function OpenIDFunctionalTest::testSignatureValidation

Tests that openid.signed is verified.

File

drupal/core/modules/openid/lib/Drupal/openid/Tests/OpenIDFunctionalTest.php, line 358
Definition of Drupal\openid\Tests\OpenIDFunctionalTest.

Class

OpenIDFunctionalTest
Test discovery and login using OpenID

Namespace

Drupal\openid\Tests

Code

function testSignatureValidation() {
  module_load_include('inc', 'openid');

  // A User-supplied Identity that resolves to the XRDS document served by the
  // openid_test module.
  $identity = url('openid-test/yadis/xrds', ['absolute' => TRUE]);

  // Helper: make the test provider answer with $response and attempt a login
  // with the same identity each time.
  $login_with = function (array $response) use ($identity) {
    state()->set('openid_test.response', $response);
    $this->submitLoginForm($identity);
  };

  // Case 1: a signature that does not verify must be rejected.
  $login_with(['openid.sig' => 'this-is-an-invalid-signature']);
  $this->assertRaw('OpenID login failed.');

  // Case 2: openid.assoc_handle is a mandatory field but is omitted from
  // openid.signed; the response must be rejected even though the listed
  // fields may verify.
  $login_with([
    'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce',
  ]);
  $this->assertRaw('OpenID login failed.');

  // Case 3: every mandatory field plus a custom one ('foo') is listed in
  // openid.signed and openid.sig is produced by the module's own signing
  // routine, so the login must succeed.
  $signed_keys = [
    'op_endpoint',
    'claimed_id',
    'identity',
    'return_to',
    'response_nonce',
    'assoc_handle',
    'foo',
  ];
  $assoc = new stdClass();
  // NOTE(review): a NULL MAC key is used here; presumably this mirrors what the
  // openid_test endpoint holds for the 'openid-test' handle — confirm against
  // the test module.
  $assoc->mac_key = NULL;
  $valid_response = [
    'openid.op_endpoint' => url('openid-test/endpoint', ['absolute' => TRUE]),
    'openid.claimed_id' => $identity,
    'openid.identity' => $identity,
    'openid.return_to' => url('openid/authenticate', ['absolute' => TRUE]),
    'openid.response_nonce' => _openid_nonce(),
    'openid.assoc_handle' => 'openid-test',
    'openid.foo' => 123,
    'openid.signed' => implode(',', $signed_keys),
  ];
  $valid_response['openid.sig'] = _openid_signature($assoc, $valid_response, $signed_keys);
  $login_with($valid_response);
  $this->assertNoRaw('OpenID login failed.');
  // The provider sent no SREG data, so the registration form is left blank.
  $this->assertFieldByName('name', '', 'No username was supplied by provider.');
  $this->assertFieldByName('mail', '', 'No e-mail address was supplied by provider.');

  // Case 4: only sreg.nickname is covered by openid.signed; sreg.email is sent
  // unsigned and must not be trusted, so the e-mail field stays empty.
  $login_with([
    'openid.signed' => 'op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,sreg.nickname',
    'openid.sreg.nickname' => 'john',
    'openid.sreg.email' => 'john@example.com',
  ]);
  $this->assertNoRaw('OpenID login failed.');
  $this->assertFieldByName('name', 'john', 'Username was supplied by provider.');
  $this->assertFieldByName('mail', '', 'E-mail address supplied by provider was ignored.');
}