OpenID library installed
[living-lab-site.git] / application / libraries / Auth / OpenID / Server.php
1 <?php
2
3 /**
4  * OpenID server protocol and logic.
5  * 
6  * Overview
7  *
8  * An OpenID server must perform three tasks:
9  *
10  *  1. Examine the incoming request to determine its nature and validity.
11  *  2. Make a decision about how to respond to this request.
12  *  3. Format the response according to the protocol.
13  * 
14  * The first and last of these tasks may performed by the {@link
15  * Auth_OpenID_Server::decodeRequest()} and {@link
16  * Auth_OpenID_Server::encodeResponse} methods.  Who gets to do the
17  * intermediate task -- deciding how to respond to the request -- will
18  * depend on what type of request it is.
19  *
20  * If it's a request to authenticate a user (a 'checkid_setup' or
21  * 'checkid_immediate' request), you need to decide if you will assert
22  * that this user may claim the identity in question.  Exactly how you
23  * do that is a matter of application policy, but it generally
24  * involves making sure the user has an account with your system and
25  * is logged in, checking to see if that identity is hers to claim,
26  * and verifying with the user that she does consent to releasing that
27  * information to the party making the request.
28  *
29  * Examine the properties of the {@link Auth_OpenID_CheckIDRequest}
30  * object, and if and when you've come to a decision, form a response
31  * by calling {@link Auth_OpenID_CheckIDRequest::answer()}.
32  *
33  * Other types of requests relate to establishing associations between
34  * client and server and verifing the authenticity of previous
35  * communications.  {@link Auth_OpenID_Server} contains all the logic
36  * and data necessary to respond to such requests; just pass it to
37  * {@link Auth_OpenID_Server::handleRequest()}.
38  *
39  * OpenID Extensions
40  * 
41  * Do you want to provide other information for your users in addition
42  * to authentication?  Version 1.2 of the OpenID protocol allows
43  * consumers to add extensions to their requests.  For example, with
44  * sites using the Simple Registration
45  * Extension
46  * (http://openid.net/specs/openid-simple-registration-extension-1_0.html),
47  * a user can agree to have their nickname and e-mail address sent to
48  * a site when they sign up.
49  *
50  * Since extensions do not change the way OpenID authentication works,
51  * code to handle extension requests may be completely separate from
52  * the {@link Auth_OpenID_Request} class here.  But you'll likely want
53  * data sent back by your extension to be signed.  {@link
54  * Auth_OpenID_ServerResponse} provides methods with which you can add
55  * data to it which can be signed with the other data in the OpenID
56  * signature.
57  *
58  * For example:
59  *
60  * <pre>  // when request is a checkid_* request
61  *  $response = $request->answer(true);
62  *  // this will a signed 'openid.sreg.timezone' parameter to the response
63  *  response.addField('sreg', 'timezone', 'America/Los_Angeles')</pre>
64  *
65  * Stores
66  *
67  * The OpenID server needs to maintain state between requests in order
68  * to function.  Its mechanism for doing this is called a store.  The
69  * store interface is defined in Interface.php.  Additionally, several
70  * concrete store implementations are provided, so that most sites
71  * won't need to implement a custom store.  For a store backed by flat
72  * files on disk, see {@link Auth_OpenID_FileStore}.  For stores based
73  * on MySQL, SQLite, or PostgreSQL, see the {@link
74  * Auth_OpenID_SQLStore} subclasses.
75  *
76  * Upgrading
77  *
78  * The keys by which a server looks up associations in its store have
79  * changed in version 1.2 of this library.  If your store has entries
80  * created from version 1.0 code, you should empty it.
81  *
82  * PHP versions 4 and 5
83  *
84  * LICENSE: See the COPYING file included in this distribution.
85  *
86  * @package OpenID
87  * @author JanRain, Inc. <openid@janrain.com>
88  * @copyright 2005-2008 Janrain, Inc.
89  * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
90  */
91
92 /**
93  * Required imports
94  */
95 require_once "Auth/OpenID.php";
96 require_once "Auth/OpenID/Association.php";
97 require_once "Auth/OpenID/CryptUtil.php";
98 require_once "Auth/OpenID/BigMath.php";
99 require_once "Auth/OpenID/DiffieHellman.php";
100 require_once "Auth/OpenID/KVForm.php";
101 require_once "Auth/OpenID/TrustRoot.php";
102 require_once "Auth/OpenID/ServerRequest.php";
103 require_once "Auth/OpenID/Message.php";
104 require_once "Auth/OpenID/Nonce.php";
105
106 define('AUTH_OPENID_HTTP_OK', 200);
107 define('AUTH_OPENID_HTTP_REDIRECT', 302);
108 define('AUTH_OPENID_HTTP_ERROR', 400);
109
110 /**
111  * @access private
112  */
113 global $_Auth_OpenID_Request_Modes;
114 $_Auth_OpenID_Request_Modes = array('checkid_setup',
115                                     'checkid_immediate');
116
117 /**
118  * @access private
119  */
120 define('Auth_OpenID_ENCODE_KVFORM', 'kfvorm');
121
122 /**
123  * @access private
124  */
125 define('Auth_OpenID_ENCODE_URL', 'URL/redirect');
126
127 /**
128  * @access private
129  */
130 define('Auth_OpenID_ENCODE_HTML_FORM', 'HTML form');
131
132 /**
133  * @access private
134  */
135 function Auth_OpenID_isError($obj, $cls = 'Auth_OpenID_ServerError')
136 {
137     return is_a($obj, $cls);
138 }
139
140 /**
141  * An error class which gets instantiated and returned whenever an
142  * OpenID protocol error occurs.  Be prepared to use this in place of
143  * an ordinary server response.
144  *
145  * @package OpenID
146  */
147 class Auth_OpenID_ServerError {
148     /**
149      * @access private
150      */
151     function Auth_OpenID_ServerError($message = null, $text = null,
152                                      $reference = null, $contact = null)
153     {
154         $this->message = $message;
155         $this->text = $text;
156         $this->contact = $contact;
157         $this->reference = $reference;
158     }
159
160     function getReturnTo()
161     {
162         if ($this->message &&
163             $this->message->hasKey(Auth_OpenID_OPENID_NS, 'return_to')) {
164             return $this->message->getArg(Auth_OpenID_OPENID_NS,
165                                           'return_to');
166         } else {
167             return null;
168         }
169     }
170
171     /**
172      * Returns the return_to URL for the request which caused this
173      * error.
174      */
175     function hasReturnTo()
176     {
177         return $this->getReturnTo() !== null;
178     }
179
180     /**
181      * Encodes this error's response as a URL suitable for
182      * redirection.  If the response has no return_to, another
183      * Auth_OpenID_ServerError is returned.
184      */
185     function encodeToURL()
186     {
187         if (!$this->message) {
188             return null;
189         }
190
191         $msg = $this->toMessage();
192         return $msg->toURL($this->getReturnTo());
193     }
194
195     /**
196      * Encodes the response to key-value form.  This is a
197      * machine-readable format used to respond to messages which came
198      * directly from the consumer and not through the user-agent.  See
199      * the OpenID specification.
200      */
201     function encodeToKVForm()
202     {
203         return Auth_OpenID_KVForm::fromArray(
204                                       array('mode' => 'error',
205                                             'error' => $this->toString()));
206     }
207
208     function toFormMarkup($form_tag_attrs=null)
209     {
210         $msg = $this->toMessage();
211         return $msg->toFormMarkup($this->getReturnTo(), $form_tag_attrs);
212     }
213
214     function toHTML($form_tag_attrs=null)
215     {
216         return Auth_OpenID::autoSubmitHTML(
217                       $this->toFormMarkup($form_tag_attrs));
218     }
219
220     function toMessage()
221     {
222         // Generate a Message object for sending to the relying party,
223         // after encoding.
224         $namespace = $this->message->getOpenIDNamespace();
225         $reply = new Auth_OpenID_Message($namespace);
226         $reply->setArg(Auth_OpenID_OPENID_NS, 'mode', 'error');
227         $reply->setArg(Auth_OpenID_OPENID_NS, 'error', $this->toString());
228
229         if ($this->contact !== null) {
230             $reply->setArg(Auth_OpenID_OPENID_NS, 'contact', $this->contact);
231         }
232
233         if ($this->reference !== null) {
234             $reply->setArg(Auth_OpenID_OPENID_NS, 'reference',
235                            $this->reference);
236         }
237
238         return $reply;
239     }
240
241     /**
242      * Returns one of Auth_OpenID_ENCODE_URL,
243      * Auth_OpenID_ENCODE_KVFORM, or null, depending on the type of
244      * encoding expected for this error's payload.
245      */
246     function whichEncoding()
247     {
248         global $_Auth_OpenID_Request_Modes;
249
250         if ($this->hasReturnTo()) {
251             if ($this->message->isOpenID2() &&
252                 (strlen($this->encodeToURL()) >
253                    Auth_OpenID_OPENID1_URL_LIMIT)) {
254                 return Auth_OpenID_ENCODE_HTML_FORM;
255             } else {
256                 return Auth_OpenID_ENCODE_URL;
257             }
258         }
259
260         if (!$this->message) {
261             return null;
262         }
263
264         $mode = $this->message->getArg(Auth_OpenID_OPENID_NS,
265                                        'mode');
266
267         if ($mode) {
268             if (!in_array($mode, $_Auth_OpenID_Request_Modes)) {
269                 return Auth_OpenID_ENCODE_KVFORM;
270             }
271         }
272         return null;
273     }
274
275     /**
276      * Returns this error message.
277      */
278     function toString()
279     {
280         if ($this->text) {
281             return $this->text;
282         } else {
283             return get_class($this) . " error";
284         }
285     }
286 }
287
288 /**
289  * Error returned by the server code when a return_to is absent from a
290  * request.
291  *
292  * @package OpenID
293  */
294 class Auth_OpenID_NoReturnToError extends Auth_OpenID_ServerError {
295     function Auth_OpenID_NoReturnToError($message = null,
296                                          $text = "No return_to URL available")
297     {
298         parent::Auth_OpenID_ServerError($message, $text);
299     }
300
301     function toString()
302     {
303         return "No return_to available";
304     }
305 }
306
307 /**
308  * An error indicating that the return_to URL is malformed.
309  *
310  * @package OpenID
311  */
312 class Auth_OpenID_MalformedReturnURL extends Auth_OpenID_ServerError {
313     function Auth_OpenID_MalformedReturnURL($message, $return_to)
314     {
315         $this->return_to = $return_to;
316         parent::Auth_OpenID_ServerError($message, "malformed return_to URL");
317     }
318 }
319
320 /**
321  * This error is returned when the trust_root value is malformed.
322  *
323  * @package OpenID
324  */
325 class Auth_OpenID_MalformedTrustRoot extends Auth_OpenID_ServerError {
326     function Auth_OpenID_MalformedTrustRoot($message = null,
327                                             $text = "Malformed trust root")
328     {
329         parent::Auth_OpenID_ServerError($message, $text);
330     }
331
332     function toString()
333     {
334         return "Malformed trust root";
335     }
336 }
337
338 /**
339  * The base class for all server request classes.
340  *
341  * @package OpenID
342  */
343 class Auth_OpenID_Request {
344     var $mode = null;
345 }
346
347 /**
348  * A request to verify the validity of a previous response.
349  *
350  * @package OpenID
351  */
352 class Auth_OpenID_CheckAuthRequest extends Auth_OpenID_Request {
353     var $mode = "check_authentication";
354     var $invalidate_handle = null;
355
356     function Auth_OpenID_CheckAuthRequest($assoc_handle, $signed,
357                                           $invalidate_handle = null)
358     {
359         $this->assoc_handle = $assoc_handle;
360         $this->signed = $signed;
361         if ($invalidate_handle !== null) {
362             $this->invalidate_handle = $invalidate_handle;
363         }
364         $this->namespace = Auth_OpenID_OPENID2_NS;
365         $this->message = null;
366     }
367
368     static function fromMessage($message, $server=null)
369     {
370         $required_keys = array('assoc_handle', 'sig', 'signed');
371
372         foreach ($required_keys as $k) {
373             if (!$message->getArg(Auth_OpenID_OPENID_NS, $k)) {
374                 return new Auth_OpenID_ServerError($message,
375                     sprintf("%s request missing required parameter %s from \
376                             query", "check_authentication", $k));
377             }
378         }
379
380         $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle');
381         $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig');
382
383         $signed_list = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
384         $signed_list = explode(",", $signed_list);
385
386         $signed = $message;
387         if ($signed->hasKey(Auth_OpenID_OPENID_NS, 'mode')) {
388             $signed->setArg(Auth_OpenID_OPENID_NS, 'mode', 'id_res');
389         }
390
391         $result = new Auth_OpenID_CheckAuthRequest($assoc_handle, $signed);
392         $result->message = $message;
393         $result->sig = $sig;
394         $result->invalidate_handle = $message->getArg(Auth_OpenID_OPENID_NS,
395                                                       'invalidate_handle');
396         return $result;
397     }
398
399     function answer($signatory)
400     {
401         $is_valid = $signatory->verify($this->assoc_handle, $this->signed);
402
403         // Now invalidate that assoc_handle so it this checkAuth
404         // message cannot be replayed.
405         $signatory->invalidate($this->assoc_handle, true);
406         $response = new Auth_OpenID_ServerResponse($this);
407
408         $response->fields->setArg(Auth_OpenID_OPENID_NS,
409                                   'is_valid',
410                                   ($is_valid ? "true" : "false"));
411
412         if ($this->invalidate_handle) {
413             $assoc = $signatory->getAssociation($this->invalidate_handle,
414                                                 false);
415             if (!$assoc) {
416                 $response->fields->setArg(Auth_OpenID_OPENID_NS,
417                                           'invalidate_handle',
418                                           $this->invalidate_handle);
419             }
420         }
421         return $response;
422     }
423 }
424
425 /**
426  * A class implementing plaintext server sessions.
427  *
428  * @package OpenID
429  */
430 class Auth_OpenID_PlainTextServerSession {
431     /**
432      * An object that knows how to handle association requests with no
433      * session type.
434      */
435     var $session_type = 'no-encryption';
436     var $needs_math = false;
437     var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256');
438
439     static function fromMessage($unused_request)
440     {
441         return new Auth_OpenID_PlainTextServerSession();
442     }
443
444     function answer($secret)
445     {
446         return array('mac_key' => base64_encode($secret));
447     }
448 }
449
450 /**
451  * A class implementing DH-SHA1 server sessions.
452  *
453  * @package OpenID
454  */
455 class Auth_OpenID_DiffieHellmanSHA1ServerSession {
456     /**
457      * An object that knows how to handle association requests with
458      * the Diffie-Hellman session type.
459      */
460
461     var $session_type = 'DH-SHA1';
462     var $needs_math = true;
463     var $allowed_assoc_types = array('HMAC-SHA1');
464     var $hash_func = 'Auth_OpenID_SHA1';
465
466     function Auth_OpenID_DiffieHellmanSHA1ServerSession($dh, $consumer_pubkey)
467     {
468         $this->dh = $dh;
469         $this->consumer_pubkey = $consumer_pubkey;
470     }
471
472     static function getDH($message)
473     {
474         $dh_modulus = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_modulus');
475         $dh_gen = $message->getArg(Auth_OpenID_OPENID_NS, 'dh_gen');
476
477         if ((($dh_modulus === null) && ($dh_gen !== null)) ||
478             (($dh_gen === null) && ($dh_modulus !== null))) {
479
480             if ($dh_modulus === null) {
481                 $missing = 'modulus';
482             } else {
483                 $missing = 'generator';
484             }
485
486             return new Auth_OpenID_ServerError($message,
487                                 'If non-default modulus or generator is '.
488                                 'supplied, both must be supplied.  Missing '.
489                                 $missing);
490         }
491
492         $lib = Auth_OpenID_getMathLib();
493
494         if ($dh_modulus || $dh_gen) {
495             $dh_modulus = $lib->base64ToLong($dh_modulus);
496             $dh_gen = $lib->base64ToLong($dh_gen);
497             if ($lib->cmp($dh_modulus, 0) == 0 ||
498                 $lib->cmp($dh_gen, 0) == 0) {
499                 return new Auth_OpenID_ServerError(
500                   $message, "Failed to parse dh_mod or dh_gen");
501             }
502             $dh = new Auth_OpenID_DiffieHellman($dh_modulus, $dh_gen);
503         } else {
504             $dh = new Auth_OpenID_DiffieHellman();
505         }
506
507         $consumer_pubkey = $message->getArg(Auth_OpenID_OPENID_NS,
508                                             'dh_consumer_public');
509         if ($consumer_pubkey === null) {
510             return new Auth_OpenID_ServerError($message,
511                                   'Public key for DH-SHA1 session '.
512                                   'not found in query');
513         }
514
515         $consumer_pubkey =
516             $lib->base64ToLong($consumer_pubkey);
517
518         if ($consumer_pubkey === false) {
519             return new Auth_OpenID_ServerError($message,
520                                        "dh_consumer_public is not base64");
521         }
522
523         return array($dh, $consumer_pubkey);
524     }
525
526     static function fromMessage($message)
527     {
528         $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
529
530         if (is_a($result, 'Auth_OpenID_ServerError')) {
531             return $result;
532         } else {
533             list($dh, $consumer_pubkey) = $result;
534             return new Auth_OpenID_DiffieHellmanSHA1ServerSession($dh,
535                                                     $consumer_pubkey);
536         }
537     }
538
539     function answer($secret)
540     {
541         $lib = Auth_OpenID_getMathLib();
542         $mac_key = $this->dh->xorSecret($this->consumer_pubkey, $secret,
543                                         $this->hash_func);
544         return array(
545            'dh_server_public' =>
546                 $lib->longToBase64($this->dh->public),
547            'enc_mac_key' => base64_encode($mac_key));
548     }
549 }
550
551 /**
552  * A class implementing DH-SHA256 server sessions.
553  *
554  * @package OpenID
555  */
556 class Auth_OpenID_DiffieHellmanSHA256ServerSession
557       extends Auth_OpenID_DiffieHellmanSHA1ServerSession {
558
559     var $session_type = 'DH-SHA256';
560     var $hash_func = 'Auth_OpenID_SHA256';
561     var $allowed_assoc_types = array('HMAC-SHA256');
562
563     static function fromMessage($message)
564     {
565         $result = Auth_OpenID_DiffieHellmanSHA1ServerSession::getDH($message);
566
567         if (is_a($result, 'Auth_OpenID_ServerError')) {
568             return $result;
569         } else {
570             list($dh, $consumer_pubkey) = $result;
571             return new Auth_OpenID_DiffieHellmanSHA256ServerSession($dh,
572                                                       $consumer_pubkey);
573         }
574     }
575 }
576
577 /**
578  * A request to associate with the server.
579  *
580  * @package OpenID
581  */
582 class Auth_OpenID_AssociateRequest extends Auth_OpenID_Request {
583     var $mode = "associate";
584
585     static function getSessionClasses()
586     {
587         return array(
588           'no-encryption' => 'Auth_OpenID_PlainTextServerSession',
589           'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ServerSession',
590           'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ServerSession');
591     }
592
593     function Auth_OpenID_AssociateRequest($session, $assoc_type)
594     {
595         $this->session = $session;
596         $this->namespace = Auth_OpenID_OPENID2_NS;
597         $this->assoc_type = $assoc_type;
598     }
599
600     static function fromMessage($message, $server=null)
601     {
602         if ($message->isOpenID1()) {
603             $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
604                                              'session_type');
605
606             if ($session_type == 'no-encryption') {
607                 // oidutil.log('Received OpenID 1 request with a no-encryption '
608                 //             'assocaition session type. Continuing anyway.')
609             } else if (!$session_type) {
610                 $session_type = 'no-encryption';
611             }
612         } else {
613             $session_type = $message->getArg(Auth_OpenID_OPENID_NS,
614                                              'session_type');
615             if ($session_type === null) {
616                 return new Auth_OpenID_ServerError($message,
617                   "session_type missing from request");
618             }
619         }
620
621         $session_class = Auth_OpenID::arrayGet(
622            Auth_OpenID_AssociateRequest::getSessionClasses(),
623            $session_type);
624
625         if ($session_class === null) {
626             return new Auth_OpenID_ServerError($message,
627                                                "Unknown session type " .
628                                                $session_type);
629         }
630
631         $session = call_user_func(array($session_class, 'fromMessage'),
632                                   $message);
633         if (is_a($session, 'Auth_OpenID_ServerError')) {
634             return $session;
635         }
636
637         $assoc_type = $message->getArg(Auth_OpenID_OPENID_NS,
638                                        'assoc_type', 'HMAC-SHA1');
639
640         if (!in_array($assoc_type, $session->allowed_assoc_types)) {
641             $fmt = "Session type %s does not support association type %s";
642             return new Auth_OpenID_ServerError($message,
643               sprintf($fmt, $session_type, $assoc_type));
644         }
645
646         $obj = new Auth_OpenID_AssociateRequest($session, $assoc_type);
647         $obj->message = $message;
648         $obj->namespace = $message->getOpenIDNamespace();
649         return $obj;
650     }
651
652     function answer($assoc)
653     {
654         $response = new Auth_OpenID_ServerResponse($this);
655         $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
656            array(
657                  'expires_in' => sprintf('%d', $assoc->getExpiresIn()),
658                  'assoc_type' => $this->assoc_type,
659                  'assoc_handle' => $assoc->handle));
660
661         $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
662            $this->session->answer($assoc->secret));
663
664         if (! ($this->session->session_type == 'no-encryption' 
665                && $this->message->isOpenID1())) {
666             $response->fields->setArg(Auth_OpenID_OPENID_NS,
667                                       'session_type',
668                                       $this->session->session_type);
669         }
670
671         return $response;
672     }
673
674     function answerUnsupported($text_message,
675                                $preferred_association_type=null,
676                                $preferred_session_type=null)
677     {
678         if ($this->message->isOpenID1()) {
679             return new Auth_OpenID_ServerError($this->message);
680         }
681
682         $response = new Auth_OpenID_ServerResponse($this);
683         $response->fields->setArg(Auth_OpenID_OPENID_NS,
684                                   'error_code', 'unsupported-type');
685         $response->fields->setArg(Auth_OpenID_OPENID_NS,
686                                   'error', $text_message);
687
688         if ($preferred_association_type) {
689             $response->fields->setArg(Auth_OpenID_OPENID_NS,
690                                       'assoc_type',
691                                       $preferred_association_type);
692         }
693
694         if ($preferred_session_type) {
695             $response->fields->setArg(Auth_OpenID_OPENID_NS,
696                                       'session_type',
697                                       $preferred_session_type);
698         }
699         $response->code = AUTH_OPENID_HTTP_ERROR;
700         return $response;
701     }
702 }
703
704 /**
705  * A request to confirm the identity of a user.
706  *
707  * @package OpenID
708  */
709 class Auth_OpenID_CheckIDRequest extends Auth_OpenID_Request {
710     /**
711      * Return-to verification callback.  Default is
712      * Auth_OpenID_verifyReturnTo from TrustRoot.php.
713      */
714     var $verifyReturnTo = 'Auth_OpenID_verifyReturnTo';
715
716     /**
717      * The mode of this request.
718      */
719     var $mode = "checkid_setup"; // or "checkid_immediate"
720
721     /**
722      * Whether this request is for immediate mode.
723      */
724     var $immediate = false;
725
726     /**
727      * The trust_root value for this request.
728      */
729     var $trust_root = null;
730
731     /**
732      * The OpenID namespace for this request.
733      * deprecated since version 2.0.2
734      */
735     var $namespace;
736     
737     static function make($message, $identity, $return_to, $trust_root = null,
738                   $immediate = false, $assoc_handle = null, $server = null)
739     {
740         if ($server === null) {
741             return new Auth_OpenID_ServerError($message,
742                                                "server must not be null");
743         }
744
745         if ($return_to &&
746             !Auth_OpenID_TrustRoot::_parse($return_to)) {
747             return new Auth_OpenID_MalformedReturnURL($message, $return_to);
748         }
749
750         $r = new Auth_OpenID_CheckIDRequest($identity, $return_to,
751                                             $trust_root, $immediate,
752                                             $assoc_handle, $server);
753
754         $r->namespace = $message->getOpenIDNamespace();
755         $r->message = $message;
756
757         if (!$r->trustRootValid()) {
758             return new Auth_OpenID_UntrustedReturnURL($message,
759                                                       $return_to,
760                                                       $trust_root);
761         } else {
762             return $r;
763         }
764     }
765
766     function Auth_OpenID_CheckIDRequest($identity, $return_to,
767                                         $trust_root = null, $immediate = false,
768                                         $assoc_handle = null, $server = null,
769                                         $claimed_id = null)
770     {
771         $this->namespace = Auth_OpenID_OPENID2_NS;
772         $this->assoc_handle = $assoc_handle;
773         $this->identity = $identity;
774         if ($claimed_id === null) {
775             $this->claimed_id = $identity;
776         } else {
777             $this->claimed_id = $claimed_id;
778         }
779         $this->return_to = $return_to;
780         $this->trust_root = $trust_root;
781         $this->server = $server;
782
783         if ($immediate) {
784             $this->immediate = true;
785             $this->mode = "checkid_immediate";
786         } else {
787             $this->immediate = false;
788             $this->mode = "checkid_setup";
789         }
790     }
791
792     function equals($other)
793     {
794         return (
795                 (is_a($other, 'Auth_OpenID_CheckIDRequest')) &&
796                 ($this->namespace == $other->namespace) &&
797                 ($this->assoc_handle == $other->assoc_handle) &&
798                 ($this->identity == $other->identity) &&
799                 ($this->claimed_id == $other->claimed_id) &&
800                 ($this->return_to == $other->return_to) &&
801                 ($this->trust_root == $other->trust_root));
802     }
803
804     /*
805      * Does the relying party publish the return_to URL for this
806      * response under the realm? It is up to the provider to set a
807      * policy for what kinds of realms should be allowed. This
808      * return_to URL verification reduces vulnerability to data-theft
809      * attacks based on open proxies, corss-site-scripting, or open
810      * redirectors.
811      *
812      * This check should only be performed after making sure that the
813      * return_to URL matches the realm.
814      *
815      * @return true if the realm publishes a document with the
816      * return_to URL listed, false if not or if discovery fails
817      */
818     function returnToVerified()
819     {
820         $fetcher = Auth_Yadis_Yadis::getHTTPFetcher();
821         return call_user_func_array($this->verifyReturnTo,
822                                     array($this->trust_root, $this->return_to, $fetcher));
823     }
824
825     static function fromMessage($message, $server)
826     {
827         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
828         $immediate = null;
829
830         if ($mode == "checkid_immediate") {
831             $immediate = true;
832             $mode = "checkid_immediate";
833         } else {
834             $immediate = false;
835             $mode = "checkid_setup";
836         }
837
838         $return_to = $message->getArg(Auth_OpenID_OPENID_NS,
839                                       'return_to');
840
841         if (($message->isOpenID1()) &&
842             (!$return_to)) {
843             $fmt = "Missing required field 'return_to' from checkid request";
844             return new Auth_OpenID_ServerError($message, $fmt);
845         }
846
847         $identity = $message->getArg(Auth_OpenID_OPENID_NS,
848                                      'identity');
849         $claimed_id = $message->getArg(Auth_OpenID_OPENID_NS, 'claimed_id');
850         if ($message->isOpenID1()) {
851             if ($identity === null) {
852                 $s = "OpenID 1 message did not contain openid.identity";
853                 return new Auth_OpenID_ServerError($message, $s);
854             }
855         } else {
856             if ($identity && !$claimed_id) {
857                 $s = "OpenID 2.0 message contained openid.identity but not " .
858                   "claimed_id";
859                 return new Auth_OpenID_ServerError($message, $s);
860             } else if ($claimed_id && !$identity) {
861                 $s = "OpenID 2.0 message contained openid.claimed_id " .
862                   "but not identity";
863                 return new Auth_OpenID_ServerError($message, $s);
864             }
865         }
866
867         // There's a case for making self.trust_root be a TrustRoot
868         // here.  But if TrustRoot isn't currently part of the
869         // "public" API, I'm not sure it's worth doing.
870         if ($message->isOpenID1()) {
871             $trust_root_param = 'trust_root';
872         } else {
873             $trust_root_param = 'realm';
874         }
875         $trust_root = $message->getArg(Auth_OpenID_OPENID_NS, 
876                                        $trust_root_param);
877         if (! $trust_root) {
878             $trust_root = $return_to;
879         }
880
881         if (! $message->isOpenID1() && 
882             ($return_to === null) &&
883             ($trust_root === null)) {
884             return new Auth_OpenID_ServerError($message,
885               "openid.realm required when openid.return_to absent");
886         }
887
888         $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
889                                          'assoc_handle');
890
891         $obj = Auth_OpenID_CheckIDRequest::make($message,
892                                                 $identity,
893                                                 $return_to,
894                                                 $trust_root,
895                                                 $immediate,
896                                                 $assoc_handle,
897                                                 $server);
898
899         if (is_a($obj, 'Auth_OpenID_ServerError')) {
900             return $obj;
901         }
902
903         $obj->claimed_id = $claimed_id;
904
905         return $obj;
906     }
907
908     function idSelect()
909     {
910         // Is the identifier to be selected by the IDP?
911         // So IDPs don't have to import the constant
912         return $this->identity == Auth_OpenID_IDENTIFIER_SELECT;
913     }
914
915     function trustRootValid()
916     {
917         if (!$this->trust_root) {
918             return true;
919         }
920
921         $tr = Auth_OpenID_TrustRoot::_parse($this->trust_root);
922         if ($tr === false) {
923             return new Auth_OpenID_MalformedTrustRoot($this->message,
924                                                       $this->trust_root);
925         }
926
927         if ($this->return_to !== null) {
928             return Auth_OpenID_TrustRoot::match($this->trust_root,
929                                                 $this->return_to);
930         } else {
931             return true;
932         }
933     }
934
935     /**
936      * Respond to this request.  Return either an
937      * {@link Auth_OpenID_ServerResponse} or
938      * {@link Auth_OpenID_ServerError}.
939      *
940      * @param bool $allow Allow this user to claim this identity, and
941      * allow the consumer to have this information?
942      *
943      * @param string $server_url DEPRECATED.  Passing $op_endpoint to
944      * the {@link Auth_OpenID_Server} constructor makes this optional.
945      *
946      * When an OpenID 1.x immediate mode request does not succeed, it
947      * gets back a URL where the request may be carried out in a
948      * not-so-immediate fashion.  Pass my URL in here (the fully
949      * qualified address of this server's endpoint, i.e.
950      * http://example.com/server), and I will use it as a base for the
951      * URL for a new request.
952      *
953      * Optional for requests where {@link $immediate} is false or
954      * $allow is true.
955      *
956      * @param string $identity The OP-local identifier to answer with.
957      * Only for use when the relying party requested identifier
958      * selection.
959      *
960      * @param string $claimed_id The claimed identifier to answer
961      * with, for use with identifier selection in the case where the
962      * claimed identifier and the OP-local identifier differ,
963      * i.e. when the claimed_id uses delegation.
964      *
965      * If $identity is provided but this is not, $claimed_id will
966      * default to the value of $identity.  When answering requests
967      * that did not ask for identifier selection, the response
968      * $claimed_id will default to that of the request.
969      *
970      * This parameter is new in OpenID 2.0.
971      *
972      * @return mixed
973      */
974     function answer($allow, $server_url = null, $identity = null,
975                     $claimed_id = null)
976     {
977         if (!$this->return_to) {
978             return new Auth_OpenID_NoReturnToError();
979         }
980
981         if (!$server_url) {
982             if ((!$this->message->isOpenID1()) &&
983                 (!$this->server->op_endpoint)) {
984                 return new Auth_OpenID_ServerError(null,
985                   "server should be constructed with op_endpoint to " .
986                   "respond to OpenID 2.0 messages.");
987             }
988
989             $server_url = $this->server->op_endpoint;
990         }
991
992         if ($allow) {
993             $mode = 'id_res';
994         } else if ($this->message->isOpenID1()) {
995             if ($this->immediate) {
996                 $mode = 'id_res';
997             } else {
998                 $mode = 'cancel';
999             }
1000         } else {
1001             if ($this->immediate) {
1002                 $mode = 'setup_needed';
1003             } else {
1004                 $mode = 'cancel';
1005             }
1006         }
1007
1008         if (!$this->trustRootValid()) {
1009             return new Auth_OpenID_UntrustedReturnURL(null,
1010                                                       $this->return_to,
1011                                                       $this->trust_root);
1012         }
1013
1014         $response = new Auth_OpenID_ServerResponse($this);
1015
1016         if ($claimed_id &&
1017             ($this->message->isOpenID1())) {
1018             return new Auth_OpenID_ServerError(null,
1019               "claimed_id is new in OpenID 2.0 and not " .
1020               "available for ".$this->namespace);
1021         }
1022
1023         if ($identity && !$claimed_id) {
1024             $claimed_id = $identity;
1025         }
1026
1027         if ($allow) {
1028
1029             if ($this->identity == Auth_OpenID_IDENTIFIER_SELECT) {
1030                 if (!$identity) {
1031                     return new Auth_OpenID_ServerError(null,
1032                       "This request uses IdP-driven identifier selection.  " .
1033                       "You must supply an identifier in the response.");
1034                 }
1035
1036                 $response_identity = $identity;
1037                 $response_claimed_id = $claimed_id;
1038
1039             } else if ($this->identity) {
1040                 if ($identity &&
1041                     ($this->identity != $identity)) {
1042                     $fmt = "Request was for %s, cannot reply with identity %s";
1043                     return new Auth_OpenID_ServerError(null,
1044                       sprintf($fmt, $this->identity, $identity));
1045                 }
1046
1047                 $response_identity = $this->identity;
1048                 $response_claimed_id = $this->claimed_id;
1049             } else {
1050                 if ($identity) {
1051                     return new Auth_OpenID_ServerError(null,
1052                       "This request specified no identity and " .
1053                       "you supplied ".$identity);
1054                 }
1055
1056                 $response_identity = null;
1057             }
1058
1059             if (($this->message->isOpenID1()) &&
1060                 ($response_identity === null)) {
1061                 return new Auth_OpenID_ServerError(null,
1062                   "Request was an OpenID 1 request, so response must " .
1063                   "include an identifier.");
1064             }
1065
1066             $response->fields->updateArgs(Auth_OpenID_OPENID_NS,
1067                    array('mode' => $mode,
1068                          'return_to' => $this->return_to,
1069                          'response_nonce' => Auth_OpenID_mkNonce()));
1070
1071             if (!$this->message->isOpenID1()) {
1072                 $response->fields->setArg(Auth_OpenID_OPENID_NS,
1073                                           'op_endpoint', $server_url);
1074             }
1075
1076             if ($response_identity !== null) {
1077                 $response->fields->setArg(
1078                                           Auth_OpenID_OPENID_NS,
1079                                           'identity',
1080                                           $response_identity);
1081                 if ($this->message->isOpenID2()) {
1082                     $response->fields->setArg(
1083                                               Auth_OpenID_OPENID_NS,
1084                                               'claimed_id',
1085                                               $response_claimed_id);
1086                 }
1087             }
1088
1089         } else {
1090             $response->fields->setArg(Auth_OpenID_OPENID_NS,
1091                                       'mode', $mode);
1092
1093             if ($this->immediate) {
1094                 if (($this->message->isOpenID1()) &&
1095                     (!$server_url)) {
1096                     return new Auth_OpenID_ServerError(null,
1097                                  'setup_url is required for $allow=false \
1098                                   in OpenID 1.x immediate mode.');
1099                 }
1100
1101                 $setup_request = new Auth_OpenID_CheckIDRequest(
1102                                                 $this->identity,
1103                                                 $this->return_to,
1104                                                 $this->trust_root,
1105                                                 false,
1106                                                 $this->assoc_handle,
1107                                                 $this->server,
1108                                                 $this->claimed_id);
1109                 $setup_request->message = $this->message;
1110
1111                 $setup_url = $setup_request->encodeToURL($server_url);
1112
1113                 if ($setup_url === null) {
1114                     return new Auth_OpenID_NoReturnToError();
1115                 }
1116
1117                 $response->fields->setArg(Auth_OpenID_OPENID_NS,
1118                                           'user_setup_url',
1119                                           $setup_url);
1120             }
1121         }
1122
1123         return $response;
1124     }
1125
1126     function encodeToURL($server_url)
1127     {
1128         if (!$this->return_to) {
1129             return new Auth_OpenID_NoReturnToError();
1130         }
1131
1132         // Imported from the alternate reality where these classes are
1133         // used in both the client and server code, so Requests are
1134         // Encodable too.  That's right, code imported from alternate
1135         // realities all for the love of you, id_res/user_setup_url.
1136
1137         $q = array('mode' => $this->mode,
1138                    'identity' => $this->identity,
1139                    'claimed_id' => $this->claimed_id,
1140                    'return_to' => $this->return_to);
1141
1142         if ($this->trust_root) {
1143             if ($this->message->isOpenID1()) {
1144                 $q['trust_root'] = $this->trust_root;
1145             } else {
1146                 $q['realm'] = $this->trust_root;
1147             }
1148         }
1149
1150         if ($this->assoc_handle) {
1151             $q['assoc_handle'] = $this->assoc_handle;
1152         }
1153
1154         $response = new Auth_OpenID_Message(
1155             $this->message->getOpenIDNamespace());
1156         $response->updateArgs(Auth_OpenID_OPENID_NS, $q);
1157         return $response->toURL($server_url);
1158     }
1159
1160     function getCancelURL()
1161     {
1162         if (!$this->return_to) {
1163             return new Auth_OpenID_NoReturnToError();
1164         }
1165
1166         if ($this->immediate) {
1167             return new Auth_OpenID_ServerError(null,
1168                                                "Cancel is not an appropriate \
1169                                                response to immediate mode \
1170                                                requests.");
1171         }
1172
1173         $response = new Auth_OpenID_Message(
1174             $this->message->getOpenIDNamespace());
1175         $response->setArg(Auth_OpenID_OPENID_NS, 'mode', 'cancel');
1176         return $response->toURL($this->return_to);
1177     }
1178 }
1179
1180 /**
1181  * This class encapsulates the response to an OpenID server request.
1182  *
1183  * @package OpenID
1184  */
1185 class Auth_OpenID_ServerResponse {
1186
1187     function Auth_OpenID_ServerResponse($request)
1188     {
1189         $this->request = $request;
1190         $this->fields = new Auth_OpenID_Message($this->request->namespace);
1191     }
1192
1193     function whichEncoding()
1194     {
1195       global $_Auth_OpenID_Request_Modes;
1196
1197         if (in_array($this->request->mode, $_Auth_OpenID_Request_Modes)) {
1198             if ($this->fields->isOpenID2() &&
1199                 (strlen($this->encodeToURL()) >
1200                    Auth_OpenID_OPENID1_URL_LIMIT)) {
1201                 return Auth_OpenID_ENCODE_HTML_FORM;
1202             } else {
1203                 return Auth_OpenID_ENCODE_URL;
1204             }
1205         } else {
1206             return Auth_OpenID_ENCODE_KVFORM;
1207         }
1208     }
1209
1210     /*
1211      * Returns the form markup for this response.
1212      *
1213      * @return str
1214      */
1215     function toFormMarkup($form_tag_attrs=null)
1216     {
1217         return $this->fields->toFormMarkup($this->request->return_to,
1218                                            $form_tag_attrs);
1219     }
1220
1221     /*
1222      * Returns an HTML document containing the form markup for this
1223      * response that autosubmits with javascript.
1224      */
1225     function toHTML()
1226     {
1227         return Auth_OpenID::autoSubmitHTML($this->toFormMarkup());
1228     }
1229
1230     /*
1231      * Returns True if this response's encoding is ENCODE_HTML_FORM.
1232      * Convenience method for server authors.
1233      *
1234      * @return bool
1235      */
1236     function renderAsForm()
1237     {
1238         return $this->whichEncoding() == Auth_OpenID_ENCODE_HTML_FORM;
1239     }
1240
1241
1242     function encodeToURL()
1243     {
1244         return $this->fields->toURL($this->request->return_to);
1245     }
1246
1247     function addExtension($extension_response)
1248     {
1249         $extension_response->toMessage($this->fields);
1250     }
1251
1252     function needsSigning()
1253     {
1254         return $this->fields->getArg(Auth_OpenID_OPENID_NS,
1255                                      'mode') == 'id_res';
1256     }
1257
1258     function encodeToKVForm()
1259     {
1260         return $this->fields->toKVForm();
1261     }
1262 }
1263
1264 /**
1265  * A web-capable response object which you can use to generate a
1266  * user-agent response.
1267  *
1268  * @package OpenID
1269  */
1270 class Auth_OpenID_WebResponse {
1271     var $code = AUTH_OPENID_HTTP_OK;
1272     var $body = "";
1273
1274     function Auth_OpenID_WebResponse($code = null, $headers = null,
1275                                      $body = null)
1276     {
1277         if ($code) {
1278             $this->code = $code;
1279         }
1280
1281         if ($headers !== null) {
1282             $this->headers = $headers;
1283         } else {
1284             $this->headers = array();
1285         }
1286
1287         if ($body !== null) {
1288             $this->body = $body;
1289         }
1290     }
1291 }
1292
1293 /**
1294  * Responsible for the signature of query data and the verification of
1295  * OpenID signature values.
1296  *
1297  * @package OpenID
1298  */
1299 class Auth_OpenID_Signatory {
1300
1301     // = 14 * 24 * 60 * 60; # 14 days, in seconds
1302     var $SECRET_LIFETIME = 1209600;
1303
1304     // keys have a bogus server URL in them because the filestore
1305     // really does expect that key to be a URL.  This seems a little
1306     // silly for the server store, since I expect there to be only one
1307     // server URL.
1308     var $normal_key = 'http://localhost/|normal';
1309     var $dumb_key = 'http://localhost/|dumb';
1310
1311     /**
1312      * Create a new signatory using a given store.
1313      */
1314     function Auth_OpenID_Signatory($store)
1315     {
1316         // assert store is not None
1317         $this->store = $store;
1318     }
1319
1320     /**
1321      * Verify, using a given association handle, a signature with
1322      * signed key-value pairs from an HTTP request.
1323      */
1324     function verify($assoc_handle, $message)
1325     {
1326         $assoc = $this->getAssociation($assoc_handle, true);
1327         if (!$assoc) {
1328             // oidutil.log("failed to get assoc with handle %r to verify sig %r"
1329             //             % (assoc_handle, sig))
1330             return false;
1331         }
1332
1333         return $assoc->checkMessageSignature($message);
1334     }
1335
1336     /**
1337      * Given a response, sign the fields in the response's 'signed'
1338      * list, and insert the signature into the response.
1339      */
1340     function sign($response)
1341     {
1342         $signed_response = $response;
1343         $assoc_handle = $response->request->assoc_handle;
1344
1345         if ($assoc_handle) {
1346             // normal mode
1347             $assoc = $this->getAssociation($assoc_handle, false, false);
1348             if (!$assoc || ($assoc->getExpiresIn() <= 0)) {
1349                 // fall back to dumb mode
1350                 $signed_response->fields->setArg(Auth_OpenID_OPENID_NS,
1351                              'invalidate_handle', $assoc_handle);
1352                 $assoc_type = ($assoc ? $assoc->assoc_type : 'HMAC-SHA1');
1353
1354                 if ($assoc && ($assoc->getExpiresIn() <= 0)) {
1355                     $this->invalidate($assoc_handle, false);
1356                 }
1357
1358                 $assoc = $this->createAssociation(true, $assoc_type);
1359             }
1360         } else {
1361             // dumb mode.
1362             $assoc = $this->createAssociation(true);
1363         }
1364
1365         $signed_response->fields = $assoc->signMessage(
1366                                       $signed_response->fields);
1367         return $signed_response;
1368     }
1369
1370     /**
1371      * Make a new association.
1372      */
1373     function createAssociation($dumb = true, $assoc_type = 'HMAC-SHA1')
1374     {
1375         $secret = Auth_OpenID_CryptUtil::getBytes(
1376                     Auth_OpenID_getSecretSize($assoc_type));
1377
1378         $uniq = base64_encode(Auth_OpenID_CryptUtil::getBytes(4));
1379         $handle = sprintf('{%s}{%x}{%s}', $assoc_type, intval(time()), $uniq);
1380
1381         $assoc = Auth_OpenID_Association::fromExpiresIn(
1382                       $this->SECRET_LIFETIME, $handle, $secret, $assoc_type);
1383
1384         if ($dumb) {
1385             $key = $this->dumb_key;
1386         } else {
1387             $key = $this->normal_key;
1388         }
1389
1390         $this->store->storeAssociation($key, $assoc);
1391         return $assoc;
1392     }
1393
1394     /**
1395      * Given an association handle, get the association from the
1396      * store, or return a ServerError or null if something goes wrong.
1397      */
1398     function getAssociation($assoc_handle, $dumb, $check_expiration=true)
1399     {
1400         if ($assoc_handle === null) {
1401             return new Auth_OpenID_ServerError(null,
1402                                      "assoc_handle must not be null");
1403         }
1404
1405         if ($dumb) {
1406             $key = $this->dumb_key;
1407         } else {
1408             $key = $this->normal_key;
1409         }
1410
1411         $assoc = $this->store->getAssociation($key, $assoc_handle);
1412
1413         if (($assoc !== null) && ($assoc->getExpiresIn() <= 0)) {
1414             if ($check_expiration) {
1415                 $this->store->removeAssociation($key, $assoc_handle);
1416                 $assoc = null;
1417             }
1418         }
1419
1420         return $assoc;
1421     }
1422
1423     /**
1424      * Invalidate a given association handle.
1425      */
1426     function invalidate($assoc_handle, $dumb)
1427     {
1428         if ($dumb) {
1429             $key = $this->dumb_key;
1430         } else {
1431             $key = $this->normal_key;
1432         }
1433         $this->store->removeAssociation($key, $assoc_handle);
1434     }
1435 }
1436
1437 /**
1438  * Encode an {@link Auth_OpenID_ServerResponse} to an
1439  * {@link Auth_OpenID_WebResponse}.
1440  *
1441  * @package OpenID
1442  */
1443 class Auth_OpenID_Encoder {
1444
1445     var $responseFactory = 'Auth_OpenID_WebResponse';
1446
1447     /**
1448      * Encode an {@link Auth_OpenID_ServerResponse} and return an
1449      * {@link Auth_OpenID_WebResponse}.
1450      */
1451     function encode($response)
1452     {
1453         $cls = $this->responseFactory;
1454
1455         $encode_as = $response->whichEncoding();
1456         if ($encode_as == Auth_OpenID_ENCODE_KVFORM) {
1457             $wr = new $cls(null, null, $response->encodeToKVForm());
1458             if (is_a($response, 'Auth_OpenID_ServerError')) {
1459                 $wr->code = AUTH_OPENID_HTTP_ERROR;
1460             }
1461         } else if ($encode_as == Auth_OpenID_ENCODE_URL) {
1462             $location = $response->encodeToURL();
1463             $wr = new $cls(AUTH_OPENID_HTTP_REDIRECT,
1464                            array('location' => $location));
1465         } else if ($encode_as == Auth_OpenID_ENCODE_HTML_FORM) {
1466           $wr = new $cls(AUTH_OPENID_HTTP_OK, array(),
1467                          $response->toHTML());
1468         } else {
1469             return new Auth_OpenID_EncodingError($response);
1470         }
1471         /* Allow the response to carry a custom error code (ex: for Association errors) */
1472         if(isset($response->code)) {
1473             $wr->code = $response->code;
1474         }
1475         return $wr;
1476     }
1477 }
1478
1479 /**
1480  * An encoder which also takes care of signing fields when required.
1481  *
1482  * @package OpenID
1483  */
1484 class Auth_OpenID_SigningEncoder extends Auth_OpenID_Encoder {
1485
1486     function Auth_OpenID_SigningEncoder($signatory)
1487     {
1488         $this->signatory = $signatory;
1489     }
1490
1491     /**
1492      * Sign an {@link Auth_OpenID_ServerResponse} and return an
1493      * {@link Auth_OpenID_WebResponse}.
1494      */
1495     function encode($response)
1496     {
1497         // the isinstance is a bit of a kludge... it means there isn't
1498         // really an adapter to make the interfaces quite match.
1499         if (!is_a($response, 'Auth_OpenID_ServerError') &&
1500             $response->needsSigning()) {
1501
1502             if (!$this->signatory) {
1503                 return new Auth_OpenID_ServerError(null,
1504                                        "Must have a store to sign request");
1505             }
1506
1507             if ($response->fields->hasKey(Auth_OpenID_OPENID_NS, 'sig')) {
1508                 return new Auth_OpenID_AlreadySigned($response);
1509             }
1510             $response = $this->signatory->sign($response);
1511         }
1512
1513         return parent::encode($response);
1514     }
1515 }
1516
1517 /**
1518  * Decode an incoming query into an Auth_OpenID_Request.
1519  *
1520  * @package OpenID
1521  */
1522 class Auth_OpenID_Decoder {
1523
1524     function Auth_OpenID_Decoder($server)
1525     {
1526         $this->server = $server;
1527
1528         $this->handlers = array(
1529             'checkid_setup' => 'Auth_OpenID_CheckIDRequest',
1530             'checkid_immediate' => 'Auth_OpenID_CheckIDRequest',
1531             'check_authentication' => 'Auth_OpenID_CheckAuthRequest',
1532             'associate' => 'Auth_OpenID_AssociateRequest'
1533             );
1534     }
1535
1536     /**
1537      * Given an HTTP query in an array (key-value pairs), decode it
1538      * into an Auth_OpenID_Request object.
1539      */
1540     function decode($query)
1541     {
1542         if (!$query) {
1543             return null;
1544         }
1545
1546         $message = Auth_OpenID_Message::fromPostArgs($query);
1547
1548         if ($message === null) {
1549             /*
1550              * It's useful to have a Message attached to a
1551              * ProtocolError, so we override the bad ns value to build
1552              * a Message out of it.  Kinda kludgy, since it's made of
1553              * lies, but the parts that aren't lies are more useful
1554              * than a 'None'.
1555              */
1556             $old_ns = $query['openid.ns'];
1557
1558             $query['openid.ns'] = Auth_OpenID_OPENID2_NS;
1559             $message = Auth_OpenID_Message::fromPostArgs($query);
1560             return new Auth_OpenID_ServerError(
1561                   $message,
1562                   sprintf("Invalid OpenID namespace URI: %s", $old_ns));
1563         }
1564
1565         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
1566         if (!$mode) {
1567             return new Auth_OpenID_ServerError($message,
1568                                                "No mode value in message");
1569         }
1570
1571         if (Auth_OpenID::isFailure($mode)) {
1572             return new Auth_OpenID_ServerError($message,
1573                                                $mode->message);
1574         }
1575
1576         $handlerCls = Auth_OpenID::arrayGet($this->handlers, $mode,
1577                                             $this->defaultDecoder($message));
1578
1579         if (!is_a($handlerCls, 'Auth_OpenID_ServerError')) {
1580             return call_user_func_array(array($handlerCls, 'fromMessage'),
1581                                         array($message, $this->server));
1582         } else {
1583             return $handlerCls;
1584         }
1585     }
1586
1587     function defaultDecoder($message)
1588     {
1589         $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode');
1590
1591         if (Auth_OpenID::isFailure($mode)) {
1592             return new Auth_OpenID_ServerError($message,
1593                                                $mode->message);
1594         }
1595
1596         return new Auth_OpenID_ServerError($message,
1597                        sprintf("Unrecognized OpenID mode %s", $mode));
1598     }
1599 }
1600
1601 /**
1602  * An error that indicates an encoding problem occurred.
1603  *
1604  * @package OpenID
1605  */
1606 class Auth_OpenID_EncodingError {
1607     function Auth_OpenID_EncodingError($response)
1608     {
1609         $this->response = $response;
1610     }
1611 }
1612
1613 /**
1614  * An error that indicates that a response was already signed.
1615  *
1616  * @package OpenID
1617  */
1618 class Auth_OpenID_AlreadySigned extends Auth_OpenID_EncodingError {
1619     // This response is already signed.
1620 }
1621
1622 /**
1623  * An error that indicates that the given return_to is not under the
1624  * given trust_root.
1625  *
1626  * @package OpenID
1627  */
1628 class Auth_OpenID_UntrustedReturnURL extends Auth_OpenID_ServerError {
1629     function Auth_OpenID_UntrustedReturnURL($message, $return_to,
1630                                             $trust_root)
1631     {
1632         parent::Auth_OpenID_ServerError($message, "Untrusted return_to URL");
1633         $this->return_to = $return_to;
1634         $this->trust_root = $trust_root;
1635     }
1636
1637     function toString()
1638     {
1639         return sprintf("return_to %s not under trust_root %s",
1640                        $this->return_to, $this->trust_root);
1641     }
1642 }
1643
1644 /**
1645  * I handle requests for an OpenID server.
1646  *
1647  * Some types of requests (those which are not checkid requests) may
1648  * be handed to my {@link handleRequest} method, and I will take care
1649  * of it and return a response.
1650  *
1651  * For your convenience, I also provide an interface to {@link
1652  * Auth_OpenID_Decoder::decode()} and {@link
1653  * Auth_OpenID_SigningEncoder::encode()} through my methods {@link
1654  * decodeRequest} and {@link encodeResponse}.
1655  *
1656  * All my state is encapsulated in an {@link Auth_OpenID_OpenIDStore}.
1657  *
1658  * Example:
1659  *
1660  * <pre> $oserver = new Auth_OpenID_Server(Auth_OpenID_FileStore($data_path),
1661  *                                   "http://example.com/op");
1662  * $request = $oserver->decodeRequest();
1663  * if (in_array($request->mode, array('checkid_immediate',
1664  *                                    'checkid_setup'))) {
1665  *     if ($app->isAuthorized($request->identity, $request->trust_root)) {
1666  *         $response = $request->answer(true);
1667  *     } else if ($request->immediate) {
1668  *         $response = $request->answer(false);
1669  *     } else {
1670  *         $app->showDecidePage($request);
1671  *         return;
1672  *     }
1673  * } else {
1674  *     $response = $oserver->handleRequest($request);
1675  * }
1676  *
1677  * $webresponse = $oserver->encode($response);</pre>
1678  *
1679  * @package OpenID
1680  */
1681 class Auth_OpenID_Server {
1682     function Auth_OpenID_Server($store, $op_endpoint=null)
1683     {
1684         $this->store = $store;
1685         $this->signatory = new Auth_OpenID_Signatory($this->store);
1686         $this->encoder = new Auth_OpenID_SigningEncoder($this->signatory);
1687         $this->decoder = new Auth_OpenID_Decoder($this);
1688         $this->op_endpoint = $op_endpoint;
1689         $this->negotiator = Auth_OpenID_getDefaultNegotiator();
1690     }
1691
1692     /**
1693      * Handle a request.  Given an {@link Auth_OpenID_Request} object,
1694      * call the appropriate {@link Auth_OpenID_Server} method to
1695      * process the request and generate a response.
1696      *
1697      * @param Auth_OpenID_Request $request An {@link Auth_OpenID_Request}
1698      * returned by {@link Auth_OpenID_Server::decodeRequest()}.
1699      *
1700      * @return Auth_OpenID_ServerResponse $response A response object
1701      * capable of generating a user-agent reply.
1702      */
1703     function handleRequest($request)
1704     {
1705         if (method_exists($this, "openid_" . $request->mode)) {
1706             $handler = array($this, "openid_" . $request->mode);
1707             return call_user_func($handler, $request);
1708         }
1709         return null;
1710     }
1711
1712     /**
1713      * The callback for 'check_authentication' messages.
1714      */
1715     function openid_check_authentication($request)
1716     {
1717         return $request->answer($this->signatory);
1718     }
1719
1720     /**
1721      * The callback for 'associate' messages.
1722      */
1723     function openid_associate($request)
1724     {
1725         $assoc_type = $request->assoc_type;
1726         $session_type = $request->session->session_type;
1727         if ($this->negotiator->isAllowed($assoc_type, $session_type)) {
1728             $assoc = $this->signatory->createAssociation(false,
1729                                                          $assoc_type);
1730             return $request->answer($assoc);
1731         } else {
1732             $message = sprintf('Association type %s is not supported with '.
1733                                'session type %s', $assoc_type, $session_type);
1734             list($preferred_assoc_type, $preferred_session_type) =
1735                 $this->negotiator->getAllowedType();
1736             return $request->answerUnsupported($message,
1737                                                $preferred_assoc_type,
1738                                                $preferred_session_type);
1739         }
1740     }
1741
1742     /**
1743      * Encodes as response in the appropriate format suitable for
1744      * sending to the user agent.
1745      */
1746     function encodeResponse($response)
1747     {
1748         return $this->encoder->encode($response);
1749     }
1750
1751     /**
1752      * Decodes a query args array into the appropriate
1753      * {@link Auth_OpenID_Request} object.
1754      */
1755     function decodeRequest($query=null)
1756     {
1757         if ($query === null) {
1758             $query = Auth_OpenID::getQuery();
1759         }
1760
1761         return $this->decoder->decode($query);
1762     }
1763 }
1764
1765