forked from GNUsocial/gnu-social
294 lines
8.1 KiB
PHP
294 lines
8.1 KiB
PHP
<?php
|
|
|
|
/*
|
|
* Unit tests for verification of return_to URLs for a realm.
|
|
*/
|
|
|
|
require_once 'Auth/OpenID/Discover.php';
|
|
require_once 'Auth/OpenID/TrustRoot.php';
|
|
|
|
require_once 'Auth/Yadis/Yadis.php';
|
|
|
|
/*
|
|
* Tests for building the discovery URL from a realm and a return_to
|
|
* URL
|
|
*/
|
|
class Tests_Auth_OpenID_BuildDiscoveryURL extends PHPUnit_Framework_TestCase {
|
|
/*
|
|
* Build a discovery URL out of the realm and a return_to and make
|
|
* sure that it matches the expected discovery URL
|
|
*/
|
|
function failUnlessDiscoURL($realm, $expected_discovery_url)
|
|
{
|
|
$actual_discovery_url = Auth_OpenID_TrustRoot::buildDiscoveryURL($realm);
|
|
$this->assertEquals($expected_discovery_url, $actual_discovery_url);
|
|
}
|
|
|
|
/*
|
|
* There is no wildcard and the realm is the same as the return_to
|
|
* URL
|
|
*/
|
|
function test_trivial()
|
|
{
|
|
$this->failUnlessDiscoURL('http://example.com/foo',
|
|
'http://example.com/foo');
|
|
}
|
|
|
|
/*
|
|
* There is a wildcard
|
|
*/
|
|
function test_wildcard()
|
|
{
|
|
$this->failUnlessDiscoURL('http://*.example.com/foo',
|
|
'http://www.example.com/foo');
|
|
}
|
|
}
|
|
|
|
class _MockDiscover {
|
|
function _MockDiscover($data) {
|
|
$this->data =& $data;
|
|
}
|
|
|
|
function mockDiscover($uri, $fetcher, $discover_function=null)
|
|
{
|
|
$result = new Auth_Yadis_DiscoveryResult($uri);
|
|
$result->response_text = $this->data;
|
|
$result->normalized_uri = $uri;
|
|
return $result;
|
|
}
|
|
}
|
|
|
|
class Tests_Auth_OpenID_ExtractReturnToURLs extends PHPUnit_Framework_TestCase {
|
|
var $disco_url = 'http://example.com/';
|
|
|
|
function failUnlessXRDSHasReturnURLs($data, $expected_return_urls)
|
|
{
|
|
$discover_object = new _MockDiscover($data);
|
|
$actual_return_urls = Auth_OpenID_getAllowedReturnURLs($this->disco_url, null, array($discover_object, 'mockDiscover'));
|
|
|
|
$this->assertEquals($expected_return_urls, $actual_return_urls);
|
|
}
|
|
|
|
function failUnlessDiscoveryFailure($text)
|
|
{
|
|
$discover_object = new _MockDiscover($text);
|
|
$this->assertFalse(Auth_OpenID_getAllowedReturnURLs($this->disco_url, null, array($discover_object, 'mockDiscover')));
|
|
}
|
|
|
|
function test_empty()
|
|
{
|
|
$this->failUnlessDiscoveryFailure('');
|
|
}
|
|
|
|
function test_badXML()
|
|
{
|
|
$this->failUnlessDiscoveryFailure('>');
|
|
}
|
|
|
|
function test_noEntries()
|
|
{
|
|
$this->failUnlessXRDSHasReturnURLs('<?xml version="1.0" encoding="UTF-8"?>
|
|
<xrds:XRDS xmlns:xrds="xri://$xrds"
|
|
xmlns="xri://$xrd*($v*2.0)"
|
|
>
|
|
<XRD>
|
|
</XRD>
|
|
</xrds:XRDS>
|
|
', array());
|
|
}
|
|
|
|
function test_noReturnToEntries()
|
|
{
|
|
$this->failUnlessXRDSHasReturnURLs('<?xml version="1.0" encoding="UTF-8"?>
|
|
<xrds:XRDS xmlns:xrds="xri://$xrds"
|
|
xmlns="xri://$xrd*($v*2.0)"
|
|
>
|
|
<XRD>
|
|
<Service priority="10">
|
|
<Type>http://specs.openid.net/auth/2.0/server</Type>
|
|
<URI>http://www.myopenid.com/server</URI>
|
|
</Service>
|
|
</XRD>
|
|
</xrds:XRDS>
|
|
', array());
|
|
}
|
|
|
|
function test_oneEntry()
|
|
{
|
|
$this->failUnlessXRDSHasReturnURLs('<?xml version="1.0" encoding="UTF-8"?>
|
|
<xrds:XRDS xmlns:xrds="xri://$xrds"
|
|
xmlns="xri://$xrd*($v*2.0)"
|
|
>
|
|
<XRD>
|
|
<Service>
|
|
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
|
|
<URI>http://rp.example.com/return</URI>
|
|
</Service>
|
|
</XRD>
|
|
</xrds:XRDS>
|
|
', array('http://rp.example.com/return'));
|
|
}
|
|
|
|
function test_twoEntries()
|
|
{
|
|
$this->failUnlessXRDSHasReturnURLs('<?xml version="1.0" encoding="UTF-8"?>
|
|
<xrds:XRDS xmlns:xrds="xri://$xrds"
|
|
xmlns="xri://$xrd*($v*2.0)"
|
|
>
|
|
<XRD>
|
|
<Service priority="0">
|
|
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
|
|
<URI>http://rp.example.com/return</URI>
|
|
</Service>
|
|
<Service priority="1">
|
|
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
|
|
<URI>http://other.rp.example.com/return</URI>
|
|
</Service>
|
|
</XRD>
|
|
</xrds:XRDS>
|
|
', array('http://rp.example.com/return',
|
|
'http://other.rp.example.com/return'));
|
|
}
|
|
|
|
function test_twoEntries_withOther()
|
|
{
|
|
$this->failUnlessXRDSHasReturnURLs('<?xml version="1.0" encoding="UTF-8"?>
|
|
<xrds:XRDS xmlns:xrds="xri://$xrds"
|
|
xmlns="xri://$xrd*($v*2.0)"
|
|
>
|
|
<XRD>
|
|
<Service priority="0">
|
|
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
|
|
<URI>http://rp.example.com/return</URI>
|
|
</Service>
|
|
<Service priority="1">
|
|
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
|
|
<URI>http://other.rp.example.com/return</URI>
|
|
</Service>
|
|
<Service priority="0">
|
|
<Type>http://example.com/LOLCATS</Type>
|
|
<URI>http://example.com/invisible+uri</URI>
|
|
</Service>
|
|
</XRD>
|
|
</xrds:XRDS>
|
|
', array('http://rp.example.com/return',
|
|
'http://other.rp.example.com/return'));
|
|
}
|
|
}
|
|
|
|
class Tests_Auth_OpenID_ReturnToMatches extends PHPUnit_Framework_TestCase {
|
|
function test_noEntries()
|
|
{
|
|
$this->assertFalse(Auth_OpenID_returnToMatches(array(), 'anything'));
|
|
}
|
|
|
|
function test_exactMatch()
|
|
{
|
|
$r = 'http://example.com/return.to';
|
|
$this->assertTrue(Auth_OpenID_returnToMatches(array($r), $r));
|
|
}
|
|
|
|
function test_garbageMatch()
|
|
{
|
|
$r = 'http://example.com/return.to';
|
|
$this->assertTrue(Auth_OpenID_returnToMatches(
|
|
array('This is not a URL at all. In fact, it has characters, ' .
|
|
'like "<" that are not allowed in URLs', $r), $r));
|
|
}
|
|
|
|
function test_descendant()
|
|
{
|
|
$r = 'http://example.com/return.to';
|
|
$this->assertTrue(Auth_OpenID_returnToMatches(array($r),
|
|
'http://example.com/return.to/user:joe'));
|
|
}
|
|
|
|
function test_wildcard()
|
|
{
|
|
$this->assertFalse(Auth_OpenID_returnToMatches(
|
|
array('http://*.example.com/return.to'),
|
|
'http://example.com/return.to'));
|
|
}
|
|
|
|
function test_noMatch()
|
|
{
|
|
$r = 'http://example.com/return.to';
|
|
$this->assertFalse(Auth_OpenID_returnToMatches(array($r),
|
|
'http://example.com/xss_exploit'));
|
|
}
|
|
}
|
|
|
|
class Verifier {
|
|
function Verifier($test_case, $return_to)
|
|
{
|
|
$this->tc =& $test_case;
|
|
$this->return_to = $return_to;
|
|
}
|
|
|
|
function verify($disco_url)
|
|
{
|
|
$this->tc->assertEquals('http://www.example.com/', $disco_url);
|
|
|
|
if ($this->return_to === false) {
|
|
return false;
|
|
} else {
|
|
return array($this->return_to);
|
|
}
|
|
}
|
|
}
|
|
|
|
class Tests_Auth_OpenID_VerifyReturnTo extends PHPUnit_Framework_TestCase {
|
|
|
|
function test_bogusRealm()
|
|
{
|
|
$this->assertFalse(Auth_OpenID_verifyReturnTo('', 'http://example.com/', null));
|
|
}
|
|
|
|
function test_verifyWithDiscoveryCalled()
|
|
{
|
|
$realm = 'http://*.example.com/';
|
|
$return_to = 'http://www.example.com/foo';
|
|
|
|
$v = new Verifier($this, $return_to);
|
|
|
|
$this->assertTrue(Auth_OpenID_verifyReturnTo($realm, $return_to, null, array($v, 'verify')));
|
|
}
|
|
|
|
function test_verifyFailWithDiscoveryCalled()
|
|
{
|
|
$realm = 'http://*.example.com/';
|
|
$return_to = 'http://www.example.com/foo';
|
|
|
|
$v = new Verifier($this, 'http://something-else.invalid/');
|
|
|
|
$this->assertFalse(Auth_OpenID_verifyReturnTo($realm, $return_to, null, array($v, 'verify')));
|
|
}
|
|
|
|
function test_verifyFailIfDiscoveryRedirects()
|
|
{
|
|
$realm = 'http://*.example.com/';
|
|
$return_to = 'http://www.example.com/foo';
|
|
|
|
$v = new Verifier($this, false);
|
|
|
|
$this->assertFalse(Auth_OpenID_verifyReturnTo($realm, $return_to, null, array($v, 'verify')));
|
|
}
|
|
}
|
|
|
|
class Tests_Auth_OpenID_RPVerify extends PHPUnit_Framework_TestSuite {
|
|
function getName()
|
|
{
|
|
return "Tests_Auth_OpenID_RPVerify";
|
|
}
|
|
|
|
function Tests_Auth_OpenID_RPVerify()
|
|
{
|
|
$this->addTestSuite('Tests_Auth_OpenID_VerifyReturnTo');
|
|
$this->addTestSuite('Tests_Auth_OpenID_ReturnToMatches');
|
|
$this->addTestSuite('Tests_Auth_OpenID_ExtractReturnToURLs');
|
|
$this->addTestSuite('Tests_Auth_OpenID_BuildDiscoveryURL');
|
|
}
|
|
}
|
|
|
|
|