FileStore.php 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628
  1. <?php
  2. /**
  3. * This file supplies a Memcached store backend for OpenID servers and
  4. * consumers.
  5. *
  6. * PHP versions 4 and 5
  7. *
  8. * LICENSE: See the COPYING file included in this distribution.
  9. *
  10. * @package OpenID
  11. * @author JanRain, Inc. <openid@janrain.com>
  12. * @copyright 2005-2008 Janrain, Inc.
  13. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache
  14. */
  15. /**
  16. * Require base class for creating a new interface.
  17. */
  18. require_once 'Auth/OpenID.php';
  19. require_once 'Auth/OpenID/Interface.php';
  20. require_once 'Auth/OpenID/HMAC.php';
  21. require_once 'Auth/OpenID/Nonce.php';
  22. /**
  23. * This is a filesystem-based store for OpenID associations and
  24. * nonces. This store should be safe for use in concurrent systems on
  25. * both windows and unix (excluding NFS filesystems). There are a
  26. * couple race conditions in the system, but those failure cases have
  27. * been set up in such a way that the worst-case behavior is someone
  28. * having to try to log in a second time.
  29. *
  30. * Most of the methods of this class are implementation details.
  31. * People wishing to just use this store need only pay attention to
  32. * the constructor.
  33. *
  34. * @package OpenID
  35. */
  36. class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore {
  37. /**
  38. * Initializes a new {@link Auth_OpenID_FileStore}. This
  39. * initializes the nonce and association directories, which are
  40. * subdirectories of the directory passed in.
  41. *
  42. * @param string $directory This is the directory to put the store
  43. * directories in.
  44. */
  45. function Auth_OpenID_FileStore($directory)
  46. {
  47. if (!Auth_OpenID::ensureDir($directory)) {
  48. trigger_error('Not a directory and failed to create: '
  49. . $directory, E_USER_ERROR);
  50. }
  51. $directory = realpath($directory);
  52. $this->directory = $directory;
  53. $this->active = true;
  54. $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces';
  55. $this->association_dir = $directory . DIRECTORY_SEPARATOR .
  56. 'associations';
  57. // Temp dir must be on the same filesystem as the assciations
  58. // $directory.
  59. $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp';
  60. $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds
  61. if (!$this->_setup()) {
  62. trigger_error('Failed to initialize OpenID file store in ' .
  63. $directory, E_USER_ERROR);
  64. }
  65. }
  66. function destroy()
  67. {
  68. Auth_OpenID_FileStore::_rmtree($this->directory);
  69. $this->active = false;
  70. }
  71. /**
  72. * Make sure that the directories in which we store our data
  73. * exist.
  74. *
  75. * @access private
  76. */
  77. function _setup()
  78. {
  79. return (Auth_OpenID::ensureDir($this->nonce_dir) &&
  80. Auth_OpenID::ensureDir($this->association_dir) &&
  81. Auth_OpenID::ensureDir($this->temp_dir));
  82. }
  83. /**
  84. * Create a temporary file on the same filesystem as
  85. * $this->association_dir.
  86. *
  87. * The temporary directory should not be cleaned if there are any
  88. * processes using the store. If there is no active process using
  89. * the store, it is safe to remove all of the files in the
  90. * temporary directory.
  91. *
  92. * @return array ($fd, $filename)
  93. * @access private
  94. */
  95. function _mktemp()
  96. {
  97. $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir);
  98. $file_obj = @fopen($name, 'wb');
  99. if ($file_obj !== false) {
  100. return array($file_obj, $name);
  101. } else {
  102. Auth_OpenID_FileStore::_removeIfPresent($name);
  103. }
  104. }
  105. function cleanupNonces()
  106. {
  107. global $Auth_OpenID_SKEW;
  108. $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir);
  109. $now = time();
  110. $removed = 0;
  111. // Check all nonces for expiry
  112. foreach ($nonces as $nonce_fname) {
  113. $base = basename($nonce_fname);
  114. $parts = explode('-', $base, 2);
  115. $timestamp = $parts[0];
  116. $timestamp = intval($timestamp, 16);
  117. if (abs($timestamp - $now) > $Auth_OpenID_SKEW) {
  118. Auth_OpenID_FileStore::_removeIfPresent($nonce_fname);
  119. $removed += 1;
  120. }
  121. }
  122. return $removed;
  123. }
  124. /**
  125. * Create a unique filename for a given server url and
  126. * handle. This implementation does not assume anything about the
  127. * format of the handle. The filename that is returned will
  128. * contain the domain name from the server URL for ease of human
  129. * inspection of the data directory.
  130. *
  131. * @return string $filename
  132. */
  133. function getAssociationFilename($server_url, $handle)
  134. {
  135. if (!$this->active) {
  136. trigger_error("FileStore no longer active", E_USER_ERROR);
  137. return null;
  138. }
  139. if (strpos($server_url, '://') === false) {
  140. trigger_error(sprintf("Bad server URL: %s", $server_url),
  141. E_USER_WARNING);
  142. return null;
  143. }
  144. list($proto, $rest) = explode('://', $server_url, 2);
  145. $parts = explode('/', $rest);
  146. $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]);
  147. $url_hash = Auth_OpenID_FileStore::_safe64($server_url);
  148. if ($handle) {
  149. $handle_hash = Auth_OpenID_FileStore::_safe64($handle);
  150. } else {
  151. $handle_hash = '';
  152. }
  153. $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash,
  154. $handle_hash);
  155. return $this->association_dir. DIRECTORY_SEPARATOR . $filename;
  156. }
  157. /**
  158. * Store an association in the association directory.
  159. */
  160. function storeAssociation($server_url, $association)
  161. {
  162. if (!$this->active) {
  163. trigger_error("FileStore no longer active", E_USER_ERROR);
  164. return false;
  165. }
  166. $association_s = $association->serialize();
  167. $filename = $this->getAssociationFilename($server_url,
  168. $association->handle);
  169. list($tmp_file, $tmp) = $this->_mktemp();
  170. if (!$tmp_file) {
  171. trigger_error("_mktemp didn't return a valid file descriptor",
  172. E_USER_WARNING);
  173. return false;
  174. }
  175. fwrite($tmp_file, $association_s);
  176. fflush($tmp_file);
  177. fclose($tmp_file);
  178. if (@rename($tmp, $filename)) {
  179. return true;
  180. } else {
  181. // In case we are running on Windows, try unlinking the
  182. // file in case it exists.
  183. @unlink($filename);
  184. // Now the target should not exist. Try renaming again,
  185. // giving up if it fails.
  186. if (@rename($tmp, $filename)) {
  187. return true;
  188. }
  189. }
  190. // If there was an error, don't leave the temporary file
  191. // around.
  192. Auth_OpenID_FileStore::_removeIfPresent($tmp);
  193. return false;
  194. }
  195. /**
  196. * Retrieve an association. If no handle is specified, return the
  197. * association with the most recent issue time.
  198. *
  199. * @return mixed $association
  200. */
  201. function getAssociation($server_url, $handle = null)
  202. {
  203. if (!$this->active) {
  204. trigger_error("FileStore no longer active", E_USER_ERROR);
  205. return null;
  206. }
  207. if ($handle === null) {
  208. $handle = '';
  209. }
  210. // The filename with the empty handle is a prefix of all other
  211. // associations for the given server URL.
  212. $filename = $this->getAssociationFilename($server_url, $handle);
  213. if ($handle) {
  214. return $this->_getAssociation($filename);
  215. } else {
  216. $association_files =
  217. Auth_OpenID_FileStore::_listdir($this->association_dir);
  218. $matching_files = array();
  219. // strip off the path to do the comparison
  220. $name = basename($filename);
  221. foreach ($association_files as $association_file) {
  222. $base = basename($association_file);
  223. if (strpos($base, $name) === 0) {
  224. $matching_files[] = $association_file;
  225. }
  226. }
  227. $matching_associations = array();
  228. // read the matching files and sort by time issued
  229. foreach ($matching_files as $full_name) {
  230. $association = $this->_getAssociation($full_name);
  231. if ($association !== null) {
  232. $matching_associations[] = array($association->issued,
  233. $association);
  234. }
  235. }
  236. $issued = array();
  237. $assocs = array();
  238. foreach ($matching_associations as $key => $assoc) {
  239. $issued[$key] = $assoc[0];
  240. $assocs[$key] = $assoc[1];
  241. }
  242. array_multisort($issued, SORT_DESC, $assocs, SORT_DESC,
  243. $matching_associations);
  244. // return the most recently issued one.
  245. if ($matching_associations) {
  246. list($issued, $assoc) = $matching_associations[0];
  247. return $assoc;
  248. } else {
  249. return null;
  250. }
  251. }
  252. }
  253. /**
  254. * @access private
  255. */
  256. function _getAssociation($filename)
  257. {
  258. if (!$this->active) {
  259. trigger_error("FileStore no longer active", E_USER_ERROR);
  260. return null;
  261. }
  262. if (file_exists($filename) !== true) {
  263. return null;
  264. }
  265. $assoc_file = @fopen($filename, 'rb');
  266. if ($assoc_file === false) {
  267. return null;
  268. }
  269. $filesize = filesize($filename);
  270. if ($filesize === false || $filesize <= 0) {
  271. return null;
  272. }
  273. $assoc_s = fread($assoc_file, $filesize);
  274. fclose($assoc_file);
  275. if (!$assoc_s) {
  276. return null;
  277. }
  278. $association =
  279. Auth_OpenID_Association::deserialize('Auth_OpenID_Association',
  280. $assoc_s);
  281. if (!$association) {
  282. Auth_OpenID_FileStore::_removeIfPresent($filename);
  283. return null;
  284. }
  285. if ($association->getExpiresIn() == 0) {
  286. Auth_OpenID_FileStore::_removeIfPresent($filename);
  287. return null;
  288. } else {
  289. return $association;
  290. }
  291. }
  292. /**
  293. * Remove an association if it exists. Do nothing if it does not.
  294. *
  295. * @return bool $success
  296. */
  297. function removeAssociation($server_url, $handle)
  298. {
  299. if (!$this->active) {
  300. trigger_error("FileStore no longer active", E_USER_ERROR);
  301. return null;
  302. }
  303. $assoc = $this->getAssociation($server_url, $handle);
  304. if ($assoc === null) {
  305. return false;
  306. } else {
  307. $filename = $this->getAssociationFilename($server_url, $handle);
  308. return Auth_OpenID_FileStore::_removeIfPresent($filename);
  309. }
  310. }
  311. /**
  312. * Return whether this nonce is present. As a side effect, mark it
  313. * as no longer present.
  314. *
  315. * @return bool $present
  316. */
  317. function useNonce($server_url, $timestamp, $salt)
  318. {
  319. global $Auth_OpenID_SKEW;
  320. if (!$this->active) {
  321. trigger_error("FileStore no longer active", E_USER_ERROR);
  322. return null;
  323. }
  324. if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) {
  325. return false;
  326. }
  327. if ($server_url) {
  328. list($proto, $rest) = explode('://', $server_url, 2);
  329. } else {
  330. $proto = '';
  331. $rest = '';
  332. }
  333. $parts = explode('/', $rest, 2);
  334. $domain = $this->_filenameEscape($parts[0]);
  335. $url_hash = $this->_safe64($server_url);
  336. $salt_hash = $this->_safe64($salt);
  337. $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto,
  338. $domain, $url_hash, $salt_hash);
  339. $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename;
  340. $result = @fopen($filename, 'x');
  341. if ($result === false) {
  342. return false;
  343. } else {
  344. fclose($result);
  345. return true;
  346. }
  347. }
  348. /**
  349. * Remove expired entries from the database. This is potentially
  350. * expensive, so only run when it is acceptable to take time.
  351. *
  352. * @access private
  353. */
  354. function _allAssocs()
  355. {
  356. $all_associations = array();
  357. $association_filenames =
  358. Auth_OpenID_FileStore::_listdir($this->association_dir);
  359. foreach ($association_filenames as $association_filename) {
  360. $association_file = fopen($association_filename, 'rb');
  361. if ($association_file !== false) {
  362. $assoc_s = fread($association_file,
  363. filesize($association_filename));
  364. fclose($association_file);
  365. // Remove expired or corrupted associations
  366. $association =
  367. Auth_OpenID_Association::deserialize(
  368. 'Auth_OpenID_Association', $assoc_s);
  369. if ($association === null) {
  370. Auth_OpenID_FileStore::_removeIfPresent(
  371. $association_filename);
  372. } else {
  373. if ($association->getExpiresIn() == 0) {
  374. $all_associations[] = array($association_filename,
  375. $association);
  376. }
  377. }
  378. }
  379. }
  380. return $all_associations;
  381. }
  382. function clean()
  383. {
  384. if (!$this->active) {
  385. trigger_error("FileStore no longer active", E_USER_ERROR);
  386. return null;
  387. }
  388. $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir);
  389. $now = time();
  390. // Check all nonces for expiry
  391. foreach ($nonces as $nonce) {
  392. if (!Auth_OpenID_checkTimestamp($nonce, $now)) {
  393. $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce;
  394. Auth_OpenID_FileStore::_removeIfPresent($filename);
  395. }
  396. }
  397. foreach ($this->_allAssocs() as $pair) {
  398. list($assoc_filename, $assoc) = $pair;
  399. if ($assoc->getExpiresIn() == 0) {
  400. Auth_OpenID_FileStore::_removeIfPresent($assoc_filename);
  401. }
  402. }
  403. }
  404. /**
  405. * @access private
  406. */
  407. function _rmtree($dir)
  408. {
  409. if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) {
  410. $dir .= DIRECTORY_SEPARATOR;
  411. }
  412. if ($handle = opendir($dir)) {
  413. while (false !== ($item = readdir($handle))) {
  414. if (!in_array($item, array('.', '..'))) {
  415. if (is_dir($dir . $item)) {
  416. if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) {
  417. return false;
  418. }
  419. } else if (is_file($dir . $item)) {
  420. if (!unlink($dir . $item)) {
  421. return false;
  422. }
  423. }
  424. }
  425. }
  426. closedir($handle);
  427. if (!@rmdir($dir)) {
  428. return false;
  429. }
  430. return true;
  431. } else {
  432. // Couldn't open directory.
  433. return false;
  434. }
  435. }
  436. /**
  437. * @access private
  438. */
  439. function _mkstemp($dir)
  440. {
  441. foreach (range(0, 4) as $i) {
  442. $name = tempnam($dir, "php_openid_filestore_");
  443. if ($name !== false) {
  444. return $name;
  445. }
  446. }
  447. return false;
  448. }
  449. /**
  450. * @access private
  451. */
  452. static function _mkdtemp($dir)
  453. {
  454. foreach (range(0, 4) as $i) {
  455. $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) .
  456. "-" . strval(rand(1, time()));
  457. if (!mkdir($name, 0700)) {
  458. return false;
  459. } else {
  460. return $name;
  461. }
  462. }
  463. return false;
  464. }
  465. /**
  466. * @access private
  467. */
  468. function _listdir($dir)
  469. {
  470. $handle = opendir($dir);
  471. $files = array();
  472. while (false !== ($filename = readdir($handle))) {
  473. if (!in_array($filename, array('.', '..'))) {
  474. $files[] = $dir . DIRECTORY_SEPARATOR . $filename;
  475. }
  476. }
  477. return $files;
  478. }
  479. /**
  480. * @access private
  481. */
  482. function _isFilenameSafe($char)
  483. {
  484. $_Auth_OpenID_filename_allowed = Auth_OpenID_letters .
  485. Auth_OpenID_digits . ".";
  486. return (strpos($_Auth_OpenID_filename_allowed, $char) !== false);
  487. }
  488. /**
  489. * @access private
  490. */
  491. function _safe64($str)
  492. {
  493. $h64 = base64_encode(Auth_OpenID_SHA1($str));
  494. $h64 = str_replace('+', '_', $h64);
  495. $h64 = str_replace('/', '.', $h64);
  496. $h64 = str_replace('=', '', $h64);
  497. return $h64;
  498. }
  499. /**
  500. * @access private
  501. */
  502. function _filenameEscape($str)
  503. {
  504. $filename = "";
  505. $b = Auth_OpenID::toBytes($str);
  506. for ($i = 0; $i < count($b); $i++) {
  507. $c = $b[$i];
  508. if (Auth_OpenID_FileStore::_isFilenameSafe($c)) {
  509. $filename .= $c;
  510. } else {
  511. $filename .= sprintf("_%02X", ord($c));
  512. }
  513. }
  514. return $filename;
  515. }
  516. /**
  517. * Attempt to remove a file, returning whether the file existed at
  518. * the time of the call.
  519. *
  520. * @access private
  521. * @return bool $result True if the file was present, false if not.
  522. */
  523. function _removeIfPresent($filename)
  524. {
  525. return @unlink($filename);
  526. }
  527. function cleanupAssociations()
  528. {
  529. $removed = 0;
  530. foreach ($this->_allAssocs() as $pair) {
  531. list($assoc_filename, $assoc) = $pair;
  532. if ($assoc->getExpiresIn() == 0) {
  533. $this->_removeIfPresent($assoc_filename);
  534. $removed += 1;
  535. }
  536. }
  537. return $removed;
  538. }
  539. }