View Source

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[{zone-template-instance:ZFDEV:Zend Proposal Zone Template}

{zone-data:component-name}
Zend_OpenId
{zone-data}

{zone-data:proposer-list}
[Dmitry Stogov|mailto:dmitry@zend.com]
{zone-data}

{zone-data:revision}
1.1 - 1 June 19: First draft.
{zone-data}

{zone-data:overview}
Zend_OpenId is a set of components that allow anyone to create OpenID authentication servers and consumers

According to http://www.dictionary.com an identity is the "collective aspect of the set of characteristics by which a thing is definitively recognizable or known". In many applications an Identity is necessary to authenticate entities, authorize access, maintain privacy and prevent disclosures

In the current Internet world, we have a lot of different unconnected identity systems, and a lot of identities for the individual user. An end user needs to remember their names and passwords for each and every site or service they visit and use.

Identity 2.0 aims to solve this problem. It advocates the use of simple decentralized solutions, so that the user is able to choose where to host their identity, and also control how much information about they should be disclosed to any given site. Sites should be able to integrate such an identity system without any redesign of existing applications in a very short time.

OpenID is one of the leading Identity 2.0 solutions. It provides a protocol framework for secure identity service discovery, authentication and data exchange. These are very simple protocols that require only standard HTTP requests and do not require the use of new schemes, public keys, SSL or browser plug-ins. Some of these (for example, SSL) may be used in addition to the core protocols.

An OpenID identifier is typically a URL. It may be the URL of the user's personal page, blog or other resource that may provide additional information about him. Such URLs are aliases pointing to the OpenID Provider's local identifier for the user. If a user does not wish to support an alias, they may use the OpenID Proider's local identifier directly. End-users should be able to use this identity URL to register and authenticate themselves on any site that supports OpenID. No more need for many passwords and duplicate user names - just one identifier for Internet services.

OpenID is an open, decentralized, and free user centric solution. A user may choose which OpenID provider to use, or even create their own personal identity server. No central authority must approve or register Relying Parties (OpenID Consumers or just Sites) or OpenID Providers (OpenID Servers). The protocols utilised by OpenID scale well.

OpenID standards are community driven. Several implementations are freely available for C++, C#, Java, Perl, Python, Ruby and PHP. However there is no final stable release yet for a PHP library conforming to the OpenID 2.0 specification (currently draft 11). The difficulty of a PHP implementation is increased by the fact that the majority of PHP installations do not have sufficient cryptographic or efficient math functions to provide OpenID applications which perform well. This proposal includes a reference to a possible openssl extension patch which would improve the efficiency of such functions in PHP.

At present, Identity 2.0 and OpenID are very popular and growing technologies and the Zend Framework's OpenID implementation may be a significant advantage in leading and supporting the development of web applications leveraging OpenID in PHP.

This document describes proposals for the Zend Framework's OpenID implementation. It will allow the use of both OpenID Providers (Servers) and Consumers (Relying Parties/Applications) that will fully implement the draft OpenID 2.0 Authentication Specification and remain backwards compatible with the current OpenID 1.1 specification. Also proposed is support for OpenID Extensions (e.g. Simple Registration Extension) which may allow for Relying Parties and Providers exchange data concerning the authenticated user with that user's permission.
{zone-data}

{zone-data:references}
* [OpenID Authentication 1.1|http://openid.net/specs/openid-authentication-1_1.html]
* [OpenID Simple Registration Extentsion 1.0|http://openid.net/specs/openid-simple-registration-extension-1_0.html]
* [OpenID Authentication 2.0 - Implementor's Draft 11|http://openid.net/specs/openid-authentication-2_0-11.html]
* [OpenID Simple Registration Extension 1.1 - Draft 1|http://openid.net/specs/openid-simple-registration-extension-1_1-01.html]
* [RFC 2104 - HMAC: Keyed-Hashing for Message Authentication|http://www.faqs.org/rfcs/rfc2104.html]
* [RFC 2631 - Diffie-Hellman Key Agreement Method|http://www.faqs.org/rfcs/rfc2631.html]
* [RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax|http://www.faqs.org/rfcs/rfc3986.html]
* [Yadis Discovery Protocol|http://yadis.org/papers/yadis-v1.0.pdf]
{zone-data}

{zone-data:requirements}
* This component *must* implement "OpenID Authentication 2.0 - Draft 11" standard.
* This component *must* be backward compatible with "OpenID Authentication 1.1" standard.
* This component *must* implement Yadis and XRI discovery (probably through Zend_Service_Yadis) in addition to HTML-based discovery
* This component *must* implement generic extension mechanism
* This component *must* implement "Simple Registration Extentsion 1.0" standard.
* This component will *require* +patched+ version of _OpenSSL_ extenion or one of "big-math" extensions (_gpm_ or _bcmath_) and one of hash extensions (_hash_ or _mhash_).
* Zend_OpenId_Consumer *must* be able to work with both 1.1 and 2.0 protocol versions in associated and dumb modes
* Zend_OpenId_Provider *will not* implement any user interface, but *will* provide functions to use external user interface
{zone-data}

{zone-data:dependencies}
* Zend_Exception
* Zend_Http_Client
* Zend_Session
* Zend_Controller_Response_Http
* Zend_Uri ? (I would propose to move OpenId::selfUrl() and especially OpenId::normalizeUrl() into Zend_Uri)
* Zend_Crypt ? (It is not committed yet)
* Zend_Services_Yadis ? (It is not committed yet)
{zone-data}

{zone-data:operation}
The main purpose of Zend_OpenId components is implementing an OpenID authentication protocol described in the following diagram:
!openid.jpg!
# The authentication is initiated by end-user, who passes his OpenID identifier to an OpenID consumer through User-Agent.
# OpenID consumer performs normalization of user-supplied identifier, and discovery on it. As result it get claimed identifier, OpenID provider URL and OpenID protocol version.
# OpenID client establishes an optional association with server using Diffie-Hellman keys. As result both parties get common shared secret that is used for signing and verification of the following messages.
# OpenID consumer redirects User-Agent to OpenID provider URL with OpenID authentication request.
# OpenID Provider checks if user-Agent is already authenticated and offers to do so if need.
# The end user enters necessary password.
# OpenID Provider checks if it allowed to pass user identity to given consumer, and asks user if need
# The end user allows or disallows passing his identity
# OpenID Provider redirects User-Agent back to OpenID consumer with authentication approved or failed request.
# The OpenID consumer verifies the information received from provider by using shared secret got on step 3 or by sending additional direct request to OpenID proider.

The Zend_OpenId components will implement both Zend_OpenId_Consumer and Zend_OpenId_Provider. The consumer class will contain two main public methods _login_() and _verify_(). The first one should be called on user login (step 1), it will perform normalisation, discovery and redirection to provider (steps 2-4). The function _verify_() should be called after redirecting back from provider (step 9), it must perform final validation of received authentication data. The Provider will have just one main method _handle_() that should be called on any OpenID request.

Both Provider and Consumer need external storage to store some data between requests. These storages will be implemented through abstract interface class, so it will be possible to use different kinds of storages without redesign.
{zone-data}

{zone-data:milestones}

* Milestone 1: [design notes will be published here|http://framework.zend.com/wiki/x/sg]
* Milestone 2: Working prototype implementing HTML-based discovery checked into the incubator
* Milestone 3: Working prototype implementing Yadis and XRI discovery checked into the incubator
* Milestone 4: Working prototype implementing SREG protocol checked into the incubator
* Milestone 5: Unit tests exist, work, and are checked into SVN.
* Milestone 6: Initial documentation exists.

If a milestone is already done, begin the description with "\[DONE\]", like this:
* Milestone #: \[DONE\] Unit tests ...
{zone-data}

{zone-data:class-list}
* Zend_OpenId
* Zend_OpenId_Exception
* Zend_OpenId_Consumer
* Zend_OpenId_Consumer_Storage
* Zend_OpenId_Consumer_Storage_File
* Zend_OpenId_Provider_Storage
* Zend_OpenId_Provider_Storage_File
* Zend_OpenId_Provider_User
* Zend_OpenId_Provider_User_Session
* Zend_OpenId_Extension
* Zend_OpenId_Extension_Sreg
{zone-data}

{zone-data:use-cases}
||UC-01||
Zend_OpenId_Consumer usage
{code}
<?php
require_once "Zend/OpenId/Consumer.php";

$consumer = new Zend_OpenId_Consumer();
if (isset($_POST['openid_url'])) {
if (!$consumer->login($_POST['openid_url'])) {
echo "OpenID login failed.<br>";
}
} else if (isset($_GET['openid_mode'])) {
if ($_GET['openid_mode'] == "id_res") {
if (!$consumer->verify($_GET)) {
echo "INVALID ID<br>\n";
} else {
echo "VALID ID<br>\n";
}
} else if ($_GET['openid_mode'] == "cancel") {
echo "CANCELED<br>\n";
}
}
?>
<form method="post">
<input type="text" name="openid_url">
<input type="submit" name="login" value="login">
</form>
{code}
||UC-02||
Simplified OpenID server with external user interface
{code}
<?php
require_once "Zend/OpenId/Provider.php";

$server = new Zend_OpenId_Provider("login.php", "trust.php");

if ($_SERVER["REQUEST_METHOD"] == "GET") {
if (isset($_GET['openid_mode'])) {
$ret = $server->handle($_GET);
}
} else if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['openid_mode'])) {
$ret = $server->handle($_POST);
}
}
if (is_string($ret)) {
echo $ret;
} else if ($ret !== true) {
header('HTTP/1.0 403 Forbidden');
echo 'Forbidden';
}
{code}
{zone-data}

{zone-data:skeletons}
{code}
/**
* Static class that contains common utility functions for
* {@link Zend_OpenId_Consumer} and {@link Zend_OpenId_Provider}.
*
* This class implements common utility functions that are used by both
* Consumer and Provider. They include functions for Diffie-Hellman keys
* generation and exchange, URL normalization, HTTP redirection and some others.
*
* @category Zend
* @package Zend_OpenId
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
final class Zend_OpenId
{
/**
* Default Diffie-Hellman key generator
*/
const DH_P = 'dcf93a0b...';

/**
* Default Diffie-Hellman prime number (should be 2 or 5)
*/
const DH_G = '02';

/**
* OpenID 2.0 namespace. All OpenID 2.0 messages MUST contain variable
* openid.ns with tis value.
*/
const NS_2_0 = 'http://specs.openid.net/auth/2.0';

/**
* Returns a full URL that was requested on current HTTP request.
*
* @return string
*/
static public function selfUrl()
{
}

/**
* Converts variable/value pairs into URL encoded query string
*
* @param array $params - variable/value pairs
* @return string - URL encoded query string
*/
static public function paramsToQuery($params)
{
}

/**
* Normalizes URL according to RFC 3986 to use it in comparison operations.
* The function gets URL argument by reference and modifies it.
* It returns true on success and false of failure.
*
* @param string $id
* @return bool
*/
static public function normalizeUrl(&$id)
{
}

/**
* Normalizes OpenID identifier that can be URL or XRI name.
* Returns true on success and false of failure.
*
* Normalization is performed according to the following rules:
* 1. If the user's input starts with one of the "xri://", "xri://$ip*",
* or "xri://$dns*" prefixes, they MUST be stripped off, so that XRIs
* are used in the canonical form, and URI-authority XRIs are further
* considered URL identifiers.
* 2. If the first character of the resulting string is an XRI Global
* Context Symbol ("=", "@", "+", "$", "!"), then the input SHOULD be
* treated as an XRI.
* 3. Otherwise, the input SHOULD be treated as an http URL; if it does
* not include a "http" or "https" scheme, the Identifier MUST be
* prefixed with the string "http://".
* 4. URL identifiers MUST then be further normalized by both following
* redirects when retrieving their content and finally applying the
* rules in Section 6 of [RFC3986] to the final destination URL.
* @param string $id
* @return bool
*/
static public function normalize(&$id)
{
}

/**
* Performs a HTTP redirection to specified URL with additional data.
* It may generate redirected request using GET or POST HTTP method.
* The function never returns.
*
* @param string $url URL to redirect to
* @param array $params additional variable/value pairs to send
* @param string $method redirection method ('GET' or 'POST')
*/
static public function redirect($url, $params = null, $method = 'GET')
{
}

/**
* Produces string of random byte of given length.
*
* @param integer $len length of requested string
* @return string RAW random binary string
*/
static public function randomBytes($len)
{
$key = '';
for($i=0; $i < $len; $i++) {
$key .= chr(mt_rand(0, 255));
}
return $key;
}

/**
* Generates a hash value (message digest) according to given algorithm.
* It returns RAW binary string.
*
* This is a wrapper function that uses one of available internal function
* dependent on given PHP configuration. It may use various functions from
* ext/openssl, ext/hash, ext/mhash or ext/standard.
*
* @param string $func digest algorithm
* @param string $data data to sign
* @return string RAW digital signature
* @throws Zend_OpenId_Exception
*/
static public function digest($func, $data)
{
if (function_exists('openssl_digest')) {
return openssl_digest($data, $func, true);
} else if (function_exists('hash')) {
return hash($func, $data, true);
} else if ($func === 'sha1') {
return sha1($data, true);
} else if ($func = 'sha256') {
if (function_exists('mhash')) {
return mhash(MHASH_SHA256 , $data);
}
}
throw new Zend_OpenId_Exception(
'Unsupported digest algorithm "' . $func . '".',
Zend_OpenId_Exception::UNSUPPORTED_DIGEST);
}

/**
* Generates a keyed hash value using the HMAC method. It uses ext/hash
* if available or user-level PHP implementation, that is not significantly
* slower.
*
* @param string $macFunc name of selected hashing algorithm (sha1, sha256)
* @param string $data data to sign
* @param string $secret shared secret key used for generating the HMAC
* variant of the message digest
* @return string RAW HMAC value
*/
static public function hashHmac($macFunc, $data, $secret)
{
if (function_exists('hash_hmac')) {
return hash_hmac($macFunc, $data, $secret, 1);
} else {
if (strlen($secret) > 64) {
$secret = self::digest($macFunc, $secret);
}
$secret = str_pad($secret, 64, chr(0x00));
$ipad = str_repeat(chr(0x36), 64);
$opad = str_repeat(chr(0x5c), 64);
$hash1 = self::digest($macFunc, ($secret ^ $ipad) . $data);
return self::digest($macFunc, ($secret ^ $opad) . $hash1);
}
}

/**
* Converts binary representation into ext/gmp or ext/bcmath big integer
* representation.
*
* @param string $bin binary representation of big number
* @return mixed
* @throws Zend_OpenId_Exception
*/
static public function binToBigNum($bin)
{
}

/**
* Converts internal ext/gmp or ext/bcmath big integer representation into
* binary string.
*
* @param mixed $bn big number
* @return string
* @throws Zend_OpenId_Exception
*/
static public function bigNumToBin($bn)
{
}

/**
* Performs the first step of a Diffie-Hellman key exchange by generating
* private and public DH values based on given prime number $p and
* generator $g. Both sides of key exchange MUST have the same prime number
* and generator. In this case they will able to create a random shared
* secret that is never send from one to the other.
*
* @param string $p prime number in binary representation
* @param string $g generator in binary representation
* @return mixed
*/
static public function createDhKey($p, $g)
{
}

/**
* Returns an associative array with Diffie-Hellman key components in
* binary representation. The array includes original prime number 'p' and
* generator 'g', random private key 'priv_key' and corresponding public
* key 'pub_key'.
*
* @param mixed $dh Diffie-Hellman key
* @return array
*/
static public function getDhKeyDetails($dh)
{
}

/**
* Computes the shared secret from the private DH value $dh and the other
* party's public value in $pub_key
*
* @param string $pub_key other party's public value
* @param mixed $dh Diffie-Hellman key
* @return string
* @throws Zend_OpenId_Exception
*/
static public function computeDhSecret($pub_key, $dh)
{
}

/**
* Takes an arbitrary precision integer and returns its shortest big-endian
* two's complement representation.
*
* Arbitrary precision integers MUST be encoded as big-endian signed two's
* complement binary strings. Henceforth, "btwoc" is a function that takes
* an arbitrary precision integer and returns its shortest big-endian two's
* complement representation. All integers that are used with
* Diffie-Hellman Key Exchange are positive. This means that the left-most
* bit of the two's complement representation MUST be zero. If it is not,
* implementations MUST add a zero byte at the front of the string.
*
* @param string $str binary representation of arbitrary precision integer
* @return string big-endian signed representation
*/
static public function btwoc($str)
{
if (ord($str[0]) > 127) {
return chr(0) . $str;
}
return $str;
}

}
{code}
{code}
/**
* Exception class for Zend_OpenId
*
* @category Zend
* @package Zend_OpenId
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Exception extends Zend_Exception
{

/**
* The specified digest algotithm is not supported by this PHP installation
*/
const UNSUPPORTED_DIGEST = 1;

/**
* The long math arithmetick is not supported by this PHP installation
*/
const UNSUPPORTED_LONG_MATH = 2;

/**
* Internal long math arithmetic error
*/
const ERROR_LONG_MATH = 3;

/**
* Iternal storage error
*/
const ERROR_STORAGE = 4;
}
{code}
{code}
/**
* OpenID consumer implementation
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Consumer
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Consumer
{

/**
* Reference to an implementation of storage object
*
* @var Zend_OpenId_Consumer_Storage $_storage
*/
private $_storage = null;

/**
* Enables or disables consumer to use association with server based on
* Diffie-Hellman key agreement
*
* @var Zend_OpenId_Consumer_Storage $_dumbMode
*/
private $_dumbMode = false;

/**
* Internal cache to prevent unnecessary access to storage
*
* @var array $_cache
*/
private $_cache = array();

/**
* Constructs a Zend_OpenId_Consumer object with given $storage.
* Enables or disables future association with server based on
* Diffie-Hellman key agreement.
*
* @param Zend_OpenId_Consumer_Storage $storage
* @param bool $dumpMode
*/
public function __construct(Zend_OpenId_Consumer_Storage $storage = null,
$dumbMode = false)
{
if ($storage === null) {
require_once "Zend/OpenId/Consumer/Storage/File.php";
$this->_storage = new Zend_OpenId_Consumer_Storage_File();
} else {
$this->_storage = $storage;
}
$this->_dumbMode = $dumbMode;
}

/**
* Performs check (with possible user interaction) of OpenID identity.
*
* This is the first step of OpenID authentication process.
* On success the function does not return (it does HTTP redirection to
* server and exits). On failure it returns false.
*
* @param string $id OpenID identity
* @param string $returnTo URL to redirect response from server to
* @param string $root HTTP URL to identify consumer on server
* @param mixed $extensions extension object or array of extensions objects
* @return bool
*/
public function login($id, $returnTo=null, $root=null, $extensions=null)
{
return $this->_checkId(
false,
$id,
$returnTo,
$root);
}

/**
* Performs immediate check (without user interaction) of OpenID identity.
*
* This is the first step of OpenID authentication process.
* On success the function does not return (it does HTTP redirection to
* server and exits). On failure it returns false.
*
* @param string $id OpenID identity
* @param string $returnTo HTTP URL to redirect response from server to
* @param string $root HTTP URL to identify consumer on server
* @param mixed $extensions extension object or array of extensions objects
* @return bool
*/
public function check($id, $returnTo=null, $root=null, $extensions=null)
{
return $this->_checkId(
true,
$id,
$returnTo,
$root);
}

/**
* Verifies authentication response from OpenID server.
*
* This is the second step of OpenID authentication process.
* The function returns true on successful authentication and false on
* failure.
*
* @param array $params HTTP query data from OpenID server
* @return bool
*/
public function verify($params)
{
}

/**
* Store assiciation in internal chace and external storage
*
* @param string $url OpenID server url
* @param string $handle association handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param integer $expires expiration UNIX time
* @return void
*/
protected function _addAssociation($url, $handle, $macFunc, $secret, $expires)
{
}

/**
* Retrive assiciation information for given $url from internal cahce or
* external storage
*
* @param string $url OpenID server url
* @param string $handle association handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param integer $expires expiration UNIX time
* @return void
*/
protected function _getAssociation($url, &$handle, &$macFunc, &$secret, &$expires)
{
}

/**
* Performs HTTP request to given $url using given HTTP $method.
* Send additinal query specified by variable/value array,
* On success returns HTTP response withot headers, fasle on failure.
*
* @param string $url OpenID server url
* @param string $method
* @param array $params
* @return mixed
*/
protected function _httpRequest($url, $method = 'GET', $params = '')
{
}

/**
* Create (or reuse existing) association between OpenID consumer and
* OpenID server based on Diffie-Hellman key agreement. Returns true
* on success and false on failure.
*
* @param string $url OpenID server url
* @param float $version OpenID protocol version
* @return bool
*/
protected function _associate($url, $version)
{
}

/**
* Performs discovery of identity and finds OpenID URL, OpenID server URL
* and OpenID protocol version. Returns true on succees and false on
* failure.
*
* @param string $id OpenID identity URL
* @param string $server OpenID server URL
* @param float $version OpenID protocol version
* @return bool
*/
protected function _discovery(&$id, &$server, &$version)
{
}

/*
* Performs check of OpenID identity.
*
* This is the first step of OpenID authentication process.
* On success the function does not return (it does HTTP redirection to
* server and exits). On failure it returns false.
*
* @param bool $immediate enables or disables interaction with user
* @param string $id OpenID identity
* @param string $returnTo HTTP URL to redirect response from server to
* @param string $root HTTP URL to identify consumer on server
* @param mixed $extensions extension object or array of extensions objects
* @return bool
*/
protected function _checkId($immediate, $id, $returnTo=null, $root=null, $extensions=null)
{
}
}
{code}
{code}
/**
* Abstract class to implement external storage for OpenID consumer
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Consumer
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
abstract class Zend_OpenId_Consumer_Storage
{

/**
* Stores information about association identified by $url/$handle
*
* @param string $url OpenID server URL
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return void
*/
abstract public function addAssociation($url, $handle, $macFunc, $secret, $expires);

/**
* Gets information about association identified by $url
* Returns true if given association found and not expired and false
* otherwise
*
* @param string $url OpenID server URL
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return bool
*/
abstract public function getAssociation($url, &$handle, &$macFunc, &$secret, &$expires);

/**
* Gets information about association identified by $handle
* Returns true if given association found and not expired and false
* othverwise
*
* @param string $handle assiciation handle
* @param string $url OpenID server URL
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return bool
*/
abstract public function getAssociationByHandle($handle, &$url, &$macFunc, &$secret, &$expires);

/**
* Deletes association identified by $url
*
* @param string $url OpenID server URL
* @return void
*/
abstract public function delAssociation($url);

/**
* Stores information discovered from identity $id
*
* @param string $id identity
* @param string $realId discovered real identity URL
* @param string $server discovered OpenID server URL
* @param float $version discovered OpenID protocol version
* @return void
*/
abstract public function addDiscoveryInfo($id, $realId, $server, $version);

/**
* Gets information discovered from identity $id
* Returns true if such information exists and false otherwise
*
* @param string $id identity
* @param string $realId discovered real identity URL
* @param string $server discovered OpenID server URL
* @param float $version discovered OpenID protocol version
* @return bool
*/
abstract public function getDiscoveryInfo($id, &$realId, &$server, &$version);
}
{code}
{code}
/**
* External storage implemmentation using serialized files
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Consumer
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Consumer_Storage_File extends Zend_OpenId_Consumer_Storage
{

/**
* Directory name to store data files in
*
* @var string $_dir
*/
private $_dir;

/**
* Constructs storage object and creates storage directory
*
* @param string $dir directory name to store data files in
* @throws Zend_OpenId_Exception
*/
public function __construct($dir = null)
{
if (is_null($dir)) {
$tmp = getenv('TMP');
if (empty($tmp)) {
$tmp = getenv('TEMP');
if (empty($tmp)) {
$tmp = "/tmp";
}
}
$dir = $tmp . '/openid/consumer';
}
$this->_dir = $dir;
if (!is_dir($this->_dir)) {
if (!mkdir($this->_dir, 0700, 1)) {
throw new Zend_OpenId_Exception(
'Cannot access storage directory',
Zend_OpenId_Exception::ERROR_STORAGE);
}
}
}

/**
* Stores information about association identified by $url/$handle
*
* @param string $url OpenID server URL
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return void
*/
public function addAssociation($url, $handle, $macFunc, $secret, $expires)
{
}

/**
* Gets information about association identified by $url
* Returns true if given association found and not expired and false
* otherwise
*
* @param string $url OpenID server URL
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return bool
*/
public function getAssociation($url, &$handle, &$macFunc, &$secret, &$expires)
{
}

/**
* Gets information about association identified by $handle
* Returns true if given association found and not expired and false
* otherwise
*
* @param string $handle assiciation handle
* @param string $url OpenID server URL
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return bool
*/
public function getAssociationByHandle($handle, &$url, &$macFunc, &$secret, &$expires)
{
}

/**
* Deletes association identified by $url
*
* @param string $url OpenID server URL
* @return void
*/
public function delAssociation($url)
{
}

/**
* Stores information discovered from identity $id
*
* @param string $id identity
* @param string $realId discovered real identity URL
* @param string $server discovered OpenID server URL
* @param float $version discovered OpenID protocol version
* @return void
*/
public function addDiscoveryInfo($id, $realId, $server, $version)
{
}

/**
* Gets information discovered from identity $id
* Returns true if such information exists and false otherwise
*
* @param string $id identity
* @param string $realId discovered real identity URL
* @param string $server discovered OpenID server URL
* @param float $version discovered OpenID protocol version
* @return bool
*/
public function getDiscoveryInfo($id, &$realId, &$server, &$version)
{
}
}
{code}
{code}
/**
* OpenID provider (server) implementation
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Provider
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Provider
{

/**
* Reference to an implementation of storage object
*
* @var Zend_OpenId_Provider_Storage $_storage
*/
private $_storage;

/**
* Reference to an implementation of user object
*
* @var Zend_OpenId_Provider_User $_user
*/
private $_user;

/**
* Time to live of association session in secconds
*
* @var integer $_sessionTtl
*/
private $_sessionTtl;

/**
* URL to peform interactive user login
*
* @var string $_loginUrl
*/
private $_loginUrl;

/**
* URL to peform interactive validation of consumer by user
*
* @var string $_trustUrl
*/
private $_trustUrl;

/**
* Constructs a Zend_OpenId_Provider object with given parameters.
*
* @param string $loginUrl is an URL that provides login screen for
* end-user (by default it is the same URL with additional GET variable
* openid.action=login)
* @param string $trustUrl is an URL that shows a question if end-user
* trust to given consumer (by default it is the same URL with additional
* GET variable openid.action=trust)
* @param Zend_OpenId_Provider_User $user is an object for communication
* with User-Agent and store information about logged-in user (it is a
* Zend_OpenId_Provider_User_Session object by default)
* @param Zend_OpenId_Provider_Storage $storage is an object for keeping
* persistent database (it is a Zend_OpenId_Provider_Storage_File object
* by default)
* @param integer $sessionTtl is a default time to live for association
* session in seconds (1 hour by default). Consumer must reestablish
* association after that time.
*/
public function __construct($loginUrl = null,
$trustUrl = null,
Zend_OpenId_Provider_User $user = null,
Zend_OpenId_Provider_Storage $storage = null,
$sessionTtl = 3600)
{
if ($loginUrl === null) {
$loginUrl = Zend_OpenId::selfUrl() . '?openid.action=login';
}
$this->_loginUrl = $loginUrl;
if ($trustUrl === null) {
$trustUrl = Zend_OpenId::selfUrl() . '?openid.action=trust';
}
$this->_trustUrl = $trustUrl;
if ($user === null) {
require_once "Zend/OpenId/Provider/User/Session.php";
$this->_user = new Zend_OpenId_Provider_User_Session();
} else {
$this->_user = $user;
}
if ($storage === null) {
require_once "Zend/OpenId/Provider/Storage/File.php";
$this->_storage = new Zend_OpenId_Provider_Storage_File();
} else {
$this->_storage = $storage;
}
$this->_sessionTtl = $sessionTtl;
}

/**
* Registers a new user with given $id and $password
* Returns true in case of success and false if user with given $id already
* exists
*
* @param string $id user identity URL
* @param string $password encoded user password
* @return bool
*/
public function register($id, $password)
{
if (!Zend_OpenId::normalize($id)) {
return false;
}
return $this->_storage->addUser($id, md5($id.$password));
}

/**
* Returns true if user with given $id exists and false otherwise
*
* @param string $id user identity URL
* @return bool
*/
public function hasUser($id) {
if (!Zend_OpenId::normalize($id)) {
return false;
}
return $this->_storage->hasUser($id);
}

/**
* Performs login of user with given $id and $password
* Returns true in case of success and false otherwise
*
* @param string $id user identity URL
* @param string $password user password
* @return bool
*/
public function login($id, $password)
{
if (!Zend_OpenId::normalize($id)) {
return false;
}
if (!$this->_storage->checkUser($id, md5($id.$password))) {
return false;
}
$this->_user->setLoggedInUser($id);
return true;
}

/**
* Performs logout. Clears information about logged in user.
*
* @return void
*/
public function logout()
{
$this->_user->delLoggedInUser();
return true;
}

/**
* Returns identity URL of current logged in user or false
*
* @return mixed
*/
public function getLoggedInUser() {
return $this->_user->getLoggedInUser();
}

/**
* Retrieve consumer's root URL from request query
* Returns URL or false in case of failure
*
* @param array $params
* @return mixed
*/
public function getSiteRoot($params)
{
}

/**
* Allows consumer with given root URL to authenticate current logged
* in user. Returns true on success and false on error.
*
* @param string $root
* @param mixed $extensions extension object or array of extensions objects
* @return bool
*/
public function allowSite($root, $extensions=null)
{
}

/**
* Prohibit consumer with given root URL to authenticate current logged
* in user. Returns true on success and false on error.
*
* @param string $root
* @return bool
*/
public function denySite($root)
{
}

/**
* Delete consumer with given root URL from known sites of current logged
* in user. Next time this consumer will try to authenticate the user,
* Provider will ask user's confirmation.
* Returns true on success and false on error.
*
* @param string $root
* @return bool
*/
public function delSite($root)
{
}

/**
* Returns list of known consumers for current logged in user or false
* if he is not logged in.
*
* @return mixed
*/
public function getTrustedSites()
{
}

/**
* Handles HTTP request from consumer
*
* @param array $params GET or POST variables
* @param mixed $extensions extension object or array of extensions objects
* @return mixed
*/
public function handle($params, $extensions=null)
{
}

/**
* Generates a secret key for given hash function, returns RAW key or false
* if function is not supported
*
* @param string $func hash function (sha1 or sha256)
* @return mixed
*/
protected function _genSecret($func)
{
}

/**
* Processes association request from OpenID consumerm generates secret
* shared key and send it back using Diffie-Hellman encruption.
* Returns array of variables to push back to consumer.
*
* @param float $version
* @param array $params GET or POST request variables
* @return array
*/
protected function _associate($version, $params)
{
}

/**
* Performs authentication (or authentication check).
*
* @param float $version
* @param array $params GET or POST request variables
* @param bool $immediate enables or disables interaction with user
* @param mixed $extensions extension object or array of extensions objects
* @return array
*/
protected function _checkId($version, $params, $immediate, $extensions=null)
{
}

/**
* Perepares information to send back to consumer's authentication request
* and signs it using shared secret.
*
* @param array $params GET or POST request variables
* @param mixed $extensions extension object or array of extensions objects
* @return array
*/
public function respondToConsumer($params, $extensions=null)
{
}

/**
* Perepares information to send back to consumer's authentication request
* and signs it using shared secret.
*
* @param float $version OpenID protcol version
* @param array $ret
* @param array $params GET or POST request variables
* @param mixed $extensions extension object or array of extensions objects
* @return array
*/
protected function _respond($version, $ret, $params, $extensions=null)
{
}

/**
* Performs authentication validation for dumb consumers
* Returns array of variables to push back to consumer.
* It MUST contain 'is_valid' variable with value 'true' or 'false'.
*
* @param float $version
* @param array $params GET or POST request variables
* @return array
*/
protected function _checkAuthentication($version, $params)
{
}
{code}
{code}
/**
* Abstract class to implement external storage for OpenID consumer
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Provider
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
abstract class Zend_OpenId_Provider_Storage
{

/**
* Stores information about session identified by $handle
*
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return void
*/
abstract public function addAssociation($handle, $macFunc, $secret, $expires);

/**
* Gets information about association identified by $handle
* Returns true if given association found and not expired and false
* otherwise
*
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return bool
*/
abstract public function getAssociation($handle, &$macFunc, &$secret, &$expires);

/**
* Register new user with given $id and $password
* Returns true in case of success and false if user with given $id already
* exists
*
* @param string $id user identity URL
* @param string $password encoded user password
* @return bool
*/
abstract public function addUser($id, $password);

/**
* Returns true if user with given $id exists and false otherwise
*
* @param string $id user identity URL
* @return bool
*/
abstract public function hasUser($id);

/**
* Verify if user with given $id exists and has specified $password
*
* @param string $id user identity URL
* @param string $password user password
* @return bool
*/
abstract public function checkUser($id, $password);

/**
* Returns array of all trusted/untrusted sites for given user identified
* by $id
*
* @param string $id user identity URL
* @return array
*/
abstract public function getTrustedSites($id);

/**
* Stores information about trusted/untrusted site for given user
*
* @param string $id user identity URL
* @param string $site site URL
* @param bool $trusted
* @return bool
*/
abstract public function addSite($id, $site, $trusted);
}
{code}
{code}
/**
* External storage implemmentation using serialized files
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Provider
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Provider_Storage_File extends Zend_OpenId_Provider_Storage
{

/**
* Directory name to store data files in
*
* @var string $_dir
*/
private $_dir;

/**
* Constructs storage object and creates storage directory
*
* @param string $dir directory name to store data files in
* @throws Zend_OpenId_Exception
*/
public function __construct($dir = null)
{
if (is_null($dir)) {
$tmp = getenv('TMP');
if (empty($tmp)) {
$tmp = getenv('TEMP');
if (empty($tmp)) {
$tmp = "/tmp";
}
}
$dir = $tmp . '/openid/provider';
}
$this->_dir = $dir;
if (!is_dir($this->_dir)) {
if (!mkdir($this->_dir, 0700, 1)) {
throw new Zend_OpenId_Exception(
'Cannot access storage directory',
Zend_OpenId_Exception::ERROR_STORAGE);
}
}
}

/**
* Stores information about session identified by $handle
*
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return void
*/
public function addAssociation($handle, $macFunc, $secret, $expires)
{
}

/**
* Gets information about association identified by $handle
* Returns true if given association found and not expired and false
* otherwise
*
* @param string $handle assiciation handle
* @param string $macFunc HMAC function (sha1 or sha256)
* @param string $secret shared secret
* @param string $expires expiration UNIX time
* @return bool
*/
public function getAssociation($handle, &$macFunc, &$secret, &$expires)
{
}

/**
* Register new user with given $id and $password
* Returns true in case of success and false if user with given $id already
* exists
*
* @param string $id user identity URL
* @param string $password encoded user password
* @return bool
*/
public function addUser($id, $password)
{
}

/**
* Returns true if user with given $id exists and false otherwise
*
* @param string $id user identity URL
* @return bool
*/
public function hasUser($id)
{
}

/**
* Verify if user with given $id exists and has specified $password
*
* @param string $id user identity URL
* @param string $password user password
* @return bool
*/
public function checkUser($id, $password)
{
}

/**
* Returns array of all trusted/untrusted sites for given user identified
* by $id
*
* @param string $id user identity URL
* @return array
*/
public function getTrustedSites($id)
{
}

/**
* Stores information about trusted/untrusted site for given user
*
* @param string $id user identity URL
* @param string $site site URL
* @param bool $trusted
* @return bool
*/
public function addSite($id, $site, $trusted)
{
}
}
{code}
{code}
/**
* Abstract class to get/store information about logged in user in Web Browser
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Provider
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
abstract class Zend_OpenId_Provider_User
{

/**
* Stores information about logged in user
*
* @param string $id user identity URL
* @return void
*/
abstract public function setLoggedInUser($id);

/**
* Returns identity URL of logged in user or false
*
* @return mixed
*/
abstract public function getLoggedInUser();

/**
* Performs logout. Clears information about logged in user.
*
* @return void
*/
abstract public function delLoggedInUser();
}
{code}
{code}
/**
* Class to get/store information about logged in user in Web Browser using
* PHP session
*
* @category Zend
* @package Zend_OpenId
* @subpackage Zend_OpenId_Provider
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Provider_User_Session extends Zend_OpenId_Provider_User
{

/**
* Stores information about logged in user in session data
*
* @param string $id user identity URL
* @return void
*/
public function setLoggedInUser($id)
{
if (session_id() === "") {
session_start();
}
$_SESSION['openid.logged_in'] = $id;
}

/**
* Returns identity URL of logged in user or false
*
* @return mixed
*/
public function getLoggedInUser()
{
if (session_id() === "") {
session_start();
}
if (isset($_SESSION['openid.logged_in'])) {
return $_SESSION['openid.logged_in'];
}
return false;
}

/**
* Performs logout. Clears information about logged in user.
*
* @return void
*/
public function delLoggedInUser()
{
if (session_id() === "") {
session_start();
}
unset($_SESSION['openid.logged_in']);
}

}
{code}
{code}
/**
* Abstract extension class for Zend_OpenId
*
* @category Zend
* @package Zend_OpenId
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
abstract class Zend_OpenId_Extension
{

/**
* Calls given function with given argument for all extensions
*
* @param mixed $extensions list of extensions or one extension
* @param string $func function to be called
* @param mixed $params argument to pass to given funcion
* @return bool
*/
static public function forAll($extensions, $func, &$params)
{
}

/**
* Method to add additional data to OpenId 'checkid_immediate' or
* 'checkid_setup' request. This method addes nothing but inherited class
* may add additional data into request.
*
* @param array $params request's var/val pairs
* @return bool
*/
public function prepareRequest(&$params)
{
return true;
}

/**
* Method to parse OpenId 'checkid_immediate' or 'checkid_setup' request
* and initialize object with passed data. This method parses nothing but
* inherited class may override this method to do somthing.
*
* @param array $params request's var/val pairs
* @return bool
*/
public function parseRequest($params)
{
return true;
}

/**
* Method to add additional data to OpenId 'id_res' response. This method
* addes nothing but inherited class may add additional data into response.
*
* @param array $params response's var/val pairs
* @return bool
*/
public function prepareResponse(&$params)
{
return true;
}

/**
* Method to parse OpenId 'id_res' response and initialize object with
* passed data. This method parses nothing but inherited class may override
* this method to do somthing.
*
* @param array $params response's var/val pairs
* @return bool
*/
public function parseResponse($params)
{
return true;
}

/**
* Method to prepare data to store it in trusted servers database.
*
* @param array $data data to be stored in tusted servers database
* @return bool
*/
public function getTrustData(&$data)
{
return true;
}

/**
* Method to check if data from trusted servers database is enough to
* sutisfy request.
*
* @param array $data data from tusted servers database
* @return bool
*/
public function checkTrustData($data)
{
return true;
}
}
{code}
{code}
/**
* 'Simple Refistration Extension' for Zend_OpenId
*
* @category Zend
* @package Zend_OpenId
* @copyright Copyright (c) 2005-2007 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
*/
class Zend_OpenId_Extension_Sreg extends Zend_OpenId_Extension
{
/**
* SREG 1.1 namespace. All OpenID SREG 1.1 messages MUST contain variable
* openid.ns.sreg with its value.
*/
const NAMESPACE_1_1 = "http://openid.net/extensions/sreg/1.1";

private $_props;
private $_policy_url;
private $_version;

/**
* Creates SREG extension object
*
* @param array $props associative array of SREG variables
* @param string policy_url SREG policy URL
* @param float $version SREG version
* @return array
*/
public function __construct(array $props=null, $policy_url=null, $version=1.0)
{
$this->_props = $props;
$this->_policy_url = $policy_url;
$this->_version = $version;
}

/**
* Returns associative array of SREG variables
*
* @return array
*/
public function getProperties() {
if (is_array($this->_props)) {
return $this->_props;
} else {
return array();
}
}

/**
* Returns SREG policy URL
*
* @return string
*/
public function getPolicyUrl() {
return $this->_policy_url;
}

/**
* Returns array of allowed SREG variable names.
*
* @return array
*/
public static function getSregProperties()
{
return array(
"nickname",
"email",
"fullname",
"dob",
"gender",
"postcode",
"country",
"language",
"timezone"
);
}

/**
* Adds additional SREG data to OpenId 'checkid_immediate' or
* 'checkid_setup' request.
*
* @param array $params request's var/val pairs
* @return bool
*/
public function prepareRequest(&$params)
{
}

/**
* Parses OpenId 'checkid_immediate' or 'checkid_setup' request,
* extracts SREG variables and sets ovject properties to corresponding
* values.
*
* @param array $params request's var/val pairs
* @return bool
*/
public function parseRequest($params)
{
}

/**
* Adds additional SREG data to OpenId 'id_res' response.
*
* @param array $params response's var/val pairs
* @return bool
*/
public function prepareResponse(&$params)
{
}

/**
* Parses OpenId 'id_res' response and sets object's properties according
* to 'openid.sreg.*' variables in response
*
* @param array $params response's var/val pairs
* @return bool
*/
public function parseResponse($params)
{
}

/**
* Addes SREG properties that are allowed to be send to consumer to
* the given $data argument.
*
* @param array $data data to be stored in tusted servers database
* @return bool
*/
public function getTrustData(&$data)
{
}

/**
* Check if given $data contains necessury SREG properties to sutisfy
* OpenId request. On success sets SREG response properties from given
* $data and returns true, on failure returns false.
*
* @param array $data data from tusted servers database
* @return bool
*/
public function checkTrustData($data)
{
}
}
{code}
{zone-data}

{zone-template-instance}]]></ac:plain-text-body></ac:macro>