Consumer.php

Go to the documentation of this file.

<?php

require_once "Auth/OpenID.php";
require_once "Auth/OpenID/Message.php";
require_once "Auth/OpenID/HMAC.php";
require_once "Auth/OpenID/Association.php";
require_once "Auth/OpenID/CryptUtil.php";
require_once "Auth/OpenID/DiffieHellman.php";
require_once "Auth/OpenID/KVForm.php";
require_once "Auth/OpenID/Nonce.php";
require_once "Auth/OpenID/Discover.php";
require_once "Auth/OpenID/URINorm.php";
require_once "Auth/Yadis/Manager.php";
require_once "Auth/Yadis/XRI.php";

define('Auth_OpenID_SUCCESS', 'success');

define('Auth_OpenID_CANCEL', 'cancel');

define('Auth_OpenID_FAILURE', 'failure');

define('Auth_OpenID_SETUP_NEEDED', 'setup needed');

define('Auth_OpenID_PARSE_ERROR', 'parse error');

class Auth_OpenID_Consumer {

    var $discoverMethod = 'Auth_OpenID_discover';

    var $session_key_prefix = "_openid_consumer_";

    var $_token_suffix = "last_token";

    function Auth_OpenID_Consumer(&$store, $session = null,
                                  $consumer_cls = null)
    {
        if ($session === null) {
            $session = new Auth_Yadis_PHPSession();
        }

        $this->session =& $session;

        if ($consumer_cls !== null) {
            $this->consumer =& new $consumer_cls($store);
        } else {
            $this->consumer =& new Auth_OpenID_GenericConsumer($store);
        }

        $this->_token_key = $this->session_key_prefix . $this->_token_suffix;
    }

    function getDiscoveryObject(&$session, $openid_url,
                                $session_key_prefix)
    {
        return new Auth_Yadis_Discovery($session, $openid_url,
                                        $session_key_prefix);
    }

    function begin($user_url, $anonymous=false)
    {
        $openid_url = $user_url;

        $disco = $this->getDiscoveryObject($this->session,
                                           $openid_url,
                                           $this->session_key_prefix);

        // Set the 'stale' attribute of the manager.  If discovery
        // fails in a fatal way, the stale flag will cause the manager
        // to be cleaned up next time discovery is attempted.

        $m = $disco->getManager();
        $loader = new Auth_Yadis_ManagerLoader();

        if ($m) {
            if ($m->stale) {
                $disco->destroyManager();
            } else {
                $m->stale = true;
                $disco->session->set($disco->session_key,
                                     serialize($loader->toSession($m)));
            }
        }

        $endpoint = $disco->getNextService($this->discoverMethod,
                                           $this->consumer->fetcher);

        // Reset the 'stale' attribute of the manager.
        $m =& $disco->getManager();
        if ($m) {
            $m->stale = false;
            $disco->session->set($disco->session_key,
                                 serialize($loader->toSession($m)));
        }

        if ($endpoint === null) {
            return null;
        } else {
            return $this->beginWithoutDiscovery($endpoint,
                                                $anonymous);
        }
    }

    function &beginWithoutDiscovery($endpoint, $anonymous=false)
    {
        $loader = new Auth_OpenID_ServiceEndpointLoader();
        $auth_req = $this->consumer->begin($endpoint);
        $this->session->set($this->_token_key,
              $loader->toSession($auth_req->endpoint));
        if (!$auth_req->setAnonymous($anonymous)) {
            return new Auth_OpenID_FailureResponse(null,
              "OpenID 1 requests MUST include the identifier " .
              "in the request.");
        }
        return $auth_req;
    }

    function complete($current_url, $query=null)
    {
        if ($current_url && !is_string($current_url)) {
            // This is ugly, but we need to complain loudly when
            // someone uses the API incorrectly.
            trigger_error("current_url must be a string; see NEWS file " .
                          "for upgrading notes.",
                          E_USER_ERROR);
        }

        if ($query === null) {
            $query = Auth_OpenID::getQuery();
        }

        $loader = new Auth_OpenID_ServiceEndpointLoader();
        $endpoint_data = $this->session->get($this->_token_key);
        $endpoint =
            $loader->fromSession($endpoint_data);

        $message = Auth_OpenID_Message::fromPostArgs($query);
        $response = $this->consumer->complete($message, $endpoint, 
                                              $current_url);
        $this->session->del($this->_token_key);

        if (in_array($response->status, array(Auth_OpenID_SUCCESS,
                                              Auth_OpenID_CANCEL))) {
            if ($response->identity_url !== null) {
                $disco = $this->getDiscoveryObject($this->session,
                                                   $response->identity_url,
                                                   $this->session_key_prefix);
                $disco->cleanup(true);
            }
        }

        return $response;
    }
}

class Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
    var $session_type = 'DH-SHA1';
    var $hash_func = 'Auth_OpenID_SHA1';
    var $secret_size = 20;
    var $allowed_assoc_types = array('HMAC-SHA1');

    function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null)
    {
        if ($dh === null) {
            $dh = new Auth_OpenID_DiffieHellman();
        }

        $this->dh = $dh;
    }

    function getRequest()
    {
        $math =& Auth_OpenID_getMathLib();

        $cpub = $math->longToBase64($this->dh->public);

        $args = array('dh_consumer_public' => $cpub);

        if (!$this->dh->usingDefaultValues()) {
            $args = array_merge($args, array(
                'dh_modulus' =>
                     $math->longToBase64($this->dh->mod),
                'dh_gen' =>
                     $math->longToBase64($this->dh->gen)));
        }

        return $args;
    }

    function extractSecret($response)
    {
        if (!$response->hasKey(Auth_OpenID_OPENID_NS,
                               'dh_server_public')) {
            return null;
        }

        if (!$response->hasKey(Auth_OpenID_OPENID_NS,
                               'enc_mac_key')) {
            return null;
        }

        $math =& Auth_OpenID_getMathLib();

        $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS,
                                                      'dh_server_public'));
        $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
                                                       'enc_mac_key'));

        return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func);
    }
}

class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends
      Auth_OpenID_DiffieHellmanSHA1ConsumerSession {
    var $session_type = 'DH-SHA256';
    var $hash_func = 'Auth_OpenID_SHA256';
    var $secret_size = 32;
    var $allowed_assoc_types = array('HMAC-SHA256');
}

class Auth_OpenID_PlainTextConsumerSession {
    var $session_type = 'no-encryption';
    var $allowed_assoc_types =  array('HMAC-SHA1', 'HMAC-SHA256');

    function getRequest()
    {
        return array();
    }

    function extractSecret($response)
    {
        if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) {
            return null;
        }

        return base64_decode($response->getArg(Auth_OpenID_OPENID_NS,
                                               'mac_key'));
    }
}

function Auth_OpenID_getAvailableSessionTypes()
{
    $types = array(
      'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession',
      'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession',
      'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession');

    return $types;
}

class Auth_OpenID_GenericConsumer {
    var $discoverMethod = 'Auth_OpenID_discover';

    var $store;

    var $_use_assocs;

    var $openid1_nonce_query_arg_name = 'janrain_nonce';

    var $openid1_return_to_identifier_name = 'openid1_claimed_id';

    function Auth_OpenID_GenericConsumer(&$store)
    {
        $this->store =& $store;
        $this->negotiator =& Auth_OpenID_getDefaultNegotiator();
        $this->_use_assocs = ($this->store ? true : false);

        $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher();

        $this->session_types = Auth_OpenID_getAvailableSessionTypes();
    }

    function begin($service_endpoint)
    {
        $assoc = $this->_getAssociation($service_endpoint);
        $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc);
        $r->return_to_args[$this->openid1_nonce_query_arg_name] =
            Auth_OpenID_mkNonce();

        if ($r->message->isOpenID1()) {
            $r->return_to_args[$this->openid1_return_to_identifier_name] =
                $r->endpoint->claimed_id;
        }

        return $r;
    }

    function complete($message, $endpoint, $return_to)
    {
        $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
                                 '<no mode set>');

        $mode_methods = array(
                              'cancel' => '_complete_cancel',
                              'error' => '_complete_error',
                              'setup_needed' => '_complete_setup_needed',
                              'id_res' => '_complete_id_res',
                              );

        $method = Auth_OpenID::arrayGet($mode_methods, $mode,
                                        '_completeInvalid');

        return call_user_func_array(array(&$this, $method),
                                    array($message, $endpoint, $return_to));
    }

    function _completeInvalid($message, &$endpoint, $unused)
    {
        $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode',
                                 '<No mode set>');

        return new Auth_OpenID_FailureResponse($endpoint,
                    sprintf("Invalid openid.mode '%s'", $mode));
    }

    function _complete_cancel($message, &$endpoint, $unused)
    {
        return new Auth_OpenID_CancelResponse($endpoint);
    }

    function _complete_error($message, &$endpoint, $unused)
    {
        $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error');
        $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact');
        $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference');

        return new Auth_OpenID_FailureResponse($endpoint, $error,
                                               $contact, $reference);
    }

    function _complete_setup_needed($message, &$endpoint, $unused)
    {
        if (!$message->isOpenID2()) {
            return $this->_completeInvalid($message, $endpoint);
        }

        $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS,
                                           'user_setup_url');
        return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url);
    }

    function _complete_id_res($message, &$endpoint, $return_to)
    {
        $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
                                           'user_setup_url');

        if ($this->_checkSetupNeeded($message)) {
            return new Auth_OpenID_SetupNeededResponse(
                $endpoint, $user_setup_url);
        } else {
            return $this->_doIdRes($message, $endpoint, $return_to);
        }
    }

    function _checkSetupNeeded($message)
    {
        // In OpenID 1, we check to see if this is a cancel from
        // immediate mode by the presence of the user_setup_url
        // parameter.
        if ($message->isOpenID1()) {
            $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS,
                                               'user_setup_url');
            if ($user_setup_url !== null) {
                return true;
            }
        }

        return false;
    }

    function _doIdRes($message, $endpoint, $return_to)
    {
        // Checks for presence of appropriate fields (and checks
        // signed list fields)
        $result = $this->_idResCheckForFields($message);

        if (Auth_OpenID::isFailure($result)) {
            return $result;
        }

        if (!$this->_checkReturnTo($message, $return_to)) {
            return new Auth_OpenID_FailureResponse(null,
            sprintf("return_to does not match return URL. Expected %s, got %s",
                    $return_to,
                    $message->getArg(Auth_OpenID_OPENID_NS, 'return_to')));
        }

        // Verify discovery information:
        $result = $this->_verifyDiscoveryResults($message, $endpoint);

        if (Auth_OpenID::isFailure($result)) {
            return $result;
        }

        $endpoint = $result;

        $result = $this->_idResCheckSignature($message,
                                              $endpoint->server_url);

        if (Auth_OpenID::isFailure($result)) {
            return $result;
        }

        $result = $this->_idResCheckNonce($message, $endpoint);

        if (Auth_OpenID::isFailure($result)) {
            return $result;
        }

        $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed',
                                            Auth_OpenID_NO_DEFAULT);
        if (Auth_OpenID::isFailure($signed_list_str)) {
            return $signed_list_str;
        }
        $signed_list = explode(',', $signed_list_str);

        $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid.");

        return new Auth_OpenID_SuccessResponse($endpoint, $message,
                                               $signed_fields);

    }

    function _checkReturnTo($message, $return_to)
    {
        // Check an OpenID message and its openid.return_to value
        // against a return_to URL from an application.  Return True
        // on success, False on failure.

        // Check the openid.return_to args against args in the
        // original message.
        $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs(
                                           $message->toPostArgs());
        if (Auth_OpenID::isFailure($result)) {
            return false;
        }

        // Check the return_to base URL against the one in the
        // message.
        $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS,
                                          'return_to');
        if (Auth_OpenID::isFailure($return_to)) {
            // XXX log me
            return false;
        }

        $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to));
        $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to));

        // If port is absent from both, add it so it's equal in the
        // check below.
        if ((!array_key_exists('port', $return_to_parts)) &&
            (!array_key_exists('port', $msg_return_to_parts))) {
            $return_to_parts['port'] = null;
            $msg_return_to_parts['port'] = null;
        }

        // If path is absent from both, add it so it's equal in the
        // check below.
        if ((!array_key_exists('path', $return_to_parts)) &&
            (!array_key_exists('path', $msg_return_to_parts))) {
            $return_to_parts['path'] = null;
            $msg_return_to_parts['path'] = null;
        }

        // The URL scheme, authority, and path MUST be the same
        // between the two URLs.
        foreach (array('scheme', 'host', 'port', 'path') as $component) {
            // If the url component is absent in either URL, fail.
            // There should always be a scheme, host, port, and path.
            if (!array_key_exists($component, $return_to_parts)) {
                return false;
            }

            if (!array_key_exists($component, $msg_return_to_parts)) {
                return false;
            }

            if (Auth_OpenID::arrayGet($return_to_parts, $component) !==
                Auth_OpenID::arrayGet($msg_return_to_parts, $component)) {
                return false;
            }
        }

        return true;
    }

    function _verifyReturnToArgs($query)
    {
        // Verify that the arguments in the return_to URL are present in this
        // response.

        $message = Auth_OpenID_Message::fromPostArgs($query);
        $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to');

        if (Auth_OpenID::isFailure($return_to)) {
            return $return_to;
        }
        // XXX: this should be checked by _idResCheckForFields
        if (!$return_to) {
            return new Auth_OpenID_FailureResponse(null,
                           "Response has no return_to");
        }

        $parsed_url = parse_url($return_to);

        $q = array();
        if (array_key_exists('query', $parsed_url)) {
            $rt_query = $parsed_url['query'];
            $q = Auth_OpenID::parse_str($rt_query);
        }

        foreach ($q as $rt_key => $rt_value) {
            if (!array_key_exists($rt_key, $query)) {
                return new Auth_OpenID_FailureResponse(null,
                  sprintf("return_to parameter %s absent from query", $rt_key));
            } else {
                $value = $query[$rt_key];
                if ($rt_value != $value) {
                    return new Auth_OpenID_FailureResponse(null,
                      sprintf("parameter %s value %s does not match " .
                              "return_to value %s", $rt_key,
                              $value, $rt_value));
                }
            }
        }

        // Make sure all non-OpenID arguments in the response are also
        // in the signed return_to.
        $bare_args = $message->getArgs(Auth_OpenID_BARE_NS);
        foreach ($bare_args as $key => $value) {
            if (Auth_OpenID::arrayGet($q, $key) != $value) {
                return new Auth_OpenID_FailureResponse(null,
                  sprintf("Parameter %s = %s not in return_to URL",
                          $key, $value));
            }
        }

        return true;
    }

    function _idResCheckSignature($message, $server_url)
    {
        $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS,
                                         'assoc_handle');
        if (Auth_OpenID::isFailure($assoc_handle)) {
            return $assoc_handle;
        }

        $assoc = $this->store->getAssociation($server_url, $assoc_handle);

        if ($assoc) {
            if ($assoc->getExpiresIn() <= 0) {
                // XXX: It might be a good idea sometimes to re-start
                // the authentication with a new association. Doing it
                // automatically opens the possibility for
                // denial-of-service by a server that just returns
                // expired associations (or really short-lived
                // associations)
                return new Auth_OpenID_FailureResponse(null,
                             'Association with ' . $server_url . ' expired');
            }

            if (!$assoc->checkMessageSignature($message)) {
                return new Auth_OpenID_FailureResponse(null,
                                                       "Bad signature");
            }
        } else {
            // It's not an association we know about.  Stateless mode
            // is our only possible path for recovery.  XXX - async
            // framework will not want to block on this call to
            // _checkAuth.
            if (!$this->_checkAuth($message, $server_url)) {
                return new Auth_OpenID_FailureResponse(null,
                             "Server denied check_authentication");
            }
        }

        return null;
    }

    function _verifyDiscoveryResults($message, $endpoint=null)
    {
        if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) {
            return $this->_verifyDiscoveryResultsOpenID2($message,
                                                         $endpoint);
        } else {
            return $this->_verifyDiscoveryResultsOpenID1($message,
                                                         $endpoint);
        }
    }

    function _verifyDiscoveryResultsOpenID1($message, $endpoint)
    {
        $claimed_id = $message->getArg(Auth_OpenID_BARE_NS,
                                $this->openid1_return_to_identifier_name);

        if (($endpoint === null) && ($claimed_id === null)) {
            return new Auth_OpenID_FailureResponse($endpoint,
              'When using OpenID 1, the claimed ID must be supplied, ' .
              'either by passing it through as a return_to parameter ' .
              'or by using a session, and supplied to the GenericConsumer ' .
              'as the argument to complete()');
        } else if (($endpoint !== null) && ($claimed_id === null)) {
            $claimed_id = $endpoint->claimed_id;
        }

        $to_match = new Auth_OpenID_ServiceEndpoint();
        $to_match->type_uris = array(Auth_OpenID_TYPE_1_1);
        $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS,
                                               'identity');

        // Restore delegate information from the initiation phase
        $to_match->claimed_id = $claimed_id;

        if ($to_match->local_id === null) {
            return new Auth_OpenID_FailureResponse($endpoint,
                         "Missing required field openid.identity");
        }

        $to_match_1_0 = $to_match->copy();
        $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0);

        if ($endpoint !== null) {
            $result = $this->_verifyDiscoverySingle($endpoint, $to_match);

            if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) {
                $result = $this->_verifyDiscoverySingle($endpoint,
                                                        $to_match_1_0);
            }

            if (Auth_OpenID::isFailure($result)) {
                // oidutil.log("Error attempting to use stored
                //             discovery information: " + str(e))
                //             oidutil.log("Attempting discovery to
                //             verify endpoint")
            } else {
                return $endpoint;
            }
        }

        // Endpoint is either bad (failed verification) or None
        return $this->_discoverAndVerify($to_match->claimed_id,
                                         array($to_match, $to_match_1_0));
    }

    function _verifyDiscoverySingle($endpoint, $to_match)
    {
        // Every type URI that's in the to_match endpoint has to be
        // present in the discovered endpoint.
        foreach ($to_match->type_uris as $type_uri) {
            if (!$endpoint->usesExtension($type_uri)) {
                return new Auth_OpenID_TypeURIMismatch($endpoint,
                             "Required type ".$type_uri." not present");
            }
        }

        // Fragments do not influence discovery, so we can't compare a
        // claimed identifier with a fragment to discovered
        // information.
        list($defragged_claimed_id, $_) =
            Auth_OpenID::urldefrag($to_match->claimed_id);

        if ($defragged_claimed_id != $endpoint->claimed_id) {
            return new Auth_OpenID_FailureResponse($endpoint,
              sprintf('Claimed ID does not match (different subjects!), ' .
                      'Expected %s, got %s', $defragged_claimed_id,
                      $endpoint->claimed_id));
        }

        if ($to_match->getLocalID() != $endpoint->getLocalID()) {
            return new Auth_OpenID_FailureResponse($endpoint,
              sprintf('local_id mismatch. Expected %s, got %s',
                      $to_match->getLocalID(), $endpoint->getLocalID()));
        }

        // If the server URL is None, this must be an OpenID 1
        // response, because op_endpoint is a required parameter in
        // OpenID 2. In that case, we don't actually care what the
        // discovered server_url is, because signature checking or
        // check_auth should take care of that check for us.
        if ($to_match->server_url === null) {
            if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) {
                return new Auth_OpenID_FailureResponse($endpoint,
                             "Preferred namespace mismatch (bug)");
            }
        } else if ($to_match->server_url != $endpoint->server_url) {
            return new Auth_OpenID_FailureResponse($endpoint,
              sprintf('OP Endpoint mismatch. Expected %s, got %s',
                      $to_match->server_url, $endpoint->server_url));
        }

        return null;
    }

    function _verifyDiscoveryResultsOpenID2($message, $endpoint)
    {
        $to_match = new Auth_OpenID_ServiceEndpoint();
        $to_match->type_uris = array(Auth_OpenID_TYPE_2_0);
        $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS,
                                                 'claimed_id');

        $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS,
                                                'identity');

        $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS,
                                                 'op_endpoint');

        if ($to_match->server_url === null) {
            return new Auth_OpenID_FailureResponse($endpoint,
                         "OP Endpoint URL missing");
        }

        // claimed_id and identifier must both be present or both be
        // absent
        if (($to_match->claimed_id === null) &&
            ($to_match->local_id !== null)) {
            return new Auth_OpenID_FailureResponse($endpoint,
              'openid.identity is present without openid.claimed_id');
        }

        if (($to_match->claimed_id !== null) &&
            ($to_match->local_id === null)) {
            return new Auth_OpenID_FailureResponse($endpoint,
              'openid.claimed_id is present without openid.identity');
        }

        if ($to_match->claimed_id === null) {
            // This is a response without identifiers, so there's
            // really no checking that we can do, so return an
            // endpoint that's for the specified `openid.op_endpoint'
            return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL(
                                                $to_match->server_url);
        }

        if (!$endpoint) {
            // The claimed ID doesn't match, so we have to do
            // discovery again. This covers not using sessions, OP
            // identifier endpoints and responses that didn't match
            // the original request.
            // oidutil.log('No pre-discovered information supplied.')
            return $this->_discoverAndVerify($to_match->claimed_id,
                                             array($to_match));
        } else {

            // The claimed ID matches, so we use the endpoint that we
            // discovered in initiation. This should be the most
            // common case.
            $result = $this->_verifyDiscoverySingle($endpoint, $to_match);

            if (Auth_OpenID::isFailure($result)) {
                $endpoint = $this->_discoverAndVerify($to_match->claimed_id,
                                                      array($to_match));
                if (Auth_OpenID::isFailure($endpoint)) {
                    return $endpoint;
                }
            }
        }

        // The endpoint we return should have the claimed ID from the
        // message we just verified, fragment and all.
        if ($endpoint->claimed_id != $to_match->claimed_id) {
            $endpoint->claimed_id = $to_match->claimed_id;
        }

        return $endpoint;
    }

    function _discoverAndVerify($claimed_id, $to_match_endpoints)
    {
        // oidutil.log('Performing discovery on %s' % (claimed_id,))
        list($unused, $services) = call_user_func($this->discoverMethod,
                                                  $claimed_id,
                                                  $this->fetcher);

        if (!$services) {
            return new Auth_OpenID_FailureResponse(null,
              sprintf("No OpenID information found at %s",
                      $claimed_id));
        }

        return $this->_verifyDiscoveryServices($claimed_id, $services,
                                               $to_match_endpoints);
    }

    function _verifyDiscoveryServices($claimed_id, 
                                      &$services, &$to_match_endpoints)
    {
        // Search the services resulting from discovery to find one
        // that matches the information from the assertion

        foreach ($services as $endpoint) {
            foreach ($to_match_endpoints as $to_match_endpoint) {
                $result = $this->_verifyDiscoverySingle($endpoint, 
                                                        $to_match_endpoint);

                if (!Auth_OpenID::isFailure($result)) {
                    // It matches, so discover verification has
                    // succeeded. Return this endpoint.
                    return $endpoint;
                }
            }
        }

        return new Auth_OpenID_FailureResponse(null,
          sprintf('No matching endpoint found after discovering %s',
                  $claimed_id));
    }

    function _idResGetNonceOpenID1($message, $endpoint)
    {
        return $message->getArg(Auth_OpenID_BARE_NS,
                                $this->openid1_nonce_query_arg_name);
    }

    function _idResCheckNonce($message, $endpoint)
    {
        if ($message->isOpenID1()) {
            // This indicates that the nonce was generated by the consumer
            $nonce = $this->_idResGetNonceOpenID1($message, $endpoint);
            $server_url = '';
        } else {
            $nonce = $message->getArg(Auth_OpenID_OPENID2_NS,
                                      'response_nonce');

            $server_url = $endpoint->server_url;
        }

        if ($nonce === null) {
            return new Auth_OpenID_FailureResponse($endpoint,
                                     "Nonce missing from response");
        }

        $parts = Auth_OpenID_splitNonce($nonce);

        if ($parts === null) {
            return new Auth_OpenID_FailureResponse($endpoint,
                                     "Malformed nonce in response");
        }

        list($timestamp, $salt) = $parts;

        if (!$this->store->useNonce($server_url, $timestamp, $salt)) {
            return new Auth_OpenID_FailureResponse($endpoint,
                         "Nonce already used or out of range");
        }

        return null;
    }

    function _idResCheckForFields($message)
    {
        $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed');
        $basic_sig_fields = array('return_to', 'identity');

        $require_fields = array(
            Auth_OpenID_OPENID2_NS => array_merge($basic_fields,
                                                  array('op_endpoint')),

            Auth_OpenID_OPENID1_NS => array_merge($basic_fields,
                                                  array('identity'))
            );

        $require_sigs = array(
            Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields,
                                                  array('response_nonce',
                                                        'claimed_id',
                                                        'assoc_handle')),
            Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields,
                                                  array('nonce'))
            );

        foreach ($require_fields[$message->getOpenIDNamespace()] as $field) {
            if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) {
                return new Auth_OpenID_FailureResponse(null,
                             "Missing required field '".$field."'");
            }
        }

        $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS,
                                            'signed',
                                            Auth_OpenID_NO_DEFAULT);
        if (Auth_OpenID::isFailure($signed_list_str)) {
            return $signed_list_str;
        }
        $signed_list = explode(',', $signed_list_str);

        foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) {
            // Field is present and not in signed list
            if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) &&
                (!in_array($field, $signed_list))) {
                return new Auth_OpenID_FailureResponse(null,
                             "'".$field."' not signed");
            }
        }

        return null;
    }

    function _checkAuth($message, $server_url)
    {
        $request = $this->_createCheckAuthRequest($message);
        if ($request === null) {
            return false;
        }

        $resp_message = $this->_makeKVPost($request, $server_url);
        if (($resp_message === null) ||
            (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) {
            return false;
        }

        return $this->_processCheckAuthResponse($resp_message, $server_url);
    }

    function _createCheckAuthRequest($message)
    {
        $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed');
        if ($signed) {
            foreach (explode(',', $signed) as $k) {
                $value = $message->getAliasedArg($k);
                if ($value === null) {
                    return null;
                }
            }
        }
        $ca_message = $message->copy();
        $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', 
                            'check_authentication');
        return $ca_message;
    }

    function _processCheckAuthResponse($response, $server_url)
    {
        $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid',
                                      'false');

        $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS,
                                               'invalidate_handle');

        if ($invalidate_handle !== null) {
            $this->store->removeAssociation($server_url,
                                            $invalidate_handle);
        }

        if ($is_valid == 'true') {
            return true;
        }

        return false;
    }

    function _httpResponseToMessage($response, $server_url)
    {
        // Should this function be named Message.fromHTTPResponse instead?
        $response_message = Auth_OpenID_Message::fromKVForm($response->body);

        if ($response->status == 400) {
            return Auth_OpenID_ServerErrorContainer::fromMessage(
                        $response_message);
        } else if ($response->status != 200 and $response->status != 206) {
            return null;
        }

        return $response_message;
    }

    function _makeKVPost($message, $server_url)
    {
        $body = $message->toURLEncoded();
        $resp = $this->fetcher->post($server_url, $body);

        if ($resp === null) {
            return null;
        }

        return $this->_httpResponseToMessage($resp, $server_url);
    }

    function _getAssociation($endpoint)
    {
        if (!$this->_use_assocs) {
            return null;
        }

        $assoc = $this->store->getAssociation($endpoint->server_url);

        if (($assoc === null) ||
            ($assoc->getExpiresIn() <= 0)) {

            $assoc = $this->_negotiateAssociation($endpoint);

            if ($assoc !== null) {
                $this->store->storeAssociation($endpoint->server_url,
                                               $assoc);
            }
        }

        return $assoc;
    }

    function _extractSupportedAssociationType(&$server_error, &$endpoint,
                                              $assoc_type)
    {
        // Any error message whose code is not 'unsupported-type'
        // should be considered a total failure.
        if (($server_error->error_code != 'unsupported-type') ||
            ($server_error->message->isOpenID1())) {
            return null;
        }

        // The server didn't like the association/session type that we
        // sent, and it sent us back a message that might tell us how
        // to handle it.

        // Extract the session_type and assoc_type from the error
        // message
        $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
                                                     'assoc_type');

        $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS,
                                                       'session_type');

        if (($assoc_type === null) || ($session_type === null)) {
            return null;
        } else if (!$this->negotiator->isAllowed($assoc_type,
                                                 $session_type)) {
            return null;
        } else {
          return array($assoc_type, $session_type);
        }
    }

    function _negotiateAssociation($endpoint)
    {
        // Get our preferred session/association type from the negotiatior.
        list($assoc_type, $session_type) = $this->negotiator->getAllowedType();

        $assoc = $this->_requestAssociation(
                           $endpoint, $assoc_type, $session_type);

        if (Auth_OpenID::isFailure($assoc)) {
            return null;
        }

        if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
            $why = $assoc;

            $supportedTypes = $this->_extractSupportedAssociationType(
                                     $why, $endpoint, $assoc_type);

            if ($supportedTypes !== null) {
                list($assoc_type, $session_type) = $supportedTypes;

                // Attempt to create an association from the assoc_type
                // and session_type that the server told us it
                // supported.
                $assoc = $this->_requestAssociation(
                                   $endpoint, $assoc_type, $session_type);

                if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) {
                    // Do not keep trying, since it rejected the
                    // association type that it told us to use.
                    // oidutil.log('Server %s refused its suggested association
                    //             'type: session_type=%s, assoc_type=%s'
                    //             % (endpoint.server_url, session_type,
                    //                assoc_type))
                    return null;
                } else {
                    return $assoc;
                }
            } else {
                return null;
            }
        } else {
            return $assoc;
        }
    }

    function _requestAssociation($endpoint, $assoc_type, $session_type)
    {
        list($assoc_session, $args) = $this->_createAssociateRequest(
                                      $endpoint, $assoc_type, $session_type);

        $response_message = $this->_makeKVPost($args, $endpoint->server_url);

        if ($response_message === null) {
            // oidutil.log('openid.associate request failed: %s' % (why[0],))
            return null;
        } else if (is_a($response_message,
                        'Auth_OpenID_ServerErrorContainer')) {
            return $response_message;
        }

        return $this->_extractAssociation($response_message, $assoc_session);
    }

    function _extractAssociation(&$assoc_response, &$assoc_session)
    {
        // Extract the common fields from the response, raising an
        // exception if they are not found
        $assoc_type = $assoc_response->getArg(
                         Auth_OpenID_OPENID_NS, 'assoc_type',
                         Auth_OpenID_NO_DEFAULT);

        if (Auth_OpenID::isFailure($assoc_type)) {
            return $assoc_type;
        }

        $assoc_handle = $assoc_response->getArg(
                           Auth_OpenID_OPENID_NS, 'assoc_handle',
                           Auth_OpenID_NO_DEFAULT);

        if (Auth_OpenID::isFailure($assoc_handle)) {
            return $assoc_handle;
        }

        // expires_in is a base-10 string. The Python parsing will
        // accept literals that have whitespace around them and will
        // accept negative values. Neither of these are really in-spec,
        // but we think it's OK to accept them.
        $expires_in_str = $assoc_response->getArg(
                             Auth_OpenID_OPENID_NS, 'expires_in',
                             Auth_OpenID_NO_DEFAULT);

        if (Auth_OpenID::isFailure($expires_in_str)) {
            return $expires_in_str;
        }

        $expires_in = Auth_OpenID::intval($expires_in_str);
        if ($expires_in === false) {
            
            $err = sprintf("Could not parse expires_in from association ".
                           "response %s", print_r($assoc_response, true));
            return new Auth_OpenID_FailureResponse(null, $err);
        }

        // OpenID 1 has funny association session behaviour.
        if ($assoc_response->isOpenID1()) {
            $session_type = $this->_getOpenID1SessionType($assoc_response);
        } else {
            $session_type = $assoc_response->getArg(
                               Auth_OpenID_OPENID2_NS, 'session_type',
                               Auth_OpenID_NO_DEFAULT);

            if (Auth_OpenID::isFailure($session_type)) {
                return $session_type;
            }
        }

        // Session type mismatch
        if ($assoc_session->session_type != $session_type) {
            if ($assoc_response->isOpenID1() &&
                ($session_type == 'no-encryption')) {
                // In OpenID 1, any association request can result in
                // a 'no-encryption' association response. Setting
                // assoc_session to a new no-encryption session should
                // make the rest of this function work properly for
                // that case.
                $assoc_session = new Auth_OpenID_PlainTextConsumerSession();
            } else {
                // Any other mismatch, regardless of protocol version
                // results in the failure of the association session
                // altogether.
                return null;
            }
        }

        // Make sure assoc_type is valid for session_type
        if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) {
            return null;
        }

        // Delegate to the association session to extract the secret
        // from the response, however is appropriate for that session
        // type.
        $secret = $assoc_session->extractSecret($assoc_response);

        if ($secret === null) {
            return null;
        }

        return Auth_OpenID_Association::fromExpiresIn(
                 $expires_in, $assoc_handle, $secret, $assoc_type);
    }

    function _createAssociateRequest($endpoint, $assoc_type, $session_type)
    {
        if (array_key_exists($session_type, $this->session_types)) {
            $session_type_class = $this->session_types[$session_type];

            if (is_callable($session_type_class)) {
                $assoc_session = $session_type_class();
            } else {
                $assoc_session = new $session_type_class();
            }
        } else {
            return null;
        }

        $args = array(
            'mode' => 'associate',
            'assoc_type' => $assoc_type);

        if (!$endpoint->compatibilityMode()) {
            $args['ns'] = Auth_OpenID_OPENID2_NS;
        }

        // Leave out the session type if we're in compatibility mode
        // *and* it's no-encryption.
        if ((!$endpoint->compatibilityMode()) ||
            ($assoc_session->session_type != 'no-encryption')) {
            $args['session_type'] = $assoc_session->session_type;
        }

        $args = array_merge($args, $assoc_session->getRequest());
        $message = Auth_OpenID_Message::fromOpenIDArgs($args);
        return array($assoc_session, $message);
    }

    function _getOpenID1SessionType($assoc_response)
    {
        // If it's an OpenID 1 message, allow session_type to default
        // to None (which signifies "no-encryption")
        $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS,
                                                'session_type');

        // Handle the differences between no-encryption association
        // respones in OpenID 1 and 2:

        // no-encryption is not really a valid session type for OpenID
        // 1, but we'll accept it anyway, while issuing a warning.
        if ($session_type == 'no-encryption') {
            // oidutil.log('WARNING: OpenID server sent "no-encryption"'
            //             'for OpenID 1.X')
        } else if (($session_type == '') || ($session_type === null)) {
            // Missing or empty session type is the way to flag a
            // 'no-encryption' response. Change the session type to
            // 'no-encryption' so that it can be handled in the same
            // way as OpenID 2 'no-encryption' respones.
            $session_type = 'no-encryption';
        }

        return $session_type;
    }
}

class Auth_OpenID_AuthRequest {

    function Auth_OpenID_AuthRequest(&$endpoint, $assoc)
    {
        $this->assoc = $assoc;
        $this->endpoint =& $endpoint;
        $this->return_to_args = array();
        $this->message = new Auth_OpenID_Message(
            $endpoint->preferredNamespace());
        $this->_anonymous = false;
    }

    function addExtension(&$extension_request)
    {
        $extension_request->toMessage($this->message);
    }

    function addExtensionArg($namespace, $key, $value)
    {
        return $this->message->setArg($namespace, $key, $value);
    }

    function setAnonymous($is_anonymous)
    {
        if ($is_anonymous && $this->message->isOpenID1()) {
            return false;
        } else {
            $this->_anonymous = $is_anonymous;
            return true;
        }
    }

    function getMessage($realm, $return_to=null, $immediate=false)
    {
        if ($return_to) {
            $return_to = Auth_OpenID::appendArgs($return_to,
                                                 $this->return_to_args);
        } else if ($immediate) {
            // raise ValueError(
            //     '"return_to" is mandatory when
            //using "checkid_immediate"')
            return new Auth_OpenID_FailureResponse(null,
              "'return_to' is mandatory when using checkid_immediate");
        } else if ($this->message->isOpenID1()) {
            // raise ValueError('"return_to" is
            // mandatory for OpenID 1 requests')
            return new Auth_OpenID_FailureResponse(null,
              "'return_to' is mandatory for OpenID 1 requests");
        } else if ($this->return_to_args) {
            // raise ValueError('extra "return_to" arguments
            // were specified, but no return_to was specified')
            return new Auth_OpenID_FailureResponse(null,
              "extra 'return_to' arguments where specified, " .
              "but no return_to was specified");
        }

        if ($immediate) {
            $mode = 'checkid_immediate';
        } else {
            $mode = 'checkid_setup';
        }

        $message = $this->message->copy();
        if ($message->isOpenID1()) {
            $realm_key = 'trust_root';
        } else {
            $realm_key = 'realm';
        }

        $message->updateArgs(Auth_OpenID_OPENID_NS,
                             array(
                                   $realm_key => $realm,
                                   'mode' => $mode,
                                   'return_to' => $return_to));

        if (!$this->_anonymous) {
            if ($this->endpoint->isOPIdentifier()) {
                // This will never happen when we're in compatibility
                // mode, as long as isOPIdentifier() returns False
                // whenever preferredNamespace() returns OPENID1_NS.
                $claimed_id = $request_identity =
                    Auth_OpenID_IDENTIFIER_SELECT;
            } else {
                $request_identity = $this->endpoint->getLocalID();
                $claimed_id = $this->endpoint->claimed_id;
            }

            // This is true for both OpenID 1 and 2
            $message->setArg(Auth_OpenID_OPENID_NS, 'identity',
                             $request_identity);

            if ($message->isOpenID2()) {
                $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id',
                                 $claimed_id);
            }
        }

        if ($this->assoc) {
            $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle',
                             $this->assoc->handle);
        }

        return $message;
    }

    function redirectURL($realm, $return_to = null,
                         $immediate = false)
    {
        $message = $this->getMessage($realm, $return_to, $immediate);

        if (Auth_OpenID::isFailure($message)) {
            return $message;
        }

        return $message->toURL($this->endpoint->server_url);
    }

    function formMarkup($realm, $return_to=null, $immediate=false,
                        $form_tag_attrs=null)
    {
        $message = $this->getMessage($realm, $return_to, $immediate);

        if (Auth_OpenID::isFailure($message)) {
            return $message;
        }

        return $message->toFormMarkup($this->endpoint->server_url,
                                      $form_tag_attrs);
    }

    function htmlMarkup($realm, $return_to=null, $immediate=false,
                        $form_tag_attrs=null)
    {
        $form = $this->formMarkup($realm, $return_to, $immediate, 
                                  $form_tag_attrs);

        if (Auth_OpenID::isFailure($form)) {
            return $form;
        }
        return Auth_OpenID::autoSubmitHTML($form);
    }

    function shouldSendRedirect()
    {
        return $this->endpoint->compatibilityMode();
    }
}

class Auth_OpenID_ConsumerResponse {
    var $status = null;

    function setEndpoint($endpoint)
    {
        $this->endpoint = $endpoint;
        if ($endpoint === null) {
            $this->identity_url = null;
        } else {
            $this->identity_url = $endpoint->claimed_id;
        }
    }

    function getDisplayIdentifier()
    {
        if ($this->endpoint !== null) {
            return $this->endpoint->getDisplayIdentifier();
        }
        return null;
    }
}

class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse {
    var $status = Auth_OpenID_SUCCESS;

    function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null)
    {
        $this->endpoint = $endpoint;
        $this->identity_url = $endpoint->claimed_id;
        $this->signed_args = $signed_args;
        $this->message = $message;

        if ($this->signed_args === null) {
            $this->signed_args = array();
        }
    }

    function extensionResponse($namespace_uri, $require_signed)
    {
        if ($require_signed) {
            return $this->getSignedNS($namespace_uri);
        } else {
            return $this->message->getArgs($namespace_uri);
        }
    }

    function isOpenID1()
    {
        return $this->message->isOpenID1();
    }

    function isSigned($ns_uri, $ns_key)
    {
        // Return whether a particular key is signed, regardless of
        // its namespace alias
        return in_array($this->message->getKey($ns_uri, $ns_key),
                        $this->signed_args);
    }

    function getSigned($ns_uri, $ns_key, $default = null)
    {
        // Return the specified signed field if available, otherwise
        // return default
        if ($this->isSigned($ns_uri, $ns_key)) {
            return $this->message->getArg($ns_uri, $ns_key, $default);
        } else {
            return $default;
        }
    }

    function getSignedNS($ns_uri)
    {
        $args = array();

        $msg_args = $this->message->getArgs($ns_uri);
        if (Auth_OpenID::isFailure($msg_args)) {
            return null;
        }

        foreach ($msg_args as $key => $value) {
            if (!$this->isSigned($ns_uri, $key)) {
                return null;
            }
        }

        return $msg_args;
    }

    function getReturnTo()
    {
        return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to');
    }
}

class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse {
    var $status = Auth_OpenID_FAILURE;

    function Auth_OpenID_FailureResponse($endpoint, $message = null,
                                         $contact = null, $reference = null)
    {
        $this->setEndpoint($endpoint);
        $this->message = $message;
        $this->contact = $contact;
        $this->reference = $reference;
    }
}

class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse {
}

class Auth_OpenID_ServerErrorContainer {
    function Auth_OpenID_ServerErrorContainer($error_text,
                                              $error_code,
                                              $message)
    {
        $this->error_text = $error_text;
        $this->error_code = $error_code;
        $this->message = $message;
    }

    function fromMessage($message)
    {
        $error_text = $message->getArg(
           Auth_OpenID_OPENID_NS, 'error', '<no error message supplied>');
        $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code');
        return new Auth_OpenID_ServerErrorContainer($error_text,
                                                    $error_code,
                                                    $message);
    }
}

class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse {
    var $status = Auth_OpenID_CANCEL;

    function Auth_OpenID_CancelResponse($endpoint)
    {
        $this->setEndpoint($endpoint);
    }
}

class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse {
    var $status = Auth_OpenID_SETUP_NEEDED;

    function Auth_OpenID_SetupNeededResponse($endpoint,
                                             $setup_url = null)
    {
        $this->setEndpoint($endpoint);
        $this->setup_url = $setup_url;
    }
}

?>

---