authorDries Buytaert <dries@buytaert.net>2010-06-25 18:31:37 +0000
committerDries Buytaert <dries@buytaert.net>2010-06-25 18:31:37 +0000
commit38220bad9e0f0b4bc84523d44ed1052161851380 (patch)
treec17753794d6d2d95c3d6564a583e8bdf77f2ff88 /modules/openid
parentcd5457024d56dedfc0609116223c8608aaaca527 (diff)
- Patch #225535 by flobruit, c960657: OpenID login fails for delegated OpenIDs.
Diffstat (limited to 'modules/openid')
-rw-r--r--modules/openid/openid.inc11
-rw-r--r--modules/openid/openid.test22
-rw-r--r--modules/openid/tests/openid_test.module26
3 files changed, 48 insertions, 11 deletions
diff --git a/modules/openid/openid.inc b/modules/openid/openid.inc
index 40ccaa3f9..74cd7c494 100644
--- a/modules/openid/openid.inc
+++ b/modules/openid/openid.inc
@@ -51,6 +51,11 @@ define('OPENID_NS_1_1', 'http://openid.net/signon/1.1');
define('OPENID_NS_1_0', 'http://openid.net/signon/1.0');
/**
+ * OpenID namespace used in Yadis documents.
+ */
+define('OPENID_NS_OPENID', 'http://openid.net/xmlns/1.0');
+
+/**
* OpenID Simple Registration extension.
*/
define('OPENID_NS_SREG', 'http://openid.net/extensions/sreg/1.1');
@@ -148,12 +153,12 @@ function _openid_xrds_parse($raw_xml) {
foreach ($service_element->Type as $type) {
$service['types'][] = (string)$type;
}
- if ($service_element->children(OPENID_NS_XRD)->Delegate) {
- $service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->Delegate;
- }
if ($service_element->children(OPENID_NS_XRD)->LocalID) {
$service['identity'] = (string)$service_element->children(OPENID_NS_XRD)->LocalID;
}
+ elseif ($service_element->children(OPENID_NS_OPENID)->Delegate) {
+ $service['identity'] = (string)$service_element->children(OPENID_NS_OPENID)->Delegate;
+ }
else {
$service['identity'] = FALSE;
}
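Review bot: The new `elseif` on `openid:Delegate` carries no comment explaining why `LocalID` takes precedence or why the two elements live in different namespaces, and the choice is made without consulting the `Type` values collected just above it. A short comment before the `if` would record the intent, e.g. `// OpenID 2.0 services carry <xrd:LocalID>; OpenID 1.x Yadis services carry <openid:Delegate>. LocalID wins when both are present.` Both values are copied as-is from the discovered document passed in as `$raw_xml`, so the docblock should also say that `$service['identity']` is unverified remote data. `_openid_xrds_parse()` starts and ends outside this hunk, so how the value is used later is not visible here.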
diff --git a/modules/openid/openid.test b/modules/openid/openid.test
index 3e58c1f6d..49f390b12 100644
--- a/modules/openid/openid.test
+++ b/modules/openid/openid.test
@@ -67,7 +67,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// The URL scheme is stripped in order to test that the supplied identifier
// is normalized in openid_begin().
$identity = url('openid-test/yadis/xrds', array('absolute' => TRUE));
- $this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, $identity);
+ $this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, 'http://example.com/xrds', $identity);
+
+ $identity = url('openid-test/yadis/xrds/delegate', array('absolute' => TRUE));
+ $this->addIdentity(preg_replace('@^https?://@', '', $identity), 2, 'http://example.com/xrds-delegate', $identity);
// Identifier is the URL of an XRDS document containing an OP Identifier
// Element. The Relying Party sends the special value
@@ -78,7 +81,7 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// is stripped in order to test that the returned identifier is normalized in
// openid_complete().
variable_set('openid_test_response', array('openid.claimed_id' => preg_replace('@^https?://@', '', $identity)));
- $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, $identity);
+ $this->addIdentity(url('openid-test/yadis/xrds/server', array('absolute' => TRUE)), 2, 'http://specs.openid.net/auth/2.0/identifier_select', $identity);
variable_set('openid_test_response', array());
// Identifier is the URL of an HTML page that is sent with an HTTP header
@@ -91,11 +94,11 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Identifier is an XRI. Resolve using our own dummy proxy resolver.
variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/');
- $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user');
+ $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/xrds', 'http://example.com/user');
// Make sure that unverified CanonicalID are not trusted.
variable_set('openid_test_canonical_id_status', 'bad value');
- $this->addIdentity('@example*résumé;%25', 2, FALSE);
+ $this->addIdentity('@example*résumé;%25', 2, FALSE, FALSE);
// HTML-based discovery:
// If the User-supplied Identifier is a URL of an HTML page, the page may
@@ -103,10 +106,10 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
// Provider Endpoint. OpenID 1 and 2 describe slightly different formats.
// OpenID Authentication 1.1, section 3.1:
- $this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1);
+ $this->addIdentity(url('openid-test/html/openid1', array('absolute' => TRUE)), 1, 'http://example.com/html-openid1');
// OpenID Authentication 2.0, section 7.3.3:
- $this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2);
+ $this->addIdentity(url('openid-test/html/openid2', array('absolute' => TRUE)), 2, 'http://example.com/html-openid2');
}
/**
@@ -197,11 +200,16 @@ class OpenIDFunctionalTestCase extends OpenIDWebTestCase {
* The User-supplied Identifier.
* @param $version
* The protocol version used by the service.
+ * @param $local_id
+ * The expected OP-Local Identifier found during discovery.
* @param $claimed_id
* The expected Claimed Identifier returned by the OpenID Provider, or FALSE
* if the discovery is expected to fail.
*/
- function addIdentity($identity, $version = 2, $claimed_id = NULL) {
+ function addIdentity($identity, $version = 2, $local_id = 'http://example.com/xrds', $claimed_id = NULL) {
+ // Tell openid_test.module to only accept this OP-Local Identifier.
+ variable_set('openid_test_identity', $local_id);
+
$edit = array('openid_identifier' => $identity);
$this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID'));
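Review bot: Inserting `$local_id` ahead of `$claimed_id` in `addIdentity()` changes what the third positional argument means, so any caller outside the visible hunks that still passes three arguments would now supply its claimed identifier as the OP-Local Identifier and leave `$claimed_id` at NULL without any error. Appending the new parameter after `$claimed_id`, or checking the remaining call sites, would avoid that. The `@param $local_id` text should also state that FALSE turns the endpoint's identity check off, since `variable_set('openid_test_identity', $local_id)` stores it and the mock endpoint only compares when the stored value is truthy. The stored variable is not reset in the visible lines; the method body continues outside the hunk.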
diff --git a/modules/openid/tests/openid_test.module b/modules/openid/tests/openid_test.module
index f6e1a9f6e..261a1aa1e 100644
--- a/modules/openid/tests/openid_test.module
+++ b/modules/openid/tests/openid_test.module
@@ -88,7 +88,7 @@ function openid_test_yadis_xrds() {
}
drupal_add_http_header('Content-Type', 'application/xrds+xml');
print '<?xml version="1.0" encoding="UTF-8"?>
- <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
+ <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)" xmlns:openid="http://openid.net/xmlns/1.0">
<XRD>
<Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
<ProviderID>xri://@</ProviderID>
@@ -100,6 +100,7 @@ function openid_test_yadis_xrds() {
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/srv/ax/1.0</Type>
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
+ <LocalID>http://example.com/xrds</LocalID>
</Service>
<Service priority="15">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
@@ -121,6 +122,15 @@ function openid_test_yadis_xrds() {
<URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
</Service>';
}
+ elseif (arg(3) == 'delegate') {
+ print '
+ <Service priority="5">
+ <Type>http://specs.openid.net/auth/2.0/signon</Type>
+ <Type>http://openid.net/srv/ax/1.0</Type>
+ <URI>' . url('openid-test/endpoint', array('absolute' => TRUE)) . '</URI>
+ <openid:Delegate>http://example.com/xrds-delegate</openid:Delegate>
+ </Service>';
+ }
print '
</XRD>
</xrds:XRDS>';
@@ -158,6 +168,7 @@ function openid_test_yadis_http_equiv() {
*/
function openid_test_html_openid1() {
drupal_add_html_head_link(array('rel' => 'openid.server', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
+ drupal_add_html_head_link(array('rel' => 'openid.delegate', 'href' => 'http://example.com/html-openid1'));
return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
}
@@ -166,6 +177,7 @@ function openid_test_html_openid1() {
*/
function openid_test_html_openid2() {
drupal_add_html_head_link(array('rel' => 'openid2.provider', 'href' => url('openid-test/endpoint', array('absolute' => TRUE))));
+ drupal_add_html_head_link(array('rel' => 'openid2.local_id', 'href' => 'http://example.com/html-openid2'));
return t('This page includes a &lt;link rel=...&gt; element containing the URL of an OpenID Provider Endpoint.');
}
@@ -249,6 +261,18 @@ function _openid_test_endpoint_associate() {
function _openid_test_endpoint_authenticate() {
module_load_include('inc', 'openid');
+ $expected_identity = variable_get('openid_test_identity');
+ if ($expected_identity && $_REQUEST['openid_identity'] != $expected_identity) {
+ $response = variable_get('openid_test_response', array()) + array(
+ 'openid.ns' => OPENID_NS_2_0,
+ 'openid.mode' => 'error',
+ 'openid.error' => 'Unexpted identity',
+ );
+ drupal_add_http_header('Content-Type', 'text/plain');
+ header('Location: ' . url($_REQUEST['openid_return_to'], array('query' => $response, 'external' => TRUE)));
+ return;
+ }
+
// Generate unique identifier for this authentication.
$nonce = _openid_nonce();
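Review bot: The added error branch redirects to `$_REQUEST['openid_return_to']` without any check and reads `$_REQUEST['openid_identity']` without confirming it is present, so a request that omits the parameter raises an undefined-index notice before the comparison runs. That is tolerable only while this mock provider is enabled solely under test, and a comment above the `header()` call saying so would make the assumption explicit. I would write the guard as `if ($expected_identity && (!isset($_REQUEST['openid_identity']) || $_REQUEST['openid_identity'] !== $expected_identity)) {` and correct the message to `'openid.error' => 'Unexpected identity',`. The function continues below the hunk, so whether the normal path treats `openid_return_to` the same way cannot be seen from here.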