TrustRoot.php 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462
  1. <?php
  2. /**
  3. * Functions for dealing with OpenID trust roots
  4. *
  5. * PHP versions 4 and 5
  6. *
  7. * LICENSE: See the COPYING file included in this distribution.
  8. *
  9. * @package OpenID
  10. * @author JanRain, Inc. <openid@janrain.com>
  11. * @copyright 2005-2008 Janrain, Inc.
  12. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
  13. */
  14. require_once 'Auth/OpenID/Discover.php';
  /**
   * A regular expression that matches a host name ending in one of the
   * listed top-level domains, optionally followed by a single trailing
   * dot. The matched top-level domain is captured as group 1.
   * Used in checking trust roots for sanity.
   *
   * @access private
   */
  define('Auth_OpenID___TLDs',
         '/\.(ac|ad|ae|aero|af|ag|ai|al|am|an|ao|aq|ar|arpa|as|asia' .
         '|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|biz|bj|bm|bn|bo|br' .
         '|bs|bt|bv|bw|by|bz|ca|cat|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co' .
         '|com|coop|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|edu|ee|eg' .
         '|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl' .
         '|gm|gn|gov|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie' .
         '|il|im|in|info|int|io|iq|ir|is|it|je|jm|jo|jobs|jp|ke|kg|kh' .
         '|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly' .
         '|ma|mc|md|me|mg|mh|mil|mk|ml|mm|mn|mo|mobi|mp|mq|mr|ms|mt' .
         '|mu|museum|mv|mw|mx|my|mz|na|name|nc|ne|net|nf|ng|ni|nl|no' .
         '|np|nr|nu|nz|om|org|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|pro|ps|pt' .
         '|pw|py|qa|re|ro|rs|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl' .
         '|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tel|tf|tg|th|tj|tk|tl|tm' .
         '|tn|to|tp|tr|travel|tt|tv|tw|tz|ua|ug|uk|us|uy|uz|va|vc|ve' .
         '|vg|vi|vn|vu|wf|ws|xn--0zwm56d|xn--11b5bs3a9aj6g' .
         '|xn--80akhbyknj4f|xn--9t4b11yi5a|xn--deba0ad|xn--g6w251d' .
         '|xn--hgbk6aj7f53bba|xn--hlcj6aya9esc7a|xn--jxalpdlp' .
         '|xn--kgbechtv|xn--zckzah|ye|yt|yu|za|zm|zw)\.?$/');
  /**
   * A regular expression that matches a complete host string made up
   * only of letters, digits, the punctuation characters listed in the
   * character class (which include "." and "*"), and percent signs
   * followed by two alphanumeric characters. An empty string also
   * matches. Used to validate the host component of a trust root.
   *
   * @access private
   */
  define('Auth_OpenID___HostSegmentRe',
         "/^(?:[-a-zA-Z0-9!$&'\\(\\)\\*+,;=._~]|%[a-zA-Z0-9]{2})*$/");
  /**
   * A wrapper for trust-root related functions
   */
  class Auth_OpenID_TrustRoot {
      /**
       * Return a discovery URL for this realm.
       *
       * A realm without a wildcard is returned as produced by
       * Auth_OpenID_urinorm(). For a wildcard realm the leading "*" is
       * replaced with "www" while the scheme, port, (lower-cased) path
       * and query of the realm are kept.
       *
       * @static
       *
       * @param string $realm The realm (trust root) of the OpenID
       * authentication request
       *
       * @return mixed The URL upon which relying party discovery should
       * be run in order to verify the return_to URL, or false if the
       * realm could not be parsed or was not valid.
       */
      static function buildDiscoveryURL($realm)
      {
          $parsed = self::_parse($realm);
          if ($parsed === false) {
              return false;
          }

          if (!$parsed['wildcard']) {
              return $parsed['unparsed'];
          }

          // Use "www." in place of the star. substr() is used instead
          // of $host[0] because the host is the empty string when the
          // realm's host is a bare "*", and indexing an empty string
          // raises a notice/warning.
          if (substr($parsed['host'], 0, 1) !== '.') {
              return false;
          }

          $url = $parsed['scheme'] . '://www' . $parsed['host'];

          // Keep an explicit port; _parse() stores false when the realm
          // has none.
          if ($parsed['port'] !== false) {
              $url .= ':' . $parsed['port'];
          }

          $url .= $parsed['path'];

          if (isset($parsed['query'])) {
              $url .= '?' . $parsed['query'];
          }

          return $url;
      }

      /**
       * Parse a URL into its trust_root parts.
       *
       * The returned array holds the parse_url() components plus:
       * 'scheme' and 'host' lower-cased (host without the leading "*"),
       * 'path' lower-cased and defaulting to "/", 'port' (false when
       * absent), 'wildcard' (bool) and 'unparsed' (the URL as returned
       * by Auth_OpenID_urinorm()).
       *
       * @static
       *
       * @access private
       *
       * @param string $trust_root The url to parse
       *
       * @return mixed $parsed Either an associative array of trust root
       * parts or false if parsing failed.
       */
      static function _parse($trust_root)
      {
          $trust_root = Auth_OpenID_urinorm($trust_root);
          if ($trust_root === null) {
              return false;
          }

          // Reject authorities that carry two or more ":digits" groups.
          if (preg_match("/:\/\/[^:]+(:\d+){2,}(\/|$)/", $trust_root)) {
              return false;
          }

          // Error suppression kept from the original; presumably it
          // guards against warnings parse_url() may raise on malformed
          // input in some PHP versions.
          $parts = @parse_url($trust_root);
          if ($parts === false) {
              return false;
          }

          // Scheme and host are mandatory.
          if (!isset($parts['scheme'], $parts['host'])) {
              return false;
          }

          // Credentials and fragments are not allowed in a trust root.
          foreach (array('user', 'pass', 'fragment') as $forbidden) {
              if (isset($parts[$forbidden])) {
                  return false;
              }
          }

          if (!preg_match(Auth_OpenID___HostSegmentRe, $parts['host'])) {
              return false;
          }

          $scheme = strtolower($parts['scheme']);
          if (!in_array($scheme, array('http', 'https'), true)) {
              return false;
          }
          $parts['scheme'] = $scheme;

          $host = strtolower($parts['host']);
          $hostparts = explode('*', $host);

          switch (count($hostparts)) {
          case 1:
              $parts['wildcard'] = false;
              break;
          case 2:
              // The star must be the very first character and must be
              // followed by nothing or by ".". Compare against ''
              // explicitly: the string "0" is falsy in PHP, so a
              // truthiness test would accept "0*.example.com" and "*0".
              if ($hostparts[0] !== '' ||
                  ($hostparts[1] !== '' &&
                   substr($hostparts[1], 0, 1) !== '.')) {
                  return false;
              }
              $host = $hostparts[1];
              $parts['wildcard'] = true;
              break;
          default:
              // More than one star.
              return false;
          }

          if (strpos($host, ':') !== false) {
              return false;
          }
          $parts['host'] = $host;

          if (isset($parts['path'])) {
              // Paths are lower-cased, so later path comparisons in
              // match() are case-insensitive.
              $path = strtolower($parts['path']);
              if (substr($path, 0, 1) != '/') {
                  return false;
              }
          } else {
              $path = '/';
          }
          $parts['path'] = $path;

          if (!isset($parts['port'])) {
              $parts['port'] = false;
          }

          $parts['unparsed'] = $trust_root;

          return $parts;
      }

      /**
       * Is this trust root sane?
       *
       * A trust root is sane if it is syntactically valid and it has a
       * reasonable domain name. Specifically, the domain name must be
       * more than one level below a standard TLD or more than two
       * levels below a two-letter tld.
       *
       * For example, '*.com' is not a sane trust root, but '*.foo.com'
       * is. '*.co.uk' is not sane, but '*.bbc.co.uk' is.
       *
       * This check is not always correct, but it attempts to err on the
       * side of marking sane trust roots insane instead of marking
       * insane trust roots sane. For example, 'kink.fm' is marked as
       * insane even though it "should" (for some meaning of should) be
       * marked sane.
       *
       * This function should be used when creating OpenID servers to
       * alert the users of the server when a consumer attempts to get
       * the user to accept a suspicious trust root.
       *
       * @static
       * @param string $trust_root The trust root to check
       * @return bool $sanity Whether the trust root looks OK
       */
      static function isSane($trust_root)
      {
          $parts = self::_parse($trust_root);
          if ($parts === false) {
              return false;
          }

          // Localhost is a special case
          if ($parts['host'] === 'localhost') {
              return true;
          }

          $host_parts = explode('.', $parts['host']);
          if ($parts['wildcard']) {
              // Remove the empty string from the beginning of the array
              array_shift($host_parts);
          }

          // Drop the empty segment produced by a trailing dot.
          if ($host_parts && $host_parts[count($host_parts) - 1] === '') {
              array_pop($host_parts);
          }

          if (!$host_parts) {
              return false;
          }

          // Don't allow adjacent dots
          if (in_array('', $host_parts, true)) {
              return false;
          }

          // Get the top-level domain of the host. If it is not a valid TLD,
          // it's not sane.
          if (!preg_match(Auth_OpenID___TLDs, $parts['host'], $matches)) {
              return false;
          }
          $tld = $matches[1];

          // A bare TLD is never sane.
          if (count($host_parts) == 1) {
              return false;
          }

          if ($parts['wildcard']) {
              // It's a 2-letter tld with a short second to last segment
              // so there needs to be more than two segments specified
              // (e.g. *.co.uk is insane)
              $second_level = $host_parts[count($host_parts) - 2];
              if (strlen($tld) == 2 && strlen($second_level) <= 3) {
                  return count($host_parts) > 2;
              }
          }

          return true;
      }

      /**
       * Does this URL match the given trust root?
       *
       * Return whether the URL falls under the given trust root. This
       * does not check whether the trust root is sane. If the URL or
       * trust root do not parse, this function will return false.
       *
       * Hosts must be equal, or for a wildcard trust root the URL host
       * must end with the trust root's host tail (or equal it without
       * the leading dot). Without a trust root query, the URL path must
       * equal the trust root path or lie below it; with a trust root
       * query, the paths must be equal and the URL query must equal the
       * trust root query or extend it after an "&". Scheme and port
       * must match exactly.
       *
       * @static
       *
       * @param string $trust_root The trust root to match against
       *
       * @param string $url The URL to check
       *
       * @return bool $matches Whether the URL matches against the
       * trust root
       */
      static function match($trust_root, $url)
      {
          $trust_root_parsed = self::_parse($trust_root);
          $url_parsed = self::_parse($url);
          if (!$trust_root_parsed || !$url_parsed) {
              return false;
          }

          // Check hosts matching. The URL itself may not be a wildcard.
          if ($url_parsed['wildcard']) {
              return false;
          }

          if ($trust_root_parsed['wildcard']) {
              $host_tail = $trust_root_parsed['host'];
              $host = $url_parsed['host'];
              // An empty tail (bare "*" host) matches every host.
              if ($host_tail !== '' &&
                  substr($host, -(strlen($host_tail))) != $host_tail &&
                  substr($host_tail, 1) != $host) {
                  return false;
              }
          } else {
              if ($trust_root_parsed['host'] != $url_parsed['host']) {
                  return false;
              }
          }

          // Check path and query matching
          $base_path = $trust_root_parsed['path'];
          $path = $url_parsed['path'];
          if (!isset($trust_root_parsed['query'])) {
              if ($base_path != $path) {
                  // The URL path must start with the trust root path...
                  if (substr($path, 0, strlen($base_path)) != $base_path) {
                      return false;
                  }
                  // ...and the prefix must end on a "/" boundary, so
                  // that "/foo" does not match "/foobar".
                  if (substr($base_path, strlen($base_path) - 1, 1) != '/' &&
                      substr($path, strlen($base_path), 1) != '/') {
                      return false;
                  }
              }
          } else {
              $base_query = $trust_root_parsed['query'];
              // Default to '' rather than suppressing the undefined-index
              // error and handing null to substr().
              $query = isset($url_parsed['query']) ? $url_parsed['query'] : '';
              $qplus = substr($query, 0, strlen($base_query) + 1);
              $bqplus = $base_query . '&';
              if ($base_path != $path ||
                  ($base_query != $query && $qplus != $bqplus)) {
                  return false;
              }
          }

          // The port and scheme need to match exactly
          return ($trust_root_parsed['scheme'] == $url_parsed['scheme'] &&
                  $url_parsed['port'] === $trust_root_parsed['port']);
      }
  }
  /*
   * Filter for relying party return_to endpoints.
   *
   * Asks the endpoint whether it matches the
   * Auth_OpenID_RP_RETURN_TO_URL_TYPE service type. This function is
   * intended to be used as a filter for the Yadis filtering interface.
   *
   * @param endpoint: An object exposing matchTypes(array), e.g. an XRDS
   * service endpoint as returned by performing Yadis discovery.
   *
   * @returns: The endpoint object itself when it matches the return_to
   * type, or null when it does not.
   */
  function filter_extractReturnURL($endpoint)
  {
      $wanted_types = array(Auth_OpenID_RP_RETURN_TO_URL_TYPE);

      return $endpoint->matchTypes($wanted_types) ? $endpoint : null;
  }
  /*
   * Collect the endpoints accepted by filter_extractReturnURL().
   *
   * @param endpoint_list: The endpoints to examine (taken by reference,
   * not modified here).
   *
   * @returns: A freshly indexed array holding, in their original order,
   * the endpoints for which filter_extractReturnURL() returned a truthy
   * value.
   */
  function &Auth_OpenID_extractReturnURL(&$endpoint_list)
  {
      $return_to_endpoints = array();

      foreach ($endpoint_list as $candidate) {
          if (!filter_extractReturnURL($candidate)) {
              continue;
          }
          $return_to_endpoints[] = $candidate;
      }

      // Returned through a variable because the function returns by
      // reference.
      return $return_to_endpoints;
  }
  /*
   * Is the return_to URL under one of the supplied allowed return_to
   * URLs?
   *
   * An allowed return_to pattern is treated like a realm, except that
   * wildcard patterns are never matched: each pattern is parsed as a
   * trust root, and patterns that fail to parse or that carry a
   * wildcard are skipped.
   *
   * @returns: true as soon as one pattern matches $return_to, false if
   * none does.
   */
  function Auth_OpenID_returnToMatches($allowed_return_to_urls, $return_to)
  {
      foreach ($allowed_return_to_urls as $pattern) {
          $pattern_parts = Auth_OpenID_TrustRoot::_parse($pattern);

          // Not a valid trust root at all
          if ($pattern_parts === false) {
              continue;
          }

          // Wildcards are not permitted in return_to patterns
          if ($pattern_parts['wildcard']) {
              continue;
          }

          if (Auth_OpenID_TrustRoot::match($pattern, $return_to)) {
              return true;
          }
      }

      // No URL in the list matched
      return false;
  }
  /*
   * Given a relying party discovery URL return a list of return_to
   * URLs.
   *
   * @param relying_party_url: The URL to run relying party discovery on.
   *
   * @param fetcher: Passed through to Auth_Yadis_getServiceEndpoints().
   *
   * @param discover_function: Optional discovery callback; defaults to
   * array('Auth_Yadis_Yadis', 'discover').
   *
   * @returns: An array holding the server_url of every discovered
   * endpoint accepted by Auth_OpenID_extractReturnURL(), or false when
   * the URL reported back by discovery differs from relying_party_url
   * (i.e. discovery was redirected).
   */
  function Auth_OpenID_getAllowedReturnURLs($relying_party_url, $fetcher,
                                            $discover_function=null)
  {
      if ($discover_function === null) {
          $discover_function = array('Auth_Yadis_Yadis', 'discover');
      }

      $xrds_parse_cb = array('Auth_OpenID_ServiceEndpoint', 'consumerFromXRDS');

      list($rp_url_after_redirects, $endpoints) =
          Auth_Yadis_getServiceEndpoints($relying_party_url, $xrds_parse_cb,
                                         $discover_function, $fetcher);

      if ($rp_url_after_redirects != $relying_party_url) {
          // Verification caused a redirect
          return false;
      }

      // NOTE(review): this function used to invoke $discover_function a
      // second time at this point and throw the result away. The
      // callback is already handed to Auth_Yadis_getServiceEndpoints()
      // above, so the extra call only repeated the discovery request.
      // It was removed on the assumption that discovery has no side
      // effects callers rely on -- confirm against the Yadis code.

      $return_to_urls = array();
      $matching_endpoints = Auth_OpenID_extractReturnURL($endpoints);
      foreach ($matching_endpoints as $e) {
          $return_to_urls[] = $e->server_url;
      }

      return $return_to_urls;
  }
  /*
   * Verify that a return_to URL is valid for the given realm.
   *
   * Builds the discovery URL for the realm, hands it (together with the
   * fetcher) to the $_vrfy callback to obtain the allowed return_to
   * URLs, and finally checks whether the supplied return_to URL falls
   * under one of them.
   *
   * @param _vrfy: Callback invoked as ($discovery_url, $fetcher); it
   * must return an array of allowed return_to URLs or false. Defaults
   * to 'Auth_OpenID_getAllowedReturnURLs'.
   *
   * @return true if the return_to URL is valid for the realm, false
   * otherwise (including when the realm cannot be turned into a
   * discovery URL or the callback returns false)
   */
  function Auth_OpenID_verifyReturnTo($realm_str, $return_to, $fetcher,
                                      $_vrfy='Auth_OpenID_getAllowedReturnURLs')
  {
      $discovery_url = Auth_OpenID_TrustRoot::buildDiscoveryURL($realm_str);

      // The realm_str could not be parsed or was not valid.
      if ($discovery_url === false) {
          return false;
      }

      $candidate_urls = call_user_func($_vrfy, $discovery_url, $fetcher);

      // The callback could not produce a list of allowed URLs.
      if ($candidate_urls === false) {
          return false;
      }

      return Auth_OpenID_returnToMatches($candidate_urls, $return_to)
          ? true
          : false;
  }