diff options
author | Dries Buytaert <dries@buytaert.net> | 2010-03-23 21:14:49 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2010-03-23 21:14:49 +0000 |
commit | b9123f23092221da8b12449794ee6f0511e904ef (patch) | |
tree | 9ac416acba4e8707e9edbf506fb77f392f468ac8 /modules/openid | |
parent | 58ea109dcd89a204bea80aa3badeffb728886e6c (diff) | |
download | brdo-b9123f23092221da8b12449794ee6f0511e904ef.tar.gz brdo-b9123f23092221da8b12449794ee6f0511e904ef.tar.bz2 |
- Patch #218097 by c960657: OpenID must use canonical ID when authenticating XRI i-names.
Diffstat (limited to 'modules/openid')
-rw-r--r-- | modules/openid/openid.module | 13 | ||||
-rw-r--r-- | modules/openid/openid.test | 23 | ||||
-rw-r--r-- | modules/openid/tests/openid_test.module | 1 |
3 files changed, 28 insertions, 9 deletions
diff --git a/modules/openid/openid.module b/modules/openid/openid.module index 89e0e3732..d7773744b 100644 --- a/modules/openid/openid.module +++ b/modules/openid/openid.module @@ -372,11 +372,18 @@ function openid_openid_discovery_method_info() { function _openid_xri_discovery($claimed_id) { if (_openid_is_xri($claimed_id)) { // Resolve XRI using a proxy resolver (Extensible Resource Identifier (XRI) - // Resolution Version 2.0, section 11.2). + // Resolution Version 2.0, section 11.2 and 14.3). $xrds_url = variable_get('xri_proxy_resolver', 'http://xri.net/') . rawurlencode($claimed_id) . '?_xrd_r=application/xrds+xml'; $services = _openid_xrds_discovery($xrds_url); - foreach ($services as &$service) { - $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID); + foreach ($services as $i => &$service) { + $status = $service['xrd']->children(OPENID_NS_XRD)->Status; + if ($status && $status->attributes()->cid == 'verified') { + $service['claimed_id'] = openid_normalize((string)$service['xrd']->children(OPENID_NS_XRD)->CanonicalID); + } + else { + // Ignore service if CanonicalID could not be verified. + unset($services[$i]); + } } return $services; } diff --git a/modules/openid/openid.test b/modules/openid/openid.test index 4de6f67d4..65b805b1b 100644 --- a/modules/openid/openid.test +++ b/modules/openid/openid.test @@ -72,6 +72,10 @@ class OpenIDFunctionalTest extends DrupalWebTestCase { variable_set('xri_proxy_resolver', url('openid-test/yadis/xrds/xri', array('absolute' => TRUE)) . '/'); $this->addIdentity('@example*résumé;%25', 2, 'http://example.com/user'); + // Make sure that unverified CanonicalID are not trusted. + variable_set('openid_test_canonical_id_status', 'bad value'); + $this->addIdentity('@example*résumé;%25', 2, FALSE); + // HTML-based discovery: // If the User-supplied Identifier is a URL of an HTML page, the page may // contain a <link rel=...> element containing the URL of the OpenID @@ -186,21 +190,28 @@ class OpenIDFunctionalTest extends DrupalWebTestCase { * @param $version * The protocol version used by the service. * @param $claimed_id - * The expected Claimed Identifier returned by the OpenID Provider. + * The expected Claimed Identifier returned by the OpenID Provider, or FALSE + * if the discovery is expected to fail. */ function addIdentity($identity, $version = 2, $claimed_id = NULL) { - $this->drupalGet('user/' . $this->web_user->uid . '/openid'); $edit = array('openid_identifier' => $identity); - $this->drupalPost(NULL, $edit, t('Add an OpenID')); + $this->drupalPost('user/' . $this->web_user->uid . '/openid', $edit, t('Add an OpenID')); + + if ($claimed_id === FALSE) { + $this->assertRaw(t('Sorry, that is not a valid OpenID. Ensure you have spelled your ID correctly.'), t('Invalid identity was rejected.')); + return; + } // OpenID 1 used a HTTP redirect, OpenID 2 uses a HTML form that is submitted automatically using JavaScript. if ($version == 2) { - // Manually submit form because SimpleTest is not able to execute JavaScript. - $this->assertRaw('<script type="text/javascript">document.getElementById("openid-redirect-form").submit();</script>', t('JavaScript form submission found.')); + // Check we are on the OpenID redirect form. + $this->assertTitle(t('OpenID redirect'), t('OpenID redirect page was displayed.')); + + // Submit form to the OpenID Provider Endpoint. $this->drupalPost(NULL, array(), t('Send')); } - if (!$claimed_id) { + if (!isset($claimed_id)) { $claimed_id = $identity; } $this->assertRaw(t('Successfully added %identity', array('%identity' => $claimed_id)), t('Identity %identity was added.', array('%identity' => $identity))); diff --git a/modules/openid/tests/openid_test.module b/modules/openid/tests/openid_test.module index 4314e0b20..b2f737b21 100644 --- a/modules/openid/tests/openid_test.module +++ b/modules/openid/tests/openid_test.module @@ -90,6 +90,7 @@ function openid_test_yadis_xrds() { print '<?xml version="1.0" encoding="UTF-8"?> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> <XRD> + <Status cid="' . check_plain(variable_get('openid_test_canonical_id_status', 'verified')) . '"/> <ProviderID>xri://@</ProviderID> <CanonicalID>http://example.com/user</CanonicalID> <Service> |