- Patch #218097 by c960657: OpenID must use canonical ID when authenticating XRI i-names.

author: Dries Buytaert <dries@buytaert.net> 2010-03-23 21:14:49 +0000
committer: Dries Buytaert <dries@buytaert.net> 2010-03-23 21:14:49 +0000
commit: b9123f23092221da8b12449794ee6f0511e904ef (patch)
tree: 9ac416acba4e8707e9edbf506fb77f392f468ac8 /modules/openid
parent: 58ea109dcd89a204bea80aa3badeffb728886e6c (diff)
download: brdo-b9123f23092221da8b12449794ee6f0511e904ef.tar.gz
brdo-b9123f23092221da8b12449794ee6f0511e904ef.tar.bz2
3 files changed, 28 insertions, 9 deletions
diff --git a/modules/openid/openid.module b/modules/openid/openid.module
index 89e0e3732..d7773744b 100644
--- a/modules/openid/openid.module
+++ b/modules/openid/openid.module
@@ -372,11 +372,18 @@ function openid_openid_discovery_method_info() {
 function _openid_xri_discovery($claimed_id) {
   if (_openid_is_xri($claimed_id)) {
     // Resolve XRI using a proxy resolver (Extensible Resource Identifier (XRI)
-    // Resolution Version 2.0, section 11.2).
+    // Resolution Version 2.0, section 11.2 and 14.3).
     $xrds_url = variable_get('xri_proxy_resolver', 'http://xri.net/') . rawurlencode($claimed_id) . '?_xrd_r=application/xrds+xml';
     $services = _openid_xrds_discovery($xrds_url);
-    foreach ($services as &$service) {
-      $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID);
+    foreach ($services as $i => &$service) {
+      $status = $service['xrd']->children(OPENID_NS_XRD)->Status;
+      if ($status && $status->attributes()->cid == 'verified') {
+        $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID);
+      }
+      else {
+        // Ignore service if CanonicalID could not be verified.
+        unset($services[$i]);
+      }
     }
     return $services;
   }
diff --git a/modules/openid/openid.test b/modules/openid/openid.test
index 4de6f67d4..65b805b1b 100644
--- a/modules/openid/openid.test
+++ b/modules/openid/openid.test
@@ -72,6 +72,10 @@ class OpenIDFunctionalTest extends DrupalWebTestCase {
     variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/');
     $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user');
 
+    // Make sure that unverified CanonicalID are not trusted.
+    variable_set('openid_test_canonical_id_status', 'bad value');
+    $this->addIdentity('@example*résumé;%25', 2, FALSE);
+
     // HTML-based discovery:
     // If the User-supplied Identifier is a URL of an HTML page, the page may
     // contain a <link rel=...> element containing the URL of the OpenID
@@ -186,21 +190,28 @@ class OpenIDFunctionalTest extends DrupalWebTestCase {
    * @param $version
    *   The protocol version used by the service.
    * @param $claimed_id
-   *   The expected Claimed Identifier returned by the OpenID Provider.
+   *   The expected Claimed Identifier returned by the OpenID Provider, or FALSE
+   *   if the discovery is expected to fail.
    */
   function addIdentity($identity, $version = 2, $claimed_id = NULL) {
-    $this->drupalGet('user/' . $this->web_user->uid . '/openid');
     $edit = array('openid_identifier' => $identity);
-    $this->drupalPost(NULL, $edit, t('Add an OpenID'));
+    $this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID'));
+
+    if ($claimed_id === FALSE) {
+      $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), t('Invalid identity was rejected.'));
+      return;
+    }
 
     // OpenID 1 used a HTTP redirect, OpenID 2 uses a HTML form that is submitted automatically using JavaScript.
     if ($version == 2) {
-      // Manually submit form because SimpleTest is not able to execute JavaScript.
-      $this->assertRaw('<script type="text/javascript">document.getElementById("openid-redirect-form").submit();</script>', t('JavaScript form submission found.'));
+      // Check we are on the OpenID redirect form.
+      $this->assertTitle(t('OpenID redirect'), t('OpenID redirect page was displayed.'));
+
+      // Submit form to the OpenID Provider Endpoint.
       $this->drupalPost(NULL, array(), t('Send'));
     }
 
-    if (!$claimed_id) {
+    if (!isset($claimed_id)) {
       $claimed_id = $identity;
     }
     $this->assertRaw(t('Successfully added %identity', array('%identity' => $claimed_id)), t('Identity %identity was added.', array('%identity' => $identity)));
diff --git a/modules/openid/tests/openid_test.module b/modules/openid/tests/openid_test.module
index 4314e0b20..b2f737b21 100644
--- a/modules/openid/tests/openid_test.module
+++ b/modules/openid/tests/openid_test.module
@@ -90,6 +90,7 @@ function openid_test_yadis_xrds() {
     print '<?xml version="1.0" encoding="UTF-8"?>
       <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
         <XRD>
+          <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/>
           <ProviderID>xri://@</ProviderID>
           <CanonicalID>http://example.com/user</CanonicalID>
           <Service>
author	Dries Buytaert <dries@buytaert.net>	2010-03-23 21:14:49 +0000
committer	Dries Buytaert <dries@buytaert.net>	2010-03-23 21:14:49 +0000
commit	b9123f23092221da8b12449794ee6f0511e904ef (patch)
tree	9ac416acba4e8707e9edbf506fb77f392f468ac8 /modules/openid
parent	58ea109dcd89a204bea80aa3badeffb728886e6c (diff)
download	brdo-b9123f23092221da8b12449794ee6f0511e904ef.tar.gz brdo-b9123f23092221da8b12449794ee6f0511e904ef.tar.bz2