS-Location meta http-equiv element. - */ -function _openid_meta_httpequiv($html) { - $html_dom = new DOMDocument(); - if (@$html_dom->loadHTML($html)) { - $html_element = simplexml_import_dom($html_dom); - if (isset($html_element->head->meta)) { - foreach ($html_element->head->meta as $meta) { - // The http-equiv attribute is case-insensitive. 
- if (strtolower(trim($meta['http-equiv'])) == 'x-xrds-location') { - return trim($meta['content']); - } - } - } - } - return FALSE; -} - -/** - * Sign certain keys in a message - * @param $association - object loaded from openid_association or openid_server_association table - * - important fields are ->assoc_type and ->mac_key - * @param $message_array - array of entire message about to be sent - * @param $keys_to_sign - keys in the message to include in signature (without - * 'openid.' appended) - */ -function _openid_signature($association, $message_array, $keys_to_sign) { - $signature = ''; - $sign_data = array(); - - foreach ($keys_to_sign as $key) { - if (isset($message_array['openid.' . $key])) { - $sign_data[$key] = $message_array['openid.' . $key]; - } - } - - $message = _openid_create_message($sign_data); - $secret = base64_decode($association->mac_key); - $signature = hash_hmac('sha1', $message, $secret, TRUE); - - return base64_encode($signature); -} - -function _openid_dh_base64_to_long($str) { - $b64 = base64_decode($str); - - return _openid_dh_binary_to_long($b64); -} - -function _openid_dh_long_to_base64($str) { - return base64_encode(_openid_dh_long_to_binary($str)); -} - -function _openid_dh_binary_to_long($str) { - $bytes = array_merge(unpack('C*', $str)); - - $n = 0; - foreach ($bytes as $byte) { - $n = _openid_math_mul($n, pow(2, 8)); - $n = _openid_math_add($n, $byte); - } - - return $n; -} - -function _openid_dh_long_to_binary($long) { - $cmp = _openid_math_cmp($long, 0); - if ($cmp < 0) { - return FALSE; - } - - if ($cmp == 0) { - return "\x00"; - } - - $bytes = array(); - - while (_openid_math_cmp($long, 0) > 0) { - array_unshift($bytes, _openid_math_mod($long, 256)); - $long = _openid_math_div($long, pow(2, 8)); - } - - if ($bytes && ($bytes[0] > 127)) { - array_unshift($bytes, 0); - } - - $string = ''; - foreach ($bytes as $byte) { - $string .= pack('C', $byte); - } - - return $string; -} - -function _openid_dh_xorsecret($shared, 
$secret) { - $dh_shared_str = _openid_dh_long_to_binary($shared); - $sha1_dh_shared = sha1($dh_shared_str, TRUE); - $xsecret = ""; - for ($i = 0; $i < strlen($secret); $i++) { - $xsecret .= chr(ord($secret[$i]) ^ ord($sha1_dh_shared[$i])); - } - - return $xsecret; -} - -function _openid_dh_rand($stop) { - $duplicate_cache = &drupal_static(__FUNCTION__, array()); - - // Used as the key for the duplicate cache - $rbytes = _openid_dh_long_to_binary($stop); - - if (isset($duplicate_cache[$rbytes])) { - list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; - } - else { - if ($rbytes[0] == "\x00") { - $nbytes = strlen($rbytes) - 1; - } - else { - $nbytes = strlen($rbytes); - } - - $mxrand = _openid_math_pow(256, $nbytes); - - // If we get a number less than this, then it is in the - // duplicated range. - $duplicate = _openid_math_mod($mxrand, $stop); - - if (count($duplicate_cache) > 10) { - $duplicate_cache = array(); - } - - $duplicate_cache[$rbytes] = array($duplicate, $nbytes); - } - - do { - $bytes = "\x00" . _openid_get_bytes($nbytes); - $n = _openid_dh_binary_to_long($bytes); - // Keep looping if this value is in the low duplicated range. 
- } while (_openid_math_cmp($n, $duplicate) < 0); - - return _openid_math_mod($n, $stop); -} - -function _openid_get_bytes($num_bytes) { - $f = &drupal_static(__FUNCTION__); - $bytes = ''; - if (!isset($f)) { - $f = @fopen(OPENID_RAND_SOURCE, "r"); - } - if (!$f) { - // pseudorandom used - $bytes = ''; - for ($i = 0; $i < $num_bytes; $i += 4) { - $bytes .= pack('L', mt_rand()); - } - $bytes = substr($bytes, 0, $num_bytes); - } - else { - $bytes = fread($f, $num_bytes); - } - return $bytes; -} - -function _openid_response($str = NULL) { - $data = array(); - - if (isset($_SERVER['REQUEST_METHOD'])) { - $data = _openid_get_params($_SERVER['QUERY_STRING']); - - if ($_SERVER['REQUEST_METHOD'] == 'POST') { - $str = file_get_contents('php://input'); - - $post = array(); - if ($str !== FALSE) { - $post = _openid_get_params($str); - } - - $data = array_merge($data, $post); - } - } - - return $data; -} - -function _openid_get_params($str) { - $chunks = explode("&", $str); - - $data = array(); - foreach ($chunks as $chunk) { - $parts = explode("=", $chunk, 2); - - if (count($parts) == 2) { - list($k, $v) = $parts; - $data[$k] = urldecode($v); - } - } - return $data; -} - -/** - * Extract all the parameters belonging to an extension in a response message. - * - * OpenID 2.0 defines a simple extension mechanism, based on a namespace prefix. - * - * Each request or response can define a prefix using: - * @code - * openid.ns.[prefix] = [extension_namespace] - * openid.[prefix].[key1] = [value1] - * openid.[prefix].[key2] = [value2] - * ... - * @endcode - * - * This function extracts all the keys belonging to an extension namespace in a - * response, optionally using a fallback prefix if none is provided in the response. - * - * Note that you cannot assume that a given extension namespace will use the same - * prefix on the response and the request: each party may use a different prefix - * to refer to the same namespace. - * - * @param $response - * The response array. 
- * @param $extension_namespace - * The namespace of the extension. - * @param $fallback_prefix - * An optional prefix that will be used in case no prefix is found for the - * target extension namespace. - * @param $only_signed - * Return only keys that are included in the message signature in openid.sig. - * Unsigned fields may have been modified or added by other parties than the - * OpenID Provider. - * - * @return - * An associative array containing all the parameters in the response message - * that belong to the extension. The keys are stripped from their namespace - * prefix. - * - * @see http://openid.net/specs/openid-authentication-2_0.html#extensions - */ -function openid_extract_namespace($response, $extension_namespace, $fallback_prefix = NULL, $only_signed = FALSE) { - $signed_keys = explode(',', $response['openid.signed']); - - // Find the namespace prefix. - $prefix = $fallback_prefix; - foreach ($response as $key => $value) { - if ($value == $extension_namespace && preg_match('/^openid\.ns\.([^.]+)$/', $key, $matches)) { - $prefix = $matches[1]; - if ($only_signed && !in_array('ns.' . $matches[1], $signed_keys)) { - // The namespace was defined but was not signed as required. In this - // case we do not fall back to $fallback_prefix. - $prefix = NULL; - } - break; - } - } - - // Now extract the namespace keys from the response. - $output = array(); - if (!isset($prefix)) { - return $output; - } - foreach ($response as $key => $value) { - if (preg_match('/^openid\.' . $prefix . '\.(.+)$/', $key, $matches)) { - $local_key = $matches[1]; - if (!$only_signed || in_array($prefix . '.' . $local_key, $signed_keys)) { - $output[$local_key] = $value; - } - } - } - - return $output; -} - -/** - * Extracts values from an OpenID AX Response. - * - * The values can be returned in two forms: - * - only openid.ax.value. (for single-valued answers) - * - both openid.ax.count. and openid.ax.value.. 
(for both - * single and multiple-valued answers) - * - * @param $values - * An array as returned by openid_extract_namespace(..., OPENID_NS_AX). - * @param $uris - * An array of identifier URIs. - * @return - * An array of values. - * @see http://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_response - */ -function openid_extract_ax_values($values, $uris) { - $output = array(); - foreach ($values as $key => $value) { - if (in_array($value, $uris) && preg_match('/^type\.([^.]+)$/', $key, $matches)) { - $alias = $matches[1]; - if (isset($values['count.' . $alias])) { - for ($i = 1; $i <= $values['count.' . $alias]; $i++) { - $output[] = $values['value.' . $alias . '.' . $i]; - } - } - elseif (isset($values['value.' . $alias])) { - $output[] = $values['value.' . $alias]; - } - break; - } - } - return $output; -} - -/** - * Determine the available math library GMP vs. BCMath, favouring GMP for performance. - */ -function _openid_get_math_library() { - // Not drupal_static(), because a function is not going to disappear and - // change the output of this under any circumstances. - static $library; - - if (empty($library)) { - if (function_exists('gmp_add')) { - $library = 'gmp'; - } - elseif (function_exists('bcadd')) { - $library = 'bcmath'; - } - } - - return $library; -} - -/** - * Calls the add function from the available math library for OpenID. - */ -function _openid_math_add($x, $y) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_strval(gmp_add($x, $y)); - case 'bcmath': - return bcadd($x, $y); - } -} - -/** - * Calls the mul function from the available math library for OpenID. - */ -function _openid_math_mul($x, $y) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_mul($x, $y); - case 'bcmath': - return bcmul($x, $y); - } -} - -/** - * Calls the div function from the available math library for OpenID. 
- */ -function _openid_math_div($x, $y) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_div($x, $y); - case 'bcmath': - return bcdiv($x, $y); - } -} - -/** - * Calls the cmp function from the available math library for OpenID. - */ -function _openid_math_cmp($x, $y) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_cmp($x, $y); - case 'bcmath': - return bccomp($x, $y); - } -} - -/** - * Calls the mod function from the available math library for OpenID. - */ -function _openid_math_mod($x, $y) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_mod($x, $y); - case 'bcmath': - return bcmod($x, $y); - } -} - -/** - * Calls the pow function from the available math library for OpenID. - */ -function _openid_math_pow($x, $y) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_pow($x, $y); - case 'bcmath': - return bcpow($x, $y); - } -} - -/** - * Calls the mul function from the available math library for OpenID. - */ -function _openid_math_powmod($x, $y, $z) { - $library = _openid_get_math_library(); - switch ($library) { - case 'gmp': - return gmp_powm($x, $y, $z); - case 'bcmath': - return bcpowmod($x, $y, $z); - } -} diff --git a/core/modules/openid/openid.info.yml b/core/modules/openid/openid.info.yml deleted file mode 100644 index 4c6fc0d..0000000 --- a/core/modules/openid/openid.info.yml +++ /dev/null @@ -1,6 +0,0 @@ -name: OpenID -type: module -description: 'Allows users to log into your site using OpenID.' -version: VERSION -package: Core -core: 8.x diff --git a/core/modules/openid/openid.install b/core/modules/openid/openid.install deleted file mode 100644 index 820a8e0..0000000 --- a/core/modules/openid/openid.install +++ /dev/null 
@@ -1,234 +0,0 @@ - 'Stores temporary shared key association information for OpenID authentication.', - 'fields' => array( - 'idp_endpoint_uri' => array( - 'type' => 'varchar', - 'length' => 255, - 'description' => 'URI of the OpenID Provider endpoint.', - ), - 'assoc_handle' => array( - 'type' => 'varchar', - 'length' => 255, - 'not null' => TRUE, - 'description' => 'Primary Key: Used to refer to this association in subsequent messages.', - ), - 'assoc_type' => array( - 'type' => 'varchar', - 'length' => 32, - 'description' => 'The signature algorithm used: one of HMAC-SHA1 or HMAC-SHA256.', - ), - 'session_type' => array( - 'type' => 'varchar', - 'length' => 32, - 'description' => 'Valid association session types: "no-encryption", "DH-SHA1", and "DH-SHA256".', - ), - 'mac_key' => array( - 'type' => 'varchar', - 'length' => 255, - 'description' => 'The MAC key (shared secret) for this association.', - ), - 'created' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - 'description' => 'UNIX timestamp for when the association was created.', - ), - 'expires_in' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - 'description' => 'The lifetime, in seconds, of this association.', - ), - ), - 'primary key' => array('assoc_handle'), - ); - - $schema['openid_identities'] = array( - 'description' => 'Stores OpenID authentication mapping.', - 'fields' => array( - 'aid' => array( - 'description' => 'Primary Key: Unique authmap ID.', - 'type' => 'serial', - 'unsigned' => TRUE, - 'not null' => TRUE, - ), - 'uid' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - 'description' => "User's {users}.uid.", - ), - 'identifier' => array( - 'type' => 'varchar', - 'length' => 128, - 'not null' => TRUE, - 'default' => '', - 'description' => 'Unique OpenID identifier.', - ), - ), - 'unique keys' => array( - 'identifier' => array('identifier'), - ), - 'primary key' => array('aid'), - 'foreign keys' => array( - 'user' => array( - 
'table' => 'users', - 'columns' => array('uid' => 'uid'), - ), - ), - ); - - $schema['openid_nonce'] = array( - 'description' => 'Stores received openid.response_nonce per OpenID endpoint URL to prevent replay attacks.', - 'fields' => array( - 'idp_endpoint_uri' => array( - 'type' => 'varchar', - 'length' => 255, - 'description' => 'URI of the OpenID Provider endpoint.', - ), - 'nonce' => array( - 'type' => 'varchar', - 'length' => 255, - 'description' => 'The value of openid.response_nonce.', - ), - 'expires' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - 'description' => 'A Unix timestamp indicating when the entry should expire.', - ), - ), - 'indexes' => array( - 'nonce' => array('nonce'), - 'expires' => array('expires'), - ), - ); - - return $schema; -} - -/** - * Implements hook_requirements(). - */ -function openid_requirements($phase) { - $requirements = array(); - - if ($phase == 'runtime') { - // Check for the PHP BC Math library. - if (!function_exists('bcadd') && !function_exists('gmp_add')) { - $requirements['openid_math'] = array( - 'value' => t('Not installed'), - 'severity' => REQUIREMENT_ERROR, - 'description' => t('OpenID suggests the use of either the GMP Math (recommended for performance) or BC Math libraries to enable OpenID associations.', array('@gmp' => 'http://php.net/manual/book.gmp.php', '@bc' => 'http://www.php.net/manual/book.bc.php')), - ); - } - elseif (!function_exists('gmp_add')) { - $requirements['openid_math'] = array( - 'value' => t('Not optimized'), - 'severity' => REQUIREMENT_WARNING, - 'description' => t('OpenID suggests the use of the GMP Math library for PHP for optimal performance. 
Check the GMP Math Library documentation for installation instructions.', array('@url' => 'http://www.php.net/manual/book.gmp.php')), - ); - } - else { - $requirements['openid_math'] = array( - 'value' => t('Installed'), - ); - } - $requirements['openid_math']['title'] = t('OpenID Math library'); - } - - return $requirements; -} - -/** - * Implements hook_update_last_removed(). - */ -function openid_update_last_removed() { - return 6000; -} - -/** - * @addtogroup updates-7.x-to-8.x - * @{ - */ - -/** - * Moves xri_proxy_resolver settings from variable to config. - * - * @ingroup config_upgrade - */ -function openid_update_8001() { - update_variables_to_config('openid.settings', array( - 'xri_proxy_resolver' => 'xri_proxy_resolver', - )); -} -/** - * Move authentication mapping to an OpenID managed table. - */ -function openid_update_8002() { - $schema['openid_identities'] = array( - 'description' => 'Stores OpenID authentication mapping.', - 'fields' => array( - 'aid' => array( - 'description' => 'Primary Key: Unique authmap ID.', - 'type' => 'serial', - 'unsigned' => TRUE, - 'not null' => TRUE, - ), - 'uid' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - 'description' => "User's {users}.uid.", - ), - 'identifier' => array( - 'type' => 'varchar', - 'length' => 128, - 'not null' => TRUE, - 'default' => '', - 'description' => 'Unique OpenID identifier.', - ), - ), - 'unique keys' => array( - 'identifier' => array('identifier'), - ), - 'primary key' => array('aid'), - 'foreign keys' => array( - 'user' => array( - 'table' => 'users', - 'columns' => array('uid' => 'uid'), - ), - ), - ); - - db_create_table('openid_identities', $schema['openid_identities']); - - // Migrate entries from {authmap} to {openid_identities}. 
- $query = db_select('authmap', 'a')
- ->condition('module', 'openid');
- $query->addField('a', 'uid');
- $query->addField('a', 'authname', 'identifier');
- db_insert('openid_identities')
- ->from($query)
- ->execute();
-
- // Remove old entries in {authmap}.
- db_delete('authmap')
- ->condition('module', 'openid')
- ->execute();
-}
-
-/**
- * @} End of "addtogroup updates-7.x-to-8.x".
- */
diff --git a/core/modules/openid/openid.js b/core/modules/openid/openid.js
deleted file mode 100644
index ac69b82..0000000
--- a/core/modules/openid/openid.js
+++ /dev/null
@@ -1,46 +0,0 @@
-(function ($) {
-
-"use strict";
-
-Drupal.behaviors.openid = {
- attach: function (context) {
- function clearStatus ($form) {
- $form.find('input:first').focus();
- // Clear input fields and reset any validation errors.
- $form[0].reset();
-
- // Reset error state.
- $form.find('.error').removeClass('error');
-
- // Forget saved identifier.
- $.cookie('Drupal.visitor.openid_identifier', null);
- }
-
- if ($('#block-user-login').length) {
- var $login_form = $('#user-login-form');
- var $openid_form = $('#openid-login-form');
-
- // Change link text and triggers loginchange event.
- var toggleClick = true;
- $('#block-user-login .openid-link').on('click', function() {
- if (toggleClick) {
- $(this).html(Drupal.t('Cancel OpenID login'));
- $login_form.hide();
- $openid_form.show();
- clearStatus($login_form);
- // Move focus to OpenID input.
- $('#edit-openid-identifier').focus();
- }
- else {
- $(this).html(Drupal.t('Log in using OpenID'));
- $login_form.show();
- $openid_form.hide();
- clearStatus($openid_form);
- }
- toggleClick = !toggleClick;
- });
- }
-
- }
-};
-})(jQuery, Drupal);
diff --git a/core/modules/openid/openid.module b/core/modules/openid/openid.module
deleted file mode 100644
index 51fe3c2..0000000
--- a/core/modules/openid/openid.module
+++ /dev/null
@@ -1,1136 +0,0 @@ - 'OpenID Login', - 'page callback' => 'openid_authentication_page', - 'access callback' => 'user_is_anonymous', - 'type' => MENU_CALLBACK, - 'file' => 'openid.pages.inc', - ); - $items['user/login/openid'] = array( - 'title' => 'OpenID', - 'page callback' => 'drupal_get_form', - 'page arguments' => array('openid_login_form'), - 'access callback' => 'user_is_anonymous', - 'type' => MENU_LOCAL_TASK, - ); - $items['user/%user/openid'] = array( - 'title' => 'OpenID identities', - 'page callback' => 'openid_user_identities', - 'page arguments' => array(1), - 'access callback' => 'entity_page_access', - 'access arguments' => array(1, 'update'), - 'type' => MENU_LOCAL_TASK, - 'file' => 'openid.pages.inc', - ); - $items['user/%user/openid/delete'] = array( - 'title' => 'Delete OpenID', - 'route_name' => 'openid_user_delete_form', - ); - return $items; -} - -/** - * Implements hook_menu_site_status_alter(). - */ -function openid_menu_site_status_alter(&$menu_site_status, $path) { - // Allow access to openid/authenticate even if site is in offline mode. - if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && in_array($path, array('openid/authenticate', 'user/login/openid'))) { - $menu_site_status = MENU_SITE_ONLINE; - } -} - -/** - * Implements hook_admin_paths(). - */ -function openid_admin_paths() { - $paths = array( - 'user/*/openid' => TRUE, - 'user/*/openid/delete' => TRUE, - ); - return $paths; -} - -/** - * Implements hook_help(). - */ -function openid_help($path, $arg) { - switch ($path) { - case 'user/%/openid': - $output = '

' . t('This site supports OpenID, a secure way to log in to many websites using a single username and password. OpenID can reduce the necessity of managing many usernames and passwords for many websites.', array('@openid-net' => 'http://openid.net')) . '

'; - $output .= '

' . t('To use OpenID you must first establish an identity on a public or private OpenID server. If you do not have an OpenID and would like one, look into one of the free public providers. You can find out more about OpenID at this website.', array('@openid-providers' => 'http://openid.net/get/', '@openid-net' => 'http://openid.net')) . '

'; - $output .= '

' . t('If you already have an OpenID, enter the URL to your OpenID server below (e.g. myusername.openidprovider.com). Next time you log in, you will be able to use this URL instead of a regular username and password. You can have multiple OpenID servers if you like; just keep adding them here.') . '

'; - return $output; - case 'admin/help#openid': - $output = ''; - $output .= '

' . t('About') . '

'; - $output .= '

' . t('The OpenID module allows users to log in using the OpenID single sign on service. OpenID is a secure method for logging into many websites with a single username and password. It does not require special software, and it does not share passwords with any site to which it is associated, including the site being logged into. The main benefit to users is that they can have a single password that they can use on many websites. This means they can easily update their single password from a centralized location, rather than having to change dozens of passwords individually. For more information, see the online handbook entry for OpenID module.', array('@openid-net' => 'http://openid.net', '@handbook' => 'http://drupal.org/documentation/modules/openid')) . '

'; - $output .= '

' . t('Uses') . '

'; - $output .= '
'; - $output .= '
' . t('Logging in with OpenID') . '
'; - $output .= '
' . t("To log in using OpenID, a user must already have an OpenID account. Users can then create site accounts using their OpenID, assign one or more OpenIDs to an existing account, and log in using an OpenID. This lowers the barrier to registration, which helps increase the user base, and offers convenience and security to the users. Because OpenID cannot guarantee a user is legitimate, email verification is still necessary. When logging in, users are presented with the option of entering their OpenID URL, which will look like myusername.openidprovider.com. The site then communicates with the OpenID server, asking it to verify the identity of the user. If the user is logged into their OpenID server, the server communicates back to your site, verifying the user. If they are not logged in, the OpenID server will ask the user for their password. At no point does the site being logged into record the user's OpenID password.") . '
'; - $output .= '
'; - return $output; - } -} - -/** - * Fetch a user object by OpenID identifier. - * - * @param $identifier - * The OpenID identifier. - * - * @return - * A fully-loaded user object if the user is found or FALSE if not found. - */ -function openid_external_load($identifier) { - $uid = db_query("SELECT uid FROM {openid_identities} WHERE identifier = :identifier", array(':identifier' => $identifier))->fetchField(); - if ($uid) { - return user_load($uid); - } - return FALSE; -} - -/** - * Implements hook_user_delete(). - */ -function openid_user_delete($account) { - db_delete('openid_identities') - ->condition('uid', $account->uid) - ->execute(); -} - -/** - * Implements hook_user_insert(). - */ -function openid_user_insert($account) { - if (!empty($account->openid_claimed_id)) { - // The user has registered after trying to log in via OpenID. - if (config('user.settings')->get('verify_mail')) { - drupal_set_message(t('Once you have verified your e-mail address, you may log in via OpenID.')); - } - db_insert('openid_identities') - ->fields(array( - 'uid' => $account->uid, - 'identifier' => $account->openid_claimed_id, - )) - ->execute(); - unset($_SESSION['openid']); - unset($account->openid_claimed_id); - } -} - -/** - * Implements hook_user_login(). - * - * Save openid_identifier to visitor cookie. - */ -function openid_user_login($account) { - if (isset($_SESSION['openid'])) { - // The user has logged in via OpenID. - user_cookie_save(array_intersect_key($_SESSION['openid']['user_login_values'], array_flip(array('openid_identifier')))); - unset($_SESSION['openid']); - } -} - -/** - * Implements hook_user_logout(). - * - * Delete any openid_identifier in visitor cookie. - */ -function openid_user_logout($account) { - if (isset($_COOKIE['Drupal_visitor_openid_identifier'])) { - user_cookie_delete('openid_identifier'); - } -} - -/** - * Implements hook_block_view_BASE_BLOCK_ID_alter() for 'user_login_block'. - * - * Adds the OpenID login form to the user login block. 
- * - * @see \Drupal\user\Plugin\block\block\UserLoginBlock - */ -function openid_block_view_user_login_block_alter(array &$build, BlockPluginInterface $block) { - // Only alter the block when it is non-empty, i.e. when no user is logged in. - if (!isset($build['content']['user_login_form'])) { - return; - } - - $build['content']['openid_login_form'] = drupal_get_form('openid_login_form'); - $build['content']['openid_login_form']['openid_identifier']['#size'] = $build['content']['user_login_form']['name']['#size']; - - // Put an OpenID link as a first element. - $build['content']['user_links']['#items'] = array( - l(t('Log in using OpenID'), 'user/login/openid', array( - 'attributes' => array( - 'title' => t('Log in using OpenID.'), - 'class' => array('openid-link'), - 'role' => 'button', - 'tabindex' => 0, - ), - )) - ) + $build['content']['user_links']['#items']; - - // Move links under the openid form. - $build['content']['user_links']['#weight'] = 10; -} - -/** - * Form constructor for the OpenID login form. - * - * @see openid_login_form_submit() - */ -function openid_login_form($form) { - $form['#attached']['library'][] = array('openid', 'drupal.openid'); - - $form['openid_identifier'] = array( - '#type' => 'textfield', - '#title' => t('OpenID'), - '#maxlength' => 255, - '#description' => l(t('What is OpenID?'), 'http://openid.net/', array('external' => TRUE)), - '#required' => TRUE, - ); - - $form['openid.return_to'] = array( - '#type' => 'hidden', - '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => user_login_destination())), - ); - - $form['actions'] = array('#type' => 'actions'); - $form['actions']['submit'] = array('#type' => 'submit', '#value' => t('Log in')); - - return $form; -} - -/** - * Form submit handler for openid_login_form(). 
- * - * @see openid_login_form() - */ -function openid_login_form_submit($form, &$form_state) { - $return_to = $form_state['values']['openid.return_to']; - if (empty($return_to)) { - $return_to = url('', array('absolute' => TRUE)); - } - - openid_begin($form_state['values']['openid_identifier'], $return_to, $form_state['values']); -} - -/** - * Implements hook_form_FORM_ID_alter(). - * - * Prefills the login form with values acquired via OpenID. - */ -function openid_form_user_register_form_alter(&$form, &$form_state) { - if (isset($_SESSION['openid']['response'])) { - module_load_include('inc', 'openid'); - - $response = $_SESSION['openid']['response']; - - // Extract Simple Registration keys from the response. We only include - // signed keys as required by OpenID Simple Registration Extension 1.0, - // section 4. - $sreg_values = openid_extract_namespace($response, OPENID_NS_SREG, 'sreg', TRUE); - // Extract Attribute Exchanges keys from the response. We only include - // signed keys. This is not required by the specification, but it is - // recommended by Google, see - // http://googlecode.blogspot.com/2011/05/security-advisory-to-websites-using.html - $ax_values = openid_extract_namespace($response, OPENID_NS_AX, 'ax', TRUE); - - if (!empty($sreg_values['nickname'])) { - // Use the nickname returned by Simple Registration if available. - $form['account']['name']['#default_value'] = $sreg_values['nickname']; - } - elseif ($ax_name_values = openid_extract_ax_values($ax_values, array('http://axschema.org/namePerson/friendly', 'http://schema.openid.net/namePerson/friendly'))) { - // Else, use the first nickname returned by AX if available. - $form['account']['name']['#default_value'] = current($ax_name_values); - } - else { - $form['account']['name']['#default_value'] = ''; - } - - if (!empty($sreg_values['email'])) { - // Use the email returned by Simple Registration if available. 
- $form['account']['mail']['#default_value'] = $sreg_values['email']; - } - elseif ($ax_mail_values = openid_extract_ax_values($ax_values, array('http://axschema.org/contact/email', 'http://schema.openid.net/contact/email'))) { - // Else, use the first nickname returned by AX if available. - $form['account']['mail']['#default_value'] = current($ax_mail_values); - } - - // If email verification is off, hide the password field and just fill - // with random password to avoid confusion. - if (!config('user.settings')->get('verify_mail')) { - $form['account']['pass']['#type'] = 'hidden'; - $form['account']['pass']['#value'] = user_password(); - } - - $timezone = FALSE; - if (!empty($sreg_values['timezone'])) { - $timezone = $sreg_values['timezone']; - } - elseif ($ax_timezone_values = openid_extract_ax_values($ax_values, array('http://axschema.org/pref/timezone', 'http://openid.net/schema/timezone'))) { - $timezone = current($ax_timezone_values); - } - if (in_array($timezone, timezone_identifiers_list())) { - $account = $form_state['controller']->getEntity(); - $account->timezone = $timezone; - } - - $language = FALSE; - if (!empty($sreg_values['language'])) { - $language = $sreg_values['language']; - } - elseif ($ax_language_values = openid_extract_ax_values($ax_values, array('http://axschema.org/pref/language', 'http://openid.net/schema/language/pref'))) { - $language = current($ax_language_values); - } - if ($language) { - // The OpenID Simple Registration Extension specification is unclear about - // the format of openid.sreg.language. Codes like "EN" and "ZH_CN" have - // been observed. - // AX values are in RFC 4646 format, e.g. "de", "en-GB", "en-Latn-GB", - // "zh-Hans", or "zh-Hans-CN". The first part is the language, the second - // is the script, and the third is the region. Other parts are also - // defined, but we will not use them here. All parts except the first are - // optional. 
- // We generate a list of all permutations of the first three parts and - // match them against the list of enabled languages. E.g. if the user's - // preferred langugage is "en-GB", we look for "en-gb" (Drupal's language - // codes are lower-case) or fall back to "en". - $parts = preg_split('/[_-]/', strtolower($language)); - $candidate_langcodes[] = $parts[0]; - if (count($parts) > 1) { - $candidate_langcodes[] = $parts[0] . '-' . $parts[1]; - } - if (count($parts) > 2) { - $candidate_langcodes[] = $parts[0] . '-' . $parts[2]; - $candidate_langcodes[] = $parts[0] . '-' . $parts[1] . '-' . $parts[2]; - } - $languages = language_list(); - // Iterate over the generated permutations starting with the longest (most - // specific) strings. - foreach (array_reverse($candidate_langcodes) as $candidate_langcode) { - if (isset($languages[$candidate_langcode])) { - $form['language']['preferred_langcode']['#type'] = 'hidden'; - $form['language']['preferred_langcode']['#value'] = $candidate_langcode; - // Skip the rest of the foreach to not overwrite the specific - // language we found. - break; - } - } - } - - $form['openid_claimed_id'] = array( - '#type' => 'value', - '#default_value' => $response['openid.claimed_id'], - ); - $form['openid_display'] = array( - '#type' => 'item', - '#title' => t('Your OpenID'), - '#description' => t('This OpenID will be attached to your account after registration.'), - '#markup' => check_plain($response['openid.claimed_id']), - ); - } -} - -/** - * The initial step of OpenID authentication responsible for the following: - * - Perform discovery on the claimed OpenID. - * - If possible, create an association with the Provider's endpoint. - * - Create the authentication request. - * - Perform the appropriate redirect. 
- * - * @param $claimed_id The OpenID to authenticate - * @param $return_to The endpoint to return to from the OpenID Provider - */ -function openid_begin($claimed_id, $return_to = '', $form_values = array()) { - module_load_include('inc', 'openid'); - - $service = NULL; - $claimed_id = openid_normalize($claimed_id); - $discovery = openid_discovery($claimed_id); - - if (!empty($discovery['services'])) { - $service = _openid_select_service($discovery['services']); - } - - // Quit if the discovery result was empty or if we can't select any service. - if (!$discovery || !$service) { - form_set_error('openid_identifier', t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.')); - return; - } - - // Set claimed id from discovery. - if (!empty($discovery['claimed_id'])) { - $claimed_id = $discovery['claimed_id']; - } - - // Store discovered information in the users' session so we don't have to rediscover. - $_SESSION['openid']['service'] = $service; - // Store the claimed id - $_SESSION['openid']['claimed_id'] = $claimed_id; - // Store the login form values so we can pass them to - // user_exteral_login later. - $_SESSION['openid']['user_login_values'] = $form_values; - - // If a supported math library is present, then create an association. - $assoc_handle = ''; - if (_openid_get_math_library()) { - $assoc_handle = openid_association($service['uri']); - } - - if (in_array('http://specs.openid.net/auth/2.0/server', $service['types'])) { - // User entered an OP Identifier. - $claimed_id = $identity = 'http://specs.openid.net/auth/2.0/identifier_select'; - } - else { - // Use Claimed ID and/or OP-Local Identifier from service description, if - // available. - if (!empty($service['claimed_id'])) { - $claimed_id = $service['claimed_id']; - } - $identity = !empty($service['identity']) ? 
$service['identity'] : $claimed_id; - } - $request = openid_authentication_request($claimed_id, $identity, $return_to, $assoc_handle, $service); - - if ($service['version'] == 2) { - openid_redirect($service['uri'], $request); - } - else { - openid_redirect_http($service['uri'], $request); - } -} - -/** - * Completes OpenID authentication by validating returned data from the OpenID - * Provider. - * - * @param $response Array of returned values from the OpenID Provider. - * - * @return $response Response values for further processing with - * $response['status'] set to one of 'success', 'failed' or 'cancel'. - */ -function openid_complete($response = array()) { - module_load_include('inc', 'openid'); - - if (count($response) == 0) { - $response = _openid_response(); - } - - // Default to failed response - $response['status'] = 'failed'; - if (isset($_SESSION['openid']['service']['uri']) && isset($_SESSION['openid']['claimed_id'])) { - $service = $_SESSION['openid']['service']; - $claimed_id = $_SESSION['openid']['claimed_id']; - unset($_SESSION['openid']['service']); - unset($_SESSION['openid']['claimed_id']); - if (isset($response['openid.mode'])) { - if ($response['openid.mode'] == 'cancel') { - $response['status'] = 'cancel'; - } - else { - if (openid_verify_assertion($service, $response)) { - // OpenID Authentication, section 7.3.2.3 and Appendix A.5: - // The CanonicalID specified in the XRDS document must be used as the - // account key. 
We rely on the XRI proxy resolver to verify that the - // provider is authorized to respond on behalf of the specified - // identifer (required per Extensible Resource Identifier (XRI) - // (XRI) Resolution Version 2.0, section 14.3): - if (!empty($service['claimed_id'])) { - $response['openid.claimed_id'] = $service['claimed_id']; - } - elseif ($service['version'] == 2) { - // Returned Claimed Identifier could contain unique fragment - // identifier to allow identifier recycling so we need to preserve - // it in the response. - $response_claimed_id = openid_normalize($response['openid.claimed_id']); - - // OpenID Authentication, section 11.2: - // If the returned Claimed Identifier is different from the one sent - // to the OpenID Provider, we need to do discovery on the returned - // identififer to make sure that the provider is authorized to - // respond on behalf of this. - if ($response_claimed_id != $claimed_id) { - $discovery = openid_discovery($response['openid.claimed_id']); - if ($discovery && !empty($discovery['services'])) { - $uris = array(); - foreach ($discovery['services'] as $discovered_service) { - if (in_array('http://specs.openid.net/auth/2.0/server', $discovered_service['types']) || in_array('http://specs.openid.net/auth/2.0/signon', $discovered_service['types'])) { - $uris[] = $discovered_service['uri']; - } - } - } - if (!in_array($service['uri'], $uris)) { - return $response; - } - } - } - else { - $response['openid.claimed_id'] = $claimed_id; - } - $response['status'] = 'success'; - } - } - } - } - return $response; -} - -/** - * Perform discovery on a claimed ID to determine the OpenID provider endpoint. - * - * Discovery methods are provided by the hook_openid_discovery_method_info and - * could be further altered using the hook_openid_discovery_method_info_alter. - * - * @param $claimed_id - * The OpenID URL to perform discovery on. 
- * - * @return - * The resulting discovery array from the first successful discovery method, - * which must contain following keys: - * - 'services' (required) an array of discovered services (including OpenID - * version, endpoint URI, etc). - * - 'claimed_id' (optional) new claimed identifer, found by following HTTP - * redirects during the services discovery. - * If all the discovery method fails or if no appropriate discovery method is - * found, FALSE is returned. - */ -function openid_discovery($claimed_id) { - module_load_include('inc', 'openid'); - - $methods = module_invoke_all('openid_discovery_method_info'); - drupal_alter('openid_discovery_method_info', $methods); - - // Execute each method in turn and return first successful discovery. - foreach ($methods as $method) { - $discovery = $method($claimed_id); - if (!empty($discovery)) { - return $discovery; - } - } - - return FALSE; -} - -/** - * Implements hook_openid_discovery_method_info(). - * - * Define standard discovery methods. - */ -function openid_openid_discovery_method_info() { - // The discovery process will stop as soon as one discovery method succeed. - // We first attempt to discover XRI-based identifiers, then standard XRDS - // identifiers via Yadis and HTML-based discovery, conforming to the OpenID 2.0 - // specification. - return array( - 'xri' => '_openid_xri_discovery', - 'xrds' => '_openid_xrds_discovery', - ); -} - -/** - * OpenID discovery method: perform an XRI discovery. - * - * @see http://openid.net/specs/openid-authentication-2_0.html#discovery - * @see hook_openid_discovery_method_info() - * @see openid_discovery() - * - * @return - * An array of discovered services and claimed identifier or NULL. See - * openid_discovery() for more specific information. - */ -function _openid_xri_discovery($claimed_id) { - if (_openid_is_xri($claimed_id)) { - // Resolve XRI using a proxy resolver (Extensible Resource Identifier (XRI) - // Resolution Version 2.0, section 11.2 and 14.3). 
- $xrds_url = config('openid.settings')->get('xri_proxy_resolver') . rawurlencode($claimed_id) . '?_xrd_r=application/xrds+xml'; - $discovery = _openid_xrds_discovery($xrds_url); - if (!empty($discovery['services']) && is_array($discovery['services'])) { - foreach ($discovery['services'] as $i => &$service) { - $status = $service['xrd']->children(OPENID_NS_XRD)->Status; - if ($status && $status->attributes()->cid == 'verified') { - $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID); - } - else { - // Ignore service if the Canonical ID could not be verified. - unset($discovery['services'][$i]); - } - } - if (!empty($discovery['services'])) { - return $discovery; - } - } - } -} - -/** - * OpenID discovery method: perform a XRDS discovery. - * - * @see http://openid.net/specs/openid-authentication-2_0.html#discovery - * @see hook_openid_discovery_method_info() - * @see openid_discovery() - * - * @return - * An array of discovered services and claimed identifier or NULL. See - * openid_discovery() for more specific information. - */ -function _openid_xrds_discovery($claimed_id) { - $services = array(); - - $xrds_url = $claimed_id; - $scheme = @parse_url($xrds_url, PHP_URL_SCHEME); - if ($scheme == 'http' || $scheme == 'https') { - // For regular URLs, try Yadis resolution first, then HTML-based discovery - try { - $client = Drupal::httpClient(); - $headers = array('Accept' => 'application/xrds+xml'); - $response = $client->get($xrds_url, $headers)->send(); - // Replace the user-entered claimed_id if we received a redirect. 
- if ($previous_response = $response->getPreviousResponse()) { - $claimed_id = openid_normalize($previous_response->getLocation()); - } - - if ($response->getHeader('content-type') && preg_match("/application\/xrds\+xml/", $response->getHeader('Content-Type'))) { - // Parse XML document to find URL - $services = _openid_xrds_parse($response->getBody(TRUE)); - } - else { - $xrds_url = $response->getHeader('x-xrds-location'); - if (empty($xrds_url)) { - // Look for meta http-equiv link in HTML head - $xrds_url = _openid_meta_httpequiv($response->getBody(TRUE)); - } - if (!empty($xrds_url)) { - $xrds_response = $client->get($xrds_url, $headers)->send(); - $services = _openid_xrds_parse($xrds_response->getBody(TRUE)); - } - } - - // Check for HTML delegation - if (count($services) == 0) { - // Look for 2.0 links - $body = $response->getBody(TRUE); - $uri = _openid_link_href('openid2.provider', $body); - $identity = _openid_link_href('openid2.local_id', $body); - $type = 'http://specs.openid.net/auth/2.0/signon'; - - // 1.x links - if (empty($uri)) { - $uri = _openid_link_href('openid.server', $body); - $identity = _openid_link_href('openid.delegate', $body); - $type = 'http://openid.net/signon/1.1'; - } - if (!empty($uri)) { - $services[] = array( - 'uri' => $uri, - 'identity' => $identity, - 'types' => array($type), - ); - } - } - if (!empty($services)) { - return array( - 'services' => $services, - 'claimed_id' => $claimed_id, - ); - } - } - catch (RequestException $exception) { - return; - } - } -} - -/** - * Implements hook_openid_normalization_method_info(). - * - * Define standard normalization methods. - */ -function openid_openid_normalization_method_info() { - // OpenID Authentication 2.0, section 7.2: - // If the User-supplied Identifier looks like an XRI, treat it as such; - // otherwise treat it as an HTTP URL. 
- return array( - 'xri' => '_openid_xri_normalize', - 'url' => '_openid_url_normalize', - ); -} - -/** - * Attempt to create a shared secret with the OpenID Provider. - * - * @param $op_endpoint URL of the OpenID Provider endpoint. - * - * @return $assoc_handle The association handle. - */ -function openid_association($op_endpoint) { - module_load_include('inc', 'openid'); - - // Remove Old Associations: - db_delete('openid_association') - ->where('created + expires_in < :request_time', array(':request_time' => REQUEST_TIME)) - ->execute(); - - // Check to see if we have an association for this IdP already - $assoc_handle = db_query("SELECT assoc_handle FROM {openid_association} WHERE idp_endpoint_uri = :endpoint", array(':endpoint' => $op_endpoint))->fetchField(); - if (empty($assoc_handle)) { - $mod = OPENID_DH_DEFAULT_MOD; - $gen = OPENID_DH_DEFAULT_GEN; - $r = _openid_dh_rand($mod); - $private = _openid_math_add($r, 1); - $public = _openid_math_powmod($gen, $private, $mod); - - // If there is no existing association, then request one - $assoc_request = openid_association_request($public); - $assoc_message = _openid_encode_message(_openid_create_message($assoc_request)); - try { - $headers = array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'); - $response = Drupal::httpClient() - ->post($op_endpoint, $headers, $assoc_message) - ->send(); - $assoc_response = _openid_parse_message($response->getBody(TRUE)); - if (isset($assoc_response['mode']) && $assoc_response['mode'] == 'error') { - return FALSE; - } - - if ($assoc_response['session_type'] == 'DH-SHA1') { - $spub = _openid_dh_base64_to_long($assoc_response['dh_server_public']); - $enc_mac_key = base64_decode($assoc_response['enc_mac_key']); - $shared = _openid_math_powmod($spub, $private, $mod); - $assoc_response['mac_key'] = base64_encode(_openid_dh_xorsecret($shared, $enc_mac_key)); - } - db_insert('openid_association') - ->fields(array( - 'idp_endpoint_uri' => $op_endpoint, - 
'session_type' => $assoc_response['session_type'], - 'assoc_handle' => $assoc_response['assoc_handle'], - 'assoc_type' => $assoc_response['assoc_type'], - 'expires_in' => $assoc_response['expires_in'], - 'mac_key' => $assoc_response['mac_key'], - 'created' => REQUEST_TIME, - )) - ->execute(); - $assoc_handle = $assoc_response['assoc_handle']; - } - catch (RequestException $exception) { - return FALSE; - } - } - return $assoc_handle; -} - -/** - * Authenticate a user or attempt registration. - * - * @param $response Response values from the OpenID Provider. - */ -function openid_authentication($response) { - $identity = $response['openid.claimed_id']; - - $account = openid_external_load($identity); - if (isset($account->uid)) { - if (!config('user.settings')->get('verify_mail') || $account->login) { - // Check if user is blocked. - $state['values']['name'] = $account->name; - user_login_name_validate(array(), $state); - if (!form_get_errors()) { - // Load global $user and perform final login tasks. - $form_state['uid'] = $account->uid; - user_login_form_submit(array(), $form_state); - } - } - else { - drupal_set_message(t('You must validate your email address for this account before logging in via OpenID.')); - } - // Let other modules act on OpenID login - module_invoke_all('openid_response', $response, $account); - } - elseif (config('user.settings')->get('register') != USER_REGISTER_ADMINISTRATORS_ONLY) { - // Register new user. - - // Save response for use in openid_form_user_register_form_alter(). 
- $_SESSION['openid']['response'] = $response; - - $form_state['values'] = array(); - $form_state['values']['op'] = t('Create new account'); - $account = entity_create('user', array()); - entity_form_submit($account, 'register', $form_state); - - if (empty($form_state['user'])) { - module_invoke_all('openid_response', $response, NULL); - } - else { - module_invoke_all('openid_response', $response, $form_state['user']); - drupal_goto(); - } - - $messages = drupal_get_messages('error'); - if (empty($form_state['values']['name']) || empty($form_state['values']['mail'])) { - // If the OpenID provider did not provide both a user name and an email - // address, ask the user to complete the registration manually instead of - // showing the error messages about the missing values generated by FAPI. - drupal_set_message(t('Complete the registration by filling out the form below. If you already have an account, you can log in now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'warning'); - } - else { - drupal_set_message(t('Account registration using the information provided by your OpenID provider failed due to the reasons listed below. Complete the registration by filling out the form below. If you already have an account, you can log in now and add your OpenID under "My account".', array('@login' => url('user/login'))), 'warning'); - // Append form validation errors below the above warning. - foreach ($messages['error'] as $message) { - drupal_set_message( $message, 'error'); - } - } - - // We were unable to register a valid new user. Redirect to the normal - // registration page and prefill with the values we received. 
- $destination = drupal_get_destination(); - unset($_GET['destination']); - drupal_goto('user/register', array('query' => $destination)); - } - else { - drupal_set_message(t('Only site administrators can create new user accounts.'), 'error'); - module_invoke_all('openid_response', $response, NULL); - } - drupal_goto(); -} - -function openid_association_request($public) { - module_load_include('inc', 'openid'); - - $request = array( - 'openid.ns' => OPENID_NS_2_0, - 'openid.mode' => 'associate', - 'openid.session_type' => 'DH-SHA1', - 'openid.assoc_type' => 'HMAC-SHA1' - ); - - if ($request['openid.session_type'] == 'DH-SHA1' || $request['openid.session_type'] == 'DH-SHA256') { - $cpub = _openid_dh_long_to_base64($public); - $request['openid.dh_consumer_public'] = $cpub; - } - - return $request; -} - -function openid_authentication_request($claimed_id, $identity, $return_to = '', $assoc_handle = '', $service) { - global $base_url; - - module_load_include('inc', 'openid'); - - $request = array( - 'openid.mode' => 'checkid_setup', - 'openid.identity' => $identity, - 'openid.assoc_handle' => $assoc_handle, - 'openid.return_to' => $return_to, - ); - - if ($service['version'] == 2) { - $request['openid.ns'] = OPENID_NS_2_0; - $request['openid.claimed_id'] = $claimed_id; - $request['openid.realm'] = $base_url .'/'; - } - else { - $request['openid.trust_root'] = $base_url .'/'; - } - - // Always request Simple Registration. The specification doesn't mandate - // that the Endpoint advertise OPENID_NS_SREG in the service description. - $request['openid.ns.sreg'] = OPENID_NS_SREG; - $request['openid.sreg.required'] = 'nickname,email'; - $request['openid.sreg.optional'] = 'timezone,language'; - - // Request Attribute Exchange, if available. - // We only request the minimum attributes we need here, contributed modules - // can alter the request to add more attribute, and map them to profile fields. 
- if (in_array(OPENID_NS_AX, $service['types'])) { - $request['openid.ns.ax'] = OPENID_NS_AX; - $request['openid.ax.mode'] = 'fetch_request'; - $request['openid.ax.required'] = 'mail_ao,name_ao,mail_son,name_son'; - $request['openid.ax.if_available'] = 'timezone_ao,language_ao,timezone_son,language_son'; - - // Implementors disagree on which URIs to use, even for simple - // attributes like name and email (*sigh*). We ask for both axschema.org - // attributes (which are supposed to be newer), and schema.openid.net ones - // (which are supposed to be legacy). - - // Attributes as defined by axschema.org. - $request['openid.ax.type.mail_ao'] = 'http://axschema.org/contact/email'; - $request['openid.ax.type.name_ao'] = 'http://axschema.org/namePerson/friendly'; - $request['openid.ax.type.timezone_ao'] = 'http://axschema.org/pref/timezone'; - $request['openid.ax.type.language_ao'] = 'http://axschema.org/pref/language'; - - // Attributes as defined by schema.openid.net. - $request['openid.ax.type.mail_son'] = 'http://schema.openid.net/contact/email'; - $request['openid.ax.type.name_son'] = 'http://schema.openid.net/namePerson/friendly'; - $request['openid.ax.type.timezone_son'] = 'http://openid.net/schema/timezone'; - $request['openid.ax.type.language_son'] = 'http://openid.net/schema/language/pref'; - } - - drupal_alter('openid_request', $request, $service); - - return $request; -} - -/** - * Attempt to verify the response received from the OpenID Provider. - * - * @param $service - * Array describing the OpenID provider. - * @param $response - * Array of response values from the provider. - * - * @return boolean - * @see http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4 - */ -function openid_verify_assertion($service, $response) { - module_load_include('inc', 'openid'); - - // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.3 - // Check the Nonce to protect against replay attacks. 
- if (!openid_verify_assertion_nonce($service, $response)) { - return FALSE; - } - - // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.1 - // Verifying the return URL. - if (!openid_verify_assertion_return_url($service, $response)) { - return FALSE; - } - - // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4 - // Verify the signatures. - $valid = FALSE; - $association = FALSE; - - // If the OP returned a openid.invalidate_handle, we have to proceed with - // direct verification: ignore the openid.assoc_handle, even if present. - // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.1 - if (!empty($response['openid.assoc_handle']) && empty($response['openid.invalidate_handle'])) { - $association = db_query("SELECT * FROM {openid_association} WHERE assoc_handle = :assoc_handle", array(':assoc_handle' => $response['openid.assoc_handle']))->fetchObject(); - } - - if ($association && isset($association->session_type)) { - // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2 - // Verification using an association. - $valid = openid_verify_assertion_signature($service, $association, $response); - } - else { - // http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2 - // Direct verification. - // The verification requests contain all the fields from the response, - // except openid.mode. 
- $request = $response; - $request['openid.mode'] = 'check_authentication'; - $message = _openid_create_message($request); - try { - $headers = array('Content-Type' => 'application/x-www-form-urlencoded; charset=utf-8'); - $http_response = Drupal::httpClient() - ->post($service['uri'], $headers, _openid_encode_message($message)) - ->send(); - $response = _openid_parse_message($http_response->getBody(TRUE)); - - if (strtolower(trim($response['is_valid'])) == 'true') { - $valid = TRUE; - if (!empty($response['invalidate_handle'])) { - // This association handle has expired on the OP side, remove it from the - // database to avoid reusing it again on a subsequent authentication request. - // See http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4.2.2 - db_delete('openid_association') - ->condition('assoc_handle', $response['invalidate_handle']) - ->execute(); - } - } - else { - $valid = FALSE; - } - } - catch (RequestException $exception) { - $valid = FALSE; - } - } - return $valid; -} - - -/** - * Verify the signature of the response received from the OpenID provider. - * - * @param $service - * Array describing the OpenID provider. - * @param $association - * Information on the association with the OpenID provider. - * @param $response - * Array of response values from the provider. - * - * @return - * TRUE if the signature is valid and covers all fields required to be signed. - * @see http://openid.net/specs/openid-authentication-2_0.html#rfc.section.11.4 - */ -function openid_verify_assertion_signature($service, $association, $response) { - if ($service['version'] == 2) { - // OpenID Authentication 2.0, section 10.1: - // These keys must always be signed. - $mandatory_keys = array('op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'); - if (isset($response['openid.claimed_id'])) { - // If present, these two keys must also be signed. According to the spec, - // they are either both present or both absent. 
- $mandatory_keys[] = 'claimed_id'; - $mandatory_keys[] = 'identity'; - } - } - else { - // OpenID Authentication 1.1. section 4.3.3. - $mandatory_keys = array('identity', 'return_to'); - } - - $keys_to_sign = explode(',', $response['openid.signed']); - - if (count(array_diff($mandatory_keys, $keys_to_sign)) > 0) { - return FALSE; - } - - return _openid_signature($association, $response, $keys_to_sign) === $response['openid.sig']; -} - -/** - * Verify that the nonce has not been used in earlier assertions from the same OpenID provider. - * - * @param $service - * Array describing the OpenID provider. - * @param $response - * Array of response values from the provider. - * - * @return - * TRUE if the nonce has not expired and has not been used earlier. - */ -function openid_verify_assertion_nonce($service, $response) { - if ($service['version'] != 2) { - return TRUE; - } - - if (preg_match('/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z/', $response['openid.response_nonce'], $matches)) { - list(, $year, $month, $day, $hour, $minutes, $seconds) = $matches; - $nonce_timestamp = gmmktime($hour, $minutes, $seconds, $month, $day, $year); - } - else { - watchdog('openid', 'Nonce from @endpoint rejected because it is not correctly formatted, nonce: @nonce.', array('@endpoint' => $service['uri'], '@nonce' => $response['openid.response_nonce']), WATCHDOG_WARNING); - return FALSE; - } - - // A nonce with a timestamp to far in the past or future will already have - // been removed and cannot be checked for single use anymore. - $time = time(); - $expiry = 900; - if ($nonce_timestamp <= $time - $expiry || $nonce_timestamp >= $time + $expiry) { - watchdog('openid', 'Nonce received from @endpoint is out of range (time difference: @intervals). Check possible clock skew.', array('@endpoint' => $service['uri'], '@interval' => $time - $nonce_timestamp), WATCHDOG_WARNING); - return FALSE; - } - - // Record that this nonce was used. 
- db_insert('openid_nonce') - ->fields(array( - 'idp_endpoint_uri' => $service['uri'], - 'nonce' => $response['openid.response_nonce'], - 'expires' => $nonce_timestamp + $expiry, - )) - ->execute(); - - // Count the number of times this nonce was used. - $count_used = db_query("SELECT COUNT(*) FROM {openid_nonce} WHERE nonce = :nonce AND idp_endpoint_uri = :idp_endpoint_uri", array( - ':nonce' => $response['openid.response_nonce'], - ':idp_endpoint_uri' => $service['uri'], - ))->fetchField(); - - if ($count_used == 1) { - return TRUE; - } - else { - watchdog('openid', 'Nonce replay attempt blocked from @ip, nonce: @nonce.', array('@ip' => Drupal::request()->getClientIP(), '@nonce' => $response['openid.response_nonce']), WATCHDOG_CRITICAL); - return FALSE; - } -} - - -/** - * Verify that openid.return_to matches the current URL. - * - * See OpenID Authentication 2.0, section 11.1. While OpenID Authentication - * 1.1, section 4.3 does not mandate return_to verification, the received - * return_to should still match these constraints. - * - * @param $service - * Array describing the OpenID provider. - * @param $response - * Array of response values from the provider. - * - * @return - * TRUE if return_to is valid, FALSE otherwise. - */ -function openid_verify_assertion_return_url($service, $response) { - global $base_url; - - $return_to_parts = parse_url($response['openid.return_to']); - - $base_url_parts = parse_url($base_url); - $current_parts = parse_url($base_url_parts['scheme'] .'://'. $base_url_parts['host'] . request_uri()); - - if ($return_to_parts['scheme'] != $current_parts['scheme'] || $return_to_parts['host'] != $current_parts['host'] || $return_to_parts['path'] != $current_parts['path']) { - return FALSE; - } - // Verify that all query parameters in the openid.return_to URL have - // the same value in the current URL. In addition, the current URL - // contains a number of other parameters added by the OpenID Provider. 
- parse_str(isset($return_to_parts['query']) ? $return_to_parts['query'] : '', $return_to_query_parameters); - foreach ($return_to_query_parameters as $name => $value) { - if (!isset($_GET[$name]) || $_GET[$name] != $value) { - return FALSE; - } - } - return TRUE; -} - -/** - * Remove expired nonces from the database. - * - * Implements hook_cron(). - */ -function openid_cron() { - db_delete('openid_nonce') - ->condition('expires', REQUEST_TIME, '<') - ->execute(); -} - -/** - * Implements hook_library_info(). - */ -function openid_library_info() { - $libraries['drupal.openid'] = array( - 'title' => 'OpenID', - 'version' => VERSION, - 'js' => array( - drupal_get_path('module', 'openid') . '/openid.js' => array(), - ), - 'css' => array( - drupal_get_path('module', 'openid') . '/openid.css' => array(), - ), - 'dependencies' => array( - array('system', 'jquery'), - array('system', 'drupal'), - array('system', 'jquery.cookie'), - array('system', 'jquery.once'), - ), - ); - - return $libraries; -} diff --git a/core/modules/openid/openid.pages.inc b/core/modules/openid/openid.pages.inc deleted file mode 100644 index df730af..0000000 --- a/core/modules/openid/openid.pages.inc +++ /dev/null 
@@ -1,106 +0,0 @@ -fields(array( - 'uid' => $account->uid, - 'identifier' => $identity, - )) - ->execute(); - drupal_set_message(t('Successfully added %identity', array('%identity' => $identity))); - // Let other modules act on OpenID authentication. - module_invoke_all('openid_response', $response, $account); - } - - $header = array(t('OpenID'), t('Operations')); - $rows = array(); - - $result = db_query("SELECT * FROM {openid_identities} WHERE uid=:uid", array(':uid' => $account->uid)); - foreach ($result as $identity) { - $row = array(); - $row[] = check_plain($identity->identifier); - $links = array(); - $links['delete'] = array( - 'title' => t('Delete'), - 'href' => 'user/' . $account->uid . '/openid/delete/' . $identity->aid, - ); - $row[] = array( - 'data' => array( - '#type' => 'operations', - '#links' => $links, - ), - ); - $rows[] = $row; - } - - $build['openid_table'] = array( - '#theme' => 'table', - '#header' => $header, - '#rows' => $rows, - '#empty' => t('No OpenID identities available for this account.'), - ); - $build['openid_user_add'] = drupal_get_form('openid_user_add'); - return $build; -} - -/** - * Form builder; Add an OpenID identity. - * - * @ingroup forms - * @see openid_user_add_validate() - */ -function openid_user_add() { - $form['openid_identifier'] = array( - '#type' => 'textfield', - '#title' => t('OpenID'), - ); - $form['actions'] = array('#type' => 'actions'); - $form['actions']['submit'] = array('#type' => 'submit', '#value' => t('Add an OpenID')); - return $form; -} - -function openid_user_add_validate($form, &$form_state) { - // Check for existing entries. 
- $claimed_id = openid_normalize($form_state['values']['openid_identifier']); - if (db_query("SELECT identifier FROM {openid_identities} WHERE identifier = :identifier", array(':identifier' => $claimed_id))->fetchField()) { - form_set_error('openid_identifier', t('That OpenID is already in use on this site.')); - } -} - -function openid_user_add_submit($form, &$form_state) { - $return_to = url('user/' . arg(1) . '/openid', array('absolute' => TRUE)); - openid_begin($form_state['values']['openid_identifier'], $return_to); -} diff --git a/core/modules/openid/openid.routing.yml b/core/modules/openid/openid.routing.yml deleted file mode 100644 index a6a34e8..0000000 --- a/core/modules/openid/openid.routing.yml +++ /dev/null @@ -1,9 +0,0 @@ -openid_user_delete_form: - pattern: '/user/{account}/openid/delete/{aid}' - options: - converters: - account: 'user' - defaults: - _form: 'Drupal\openid\Form\UserDeleteForm' - requirements: - _entity_access: 'account.update' diff --git a/core/modules/openid/tests/openid_test.info.yml b/core/modules/openid/tests/openid_test.info.yml deleted file mode 100644 index 192c688..0000000 --- a/core/modules/openid/tests/openid_test.info.yml +++ /dev/null @@ -1,9 +0,0 @@ -name: 'OpenID dummy provider' -type: module -description: 'OpenID provider used for testing.' -package: Testing -version: VERSION -core: 8.x -dependencies: - - openid -hidden: true diff --git a/core/modules/openid/tests/openid_test.module b/core/modules/openid/tests/openid_test.module deleted file mode 100644 index c442884..0000000 --- a/core/modules/openid/tests/openid_test.module +++ /dev/null 
@@ -1,374 +0,0 @@ - 'XRDS service document', - 'page callback' => 'openid_test_yadis_xrds', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/yadis/x-xrds-location'] = array( - 'title' => 'Yadis discovery using X-XRDS-Location header', - 'page callback' => 'openid_test_yadis_x_xrds_location', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/yadis/http-equiv'] = array( - 'title' => 'Yadis discovery using ', - 'page callback' => 'openid_test_yadis_http_equiv', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/html/openid1'] = array( - 'title' => 'HTML-based discovery using ', - 'page callback' => 'openid_test_html_openid1', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/html/openid2'] = array( - 'title' => 'HTML-based discovery using ', - 'page callback' => 'openid_test_html_openid2', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/endpoint'] = array( - 'title' => 'OpenID Provider Endpoint', - 'page callback' => 'openid_test_endpoint', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/redirect'] = array( - 'title' => 'OpenID Provider Redirection Point', - 'page callback' => 'openid_test_redirect', - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - $items['openid-test/redirected/%/%'] = array( - 'title' => 'OpenID Provider Final URL', - 'page callback' => 'openid_test_redirected_method', - 'page arguments' => array(2, 3), - 'access callback' => TRUE, - 'type' => MENU_CALLBACK, - ); - return $items; -} - -/** - * Implements hook_menu_site_status_alter(). - */ -function openid_test_menu_site_status_alter(&$menu_site_status, $path) { - // Allow access to openid endpoint and identity even in offline mode. 
- if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && in_array($path, array('openid-test/yadis/xrds', 'openid-test/endpoint'))) { - $menu_site_status = MENU_SITE_ONLINE; - } -} - -/** - * Menu callback; XRDS document that references the OP Endpoint URL. - */ -function openid_test_yadis_xrds() { - if ($_SERVER['HTTP_ACCEPT'] == 'application/xrds+xml') { - // Only respond to XRI requests for one specific XRI. The is used to verify - // that the XRI has been properly encoded. The "+" sign in the _xrd_r query - // parameter is decoded to a space by PHP. - if (arg(3) == 'xri' && (arg(4) != '@example*résumé;%25' || $_GET['_xrd_r'] != 'application/xrds xml')) { - throw new NotFoundHttpException(); - } - $output = ''; - if (!empty($_GET['doctype'])) { - $output .= "\n ]>\n"; - } - $output .= ' - - - - xri://@ - http://example.com/user - - http://example.com/this-is-ignored - - - http://openid.net/signon/1.0 - http://example.com/this-is-only-openid-1.0 - - - http://specs.openid.net/auth/2.0/signon - http://openid.net/srv/ax/1.0 - ' . url('openid-test/endpoint', array('absolute' => TRUE)) . ' - http://example.com/xrds - - - http://specs.openid.net/auth/2.0/signon - http://example.com/this-has-too-low-priority - - - http://specs.openid.net/auth/2.0/signon - http://example.com/this-has-too-low-priority - - '; - if (arg(3) == 'server') { - $output .= ' - - http://specs.openid.net/auth/2.0/server - http://example.com/this-has-too-low-priority - - - http://specs.openid.net/auth/2.0/server - ' . url('openid-test/endpoint', array('absolute' => TRUE)) . ' - '; - } - elseif (arg(3) == 'delegate') { - $output .= ' - - http://specs.openid.net/auth/2.0/signon - http://openid.net/srv/ax/1.0 - ' . url('openid-test/endpoint', array('absolute' => TRUE)) . ' - http://example.com/xrds-delegate - '; - } - $output .= ' - - '; - return new Response($output, 200, array('Content-type' => 'application/xrds+xml; charset=utf-8')); - } - else { - return t('This is a regular HTML page. 
If the client sends an Accept: application/xrds+xml header when requesting this URL, an XRDS document is returned.'); - } -} - -/** - * Menu callback; regular HTML page with an X-XRDS-Location HTTP header. - */ -function openid_test_yadis_x_xrds_location() { - drupal_add_http_header('X-XRDS-Location', url('openid-test/yadis/xrds', array('absolute' => TRUE))); - return t('This page includes an X-RDS-Location HTTP header containing the URL of an XRDS document.'); -} - -/** - * Menu callback; regular HTML page with element. - */ -function openid_test_yadis_http_equiv() { - $element = array( - '#tag' => 'meta', - '#attributes' => array( - 'http-equiv' => "X-XRDS-Location\n", - 'content' => url('openid-test/yadis/xrds', array('absolute' => TRUE)), - ), - ); - drupal_add_html_head($element, 'openid_test_yadis_http_equiv'); - return t('This page includes a <meta equiv=...> element containing the URL of an XRDS document.'); -} - -/** - * Menu callback; regular HTML page with OpenID 1.0 element. - */ -function openid_test_html_openid1() { - drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE)))); - drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1')); - return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.'); -} - -/** - * Menu callback; regular HTML page with OpenID 2.0 element. - */ -function openid_test_html_openid2() { - // Use unusual values in order to test proper parsing of HTML attributes. - drupal_add_html_head_link(array('rel' => "foo\nopenid2.PROVIDER\tbar", 'href' => "\n" . 
url('openid-test/endpoint', array('absolute' => TRUE)))); - drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2')); - return t('This page includes a <link rel=...> element containing the URL of an OpenID Provider Endpoint.'); -} - -/** - * Menu callback; OpenID Provider Endpoint. - * - * It accepts "associate" requests directly from the Relying Party, and - * "checkid_setup" requests made by the user's browser based on HTTP redirects - * (in OpenID 1) or HTML forms (in OpenID 2) generated by the Relying Party. - */ -function openid_test_endpoint() { - switch ($_REQUEST['openid_mode']) { - case 'associate': - return _openid_test_endpoint_associate(); - case 'checkid_setup': - return _openid_test_endpoint_authenticate(); - } -} - -/** - * Menu callback; redirect during Normalization/Discovery. - */ -function openid_test_redirect($count = 0) { - if ($count == 0) { - $url = state()->get('openid_test.redirect_url'); - } - else { - $url = url('openid-test/redirect/' . --$count, array('absolute' => TRUE)); - } - $http_response_code = state()->get('openid_test.redirect_http_response_code') ?: 301; - return new RedirectResponse($url, $http_response_code); -} - -/** - * Menu callback; respond with appropriate callback. - */ -function openid_test_redirected_method($method1, $method2) { - return call_user_func('openid_test_' . $method1 . '_' . $method2); -} - -/** - * OpenID endpoint; handle "associate" requests (see OpenID Authentication 2.0, - * section 8). - * - * The purpose of association is to send the secret MAC key to the Relying Party - * using Diffie-Hellman key exchange. The MAC key is used in subsequent - * "authenticate" requests. The "associate" request is made by the Relying Party - * (in the testing scenario, this is the OpenID module that communicates with - * the endpoint). 
- */ -function _openid_test_endpoint_associate() { - module_load_include('inc', 'openid'); - - // Use default parameters for Diffie-Helmann key exchange. - $mod = OPENID_DH_DEFAULT_MOD; - $gen = OPENID_DH_DEFAULT_GEN; - - // Generate private Diffie-Helmann key. - $r = _openid_dh_rand($mod); - $private = _openid_math_add($r, 1); - - // Calculate public Diffie-Helmann key. - $public = _openid_math_powmod($gen, $private, $mod); - - // Calculate shared secret based on Relying Party's public key. - $cpub = _openid_dh_base64_to_long($_REQUEST['openid_dh_consumer_public']); - $shared = _openid_math_powmod($cpub, $private, $mod); - - // Encrypt the MAC key using the shared secret. - $enc_mac_key = base64_encode(_openid_dh_xorsecret($shared, NULL)); - - // Generate response including our public key and the MAC key. Using our - // public key and its own private key, the Relying Party can calculate the - // shared secret, and with this it can decrypt the encrypted MAC key. - $response = array( - 'ns' => 'http://specs.openid.net/auth/2.0', - 'assoc_handle' => 'openid-test', - 'session_type' => $_REQUEST['openid_session_type'], - 'assoc_type' => $_REQUEST['openid_assoc_type'], - 'expires_in' => '3600', - 'dh_server_public' => _openid_dh_long_to_base64($public), - 'enc_mac_key' => $enc_mac_key, - ); - - // Respond to Relying Party in the special Key-Value Form Encoding (see OpenID - // Authentication 1.0, section 4.1.1). - return new Response(_openid_create_message($response), 200, array('Content-Type' => 'text/plain')); -} - -/** - * OpenID endpoint; handle "authenticate" requests. - * - * All requests result in a successful response. The request is a GET or POST - * made by the user's browser based on an HTML form or HTTP redirect generated - * by the Relying Party. The user is redirected back to the Relying Party using - * a URL containing a signed message in the query string confirming the user's - * identity. 
- */ -function _openid_test_endpoint_authenticate() { - module_load_include('inc', 'openid'); - - $expected_identity = state()->get('openid_test.identity'); - if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) { - $response = state()->get('openid_test.response') ?: array(); - $response += array( - 'openid.ns' => OPENID_NS_2_0, - 'openid.mode' => 'error', - 'openid.error' => 'Unexpted identity', - ); - return new RedirectResponse(url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE))); - } - - // Generate unique identifier for this authentication. - $nonce = _openid_nonce(); - - // Generate response containing the user's identity. - $response = state()->get('openid_test.response') ?: array(); - $response += array( - 'openid.ns' => OPENID_NS_2_0, - 'openid.mode' => 'id_res', - 'openid.op_endpoint' => url('openid-test/endpoint', array('absolute' => TRUE)), - 'openid.claimed_id' => !empty($_REQUEST['openid_claimed_id']) ? $_REQUEST['openid_claimed_id'] : '', - 'openid.identity' => $_REQUEST['openid_identity'], - 'openid.return_to' => $_REQUEST['openid_return_to'], - 'openid.response_nonce' => $nonce, - 'openid.assoc_handle' => 'openid-test', - ); - - if (isset($response['openid.signed'])) { - $keys_to_sign = explode(',', $response['openid.signed']); - } - else { - // Unless openid.signed is explicitly defined, all keys are signed. - $keys_to_sign = array(); - foreach ($response as $key => $value) { - // Strip off the "openid." prefix. - $keys_to_sign[] = substr($key, 7); - } - $response['openid.signed'] = implode(',', $keys_to_sign); - } - - // Sign the message using the MAC key that was exchanged during association. 
- $association = new stdClass(); - $association->mac_key = NULL; - if (!isset($response['openid.sig'])) { - $response['openid.sig'] = _openid_signature($association, $response, $keys_to_sign); - } - - // Put the signed message into the query string of a URL supplied by the - // Relying Party, and redirect the user. - return new RedirectResponse(url($_REQUEST['openid_return_to'], array('query' => $response, 'external', TRUE))); -} - -/** - * Implements hook_openid_request_alter(). - */ -function openid_test_openid_request_alter(&$request, $service) { - $parameters = state()->get('openid_test.request_alter'); - if (isset($parameters[$request['openid.mode']])) { - $request = $parameters[$request['openid.mode']] + $request; - } -} - -/** - * Implements hook_openid_response(). - */ -function openid_test_openid_response($response, $account) { - state()->set('openid_test.hook_openid_response_response', $response); - state()->set('openid_test.hook_openid_response_account', $account ? $account : FALSE); -} diff --git a/core/modules/openid/tests/upgrade/drupal-7.openid.authmap.database.php b/core/modules/openid/tests/upgrade/drupal-7.openid.authmap.database.php deleted file mode 100644 index 96b369b..0000000 --- a/core/modules/openid/tests/upgrade/drupal-7.openid.authmap.database.php +++ /dev/null @@ -1,36 +0,0 @@ -fields(array( - 'aid', - 'uid', - 'authname', - 'module', - )) - ->values(array( - 'aid' => 1, - 'uid' => 1, - 'authname' => 'userA@providerA', - 'module' => 'openid', - )) - ->values(array( - 'aid' => 2, - 'uid' => 1, - 'authname' => 'userB@providerA', - 'module' => 'openid', - )) - ->values(array( - 'aid' => 3, - 'uid' => 1, - 'authname' => 'userA@providerB', - 'module' => 'fancy', - )) - ->execute(); diff --git a/core/modules/openid/tests/upgrade/drupal-7.openid.database.php b/core/modules/openid/tests/upgrade/drupal-7.openid.database.php deleted file mode 100644 index 955f9c5..0000000 
--- a/core/modules/openid/tests/upgrade/drupal-7.openid.database.php +++ /dev/null @@ -1,94 +0,0 @@ - array( - 'idp_endpoint_uri' => array( - 'type' => 'varchar', - 'length' => 255, - ), - 'assoc_handle' => array( - 'type' => 'varchar', - 'length' => 255, - 'not null' => TRUE, - ), - 'assoc_type' => array( - 'type' => 'varchar', - 'length' => 32, - ), - 'session_type' => array( - 'type' => 'varchar', - 'length' => 32, - ), - 'mac_key' => array( - 'type' => 'varchar', - 'length' => 255, - ), - 'created' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - ), - 'expires_in' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - ), - ), - 'primary key' => array( - 'assoc_handle', - ), - 'module' => 'openid', - 'name' => 'openid_association', -)); - -db_create_table('openid_nonce', array( - 'fields' => array( - 'idp_endpoint_uri' => array( - 'type' => 'varchar', - 'length' => 255, - ), - 'nonce' => array( - 'type' => 'varchar', - 'length' => 255, - ), - 'expires' => array( - 'type' => 'int', - 'not null' => TRUE, - 'default' => 0, - ), - ), - 'indexes' => array( - 'nonce' => array( - 'nonce', - ), - 'expires' => array( - 'expires', - ), - ), - 'module' => 'openid', - 'name' => 'openid_nonce', -)); - -db_update('system') - ->fields(array( - 'filename' => 'modules/openid/openid.module', - 'name' => 'openid', - 'type' => 'module', - 'owner' => '', - 'status' => '1', - 'bootstrap' => '0', - 'schema_version' => '6000', - 'weight' => '0', - 'info' => 'a:11:{s:4:"name";s:6:"OpenID";s:11:"description";s:48:"Allows users to log into your site using OpenID.";s:7:"version";s:11:"7.14+29-dev";s:7:"package";s:4:"Core";s:4:"core";s:3:"7.x";s:5:"files";a:1:{i:0;s:11:"openid.test";}s:7:"project";s:6:"drupal";s:9:"datestamp";s:10:"1338768537";s:12:"dependencies";a:0:{}s:3:"php";s:5:"5.2.4";s:9:"bootstrap";i:0;}', - )) - ->condition('filename', 'modules/openid/openid.module') - ->execute(); 
diff --git a/core/themes/bartik/css/style-rtl.css b/core/themes/bartik/css/style-rtl.css
index dc7c2a4..23d14a4 100644
--- a/core/themes/bartik/css/style-rtl.css
+++ b/core/themes/bartik/css/style-rtl.css
@@ -58,15 +58,6 @@ ul.tips {
 padding-left: 0;
 padding-right: 0.5em;
 }
-.region-header #block-user-login ul.openid-links li.last {
- padding-right: 0;
-}
-.region-header #user-login-form li.openid-link a,
-.region-header #user-login li.openid-link a {
- background-position: right -3px;
- padding-left: 0;
- padding-right: 20px;
-}
 /* --------------- Main Menu ------------ */
diff --git a/core/themes/bartik/css/style.css b/core/themes/bartik/css/style.css
index 89e4fd4..9c65ea3 100644
--- a/core/themes/bartik/css/style.css
+++ b/core/themes/bartik/css/style.css
@@ -441,13 +441,6 @@ h1#site-name {
 .region-header #block-user-login .item-list li.last {
 padding-left: 0.5em; /* LTR */
 }
-.region-header #block-user-login ul.openid-links li.last {
- padding-left: 0; /* LTR */
-}
-.region-header #user-login-form li.openid-link a,
-.region-header #user-login li.openid-link a {
- padding-left: 20px; /* LTR */
-}
 .region-header #block-user-login .form-actions {
 margin: 4px 0 0;
 padding: 0;
diff --git a/core/themes/seven/style-rtl.css b/core/themes/seven/style-rtl.css
index f4097d9..70770d1 100644
--- a/core/themes/seven/style-rtl.css
+++ b/core/themes/seven/style-rtl.css
@@ -150,14 +150,6 @@ ol.task-list li.active {
 padding: 0 0 5px 5px;
 }
-/* User login block */
-#user-login-form .openid-links {
- margin-right: 0;
-}
-#user-login-form .openid-links .user-link {
- margin-right: 1.5em;
-}
-
 /**
 * Improve spacing of cancel link.
 */
diff --git a/core/themes/seven/style.css b/core/themes/seven/style.css
index 52db095..427c267 100644
--- a/core/themes/seven/style.css
+++ b/core/themes/seven/style.css
@@ -1108,14 +1108,6 @@ h1#overlay-title {
 padding: 0 5px 5px 0; /* LTR */
 }
-/* User login block */
-#user-login-form .openid-links {
- margin-left: 0; /* LTR */
-}
-#user-login-form .openid-links .user-link {
- margin-left: 1.5em; /* LTR */
-}
-
 /* Dropbutton */
 .js .dropbutton-widget {
 background-color: #fff;