ILIAS  Release_4_1_x_branch Revision 61804
 All Data Structures Namespaces Files Functions Variables Groups Pages
PAPE.php
Go to the documentation of this file.
1 <?php
2 
11 require_once "Auth/OpenID/Extension.php";
12 
13 define('Auth_OpenID_PAPE_NS_URI',
14  "http://specs.openid.net/extensions/pape/1.0");
15 
16 define('PAPE_AUTH_MULTI_FACTOR_PHYSICAL',
17  'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical');
18 define('PAPE_AUTH_MULTI_FACTOR',
19  'http://schemas.openid.net/pape/policies/2007/06/multi-factor');
20 define('PAPE_AUTH_PHISHING_RESISTANT',
21  'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant');
22 
23 define('PAPE_TIME_VALIDATOR',
24  '/^[0-9]{4,4}-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z$/');
35 class Auth_OpenID_PAPE_Request extends Auth_OpenID_Extension {
36 
37  var $ns_alias = 'pape';
38  var $ns_uri = Auth_OpenID_PAPE_NS_URI;
39 
40  function Auth_OpenID_PAPE_Request($preferred_auth_policies=null,
41  $max_auth_age=null)
42  {
43  if ($preferred_auth_policies === null) {
44  $preferred_auth_policies = array();
45  }
46 
47  $this->preferred_auth_policies = $preferred_auth_policies;
48  $this->max_auth_age = $max_auth_age;
49  }
50 
60  function addPolicyURI($policy_uri)
61  {
62  if (!in_array($policy_uri, $this->preferred_auth_policies)) {
63  $this->preferred_auth_policies[] = $policy_uri;
64  }
65  }
66 
67  function getExtensionArgs()
68  {
69  $ns_args = array(
70  'preferred_auth_policies' =>
71  implode(' ', $this->preferred_auth_policies)
72  );
73 
74  if ($this->max_auth_age !== null) {
75  $ns_args['max_auth_age'] = strval($this->max_auth_age);
76  }
77 
78  return $ns_args;
79  }
80 
85  static function fromOpenIDRequest($request)
86  {
87  $obj = new Auth_OpenID_PAPE_Request();
88  $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI);
89 
90  if ($args === null || $args === array()) {
91  return null;
92  }
93 
94  $obj->parseExtensionArgs($args);
95  return $obj;
96  }
97 
104  function parseExtensionArgs($args)
105  {
106  // preferred_auth_policies is a space-separated list of policy
107  // URIs
108  $this->preferred_auth_policies = array();
109 
110  $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies');
111  if ($policies_str) {
112  foreach (explode(' ', $policies_str) as $uri) {
113  if (!in_array($uri, $this->preferred_auth_policies)) {
114  $this->preferred_auth_policies[] = $uri;
115  }
116  }
117  }
118 
119  // max_auth_age is base-10 integer number of seconds
120  $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age');
121  if ($max_auth_age_str) {
122  $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str);
123  } else {
124  $this->max_auth_age = null;
125  }
126  }
127 
142  function preferredTypes($supported_types)
143  {
144  $result = array();
145 
146  foreach ($supported_types as $st) {
147  if (in_array($st, $this->preferred_auth_policies)) {
148  $result[] = $st;
149  }
150  }
151  return $result;
152  }
153 }
154 
159 class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension {
160 
161  var $ns_alias = 'pape';
162  var $ns_uri = Auth_OpenID_PAPE_NS_URI;
163 
164  function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null,
165  $nist_auth_level=null)
166  {
167  if ($auth_policies) {
168  $this->auth_policies = $auth_policies;
169  } else {
170  $this->auth_policies = array();
171  }
172 
173  $this->auth_time = $auth_time;
174  $this->nist_auth_level = $nist_auth_level;
175  }
176 
187  function addPolicyURI($policy_uri)
188  {
189  if (!in_array($policy_uri, $this->auth_policies)) {
190  $this->auth_policies[] = $policy_uri;
191  }
192  }
193 
204  static function fromSuccessResponse($success_response)
205  {
206  $obj = new Auth_OpenID_PAPE_Response();
207 
208  // PAPE requires that the args be signed.
209  $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI);
210 
211  if ($args === null || $args === array()) {
212  return null;
213  }
214 
215  $result = $obj->parseExtensionArgs($args);
216 
217  if ($result === false) {
218  return null;
219  } else {
220  return $obj;
221  }
222  }
223 
237  function parseExtensionArgs($args, $strict=false)
238  {
239  $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies');
240  if ($policies_str && $policies_str != "none") {
241  $this->auth_policies = explode(" ", $policies_str);
242  }
243 
244  $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level');
245  if ($nist_level_str !== null) {
246  $nist_level = Auth_OpenID::intval($nist_level_str);
247 
248  if ($nist_level === false) {
249  if ($strict) {
250  return false;
251  } else {
252  $nist_level = null;
253  }
254  }
255 
256  if (0 <= $nist_level && $nist_level < 5) {
257  $this->nist_auth_level = $nist_level;
258  } else if ($strict) {
259  return false;
260  }
261  }
262 
263  $auth_time = Auth_OpenID::arrayGet($args, 'auth_time');
264  if ($auth_time !== null) {
265  if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) {
266  $this->auth_time = $auth_time;
267  } else if ($strict) {
268  return false;
269  }
270  }
271  }
272 
273  function getExtensionArgs()
274  {
275  $ns_args = array();
276  if (count($this->auth_policies) > 0) {
277  $ns_args['auth_policies'] = implode(' ', $this->auth_policies);
278  } else {
279  $ns_args['auth_policies'] = 'none';
280  }
281 
282  if ($this->nist_auth_level !== null) {
283  if (!in_array($this->nist_auth_level, range(0, 4), true)) {
284  return false;
285  }
286  $ns_args['nist_auth_level'] = strval($this->nist_auth_level);
287  }
288 
289  if ($this->auth_time !== null) {
290  if (!preg_match(PAPE_TIME_VALIDATOR, $this->auth_time)) {
291  return false;
292  }
293 
294  $ns_args['auth_time'] = $this->auth_time;
295  }
296 
297  return $ns_args;
298  }
299 }
300