Tests that openid.signed is verified.
function testSignatureValidation() {
  module_load_include('inc', 'openid');

  // The user-supplied identifier is the URL of an XRDS document served by the
  // openid_test module, so discovery resolves to the test provider endpoint.
  $claimed_id = url('openid-test/yadis/xrds', ['absolute' => TRUE]);

  // Scenario 1: the provider's assertion carries a signature that does not
  // verify. The relying party must refuse the login rather than trust it.
  state()->set('openid_test.response', [
    'openid.sig' => 'this-is-an-invalid-signature',
  ]);
  $this->submitLoginForm($claimed_id);
  $this->assertRaw('OpenID login failed.');

  // Scenario 2: openid.signed leaves out assoc_handle, one of the fields that
  // OpenID Authentication 2.0 (section 10.1) requires to be covered by the
  // signature. A missing mandatory field must count as a failed verification
  // even if the signature over the remaining fields is correct.
  state()->set('openid_test.response', [
    'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce',
  ]);
  $this->submitLoginForm($claimed_id);
  $this->assertRaw('OpenID login failed.');

  // Scenario 3: every mandatory field plus a custom one ("foo") is signed, so
  // verification succeeds and the registration form is shown with no
  // provider-supplied name or e-mail.
  $mandatory_and_custom = [
    'op_endpoint',
    'claimed_id',
    'identity',
    'return_to',
    'response_nonce',
    'assoc_handle',
    'foo',
  ];
  // A NULL MAC key is used when computing the signature here; presumably the
  // openid_test endpoint verifies against the same key (confirm in the test
  // provider if this assumption changes).
  $assoc = new stdClass();
  $assoc->mac_key = NULL;
  $signed_response = [
    'openid.op_endpoint' => url('openid-test/endpoint', ['absolute' => TRUE]),
    'openid.claimed_id' => $claimed_id,
    'openid.identity' => $claimed_id,
    'openid.return_to' => url('openid/authenticate', ['absolute' => TRUE]),
    'openid.response_nonce' => _openid_nonce(),
    'openid.assoc_handle' => 'openid-test',
    'openid.foo' => 123,
    'openid.signed' => implode(',', $mandatory_and_custom),
  ];
  $signed_response['openid.sig'] = _openid_signature($assoc, $signed_response, $mandatory_and_custom);
  state()->set('openid_test.response', $signed_response);
  $this->submitLoginForm($claimed_id);
  $this->assertNoRaw('OpenID login failed.');
  $this->assertFieldByName('name', '', 'No username was supplied by provider.');
  $this->assertFieldByName('mail', '', 'No e-mail address was supplied by provider.');

  // Scenario 4: only sreg.nickname is listed in openid.signed. The signed
  // nickname is honoured, while the unsigned sreg.email must be discarded
  // because nothing proves the provider actually asserted it.
  $sreg_response = [
    'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,sreg.nickname',
    'openid.sreg.nickname' => 'john',
    'openid.sreg.email' => 'john@example.com',
  ];
  state()->set('openid_test.response', $sreg_response);
  $this->submitLoginForm($claimed_id);
  $this->assertNoRaw('OpenID login failed.');
  $this->assertFieldByName('name', 'john', 'Username was supplied by provider.');
  $this->assertFieldByName('mail', '', 'E-mail address supplied by provider was ignored.');
}