PHP Cross Reference of Joomla 1.5.26 DE |
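<?php

/**
 * An implementation of the OpenID Provider Authentication Policy
 * Extension 1.0
 *
 * See:
 * http://openid.net/developers/specs/
 *
 * The classes in this file only build, parse and store PAPE
 * arguments. Nothing here compares a provider's response with what
 * the relying party asked for, so the calling code has to check that
 * the returned policies, NIST level and auth_time satisfy its own
 * requirements before relying on them.
 */

// Do not allow direct access
defined( '_JEXEC' ) or die( 'Restricted access' );

require_once "Auth/OpenID/Extension.php";

define('Auth_OpenID_PAPE_NS_URI',
       "http://specs.openid.net/extensions/pape/1.0");

define('PAPE_AUTH_MULTI_FACTOR_PHYSICAL',
       'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical');
define('PAPE_AUTH_MULTI_FACTOR',
       'http://schemas.openid.net/pape/policies/2007/06/multi-factor');
define('PAPE_AUTH_PHISHING_RESISTANT',
       'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant');

// Undelimited regular expression for a UTC timestamp of the form
// YYYY-MM-DDThh:mm:ssZ. The value is left unchanged so that any
// other code using the constant keeps working; this file wraps it in
// PCRE delimiters before matching.
define('PAPE_TIME_VALIDATOR',
       '^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$');

/**
 * A Provider Authentication Policy request, sent from a relying party
 * to a provider
 *
 * preferred_auth_policies: The authentication policies that
 * the relying party prefers
 *
 * max_auth_age: The maximum time, in seconds, that the relying party
 * wants to allow to have elapsed before the user must re-authenticate
 */
class Auth_OpenID_PAPE_Request extends Auth_OpenID_Extension {

    var $ns_alias = 'pape';
    var $ns_uri = Auth_OpenID_PAPE_NS_URI;

    /**
     * @param array|null $preferred_auth_policies Policy URIs the
     * relying party prefers; null is treated as an empty list
     *
     * @param mixed $max_auth_age Maximum authentication age in
     * seconds, or null for no limit; stored as given
     */
    function Auth_OpenID_PAPE_Request($preferred_auth_policies=null,
                                      $max_auth_age=null)
    {
        if ($preferred_auth_policies === null) {
            $preferred_auth_policies = array();
        }

        $this->preferred_auth_policies = $preferred_auth_policies;
        $this->max_auth_age = $max_auth_age;
    }

    /**
     * Add an acceptable authentication policy URI to this request
     *
     * This method is intended to be used by the relying party to add
     * acceptable authentication types to the request.
     *
     * @param string $policy_uri The identifier for the preferred
     * type of authentication. A URI that is already in the list is
     * not added again.
     */
    function addPolicyURI($policy_uri)
    {
        // Strict comparison: policy URIs are compared as exact
        // strings, never through PHP's loose type juggling.
        if (!in_array($policy_uri, $this->preferred_auth_policies, true)) {
            $this->preferred_auth_policies[] = $policy_uri;
        }
    }

    /**
     * Build the PAPE arguments for this request.
     *
     * @return array 'preferred_auth_policies' as a space-separated
     * string, plus 'max_auth_age' as a string when it is not null
     */
    function getExtensionArgs()
    {
        $ns_args = array(
                         'preferred_auth_policies' =>
                           implode(' ', $this->preferred_auth_policies)
                         );

        if ($this->max_auth_age !== null) {
            $ns_args['max_auth_age'] = strval($this->max_auth_age);
        }

        return $ns_args;
    }

    /**
     * Instantiate a Request object from the arguments in a checkid_*
     * OpenID message
     *
     * Does not use $this.
     *
     * @param object $request The request; its message must provide
     * getArgs()
     *
     * @return Auth_OpenID_PAPE_Request|null null when the message
     * carries no PAPE arguments
     */
    function fromOpenIDRequest($request)
    {
        $obj = new Auth_OpenID_PAPE_Request();
        $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI);

        if ($args === null || $args === array()) {
            return null;
        }

        $obj->parseExtensionArgs($args);
        return $obj;
    }

    /**
     * Set the state of this request to be that expressed in these
     * PAPE arguments
     *
     * @param array $args The PAPE arguments without a namespace
     */
    function parseExtensionArgs($args)
    {
        // preferred_auth_policies is a space-separated list of policy
        // URIs
        $this->preferred_auth_policies = array();

        $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies');
        if ($policies_str) {
            foreach (explode(' ', $policies_str) as $uri) {
                // De-duplicate by exact string match.
                if (!in_array($uri, $this->preferred_auth_policies, true)) {
                    $this->preferred_auth_policies[] = $uri;
                }
            }
        }

        // max_auth_age is base-10 integer number of seconds
        // NOTE(review): the result of Auth_OpenID::intval() is stored
        // unchecked. The response parser in this file tests that
        // helper's result against false, so a malformed value
        // presumably leaves max_auth_age === false rather than null;
        // code that enforces the limit should check for an integer.
        $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age');
        if ($max_auth_age_str) {
            $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str);
        } else {
            $this->max_auth_age = null;
        }
    }

    /**
     * Given a list of authentication policy URIs that a provider
     * supports, this method returns the subsequence of those types
     * that are preferred by the relying party.
     *
     * @param array $supported_types A sequence of authentication
     * policy type URIs that are supported by a provider
     *
     * @return array The sub-sequence of the supported types that are
     * preferred by the relying party. This list will be ordered in
     * the order that the types appear in the supported_types
     * sequence, and may be empty if the relying party does not prefer
     * any of the supported authentication types.
     */
    function preferredTypes($supported_types)
    {
        $result = array();

        foreach ($supported_types as $st) {
            // Exact string match only, so that a non-string entry
            // cannot be counted as a preferred policy through loose
            // comparison.
            if (in_array($st, $this->preferred_auth_policies, true)) {
                $result[] = $st;
            }
        }
        return $result;
    }
}

/**
 * A Provider Authentication Policy response, sent from a provider to
 * a relying party
 *
 * auth_policies: The policy URIs the provider states it conformed to
 *
 * auth_time: Timestamp of the authentication, in the format described
 * by PAPE_TIME_VALIDATOR
 *
 * nist_auth_level: Integer from 0 to 4, or null when not given
 *
 * These fields are the provider's claims as parsed; this class does
 * not compare them with the policies or maximum age that the relying
 * party requested.
 */
class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension {

    var $ns_alias = 'pape';
    var $ns_uri = Auth_OpenID_PAPE_NS_URI;

    /**
     * @param array|null $auth_policies Policy URIs; any empty value
     * is treated as an empty list
     *
     * @param string|null $auth_time Authentication timestamp
     *
     * @param int|null $nist_auth_level NIST level, 0 to 4
     */
    function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null,
                                       $nist_auth_level=null)
    {
        if ($auth_policies) {
            $this->auth_policies = $auth_policies;
        } else {
            $this->auth_policies = array();
        }

        $this->auth_time = $auth_time;
        $this->nist_auth_level = $nist_auth_level;
    }

    /**
     * Check that a value is a timestamp of the form
     * YYYY-MM-DDThh:mm:ssZ, as described by PAPE_TIME_VALIDATOR.
     *
     * preg_match() replaces the original ereg() call. ereg() is not
     * binary-safe, so a value holding a NUL byte after an otherwise
     * valid timestamp was accepted; it was also deprecated in PHP 5.3
     * and removed in PHP 7. The "D" modifier stops "$" from matching
     * before a trailing newline.
     *
     * @param mixed $value The candidate auth_time value
     *
     * @return bool true only for a string matching the whole pattern
     */
    function _isValidAuthTime($value)
    {
        return is_string($value) &&
            preg_match('/' . PAPE_TIME_VALIDATOR . '/D', $value) === 1;
    }

    /**
     * Add a authentication policy to this response
     *
     * This method is intended to be used by the provider to add a
     * policy that the provider conformed to when authenticating the
     * user.
     *
     * @param string $policy_uri The identifier for the preferred
     * type of authentication. A URI that is already in the list is
     * not added again.
     */
    function addPolicyURI($policy_uri)
    {
        // Exact string match, as in the request class.
        if (!in_array($policy_uri, $this->auth_policies, true)) {
            $this->auth_policies[] = $policy_uri;
        }
    }

    /**
     * Create an Auth_OpenID_PAPE_Response object from a successful
     * OpenID library response.
     *
     * Does not use $this.
     *
     * @param success_response $success_response A SuccessResponse
     * from Auth_OpenID_Consumer::complete()
     *
     * @return Auth_OpenID_PAPE_Response|null A provider
     * authentication policy response from the data that was supplied
     * with the id_res response, or null when no PAPE arguments were
     * returned.
     */
    function fromSuccessResponse($success_response)
    {
        $obj = new Auth_OpenID_PAPE_Response();

        // PAPE requires that the args be signed.
        // getSignedNS() is defined outside this file and is relied
        // on to return only fields covered by the signature.
        $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI);

        if ($args === null || $args === array()) {
            return null;
        }

        // Parsing is non-strict here: a malformed nist_auth_level or
        // auth_time is dropped instead of rejecting the response, so
        // the false check below only matters if strict parsing is
        // enabled. Callers that must reject malformed values can
        // call parseExtensionArgs() with $strict set to true.
        $result = $obj->parseExtensionArgs($args);

        if ($result === false) {
            return null;
        } else {
            return $obj;
        }
    }

    /**
     * Parse the provider authentication policy arguments into the
     * internal state of this object
     *
     * @param array $args unqualified provider authentication policy
     * arguments
     *
     * @param bool $strict Whether to return false when bad data is
     * encountered
     *
     * @return null|false false when $strict is set and a value is
     * malformed; otherwise null, with the data parsed into the
     * internal fields of this object.
     */
    function parseExtensionArgs($args, $strict=false)
    {
        // A missing, empty or "none" value leaves the current
        // auth_policies list as it is.
        $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies');
        if ($policies_str && $policies_str != "none") {
            $this->auth_policies = explode(" ", $policies_str);
        }

        $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level');
        if ($nist_level_str !== null) {
            $nist_level = Auth_OpenID::intval($nist_level_str);

            if ($nist_level === false) {
                if ($strict) {
                    return false;
                } else {
                    $nist_level = null;
                }
            }

            // null passes this range test under PHP's loose
            // comparison, so a value that failed integer conversion
            // in non-strict mode stores nist_auth_level = null. An
            // out-of-range integer is ignored unless $strict is set.
            if (0 <= $nist_level && $nist_level < 5) {
                $this->nist_auth_level = $nist_level;
            } else if ($strict) {
                return false;
            }
        }

        $auth_time = Auth_OpenID::arrayGet($args, 'auth_time');
        if ($auth_time !== null) {
            // Only a well-formed timestamp is stored.
            if ($this->_isValidAuthTime($auth_time)) {
                $this->auth_time = $auth_time;
            } else if ($strict) {
                return false;
            }
        }
    }

    /**
     * Build the PAPE arguments for this response.
     *
     * @return array|false The arguments, with 'auth_policies' set to
     * 'none' when the policy list is empty; false when
     * nist_auth_level is not an integer from 0 to 4 or auth_time is
     * not a valid timestamp
     */
    function getExtensionArgs()
    {
        $ns_args = array();
        if (count($this->auth_policies) > 0) {
            $ns_args['auth_policies'] = implode(' ', $this->auth_policies);
        } else {
            $ns_args['auth_policies'] = 'none';
        }

        if ($this->nist_auth_level !== null) {
            if (!in_array($this->nist_auth_level, range(0, 4), true)) {
                return false;
            }
            $ns_args['nist_auth_level'] = strval($this->nist_auth_level);
        }

        if ($this->auth_time !== null) {
            if (!$this->_isValidAuthTime($this->auth_time)) {
                return false;
            }

            $ns_args['auth_time'] = $this->auth_time;
        }

        return $ns_args;
    }
}

?>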