pax_global_header00006660000000000000000000000064126534774310014526gustar00rootroot0000000000000052 comment=c664ff59169105c26f11850f4b6f91ba2845111b wordpress-openid-3.4.1/000077500000000000000000000000001265347743100150375ustar00rootroot00000000000000wordpress-openid-3.4.1/.editorconfig000066400000000000000000000003061265347743100175130ustar00rootroot00000000000000# EditorConfig is awesome: http://EditorConfig.org # top-most EditorConfig file root = true [*] end_of_line = lf trim_trailing_whitespace = true charset = utf-8 indent_style = tab indent_size = 4 wordpress-openid-3.4.1/LICENSE000066400000000000000000000261361265347743100160540ustar00rootroot00000000000000 Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. wordpress-openid-3.4.1/README.md000066400000000000000000000341311265347743100163200ustar00rootroot00000000000000# OpenID # **Contributors:** willnorris, factoryjoe, pfefferle **Tags:** openid, authentication, login, comments **Requires at least:** 2.8 **Tested up to:** 4.4.1 **Stable tag:** 3.4.1 **License:** Apache 2.0 **License URI:** https://www.apache.org/licenses/LICENSE-2.0 Allows WordPress to provide and consumer OpenIDs for authentication of users and comments. ## Description ## OpenID is an [open standard][] that allows users to authenticate to websites without having to create a new password. This plugin allows users to login to their local WordPress account using an OpenID, as well as enabling commenters to leave authenticated comments with OpenID. The plugin also includes an OpenID provider, enabling users to login to OpenID-enabled sites using their own personal WordPress account. [XRDS-Simple][] is required for the OpenID Provider and some features of the OpenID Consumer. Developer documentation, which includes all of the public methods and hooks for integrating with and extending the plugin, can be found [here][dev-doc]. [open standard]: http://openid.net/ [XRDS-Simple]: http://wordpress.org/plugins/xrds-simple/ [dev-doc]: http://wiki.diso-project.org/wordpress-openid-api ## Installation ## This plugin follows the [standard WordPress installation method][]: 1. Upload the `openid` folder to the `/wp-content/plugins/` directory 1. Activate the plugin through the 'Plugins' menu in WordPress 1. Configure the plugin through the 'OpenID' section of the 'Options' menu [standard WordPress installation method]: http://codex.wordpress.org/Managing_Plugins#Installing_Plugins ## Frequently Asked Questions ## ### Why do I get blank screens when I activate the plugin? ### In some cases the plugin may have problems if not enough memory has been allocated to PHP. Try ensuring that the PHP memory\_limit is at least 8MB (limits of 64MB are not uncommon). ### Why don't `https` OpenIDs work? ### SSL certificate problems creep up when working with some OpenID providers (namely MyOpenID). This is typically due to an outdated CA cert bundle being used by libcurl. An explanation of the problem and a couple of solutions can be found [here][libcurl]. [libcurl]: http://lists.openidenabled.com/pipermail/dev/2007-August/000784.html ### Why do I get the error "Invalid openid.mode ''"? ### There are actually a couple of reasons that can cause this, but it seems one of the more common causes is a conflict with certain mod_security rules. See [this blog post][ioni2] for instructions on how to resolve this issue. [ioni2]: http://ioni2.com/2009/wordpress-openid-login-failed-invalid-openid-mode-no-mode-set-solved-for-both-wordpress-and-drupal/ ### How do I use SSL for OpenID transactions? ### First, be aware that this only works in WordPress 2.6 and up. Make sure you've turned on SSL in WordPress by [defining either of the following][wp-ssl] globals as "true" in your `wp-config.php` file: - FORCE\_SSL\_LOGIN - FORCE\_SSL\_ADMIN Then, also define the following global as "true" in your `wp-config.php` file: - OPENID\_SSL Be aware that you will almost certainly have trouble with this if you are not using a certificate purchased from a well-known certificate authority. [wp-ssl]: http://codex.wordpress.org/Administration_Over_SSL ### How do I get help if I have a problem? ### Please direct support questions to the "Plugins and Hacks" section of the [WordPress.org Support Forum][]. Just make sure and include the tag 'openid' so that I'll see your post. Additionally, you can file a bug report at . [WordPress.org Support Forum]: http://wordpress.org/support/ ## Screenshots ## ### 1. Commentors can use their OpenID when leaving a comment ### ![Commentors can use their OpenID when leaving a comment](http://s.wordpress.org/extend/plugins/openid/screenshot-1.png) ### 2. Users can login with their OpenID in place of a traditional username and password ### ![Users can login with their OpenID in place of a traditional username and password](http://s.wordpress.org/extend/plugins/openid/screenshot-2.png) ### 3. Users authorized to use the OpenID Provider can delegate to a different provider ### ![Users authorized to use the OpenID Provider can delegate to a different provider](http://s.wordpress.org/extend/plugins/openid/screenshot-3.png) ### 4. Users can add additional OpenIDs which they can use to login to WordPress ### ![Users can add additional OpenIDs which they can use to login to WordPress](http://s.wordpress.org/extend/plugins/openid/screenshot-4.png) ### 5. Users authorized to use the OpenID Provider can monitor which sites they've logged in to ### ![Users authorized to use the OpenID Provider can monitor which sites they've logged in to](http://s.wordpress.org/extend/plugins/openid/screenshot-5.png) ## Changelog ## Project maintined on github at [diso/wordpress-openid](https://github.com/diso/wordpress-openid). ### version 3.4.1 (Jan 31, 2016) ### - update to latest OpenID library. Full changelog [on github](https://github.com/openid/php-openid). - fix comment bug https://wordpress.org/support/topic/false-error-please-fill-the-required-fields-name-email-commenting?replies=5 - fix XRDS-simple bug https://github.com/diso/wordpress-xrds-simple/issues/4 ### version 3.4.0 (Jul 22, 2015) ### - update to latest OpenID library (includes lots of bug fixes, particularly with PHP 5.3). Full changelog [on github](https://github.com/openid/php-openid). - fixed various PHP warnings/errors. - various improvements and bugfixes (props @rodrigoprimo). - attempt to use email as username before url for open id new user (props @yincrash). - chinese and german (props Stephan Richter) translations. - added WebFinger support Full changelog on [github](https://github.com/diso/wordpress-openid/compare/v3.3.4...v3.4.0). ### version 3.3.4 (Nov 16, 2012) ### - update to latest OpenID library (includes lots of bug fixes, particularly with PHP 5.3). Full changelog [on github](https://github.com/openid/php-openid). - various bug fixes. Full changelog [on github](https://github.com/diso/wordpress-openid). ### version 3.3.3 (Aug 24, 2010) ### - add/update danish, japanese, and spanish translations - update to latest version of php-openid library - fix a few PHP and WordPress warnings and notices ### version 3.3.2 (Nov 06, 2009) ### - add localizations for czech, danish, french, spanish, and vietnamese. Some are more up to date than others. More are welcome, see http://code.google.com/p/diso/issues/detail?id=26 - remove stylesheet for recent comments widget, since it breaks the style for OpenID comments - various fixes with administration panels ### version 3.3.1 (Sep 28, 2009) ### - tiny bug in get_user_openids causing it to always return empty array ### version 3.3 (Sep 28, 2009) ### - minimum required version has been bumped to WordPress 2.8 - fix support for WordPress MU - new, less obtrusive UI for comment form. Should also work with all themes in some form (with or without js). - many administrative options have been moved to their respective locations on core WordPress Settings pages - drop support for experimental EAUT and IDIB protocols - drop support for installing the plugin in mu-plugins folder - always include 'index.php' on OpenID endpoint URLs. Without that, some deployments were having problems. - fix bug relating to trackbacks and pingbacks - fix bug (#121) relating to unregistered options (props tom.tdw for the patch) - lots of minor bug fixes ### version 3.2.3 (Jul 20, 2009) ### - fix XSS vulnerability. (props Stuart Metcalfe) ### version 3.2.2 (Mar 19, 2009) ### - fix problems when using non-index.php permalinks with non-apache web servers - ensure that show\_on\_front option is not empty - function name typo (props gunemalli) - fix deprecated pass-by-reference call in php-openid library (props jschuur) - fix UI bug on registration form with IE browsers (props oledole) - UI tweaks to better match WP 2.7 - update a few strings for localization and POT file ### version 3.2.1 (Feb 13, 2009) ### - patch php-openid library to fix XRDS handling (thanks Mike Jones for helping find this) - add default values for some openid vars -- necessary for OP-initiated login - fix bug with OpenID server where OpenID request was sometimes lost - add filter for openid\_trust\_root ### version 3.2 (Jan 20, 2009) ### - add uninstall hook for WordPress 2.7 -- this will remove all traces of the plugin from the database - UI fixes for WordPress 2.7 - add settings link to plugins page - silence XML parsing errors with PHP4 - ensure wp\_scripts is set - ensure openid comment processing occurs after akismet - add ellipses to truncated OpenIDs (fixes #94) - fix bug where Yahoo! OpenIDs weren't matching profile URL (fixes #98) - don't return empty SREG values - Add support for consuming Attribute Exchange - use a single return\_to URL for all OpenID actions - cleaner OpenID service URLs when permalinks configured to do so (all path, no query string) - fixed issue where OpenID Server would sometimes break depending on a users permalink structure (fixed #101) - fixed issue where OpenID consumer would sometimes break if mod\_encoding was enabled in Apache (used for WebDAV) (fixed #96) - don't redirect when performing discovery on OpenID trust root ### version 3.1.4 (Nov 04, 2008) ### - allow OP extensions to include XRDS Types in login service - run OpenID comment processor after Akismet, and skip if Akismet marks comment as spam ### version 3.1.3 (Oct 27, 2008) ### - fix error message if /dev/urandom is not readable ### version 3.1.2 (Oct 26, 2008) ### - ensure source of randomness is set properly - prevent duplicate cleanup\_openid cron jobs - prevent SQL errors on activation - suppress verbose error logging with XML parsing ### version 3.1.1 (Oct 20, 2008) ### - fix bug with OpenID Provider XRDS code that prevents ability to login to some sites (like plaxo.com) ### version 3.1 (Oct 19, 2008) ### - added hidden constant to set custom comments post page (OPENID\_COMMENTS\_POST\_PAGE) - additional option to skip name and email check for OpenID comments - use preferred username (from SREG) if possible when creating new account - truncate long URLs when used as display\_name for comments - numerous bug fixes, including bug with registration form ### version 3.0 (Oct 02, 2008) ### - includes OpenID Provider - supports OpenID delegation - add experimental support for Email Address to URL Transformation - many new hooks for extension and integration - major code refactoring ### version 2.2.2 (Aug 06, 2008) ### - fix bug with "unauthorized return\_to URL" (only known problem with [openid.pl][]) - fix bug with comments containing non-latin characters - respect CUSTOM\_USER\_META\_TABLE constant if present (also added CUSTOM\_OPENID\_IDENTITY\_TABLE constant) - add experimental support for Identity in the Browser ### version 2.2.1 (Jul 25, 2008) ### - fixed EAUT handling code - fixed bug that broke comments containing double quotes (") ### version 2.2.0 (Jul 23, 2008) ### - use POST replay for comments (fixes compatibility with other comment plugins) - only build openid object when needed (much better memory usage) - support for Email Address to URL Transformation (see eaut.org) - fixed bug when using suhosin (hardened php) - use hooks for gathering user data (more extensible) - fixed openid spoofing vulnerability (http://plugins.trac.wordpress.org/ticket/702) - lots code refactoring and UI cleanup ### version 2.1.9 (May 20, 2008) ### - fix javascript loading issues - fix various bugs when creating new account with OpenID - fix error message, and add new warning prompt when removing last OpenID for account ### version 2.1.8 (Apr 02, 2008) ### - fix UI issue with wp-login.php page in WP2.5 - fix bug printing supported curl protocols (http://wordpress.org/support/topic/159062) - fix jquery bug while adding category in WP2.5 (http://wordpress.org/support/topic/164305) ### version 2.1.7 (Mar 21, 2008) ### - remove php5 dependency bug... AGAIN! - also remove some other custom changes to php-openid I forgot were in there. This may actually re-introduce some edge-case bugs, but I'd rather expose them so that we can get the appropriate patches pushed upstream if they really are necessary. ### version 2.1.6 (Mar 20, 2008) ### - update php-openid library to latest. Now properly supports Yahoo's OpenID provider. ### version 2.1.5 (Mar 20, 2008) ### - add support for wordpress v2.5 ### version 2.1.4 (Feb 13, 2008) ### - fix php5 dependency bug - improve jQuery code to reduce problems with other js libraries ### version 2.1.3 (Feb 06, 2008) ### - address security bug mentioned [here](http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts). Props Sam Alexander ### version 2.1.2 ### - minor typo in profile data code ### version 2.1.1 ### - minor bug where profile data is being overwritten ### version 2.1 ### - added FAQ items for plugin updater and adding an OpenID field to a comment form - better tracking of which users have OpenIDs linked to their local WP account - better automatic username generation - fixed bug where non-OpenID websites had problems (bug [729]) - upgrade to version 2.0 of JanRain OpenID library - admin option to rebuild tables ### version 2.0 ### - simplified admin interface by using reasonable defaults. Default behaviors include: - "unobtrusive mode" - always add openid to wp-login.php - always use WP option 'home' for the trust root - new features - hook for trust engine, with very simple implementation included - supports OpenID 2.0 (draft 12) as well as OpenID 1.1 and SReg 1.0 - normal collection of bug fixes ### version 1.0.1 ### - added wordpress.org style readme.txt ### version 1.0 (also known as r13) ### Full SVN logs are available at . [729]: http://dev.wp-plugins.org/ticket/729 [openid.pl]: http://openid.pl/ The original OpenID plugin for WordPress was a collaborative effort between Alan Castonguay and Hans Granqvist. Will Norris forked the plugin and has since become the maintainer. [Alan Castonguay]: http://verselogic.net/ [Hans Granqvist]: http://commented.org/ [Will Norris]: http://willnorris.com/ wordpress-openid-3.4.1/admin_panels.php000066400000000000000000001017211265347743100202040ustar00rootroot00000000000000has_cap('use_openid_provider')) { add_action('show_user_profile', 'openid_extend_profile', 5); add_action('profile_update', 'openid_profile_update'); add_action('user_profile_update_errors', 'openid_profile_update_errors', 10, 3); add_action('load-profile.php', 'openid_style'); if (!get_user_meta($user->ID, 'openid_delegate', true)) { $hookname = add_submenu_page('profile.php', __('Your Trusted Sites', 'openid'), __('Your Trusted Sites', 'openid'), 'read', 'openid_trusted_sites', 'openid_manage_trusted_sites' ); add_action("load-$hookname", 'openid_style' ); add_action("load-$hookname", create_function('', 'wp_enqueue_script("admin-forms");')); } } if ( function_exists('is_site_admin') ) { // add OpenID options to WPMU Site Admin page add_action('wpmu_options', 'openid_wpmu_options'); add_action('update_wpmu_options', 'openid_update_wpmu_options'); } else { // add OpenID options to General Settings page. For now, the only option on this page is dependent on the // 'users_can_register' option, so only add the OpenID Settings if that is set. If additional OpenID settings // are added to the General Settings page, this check may no longer be necessary if ( get_option('users_can_register') ) { add_settings_field('openid_general_settings', __('OpenID Settings', 'openid'), 'openid_general_settings', 'general', 'default'); } } // add OpenID options to Discussion Settings page add_settings_field('openid_disucssion_settings', __('OpenID Settings', 'openid'), 'openid_discussion_settings', 'discussion', 'default'); } /** * Register OpenID admin settings. */ function openid_admin_register_settings() { register_setting('general', 'openid_required_for_registration'); register_setting('discussion', 'openid_no_require_name'); register_setting('discussion', 'openid_enable_approval'); register_setting('discussion', 'openid_enable_commentform'); register_setting('openid', 'openid_blog_owner'); register_setting('openid', 'openid_cap'); } /** * Intercept the call to set the openid_cap option. Instead of storing * this in the options table, set the capability on the appropriate roles. */ function openid_set_cap($newvalue, $oldvalue) { global $wp_roles; $newvalue = (array) $newvalue; foreach ($wp_roles->role_names as $key => $name) { $role = $wp_roles->get_role($key); if (array_key_exists($key, $newvalue) && $newvalue[$key] == 'on') { $option_set = true; } else { $option_set = false; } if ($role->has_cap('use_openid_provider')) { if (!$option_set) $role->remove_cap('use_openid_provider'); } else { if ($option_set) $role->add_cap('use_openid_provider'); } } return $oldvalue; } /** * Add settings link to plugin page. */ function openid_plugin_action_links($links, $file) { $this_plugin = openid_plugin_file(); if($file == $this_plugin) { $links[] = '' . __('Settings') . ''; } return $links; } /* * Display and handle updates from the Admin screen options page. * * @options_page */ function openid_options_page() { global $wpdb, $wp_roles; if ( isset($_REQUEST['action']) ) { switch($_REQUEST['action']) { case 'rebuild_tables' : check_admin_referer('rebuild_tables'); $store = openid_getStore(); $store->reset(); echo '

'.__('OpenID cache refreshed.', 'openid').'

'; break; } } // Display the options page form screen_icon('openid'); ?>

General Settings and Discussion Settings pages.', 'openid') ?>

ID); ?>

ID); return $u->has_cap("use_openid_provider");')); if (!empty($users)): ?>

role_names as $key => $name) { $name = _x($name, null); $role = $wp_roles->get_role($key); $checked = $role->has_cap('use_openid_provider') ? ' checked="checked"' : ''; $option_name = 'openid_cap[' . htmlentities($key) . ']'; echo '
' . "\n"; } ?>

%1$s) as an OpenID. ' . 'The Blog Owner will be able to use the blog address (%2$s) as their OpenID. If this is a ' . 'single-user blog, you should set this to your account.', 'openid'), sprintf('%1$s', $current_user_url), sprintf('%1$s', trailingslashit(get_option('home'))) ); ?>

' . __('A Blog Owner cannot be set for this blog. To set a Blog Owner, ' . 'first remove the following line from your wp-config.php:', 'openid') . '
define("OPENID_DISALLOW_OWNER", 1);

'; } else { $blog_owner = get_option('openid_blog_owner'); if (empty($blog_owner) || $blog_owner == $current_user->user_login) { echo ''; } else { echo '

' . sprintf(__('Only the current Blog Owner (%s) can change this setting.', 'openid'), $blog_owner) . '

'; } } ?>

', ''); ?>

'.__('Success:', 'openid').' '.openid_message().'

'; } elseif( 'warning' == $status ) { echo '

'.__('Warning:', 'openid').' '.openid_message().'

'; } elseif( 'error' == $status ) { echo '

'.__('Error:', 'openid').' '.openid_message().'

'; } if (!empty($error)) { echo '

'.__('Error:', 'openid').' '.$error.'

'; unset($error); } screen_icon('openid'); ?>

Learn more...', 'openid')?>

ID); if (empty($urls)) { echo ''; } else { foreach ($urls as $url) { echo ' '; } } ?>
'.__('No Verified Accounts.', 'openid').'
'.openid_display_identity($url).'

ID, 'openid_trusted_sites', true); if (!is_array($trusted_sites)) $trusted_sites = array(); $sites = explode(PHP_EOL, $_REQUEST['sites']); $count = 0; foreach ($sites as $site) { $site = trim($site); if (empty($site)) continue; if (strpos($site, 'http') === false || strpos($site, 'http') != 0) { $site = 'http://' . $site; } $site = esc_url($site); $site_hash = md5($site); if (array_key_exists($site_hash, $trusted_sites)) continue; $count++; $trusted_sites[$site_hash] = array('url' => $site); } if ($count) { update_user_meta($user->ID, 'openid_trusted_sites', $trusted_sites); echo '

'; printf( _n('Added %d trusted site.', 'Added %d trusted sites.', $count, 'openid'), $count); echo '

'; } break; case 'delete': if (empty($_REQUEST['delete'])) break; check_admin_referer('openid-delete_trusted_sites'); $trusted_sites = get_user_meta($user->ID, 'openid_trusted_sites', true); $count = 0; foreach ($_REQUEST['delete'] as $site_hash) { if (array_key_exists($site_hash, $trusted_sites)) { $trusted_sites[$site_hash] = null; $count++; } } update_user_meta($user->ID, 'openid_trusted_sites', array_filter($trusted_sites)); if ($count) { echo '

'; printf( _n('Deleted %d trusted site.', 'Deleted %d trusted sites.', $count, 'openid'), $count); echo '

'; } break; } screen_icon('openid'); ?>

ID, 'openid_trusted_sites', true); if(empty($trusted_sites)) { echo ''; } else { foreach( $trusted_sites as $site_hash => $site ) { if (array_key_exists('last_login', $site) && $site['last_login']) { $last_login = date(get_option('date_format') . ' - ' . get_option('time_format'), $site['last_login']); } else { $last_login = '-'; } echo ' '; } } ?>
'.__('No Trusted Sites.', 'openid').'
'.$site['url'].' '.$last_login.'



base_prefix) ? $wpdb->base_prefix : $wpdb->prefix ); if ( extension_loaded('suhosin') ) { $status[] = array( 'Curl', false, 'Hardened php (suhosin) extension active -- curl version checking skipped.' ); } else { $curl_message = ''; if( function_exists('curl_version') ) { $curl_version = curl_version(); if(isset($curl_version['version'])) $curl_message .= 'Version ' . $curl_version['version'] . '. '; if(isset($curl_version['ssl_version'])) $curl_message .= 'SSL: ' . $curl_version['ssl_version'] . '. '; if(isset($curl_message['libz_version'])) $curl_message .= 'zlib: ' . $curl_version['libz_version'] . '. '; if(isset($curl_version['protocols'])) { if (is_array($curl_version['protocols'])) { $curl_message .= 'Supports: ' . implode(', ',$curl_version['protocols']) . '. '; } else { $curl_message .= 'Supports: ' . $curl_version['protocols'] . '. '; } } } else { $curl_message = 'This PHP installation does not have support for libcurl. Some functionality, such as ' . 'fetching https:// URLs, will be missing and performance will slightly impared. See ' . 'php.net/manual/en/ref.curl.php about ' . 'enabling libcurl support for PHP.'; } $status[] = array( 'Curl Support', isset($curl_version), $curl_message ); } if (extension_loaded('gmp') and @gmp_init(1)) { $status[] = array( 'Big Integer support', true, 'GMP is installed.' ); } elseif (extension_loaded('bcmath') and @bcadd(1,1)==2) { $status[] = array( 'Big Integer support', true, 'BCMath is installed (though GMP is preferred).' ); } elseif (defined('Auth_OpenID_NO_MATH_SUPPORT')) { $status[] = array( 'Big Integer support', false, 'The OpenID Library is operating in Dumb Mode. Recommend installing GMP support.' ); } $status[] = array( 'Plugin Revision', 'info', OPENID_PLUGIN_REVISION); $status[] = array( 'Plugin Database Revision', 'info', get_option('openid_db_revision')); if (function_exists('xrds_meta')) { $status[] = array( 'XRDS-Simple', 'info', 'XRDS-Simple plugin is installed.'); } else { $status[] = array( 'XRDS-Simple', false, 'XRDS-Simple plugin is not installed. Some features may not work properly (including providing OpenIDs).'); } $openid_enabled = openid_enabled(); $status[] = array( 'Overall Plugin Status', ($openid_enabled), ($openid_enabled ? '' : 'There are problems above that must be dealt with before the plugin can be used.') ); if( $openid_enabled ) { // Display status information echo'

' . __('Status information:', 'openid') . ' ' . __('All Systems Nominal', 'openid') . ' (' . __('Toggle More/Less', 'openid') . ')

'; } else { echo '

' . __('Plugin is currently disabled. Fix the problem, then Deactivate/Reactivate the plugin.', 'openid') . '

'; } echo '
'; foreach( $status as $s ) { list ($name, $state, $message) = $s; echo '
'; if( $state === false ) { echo "[".__('FAIL', 'openid')."] $name"; } elseif( $state === true ) { echo "[".__('OK', 'openid')."] $name"; } else { echo "[".__('INFO', 'openid')."] $name"; } echo ($message ? ': ' : '') . ''; echo (is_array($message) ? '
  • ' . implode('
  • ', $message) . '
' : $message); echo '
'; } echo '
'; } /** * Handle OpenID profile management. */ function openid_profile_management() { global $action; wp_reset_vars( array('action') ); switch( $action ) { case 'add': check_admin_referer('openid-add_openid'); $user = wp_get_current_user(); $auth_request = openid_begin_consumer($_POST['openid_identifier']); $userid = get_user_by_openid($auth_request->endpoint->claimed_id); if ($userid) { global $error; if ($user->ID == $userid) { $error = __('You already have this OpenID!', 'openid'); } else { $error = __('This OpenID is already associated with another user.', 'openid'); } return; } $finish_url = admin_url(current_user_can('edit_users') ? 'users.php' : 'profile.php'); $finish_url = add_query_arg('page', $_REQUEST['page'], $finish_url); openid_start_login($_POST['openid_identifier'], 'verify', $finish_url); break; case 'delete': openid_profile_delete_openids($_REQUEST['delete']); break; default: if ( array_key_exists('message', $_REQUEST) ) { $message = $_REQUEST['message']; $messages = array( '', __('Unable to authenticate OpenID.', 'openid'), __('OpenID assertion successful, but this URL is already associated with another user on this blog.', 'openid'), __('Added association with OpenID.', 'openid') ); if (is_numeric($message)) { $message = $messages[$message]; } else { $message = htmlentities2( $message ); } $message = __($message, 'openid'); if (array_key_exists('update_url', $_REQUEST) && $_REQUEST['update_url']) { $message .= '
' . __('Note: For security reasons, your profile URL has been updated to match your OpenID.', 'openid'); } openid_message($message); openid_status($_REQUEST['status']); } break; } } /** * Remove identity URL from current user account. * * @param int $id id of identity URL to remove */ function openid_profile_delete_openids($delete) { if (empty($delete) || array_key_exists('cancel', $_REQUEST)) return; check_admin_referer('openid-delete_openids'); $user = wp_get_current_user(); $urls = get_user_openids($user->ID); if (sizeof($urls) == sizeof($delete) && !@$_REQUEST['confirm']) { $html = '

'.__('OpenID Warning', 'openid').'

'.__('Are you sure you want to delete all of your OpenID associations? Doing so may prevent you from logging in.', 'openid').'

'; foreach ($delete as $d) { $html .= ''; } $html .= wp_nonce_field('openid-delete_openids', '_wpnonce', true, false) . '
'; openid_page($html, __('OpenID Warning', 'openid')); return; } $count = 0; foreach ($urls as $url) { if (in_array(md5($url), $_REQUEST['delete'])) { if (openid_drop_identity($user->ID, $url)) { $count++; } } } if ($count) { openid_message( sprintf(_n('Deleted %d OpenID association.', 'Deleted %d OpenID associations.', $count, 'openid'), $count) ); openid_status('success'); // ensure that profile URL is still a verified OpenID require_once 'Auth/OpenID.php'; @include_once(ABSPATH . WPINC . '/registration.php'); // WP < 2.3 @include_once(ABSPATH . 'wp-admin/includes/admin.php'); // WP >= 2.3 if (!openid_ensure_url_match($user)) { $identities = get_user_openids($user->ID); wp_update_user( array('ID' => $user->ID, 'user_url' => $identities[0]) ); openid_message(openid_message() . '
'.__('Note: For security reasons, your profile URL has been updated to match your OpenID.', 'openid')); } return; } openid_message(__('OpenID association delete failed: Unknown reason.', 'openid')); openid_status('error'); } /** * Action method for completing the 'verify' action. This action is used adding an identity URL to a * WordPress user through the admin interface. * * @param string $identity_url verified OpenID URL */ function openid_finish_verify($identity_url, $action) { if ($action != 'verify') return; $message; $user = wp_get_current_user(); if (empty($identity_url)) { $message = openid_message(); if (empty($message)) $message = 1; } else { if( !openid_add_identity($user->ID, $identity_url) ) { $message = 2; } else { $message = 3; // ensure that profile URL is a verified OpenID require_once 'Auth/OpenID.php'; require_once(ABSPATH . 'wp-admin/includes/admin.php'); if (!openid_ensure_url_match($user)) { wp_update_user( array('ID' => $user->ID, 'user_url' => $identity_url) ); $update_url = 1; } } } $finish_url = $_SESSION['openid_finish_url']; $finish_url = add_query_arg('status', openid_status(), $finish_url); $finish_url = add_query_arg('message', $message, $finish_url); if ( isset($update_url) && $update_url ) { $finish_url = add_query_arg('update_url', $update_url, $finish_url); } wp_safe_redirect($finish_url); exit; } /** * hook in and call when user is updating their profile URL... make sure it is an OpenID they control. */ function openid_personal_options_update() { $user = wp_get_current_user(); if (!openid_ensure_url_match($user, $_POST['url'])) { wp_die(sprintf(__('For security reasons, your profile URL must be one of your claimed OpenIDs: %s', 'openid'), '
  • ' . join('
  • ', get_user_openids($user->ID)) . '
')); } } /** * Ensure that the user's profile URL matches one of their OpenIDs */ function openid_ensure_url_match($user, $url = null) { $identities = get_user_openids($user->ID); if (empty($identities)) return true; require_once 'Auth/OpenID.php'; if ($url == null) $url = $user->user_url; $url = Auth_OpenID::normalizeUrl($url); foreach ($identities as $id) { $id = Auth_OpenID::normalizeUrl($id); if ($id == $url) return true; } return false; } /** * Add OpenID options to the WordPress user profile page. */ function openid_extend_profile() { $user = wp_get_current_user(); echo '

'.__('OpenID Delegation allows you to use an external OpenID provider of your choice.', 'openid').'

' . __('To delegate, enter a valid OpenID. Otherwise leave this blank.', 'openid') . '
'; } /** * Update OpenID options set from the WordPress user profile page. */ function openid_profile_update($user_id) { global $openid_user_delegation_info; if ( empty($_POST['openid_delegate']) ) { delete_user_meta($user_id, 'openid_delegate'); delete_user_meta($user_id, 'openid_delegate_services'); } else { update_user_meta($user_id, 'openid_delegate', $openid_user_delegation_info['url']); update_user_meta($user_id, 'openid_delegate_services', $openid_user_delegation_info['services']); } } /** * Report any OpenID errors during user profile updating. */ function openid_profile_update_errors($errors, $update, $user) { global $openid_user_delegation_info; $delegate = Auth_OpenID::normalizeUrl($_POST['openid_delegate']); if ( empty($delegate) ) return $errors; $openid_user_delegation_info = openid_server_get_delegation_info($user->ID, $delegate); if (!$openid_user_delegation_info) { $errors->add('openid_delegate', sprintf(__('Unable to find any OpenID information for delegate URL %s', 'openid'), ''.$delegate.'')); } else { $id_select_count = 0; foreach ($openid_user_delegation_info['services'] as $service) { if ( array_key_exists('LocalID', $service) && $service['LocalID'] == Auth_OpenID_IDENTIFIER_SELECT ) { $id_select_count++; } } if ( count($openid_user_delegation_info['services']) <= $id_select_count ) { $errors->add('openid_delegate', sprintf(__('You cannot delegate to an OpenID provider which uses Identifier Select.', 'openid'))); } } return $errors; } /** * Add OpenID options to the WordPress MU site options page. */ function openid_wpmu_options() { $registration = get_site_option('registration'); if ( $registration == 'all' || $registration == 'user' ): ?>



ID ) { if ( 6 > strlen($comment_author_email) || '' == $comment_author ) { wp_die( __('Error: please fill the required fields (name, email).', 'openid') ); } elseif ( !is_email($comment_author_email)) { wp_die( __('Error: please enter a valid email address.', 'openid') ); } } } /** * This filter callback simply approves all OpenID comments, but later it could do more complicated logic * like whitelists. * * @param string $approved comment approval status * @return string new comment approval status */ function openid_comment_approval($approved) { return ($_SESSION['openid_posted_comment'] ? 1 : $approved); } /** * If the comment contains a valid OpenID, skip the check for requiring a name and email address. Even if * this data isn't provided in the form, we may get it through other methods, so we don't want to bail out * prematurely. After OpenID authentication has completed (and $_REQUEST['openid_skip'] is set), we don't * interfere so that this data can be required if desired. * * @param boolean $value existing value of flag, whether to require name and email * @return boolean new value of flag, whether to require name and email * @see get_user_data */ function openid_option_require_name_email( $value ) { $comment_page = (defined('OPENID_COMMENTS_POST_PAGE') ? OPENID_COMMENTS_POST_PAGE : 'wp-comments-post.php'); if ($GLOBALS['pagenow'] != $comment_page) { return $value; } if (array_key_exists('openid_skip', $_REQUEST) && $_REQUEST['openid_skip']) { return get_option('openid_no_require_name') ? false : $value; } // make sure we only process this once per request static $bypass; if ($bypass) { return $value; } else { $bypass = true; } if (array_key_exists('openid_identifier', $_POST)) { if( !empty( $_POST['openid_identifier'] ) ) { return false; } } else { global $comment_author_url; if ( !empty($comment_author_url) ) { return false; } } return $value; } /** * Make sure that a user's OpenID is stored and retrieved properly. This is important because the OpenID * may be an i-name, but WordPress is expecting the comment URL cookie to be a valid URL. * * @wordpress-action sanitize_comment_cookies */ function openid_sanitize_comment_cookies() { if ( isset($_COOKIE['comment_author_openid_'.COOKIEHASH]) ) { // this might be an i-name, so we don't want to run clean_url() remove_filter('pre_comment_author_url', 'clean_url'); $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_openid_'.COOKIEHASH]); $comment_author_url = stripslashes($comment_author_url); $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url; } } /** * Add OpenID class to author link. * * @filter: get_comment_author_link **/ function openid_comment_author_link( $html ) { if( is_comment_openid() ) { if (preg_match('/]* class=[^>]+>/', $html)) { return preg_replace( '/(]* class=[\'"]?)/', '\\1openid_link ' , $html ); } else { return preg_replace( '/(]*)/', '\\1 class="openid_link"' , $html ); } } return $html; } /** * Check if the comment was posted with OpenID, either directly or by an author registered with OpenID. Update the comment accordingly. * * @action post_comment */ function update_comment_openid($comment_ID) { session_start(); if ($_SESSION['openid_posted_comment']) { set_comment_openid($comment_ID); unset($_SESSION['openid_posted_comment']); } else { $comment = get_comment($comment_ID); if ( is_user_openid($comment->user_id) ) { set_comment_openid($comment_ID); } } } /** * Print jQuery call for slylizing profile link. * * @action: comment_form **/ function openid_comment_profilelink() { global $wp_scripts; if (comments_open() && is_user_openid() && $wp_scripts->query('openid')) { echo ''; } } /** * Print jQuery call to modify comment form. * * @action: comment_form **/ function openid_comment_form() { global $wp_scripts; if (comments_open() && !is_user_logged_in() && isset($wp_scripts) && $wp_scripts->query('openid')) { ?> .', 'openid'); ?> '.__('OpenID Authentication Error', 'openid').'

'.__('We were unable to authenticate your claimed OpenID, however you ' . 'can continue to post your comment without OpenID:', 'openid').'

Name:

Email:

URL:

'; foreach ($post as $name => $value) { if (!in_array($name, array('author', 'email', 'url', 'comment', 'submit'))) { $html .= ' '; } } $html .= '
'; openid_page($html, __('OpenID Authentication Error', 'openid')); } /** * Action method for completing the 'comment' action. This action is used when leaving a comment. * * @param string $identity_url verified OpenID URL */ function openid_finish_comment($identity_url, $action) { if ($action != 'comment') return; if (empty($identity_url)) { openid_repost_comment_anonymously($_SESSION['openid_comment_post']); } openid_set_current_user($identity_url); if (is_user_logged_in()) { // simulate an authenticated comment submission $_SESSION['openid_comment_post']['author'] = null; $_SESSION['openid_comment_post']['email'] = null; $_SESSION['openid_comment_post']['url'] = null; } else { // try to get user data from the verified OpenID $user_data = openid_get_user_data($identity_url); if (!empty($user_data['display_name'])) { $_SESSION['openid_comment_post']['author'] = $user_data['display_name']; } if (!empty($user_data['user_email'])) { $_SESSION['openid_comment_post']['email'] = $user_data['user_email']; } $_SESSION['openid_comment_post']['url'] = $identity_url; } // record that we're about to post an OpenID authenticated comment. // We can't actually record it in the database until after the repost below. $_SESSION['openid_posted_comment'] = true; $comment_page = (defined('OPENID_COMMENTS_POST_PAGE') ? OPENID_COMMENTS_POST_PAGE : 'wp-comments-post.php'); openid_repost(site_url("/$comment_page"), array_filter($_SESSION['openid_comment_post'])); } /** * Mark the specified comment as an OpenID comment. * * @param int $id id of comment to set as OpenID */ function set_comment_openid($id) { $comment = get_comment($id); $openid_comments = get_post_meta($comment->comment_post_ID, 'openid_comments', true); if (!is_array($openid_comments)) { $openid_comments = array(); } $openid_comments[] = $id; update_post_meta($comment->comment_post_ID, 'openid_comments', array_unique($openid_comments)); } /** * Unmark the specified comment as an OpenID comment * * @param int $id id of comment to set as OpenID */ function unset_comment_openid($id) { $comment = get_comment($id); $openid_comments = get_post_meta($comment->comment_post_ID, 'openid_comments', true); if (is_array($openid_comments) && in_array($id, $openid_comments)) { $new = array(); foreach($openid_comments as $c) { if ($c == $id) continue; $new[] = $c; } update_post_meta($comment->comment_post_ID, 'openid_comments', array_unique($new)); } } /** * Retrieve user data from comment form. * * @param string $identity_url OpenID to get user data about * @param reference $data reference to user data array * @see get_user_data */ function openid_get_user_data_form($data, $identity_url) { if ( array_key_exists('openid_comment_post', $_SESSION) ) { $comment = $_SESSION['openid_comment_post']; } if ( !isset($comment) || !$comment) { return $data; } if ($comment['email']) { $data['user_email'] = $comment['email']; } if ($comment['author']) { $data['nickname'] = $comment['author']; $data['user_nicename'] = $comment['author']; $data['display_name'] = $comment['author']; } return $data; } /** * Remove the CSS snippet added by the Recent Comments widget because it breaks entries that include the OpenID logo. */ function openid_recent_comments() { global $wp_widget_factory; if ( $wp_widget_factory && array_key_exists('WP_Widget_Recent_Comments', $wp_widget_factory->widgets) ) { // this is an ugly hack because remove_action doesn't actually work the way it should with objects foreach ( array_keys($GLOBALS['wp_filter']['wp_head'][10]) as $key ) { if ( strpos($key, 'WP_Widget_Recent_Commentsrecent_comments_style') === 0 ) { remove_action('wp_head', $key); return; } } } } wordpress-openid-3.4.1/common.php000066400000000000000000000575141265347743100170540ustar00rootroot00000000000000get_role('administrator'); if ($role) $role->add_cap('use_openid_provider'); } // for some reason, show_on_front is not always set, causing is_front_page() to fail $show_on_front = get_option('show_on_front'); if ( empty($show_on_front) ) { update_option('show_on_front', 'posts'); } // Add custom OpenID options add_option( 'openid_enable_commentform', true ); add_option( 'openid_plugin_enabled', true ); add_option( 'openid_plugin_revision', 0 ); add_option( 'openid_db_revision', 0 ); add_option( 'openid_enable_approval', false ); add_option( 'openid_xrds_returnto', true ); add_option( 'openid_comment_displayname_length', 12 ); openid_create_tables(); openid_migrate_old_data(); // setup schedule cleanup wp_clear_scheduled_hook('cleanup_openid'); wp_schedule_event(time(), 'hourly', 'cleanup_openid'); // flush rewrite rules if ( !isset($wp_rewrite) ) { $wp_rewrite = new WP_Rewrite(); } $wp_rewrite->flush_rules(); // set current revision update_option( 'openid_plugin_revision', OPENID_PLUGIN_REVISION ); openid_remove_historical_options(); } /** * Remove options that were used by previous versions of the plugin. */ function openid_remove_historical_options() { delete_option('oid_db_revision'); delete_option('oid_db_version'); delete_option('oid_enable_approval'); delete_option('oid_enable_commentform'); delete_option('oid_enable_email_mapping'); delete_option('oid_enable_foaf'); delete_option('oid_enable_localaccounts'); delete_option('oid_enable_loginform'); delete_option('oid_enable_selfstyle'); delete_option('oid_enable_unobtrusive'); delete_option('oid_plugin_enabled'); delete_option('oid_plugin_revision'); delete_option('oid_plugin_version'); delete_option('oid_trust_root'); delete_option('force_openid_registration'); delete_option('openid_skip_require_name'); delete_option('openid_enable_email_mapping'); delete_option('openid_xrds_idib'); delete_option('openid_xrds_eaut'); } /** * Called on plugin deactivation. Cleanup all transient data. * * @see register_deactivation_hook */ function openid_deactivate_plugin() { wp_clear_scheduled_hook('cleanup_openid'); delete_option('openid_associations'); delete_option('openid_nonces'); delete_option('openid_server_associations'); delete_option('openid_server_nonces'); } /** * Delete options in database */ function openid_uninstall_plugin() { openid_delete_tables(); wp_clear_scheduled_hook('cleanup_openid'); // current options delete_option('openid_enable_commentform'); delete_option('openid_plugin_enabled'); delete_option('openid_plugin_revision'); delete_option('openid_db_revision'); delete_option('openid_enable_approval'); delete_option('openid_xrds_returnto'); delete_option('openid_comment_displayname_length'); delete_option('openid_associations'); delete_option('openid_nonces'); delete_option('openid_server_associations'); delete_option('openid_server_nonces'); delete_option('openid_blog_owner'); delete_option('openid_no_require_name'); delete_option('openid_required_for_registration'); // historical options openid_remove_historical_options(); } /** * Cleanup expired nonces and associations from the OpenID store. */ function openid_cleanup() { $store = openid_getStore(); $store->cleanupNonces(); $store->cleanupAssociations(); } /* * Customer error handler for calls into the JanRain library */ function openid_customer_error_handler($errno, $errmsg, $filename, $linenum, $vars) { if( (2048 & $errno) == 2048 ) return; if (!defined('WP_DEBUG') || !(WP_DEBUG)) { // XML errors if (strpos($errmsg, 'DOMDocument::loadXML') === 0) return; if (strpos($errmsg, 'domxml') === 0) return; // php-openid errors //if (strpos($errmsg, 'Successfully fetched') === 0) return; //if (strpos($errmsg, 'Got no response code when fetching') === 0) return; //if (strpos($errmsg, 'Fetching URL not allowed') === 0) return; // curl errors //if (strpos($errmsg, 'CURL error (6)') === 0) return; // couldn't resolve host //if (strpos($errmsg, 'CURL error (7)') === 0) return; // couldn't connect to host } openid_error( "Library Error $errno: $errmsg in $filename :$linenum"); } /** * Generate a unique WordPress username for the given OpenID URL. * * @param string $url OpenID URL to generate username for * @param boolean $append should we try appending a number if the username is already taken * @return mixed generated username or null if unable to generate */ function openid_generate_new_username($url, $append = true) { $base = openid_normalize_username($url); $i=''; while(true) { $username = openid_normalize_username( $base . $i ); $user = get_user_by('login', $username); if ( $user ) { if (!$append) return null; $i++; continue; } // TODO: add hook return $username; } } /** * Normalize the OpenID URL into a username. This includes rules like: * - remove protocol prefixes like 'http://' and 'xri://' * - remove the 'xri.net' domain for i-names * - substitute certain characters which are not allowed by WordPress * * @param string $username username to be normalized * @return string normalized username * @uses apply_filters() Calls 'openid_normalize_username' just before returning normalized username */ function openid_normalize_username($username) { $normalized = $username; $normalized = preg_replace('|^https?://(xri.net/([^@]!?)?)?|', '', $normalized); $normalized = preg_replace('|^xri://([^@]!?)?|', '', $normalized); $normalized = preg_replace('|/$|', '', $normalized); $normalized = sanitize_user( $normalized ); $normalized = preg_replace('|[^a-z0-9 _.\-@]+|i', '-', $normalized); $normalized = apply_filters('openid_normalize_username', $normalized, $username); return $normalized; } /** * Get the OpenID trust root for the given return_to URL. * * @param string $return_to OpenID return_to URL * @return string OpenID trust root */ function openid_trust_root($return_to = null) { $trust_root = trailingslashit(get_option('home')); // If return_to is HTTPS, trust_root must be as well if (!empty($return_to) && preg_match('/^https/', $return_to)) { $trust_root = preg_replace('/^http\:/', 'https:', $trust_root); } $trust_root = apply_filters('openid_trust_root', $trust_root, $return_to); return $trust_root; } /** * Login user with specified identity URL. This will find the WordPress user account connected to this * OpenID and set it as the current user. Only call this function AFTER you've verified the identity URL. * * @param string $identity userID or OpenID to set as current user * @param boolean $remember should we set the "remember me" cookie * @return void */ function openid_set_current_user($identity, $remember = true) { if (is_numeric($identity)) { $user_id = $identity; } else { $user_id = get_user_by_openid($identity); } if (!$user_id) return; $user = set_current_user($user_id); wp_set_auth_cookie($user->ID, $remember); do_action('wp_login', $user->user_login); } /** * Create a new WordPress user with the specified identity URL and user data. * * @param string $identity_url OpenID to associate with the newly * created account * @param array $user_data array of user data * @uses do_action() Calls 'openid_consumer_new_user_custom_data' hook action after creating user */ function openid_create_new_user($identity_url, &$user_data) { global $wpdb; // Identity URL is new, so create a user @include_once( ABSPATH . 'wp-admin/upgrade-functions.php'); // 2.1 @include_once( ABSPATH . WPINC . '/registration-functions.php'); // 2.0.4 // otherwise, try to use preferred username if ( empty($username) && array_key_exists('nickname', $user_data) ) { $username = openid_generate_new_username($user_data['nickname'], false); } // try using email address before resorting to URL if (empty($username) && array_key_exists('user_email', $user_data)) { $username = openid_generate_new_username($user_data['user_email'], false); } // finally, build username from OpenID URL if (empty($username)) { $username = openid_generate_new_username($identity_url); } $user_data['user_login'] = $username; $user_data['display_name'] = $username; $user_data['user_pass'] = substr( md5( uniqid( microtime() ) ), 0, 7); $user_id = wp_insert_user( $user_data ); if ($user_id instanceof WP_Error) { openid_message($user_id->get_error_message()); openid_status('error'); return; } else if ( is_integer($user_id) ) { // created ok $user_data['ID'] = $user_id; // XXX this all looks redundant, see openid_set_current_user $user = new WP_User( $user_id ); $credentials = array('user_login' => $user->user_login, 'user_password' => $user_data['user_pass'], 'remember' => true); if( ! wp_signon( $credentials ) ) { openid_message(__('User was created fine, but wp_signon() for the new user failed. This is probably a bug.', 'openid')); openid_status('error'); openid_error(openid_message()); return; } // notify of user creation wp_new_user_notification( $user_id ); wp_clear_auth_cookie(); wp_set_auth_cookie($user_id, true); // Bind the provided identity to the just-created user openid_add_user_identity($user_id, $identity_url); openid_status('redirect'); do_action('openid_consumer_new_user_custom_data', $user_id, $user_data); if ( !$user->has_cap('edit_posts') ) $redirect_to = '/wp-admin/profile.php'; } else { // failed to create user for some reason. openid_message(__('OpenID authentication successful, but failed to create WordPress user. This is probably a bug.', 'openid')); openid_status('error'); openid_error(openid_message()); } } /** * Get user data for the given identity URL. Data is returned as an associative array with the keys: * ID, user_url, user_nicename, display_name * * Multiple soures of data may be available and are attempted in the following order: * - OpenID Attribute Exchange !! not yet implemented * - OpenID Simple Registration * - hCard discovery !! not yet implemented * - default to identity URL * * @param string $identity_url OpenID to get user data about * @return array user data * @uses apply_filters() Calls 'openid_user_data' to gather profile data associated with the identity URL */ function openid_get_user_data($identity_url) { $data = array( 'ID' => null, 'user_url' => $identity_url, 'user_nicename' => $identity_url, 'display_name' => $identity_url ); // create proper website URL if OpenID is an i-name if (preg_match('/^[\=\@\+].+$/', $identity_url)) { $data['user_url'] = 'http://xri.net/' . $identity_url; } $data = apply_filters('openid_user_data', $data, $identity_url); // if display_name is still the same as the URL, clean that up a bit if ($data['display_name'] == $identity_url) { $parts = parse_url($identity_url); if ($parts !== false) { $host = preg_replace('/^www./', '', $parts['host']); $path = substr($parts['path'], 0, get_option('openid_comment_displayname_length')); if (strlen($path) < strlen($parts['path'])) $path .= '…'; $data['display_name'] = $host . $path; } } return $data; } /** * Retrieve user data from OpenID Attribute Exchange. * * @param string $identity_url OpenID to get user data about * @param reference $data reference to user data array * @see get_user_data */ function openid_get_user_data_ax($data, $identity_url) { require_once('Auth/OpenID/AX.php'); $response = openid_response(); $ax = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response); if (!$ax) return $data; $email = $ax->getSingle('http://axschema.org/contact/email'); if ($email && !is_a($email, 'Auth_OpenID_AX_Error')) { $data['user_email'] = $email; } $nickname = $ax->getSingle('http://axschema.org/namePerson/friendly'); if ($nickname && !is_a($nickname, 'Auth_OpenID_AX_Error')) { $data['nickname'] = $ax->getSingle('http://axschema.org/namePerson/friendly'); $data['user_nicename'] = $ax->getSingle('http://axschema.org/namePerson/friendly'); $data['display_name'] = $ax->getSingle('http://axschema.org/namePerson/friendly'); } $fullname = $ax->getSingle('http://axschema.org/namePerson'); if ($fullname && !is_a($fullname, 'Auth_OpenID_AX_Error')) { $namechunks = explode( ' ', $fullname, 2 ); if( isset($namechunks[0]) ) $data['first_name'] = $namechunks[0]; if( isset($namechunks[1]) ) $data['last_name'] = $namechunks[1]; $data['display_name'] = $fullname; } return $data; } /** * Retrieve user data from OpenID Simple Registration. * * @param string $identity_url OpenID to get user data about * @param reference $data reference to user data array * @see get_user_data */ function openid_get_user_data_sreg($data, $identity_url) { require_once('Auth/OpenID/SReg.php'); $response = openid_response(); $sreg_resp = Auth_OpenID_SRegResponse::fromSuccessResponse($response); $sreg = $sreg_resp->contents(); if (!$sreg) return $data; if (array_key_exists('email', $sreg) && $sreg['email']) { $data['user_email'] = $sreg['email']; } if (array_key_exists('nickname', $sreg) && $sreg['nickname']) { $data['nickname'] = $sreg['nickname']; $data['user_nicename'] = $sreg['nickname']; $data['display_name'] = $sreg['nickname']; } if (array_key_exists('fullname', $sreg) && $sreg['fullname']) { $namechunks = explode( ' ', $sreg['fullname'], 2 ); if( isset($namechunks[0]) ) $data['first_name'] = $namechunks[0]; if( isset($namechunks[1]) ) $data['last_name'] = $namechunks[1]; $data['display_name'] = $sreg['fullname']; } return $data; } /** * Retrieve user data from hCard discovery. * * @param string $identity_url OpenID to get user data about * @param reference $data reference to user data array * @see get_user_data */ function openid_get_user_data_hcard($data, $identity_url) { // TODO implement hcard discovery return $data; } /** * Parse the WordPress request. If the query var 'openid' is present, then * handle the request accordingly. * * @param WP $wp WP instance for the current request */ function openid_parse_request($wp) { if (array_key_exists('openid', $wp->query_vars)) { openid_clean_request(); switch ($wp->query_vars['openid']) { case 'consumer': @session_start(); $action = $_SESSION['openid_action']; // no action, which probably means OP-initiated login. Set // action to 'login', and redirect to home page when finished if (empty($action)) { $action = 'login'; if (empty($_SESSION['openid_finish_url'])) { //$_SESSION['openid_finish_url'] = get_option('home'); } } finish_openid($action); break; case 'server': $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null; openid_server_request($action); break; case 'ajax': if ( check_admin_referer('openid_ajax') ) { header('Content-Type: application/json'); echo '{ "valid":' . ( is_url_openid( $_REQUEST['url'] ) ? 'true' : 'false' ) . ', "nonce":"' . wp_create_nonce('openid_ajax') . '" }'; exit; } } } } /** * Check if the provided URL is a valid OpenID. * * @param string $url URL to check * @return boolean true if the URL is a valid OpenID */ function is_url_openid( $url ) { $auth_request = openid_begin_consumer( $url ); return ( $auth_request != null ); } /** * Clean HTTP request parameters for OpenID. * * Apache's rewrite module is often used to produce "pretty URLs" in WordPress. * Other webservers, such as lighttpd, nginx, and Microsoft IIS each have ways * (read: hacks) for simulating this kind of functionality. This function * reverses the side-effects of these hacks so that the OpenID request * variables are in the form that the OpenID library expects. */ function openid_clean_request() { if (array_key_exists('q', $_GET)) { // handle nginx web server, which adds an additional query string parameter named "q" unset($_GET['q']); $vars = explode('&', $_SERVER['QUERY_STRING']); $clean = array(); foreach ($vars as $v) { if (strpos($v, 'q=') !== 0) { $clean[] = $v; } } $_SERVER['QUERY_STRING'] = implode('&', $clean); } else if (isset($_SERVER['argc']) && $_SERVER['argc'] >= 1 && $_SERVER['argv'][0] == 'error=404') { // handle lighttpd hack which uses a custom error-handler, passing 404 errors to WordPress. // This results in the QUERY_STRING not having the correct information, but fortunately we // can pull it out of REQUEST_URI list($path, $query) = explode('?', $_SERVER['REQUEST_URI'], 2); $_SERVER['QUERY_STRING'] = $query; } } /** * Build an OpenID service URL. * * @param string $service service to build URL for * @param string $scheme URL scheme to use for URL (see site_url()) * @return string service URL * @see site_url */ function openid_service_url($service, $scheme = null) { global $wp_rewrite; if (!$wp_rewrite) $wp_rewrite = new WP_Rewrite(); if (!defined('OPENID_SSL') || !OPENID_SSL) $scheme = null; $url = site_url('/?openid=' . $service, $scheme); return $url; } /** * Add rewrite rules to WP_Rewrite for the OpenID services. */ function openid_rewrite_rules($wp_rewrite) { $openid_rules = array( 'openid/(.+)' => 'index.php?openid=$matches[1]', ); $wp_rewrite->rules = $openid_rules + $wp_rewrite->rules; } /** * Add valid query vars to WordPress for OpenID. */ function openid_query_vars($vars) { $vars[] = 'openid'; return $vars; } function openid_status($new = null) { static $status; return ($new == null) ? $status : $status = $new; } function openid_message($new = null) { static $message; return ($new == null) ? $message : $message = $new; } function openid_response($new = null) { static $response; return ($new == null) ? $response : $response = $new; } function openid_enabled($new = null) { static $enabled; if ($enabled == null) $enabled = true; return ($new == null) ? $enabled : $enabled = $new; } /** * Send HTTP post through the user-agent. If javascript is not supported, the * user will need to click on a "continue" button. * * @param string $action form action (URL to POST form to) * @param array $parameters key-value pairs of parameters to include in the form * @uses do_action() Calls 'openid_page_head' hook action */ function openid_repost($action, $parameters) { $html = '
'; foreach ($parameters as $k => $v) { if ($k == 'submit') continue; $html .= "\n" . ''; } $html .= '
'; openid_page($html, __('OpenID Authentication Redirect', 'openid')); } function openid_page($message, $title = '') { global $wp_locale; ?> > <?php echo $title ?> text_direction) ) { wp_admin_css('login-rtl', true); } do_action('admin_head'); do_action('openid_page_head'); ?> prepare('INSERT INTO ' . openid_identity_table() . ' (user_id,url,hash) VALUES ( %s, %s, MD5(%s) )', $user_id, $url, $url); return $wpdb->query( $sql ); } /** * Remove identity url from user. * * @param int $user_id user id * @param string $identity_url identity url to remove */ function openid_drop_identity($user_id, $identity_url) { global $wpdb; return $wpdb->query( $wpdb->prepare('DELETE FROM '.openid_identity_table().' WHERE user_id = %s AND url = %s', $user_id, $identity_url) ); } /** * Remove all identity urls from user. * * @param int $user_id user id */ function openid_drop_all_identities($user_id) { global $wpdb; return $wpdb->query( $wpdb->prepare('DELETE FROM '.openid_identity_table().' WHERE user_id = %s', $user_id ) ); } // -------------- // // Other Function // // -------------- // /** * Format OpenID for display... namely, remove the fragment if present. * @param string $url url to display * @return url formatted for display */ function openid_display_identity($url) { return preg_replace('/#.+$/', '', $url); } function openid_error($msg) { error_log('[OpenID] ' . $msg); } function openid_debug($msg) { if (defined('WP_DEBUG') && WP_DEBUG) { openid_error($msg); } } wordpress-openid-3.4.1/consumer.php000066400000000000000000000165501265347743100174120ustar00rootroot00000000000000getMessage($trust_root, $return_to, false); if (Auth_OpenID::isFailure($message)) { return openid_error('Could not redirect to server: '.$message->message); } $_SESSION['openid_return_to'] = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); // send 302 redirect or POST if ($auth_request->shouldSendRedirect()) { $redirect_url = $auth_request->redirectURL($trust_root, $return_to); wp_redirect( $redirect_url ); } else { openid_repost($auth_request->endpoint->server_url, $message->toPostArgs()); } } /** * Finish OpenID Authentication. * * @return String authenticated identity URL, or null if authentication failed. */ function finish_openid_auth() { @session_start(); $consumer = openid_getConsumer(); if ( array_key_exists('openid_return_to', $_SESSION) ) { $openid_return_to = $_SESSION['openid_return_to']; } if ( empty($openid_return_to) ) { $openid_return_to = openid_service_url('consumer'); } $response = $consumer->complete($openid_return_to); unset($_SESSION['openid_return_to']); openid_response($response); switch( $response->status ) { case Auth_OpenID_CANCEL: openid_message(__('OpenID login was cancelled.', 'openid')); openid_status('error'); break; case Auth_OpenID_FAILURE: openid_message(sprintf(__('OpenID login failed: %s', 'openid'), $response->message)); openid_status('error'); break; case Auth_OpenID_SUCCESS: openid_message(__('OpenID login successful', 'openid')); openid_status('success'); $identity_url = $response->identity_url; $escaped_url = htmlspecialchars($identity_url, ENT_QUOTES); return $escaped_url; default: openid_message(__('Unknown Status. Bind not successful. This is probably a bug.', 'openid')); openid_status('error'); } return null; } /** * Begin login by activating the OpenID consumer. * * @param string $url claimed ID * @return Auth_OpenID_Request OpenID Request */ function openid_begin_consumer($url) { static $request; @session_start(); if ($request == NULL) { set_error_handler( 'openid_customer_error_handler'); $consumer = openid_getConsumer(); $request = $consumer->begin($url); restore_error_handler(); } return $request; } /** * Start the OpenID authentication process. * * @param string $claimed_url claimed OpenID URL * @param string $action OpenID action being performed * @param string $finish_url stored in user session for later redirect * @uses apply_filters() Calls 'openid_auth_request_extensions' to gather extensions to be attached to auth request */ function openid_start_login( $claimed_url, $action, $finish_url = null) { if ( empty($claimed_url) ) return; // do nothing. $auth_request = openid_begin_consumer( $claimed_url ); if ( null === $auth_request ) { openid_status('error'); openid_message(sprintf( __('Could not discover an OpenID identity server endpoint at the url: %s', 'openid'), htmlentities($claimed_url) )); return; } @session_start(); $_SESSION['openid_action'] = $action; $_SESSION['openid_finish_url'] = $finish_url; $extensions = apply_filters('openid_auth_request_extensions', array(), $auth_request); foreach ($extensions as $e) { if (is_a($e, 'Auth_OpenID_Extension')) { $auth_request->addExtension($e); } } $return_to = openid_service_url('consumer', 'login_post'); $return_to = apply_filters('openid_return_to', $return_to); $trust_root = openid_trust_root($return_to); openid_redirect($auth_request, $trust_root, $return_to); exit(0); } /** * Build an Attribute Exchange attribute query extension if we've never seen this OpenID before. */ function openid_add_ax_extension($extensions, $auth_request) { if(!get_user_by_openid($auth_request->endpoint->claimed_id)) { require_once('Auth/OpenID/AX.php'); if ($auth_request->endpoint->usesExtension(Auth_OpenID_AX_NS_URI)) { $default_fields = array( Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson/friendly', 1, true), Auth_OpenID_AX_AttrInfo::make('http://axschema.org/contact/email', 1, true), Auth_OpenID_AX_AttrInfo::make('http://axschema.org/namePerson', 1, true) ); $fields = apply_filters('openid_consumer_ax_fields', $default_fields); $ax_request = new Auth_OpenID_AX_FetchRequest(); foreach ($fields as $field) { $ax_request->add($field); } $extensions[] = $ax_request; } } return $extensions; } /** * Build an SReg attribute query extension if we've never seen this OpenID before. * * @uses apply_filters() Calls 'openid_consumer_sreg_required_fields' and * 'openid_consumer_sreg_required_fields' to collect sreg fields. */ function openid_add_sreg_extension($extensions, $auth_request) { if(!get_user_by_openid($auth_request->endpoint->claimed_id)) { require_once('Auth/OpenID/SReg.php'); if ($auth_request->endpoint->usesExtension(Auth_OpenID_SREG_NS_URI_1_0) || $auth_request->endpoint->usesExtension(Auth_OpenID_SREG_NS_URI_1_1)) { $required = apply_filters('openid_consumer_sreg_required_fields', array()); $optional = apply_filters('openid_consumer_sreg_optional_fields', array('nickname','email','fullname')); $extensions[] = Auth_OpenID_SRegRequest::build($required, $optional); } } return $extensions; } /** * Finish OpenID authentication. * * @param string $action login action that is being performed * @uses do_action() Calls 'openid_finish_auth' hook action after processing the authentication response. */ function finish_openid($action) { $identity_url = finish_openid_auth(); do_action('openid_finish_auth', $identity_url, $action); } /** * * @uses apply_filters() Calls 'openid_consumer_return_urls' to collect return_to URLs to be included in XRDS document. */ function openid_consumer_xrds_simple($xrds) { if (get_option('openid_xrds_returnto')) { // OpenID Consumer Service $return_urls = array_unique(apply_filters('openid_consumer_return_urls', array(openid_service_url('consumer', 'login_post')))); if (!empty($return_urls)) { // fixes https://github.com/diso/wordpress-xrds-simple/issues/4 unset( $xrds['main']['type'] ); $xrds = xrds_add_simple_service($xrds, 'OpenID Consumer Service', 'http://specs.openid.net/auth/2.0/return_to', $return_urls); } } return $xrds; } wordpress-openid-3.4.1/f/000077500000000000000000000000001265347743100152645ustar00rootroot00000000000000wordpress-openid-3.4.1/f/ajax-loader.gif000066400000000000000000000034711265347743100201470ustar00rootroot00000000000000GIF89aFFFzzzXXX$$$666hhh! NETSCAPE2.0!Created with ajaxload.info! ,w  !DBAH¬aD@ ^AXP@"UQ# B\; 1 o:2$v@ $|,3 _# d53" s5 e!! ,v i@e9DAA/`ph$Ca%@ pHxFuSx# .݄YfL_" p 3BW ]|L \6{|z87[7!! ,x  e9DE"2r,qPj`8@8bH, *0- mFW9LPE3+ (B"  f{*BW_/ @_$~Kr7Ar7!! ,v 4e9!H"* Q/@-4ép4R+-pȧ`P(6᠝U/  *,)(+/]"lO/*Ak K]A~666!! ,l ie9"* -80H=N; TEqe UoK2_WZ݌V1jgWe@tuH//w`?f~#6#!! ,~ ,e9"* ; pR%#0` 'c(J@@/1i4`VBV u}"caNi/ ] ))-Lel  mi} me[+!! ,y Ie9"M6*¨"7E͖@G((L&pqj@Z %@wZ) pl( ԭqu*R&c `))( s_J>_\'Gm7$+!! ,w Ie9*, (*(B5[1 ZIah!GexzJ0e6@V|U4Dm%$͛p \Gx }@+| =+ 1- Ea5l)+!! ,y )䨞'AKڍ,E\(l&;5 5D03a0--ÃpH4V % i p[R"| #  6iZwcw*!! ,y )䨞,K*0 a;׋аY8b`4n ¨Bbbx,( Ƚ  % >  2*i* /:+$v*!! ,u )䨞l[$ Jq[q 3`Q[5:IX!0rAD8 CvHPfiiQAP@pC %D PQ46  iciNj0w )#!! ,y ). q ,G Jr(J8 C*B,&< h W~-`, ,>; 8RN<, <1T] c' qk$ @)#!;wordpress-openid-3.4.1/f/icon.png000066400000000000000000000031041265347743100167200ustar00rootroot00000000000000PNG  IHDR$$tEXtSoftwareAdobe ImageReadyqe<IDATx̘kH[Wsyg5_[ U}1&됭:$d谝 i0; 6t]PjdisӛƲ NuBP nt߅ CjN;hR˙~5j ߋ.lH}4 O_>IK:=,a#a7|`KQaZtu" Y͏2/OQPCF夈"av-yYoz0D#vo&Z@*o)$kY;ȑ=ȅ"0UeߏDɒp8rSSSK"X+]=gr? pu#v Rӝ={֞w<&&5F8j ƫ""4i=QcjkkGkjjfffTTT!|: f߆@^(WE$"fF`XŒ]?22enn۰w͓'OJ5>---j~j! EDEQLNlRw$x7JJJ.TAwܹu__O^.ZTFa6pmiii~YYٛ{{Wt  X,ɓ'[abKKK7oommzp':N4JSap*xP ȢizUe&UA? Y\\koob v*F:5sPYulwѷ¾6D/Ce:؁c AXm{9O,*1Ζվ S !Z_svXk IU;vo^1LD>>%0b(%7VryJn),,ԃo%ly [())irljeMfvXS{JnC-"9VQda؆=&PjOΒ]FV-NMC$8 oGFPr8l**΍h/EFpDxDh!>O*5ǣud Cqə[n*&&&~qesjHt5( u2$$$\ܜ.Ô ܡ8uMá_9pVA1.??󖖖i S!n¯pa3`>TYY.dSJ Q9ؽguk)}mOBt +V+/dXNu[`4lr-+:"xku>97ֺ"YKFyP=Νs ~ %%%d2Y5.CA%*~h IM+Sdoh¥J#4WŖey=Zn,%uC6cZ@*Y ѐ9N-򛽲X$Q*VVQ%PV*߁_жO?ۡIENDB`wordpress-openid-3.4.1/f/openid.css000066400000000000000000000011501265347743100172510ustar00rootroot00000000000000/* yuicompress openid.css -o openid.min.css * @see http://developer.yahoo.com/yui/compressor/ */ #openid_enabled_link, .openid_link, #openid_identifier, #commentform #openid_identifier { background-image: url('openid.gif'); background-position: 3px 50%; background-repeat: no-repeat; padding-left: 21px !important; } .openid_loading { background: url('ajax-loader.gif') right center no-repeat; } #openid_comment { margin: 0.8em 1em; } #openid_comment input { width: auto; } /* fix link color on wp-login.php */ body.login form#loginform a.legacy, body.login form#registerform a.legacy { color: #FFF; } wordpress-openid-3.4.1/f/openid.gif000066400000000000000000000003231265347743100172270ustar00rootroot00000000000000GIF89acfi kx)оļ!,P'diHi9-) 75Ms(Bq 2ȑ4(0~(EMV{֒0 Vm;wordpress-openid-3.4.1/f/openid.js000066400000000000000000000035271265347743100171070ustar00rootroot00000000000000/* yuicompress openid.js -o openid.min.js * @see http://developer.yahoo.com/yui/compressor/ */ jQuery(function() { jQuery('#openid_system_status').hide(); jQuery('#openid_status_link').click( function() { jQuery('#openid_system_status').toggle(); return false; }); }); function stylize_profilelink() { jQuery("#commentform a[href$='profile.php']").addClass('openid_link'); } /** * Properly integrate the 'Authenticate with OpenID' checkbox into the comment form. * This will move the checkbox below the Website field, and add an AJAX hook to * show/hide the checkbox depending on whether the given URL is a valid OpenID. */ function add_openid_to_comment_form(wp_url, nonce) { var openid_nonce = nonce; var openid_comment = jQuery('#openid_comment'); var openid_checkbox = jQuery('#login_with_openid'); var url = jQuery('#url'); jQuery('label[for="url"],#url').filter(':last').after(openid_comment.hide()); if ( url.val() ) check_openid( url ); url.blur( function() { check_openid(jQuery(this)); } ); /** * Make AJAX call to WordPress to check if the given URL is a valid OpenID. * AJAX response should be a JSON structure with two values: * 'valid' - (boolean) whether or not the given URL is a valid OpenID * 'nonce' - (string) new nonce to use for next AJAX call */ function check_openid( url ) { url.addClass('openid_loading'); if ( url.val() == '' ) { openid_checkbox.attr('checked', ''); openid_comment.slideUp(); return; } jQuery.getJSON(wp_url + '?openid=ajax', {url: url.val(), _wpnonce: openid_nonce}, function(data, textStatus) { url.removeClass('openid_loading'); if ( data.valid ) { openid_checkbox.attr('checked', 'checked'); openid_comment.slideDown(); } else { openid_checkbox.attr('checked', ''); openid_comment.slideUp(); } openid_nonce = data.nonce; }); } } wordpress-openid-3.4.1/f/register.js000066400000000000000000000004721265347743100174510ustar00rootroot00000000000000jQuery(document).ready(function() { jQuery(function() { jQuery("#registerform > p:first").hide(); jQuery("#registerform > p:first + p").hide(); jQuery("#reg_passmail").hide(); jQuery("p.submit").css("margin", "1em 0"); var link = jQuery("#nav a:first"); jQuery("#nav").text("").append(link); }); }); wordpress-openid-3.4.1/lib/000077500000000000000000000000001265347743100156055ustar00rootroot00000000000000wordpress-openid-3.4.1/lib/Auth/000077500000000000000000000000001265347743100165065ustar00rootroot00000000000000wordpress-openid-3.4.1/lib/Auth/OpenID.php000077500000000000000000000364351265347743100203530ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * The library version string */ define('Auth_OpenID_VERSION', '2.2.2'); /** * Require the fetcher code. */ require_once "Auth/Yadis/PlainHTTPFetcher.php"; require_once "Auth/Yadis/ParanoidHTTPFetcher.php"; require_once "Auth/OpenID/BigMath.php"; require_once "Auth/OpenID/URINorm.php"; /** * Status code returned by the server when the only option is to show * an error page, since we do not have enough information to redirect * back to the consumer. The associated value is an error message that * should be displayed on an HTML error page. * * @see Auth_OpenID_Server */ define('Auth_OpenID_LOCAL_ERROR', 'local_error'); /** * Status code returned when there is an error to return in key-value * form to the consumer. The caller should return a 400 Bad Request * response with content-type text/plain and the value as the body. * * @see Auth_OpenID_Server */ define('Auth_OpenID_REMOTE_ERROR', 'remote_error'); /** * Status code returned when there is a key-value form OK response to * the consumer. The value associated with this code is the * response. The caller should return a 200 OK response with * content-type text/plain and the value as the body. * * @see Auth_OpenID_Server */ define('Auth_OpenID_REMOTE_OK', 'remote_ok'); /** * Status code returned when there is a redirect back to the * consumer. The value is the URL to redirect back to. The caller * should return a 302 Found redirect with a Location: header * containing the URL. * * @see Auth_OpenID_Server */ define('Auth_OpenID_REDIRECT', 'redirect'); /** * Status code returned when the caller needs to authenticate the * user. The associated value is a {@link Auth_OpenID_ServerRequest} * object that can be used to complete the authentication. If the user * has taken some authentication action, use the retry() method of the * {@link Auth_OpenID_ServerRequest} object to complete the request. * * @see Auth_OpenID_Server */ define('Auth_OpenID_DO_AUTH', 'do_auth'); /** * Status code returned when there were no OpenID arguments * passed. This code indicates that the caller should return a 200 OK * response and display an HTML page that says that this is an OpenID * server endpoint. * * @see Auth_OpenID_Server */ define('Auth_OpenID_DO_ABOUT', 'do_about'); /** * Defines for regexes and format checking. */ define('Auth_OpenID_letters', "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"); define('Auth_OpenID_digits', "0123456789"); define('Auth_OpenID_punct', "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"); Auth_OpenID_include_init(); /** * The OpenID utility function class. * * @package OpenID * @access private */ class Auth_OpenID { /** * Return true if $thing is an Auth_OpenID_FailureResponse object; * false if not. * * @access private */ static function isFailure($thing) { return is_a($thing, 'Auth_OpenID_FailureResponse'); } /** * Gets the query data from the server environment based on the * request method used. If GET was used, this looks at * $_SERVER['QUERY_STRING'] directly. If POST was used, this * fetches data from the special php://input file stream. * * Returns an associative array of the query arguments. * * Skips invalid key/value pairs (i.e. keys with no '=value' * portion). * * Returns an empty array if neither GET nor POST was used, or if * POST was used but php://input cannot be opened. * * See background: * http://lists.openidenabled.com/pipermail/dev/2007-March/000395.html * * @access private */ static function getQuery($query_str=null) { $data = array(); if ($query_str !== null) { $data = Auth_OpenID::params_from_string($query_str); } else if (!array_key_exists('REQUEST_METHOD', $_SERVER)) { // Do nothing. } else { // XXX HACK FIXME HORRIBLE. // // POSTing to a URL with query parameters is acceptable, but // we don't have a clean way to distinguish those parameters // when we need to do things like return_to verification // which only want to look at one kind of parameter. We're // going to emulate the behavior of some other environments // by defaulting to GET and overwriting with POST if POST // data is available. $data = Auth_OpenID::params_from_string($_SERVER['QUERY_STRING']); if ($_SERVER['REQUEST_METHOD'] == 'POST') { $str = file_get_contents('php://input'); if ($str === false) { $post = array(); } else { $post = Auth_OpenID::params_from_string($str); } $data = array_merge($data, $post); } } return $data; } static function params_from_string($str) { $chunks = explode("&", $str); $data = array(); foreach ($chunks as $chunk) { $parts = explode("=", $chunk, 2); if (count($parts) != 2) { continue; } list($k, $v) = $parts; $data[urldecode($k)] = urldecode($v); } return $data; } /** * Create dir_name as a directory if it does not exist. If it * exists, make sure that it is, in fact, a directory. Returns * true if the operation succeeded; false if not. * * @access private */ static function ensureDir($dir_name) { if (is_dir($dir_name) || @mkdir($dir_name)) { return true; } else { $parent_dir = dirname($dir_name); // Terminal case; there is no parent directory to create. if ($parent_dir == $dir_name) { return true; } return (Auth_OpenID::ensureDir($parent_dir) && @mkdir($dir_name)); } } /** * Adds a string prefix to all values of an array. Returns a new * array containing the prefixed values. * * @access private */ static function addPrefix($values, $prefix) { $new_values = array(); foreach ($values as $s) { $new_values[] = $prefix . $s; } return $new_values; } /** * Convenience function for getting array values. Given an array * $arr and a key $key, get the corresponding value from the array * or return $default if the key is absent. * * @access private */ static function arrayGet($arr, $key, $fallback = null) { if (is_array($arr)) { if (array_key_exists($key, $arr)) { return $arr[$key]; } else { return $fallback; } } else { trigger_error("Auth_OpenID::arrayGet (key = ".$key.") expected " . "array as first parameter, got " . gettype($arr), E_USER_WARNING); return false; } } /** * Replacement for PHP's broken parse_str. */ static function parse_str($query) { if ($query === null) { return null; } $parts = explode('&', $query); $new_parts = array(); for ($i = 0; $i < count($parts); $i++) { $pair = explode('=', $parts[$i]); if (count($pair) != 2) { continue; } list($key, $value) = $pair; $new_parts[urldecode($key)] = urldecode($value); } return $new_parts; } /** * Implements the PHP 5 'http_build_query' functionality. * * @access private * @param array $data Either an array key/value pairs or an array * of arrays, each of which holding two values: a key and a value, * sequentially. * @return string $result The result of url-encoding the key/value * pairs from $data into a URL query string * (e.g. "username=bob&id=56"). */ static function httpBuildQuery($data) { $pairs = array(); foreach ($data as $key => $value) { if (is_array($value)) { $pairs[] = urlencode($value[0])."=".urlencode($value[1]); } else { $pairs[] = urlencode($key)."=".urlencode($value); } } return implode("&", $pairs); } /** * "Appends" query arguments onto a URL. The URL may or may not * already have arguments (following a question mark). * * @access private * @param string $url A URL, which may or may not already have * arguments. * @param array $args Either an array key/value pairs or an array of * arrays, each of which holding two values: a key and a value, * sequentially. If $args is an ordinary key/value array, the * parameters will be added to the URL in sorted alphabetical order; * if $args is an array of arrays, their order will be preserved. * @return string $url The original URL with the new parameters added. * */ static function appendArgs($url, $args) { if (count($args) == 0) { return $url; } // Non-empty array; if it is an array of arrays, use // multisort; otherwise use sort. if (array_key_exists(0, $args) && is_array($args[0])) { // Do nothing here. } else { $keys = array_keys($args); sort($keys); $new_args = array(); foreach ($keys as $key) { $new_args[] = array($key, $args[$key]); } $args = $new_args; } $sep = '?'; if (strpos($url, '?') !== false) { $sep = '&'; } return $url . $sep . Auth_OpenID::httpBuildQuery($args); } /** * Implements python's urlunparse, which is not available in PHP. * Given the specified components of a URL, this function rebuilds * and returns the URL. * * @access private * @param string $scheme The scheme (e.g. 'http'). Defaults to 'http'. * @param string $host The host. Required. * @param string $port The port. * @param string $path The path. * @param string $query The query. * @param string $fragment The fragment. * @return string $url The URL resulting from assembling the * specified components. */ static function urlunparse($scheme, $host, $port = null, $path = '/', $query = '', $fragment = '') { if (!$scheme) { $scheme = 'http'; } if (!$host) { return false; } if (!$path) { $path = ''; } $result = $scheme . "://" . $host; if ($port) { $result .= ":" . $port; } $result .= $path; if ($query) { $result .= "?" . $query; } if ($fragment) { $result .= "#" . $fragment; } return $result; } /** * Given a URL, this "normalizes" it by adding a trailing slash * and / or a leading http:// scheme where necessary. Returns * null if the original URL is malformed and cannot be normalized. * * @access private * @param string $url The URL to be normalized. * @return mixed $new_url The URL after normalization, or null if * $url was malformed. */ static function normalizeUrl($url) { @$parsed = parse_url($url); if (!$parsed) { return null; } if (isset($parsed['scheme']) && isset($parsed['host'])) { $scheme = strtolower($parsed['scheme']); if (!in_array($scheme, array('http', 'https'))) { return null; } } else { $url = 'http://' . $url; } $normalized = Auth_OpenID_urinorm($url); if ($normalized === null) { return null; } list($defragged, $frag) = Auth_OpenID::urldefrag($normalized); return $defragged; } /** * Replacement (wrapper) for PHP's intval() because it's broken. * * @access private */ static function intval($value) { $re = "/^\\d+$/"; if (!preg_match($re, $value)) { return false; } return intval($value); } /** * Count the number of bytes in a string independently of * multibyte support conditions. * * @param string $str The string of bytes to count. * @return int The number of bytes in $str. */ static function bytes($str) { return strlen(bin2hex($str)) / 2; } /** * Get the bytes in a string independently of multibyte support * conditions. */ static function toBytes($str) { $hex = bin2hex($str); if (!$hex) { return array(); } $b = array(); for ($i = 0; $i < strlen($hex); $i += 2) { $b[] = chr(base_convert(substr($hex, $i, 2), 16, 10)); } return $b; } static function urldefrag($url) { $parts = explode("#", $url, 2); if (count($parts) == 1) { return array($parts[0], ""); } else { return $parts; } } static function filter($callback, &$sequence) { $result = array(); foreach ($sequence as $item) { if (call_user_func_array($callback, array($item))) { $result[] = $item; } } return $result; } static function update(&$dest, &$src) { foreach ($src as $k => $v) { $dest[$k] = $v; } } /** * Wrap PHP's standard error_log functionality. Use this to * perform all logging. It will interpolate any additional * arguments into the format string before logging. * * @param string $format_string The sprintf format for the message */ static function log($format_string) { $args = func_get_args(); $message = call_user_func_array('sprintf', $args); error_log($message); } static function autoSubmitHTML($form, $title="OpenId transaction in progress") { return("". "". $title . "". "". $form . "". "". ""); } } /* * Function to run when this file is included. * Abstracted to a function to make life easier * for some PHP optimizers. */ function Auth_OpenID_include_init() { if (Auth_OpenID_getMathLib() === null) { Auth_OpenID_setNoMathSupport(); } } wordpress-openid-3.4.1/lib/Auth/OpenID/000077500000000000000000000000001265347743100176245ustar00rootroot00000000000000wordpress-openid-3.4.1/lib/Auth/OpenID/AX.php000077500000000000000000000751651265347743100206660ustar00rootroot00000000000000message = $message; } } /** * Abstract class containing common code for attribute exchange * messages. * * @package OpenID */ class Auth_OpenID_AX_Message extends Auth_OpenID_Extension { /** * ns_alias: The preferred namespace alias for attribute exchange * messages */ var $ns_alias = 'ax'; /** * mode: The type of this attribute exchange message. This must be * overridden in subclasses. */ var $mode = null; var $ns_uri = Auth_OpenID_AX_NS_URI; /** * Return Auth_OpenID_AX_Error if the mode in the attribute * exchange arguments does not match what is expected for this * class; true otherwise. * * @access private */ function _checkMode($ax_args) { $mode = Auth_OpenID::arrayGet($ax_args, 'mode'); if ($mode != $this->mode) { return new Auth_OpenID_AX_Error( sprintf( "Expected mode '%s'; got '%s'", $this->mode, $mode)); } return true; } /** * Return a set of attribute exchange arguments containing the * basic information that must be in every attribute exchange * message. * * @access private */ function _newArgs() { return array('mode' => $this->mode); } } /** * Represents a single attribute in an attribute exchange * request. This should be added to an AXRequest object in order to * request the attribute. * * @package OpenID */ class Auth_OpenID_AX_AttrInfo { /** * Construct an attribute information object. Do not call this * directly; call make(...) instead. * * @param string $type_uri The type URI for this attribute. * * @param int $count The number of values of this type to request. * * @param bool $required Whether the attribute will be marked as * required in the request. * * @param string $alias The name that should be given to this * attribute in the request. */ function Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, $alias) { /** * required: Whether the attribute will be marked as required * when presented to the subject of the attribute exchange * request. */ $this->required = $required; /** * count: How many values of this type to request from the * subject. Defaults to one. */ $this->count = $count; /** * type_uri: The identifier that determines what the attribute * represents and how it is serialized. For example, one type * URI representing dates could represent a Unix timestamp in * base 10 and another could represent a human-readable * string. */ $this->type_uri = $type_uri; /** * alias: The name that should be given to this attribute in * the request. If it is not supplied, a generic name will be * assigned. For example, if you want to call a Unix timestamp * value 'tstamp', set its alias to that value. If two * attributes in the same message request to use the same * alias, the request will fail to be generated. */ $this->alias = $alias; } /** * Construct an attribute information object. For parameter * details, see the constructor. */ static function make($type_uri, $count=1, $required=false, $alias=null) { if ($alias !== null) { $result = Auth_OpenID_AX_checkAlias($alias); if (Auth_OpenID_AX::isError($result)) { return $result; } } return new Auth_OpenID_AX_AttrInfo($type_uri, $count, $required, $alias); } /** * When processing a request for this attribute, the OP should * call this method to determine whether all available attribute * values were requested. If self.count == UNLIMITED_VALUES, this * returns True. Otherwise this returns False, in which case * self.count is an integer. */ function wantsUnlimitedValues() { return $this->count === Auth_OpenID_AX_UNLIMITED_VALUES; } } /** * Given a namespace mapping and a string containing a comma-separated * list of namespace aliases, return a list of type URIs that * correspond to those aliases. * * @param $namespace_map The mapping from namespace URI to alias * @param $alias_list_s The string containing the comma-separated * list of aliases. May also be None for convenience. * * @return $seq The list of namespace URIs that corresponds to the * supplied list of aliases. If the string was zero-length or None, an * empty list will be returned. * * return null If an alias is present in the list of aliases but * is not present in the namespace map. */ function Auth_OpenID_AX_toTypeURIs($namespace_map, $alias_list_s) { $uris = array(); if ($alias_list_s) { foreach (explode(',', $alias_list_s) as $alias) { $type_uri = $namespace_map->getNamespaceURI($alias); if ($type_uri === null) { // raise KeyError( // 'No type is defined for attribute name %r' % (alias,)) return new Auth_OpenID_AX_Error( sprintf('No type is defined for attribute name %s', $alias) ); } else { $uris[] = $type_uri; } } } return $uris; } /** * An attribute exchange 'fetch_request' message. This message is sent * by a relying party when it wishes to obtain attributes about the * subject of an OpenID authentication request. * * @package OpenID */ class Auth_OpenID_AX_FetchRequest extends Auth_OpenID_AX_Message { var $mode = 'fetch_request'; function Auth_OpenID_AX_FetchRequest($update_url=null) { /** * requested_attributes: The attributes that have been * requested thus far, indexed by the type URI. */ $this->requested_attributes = array(); /** * update_url: A URL that will accept responses for this * attribute exchange request, even in the absence of the user * who made this request. */ $this->update_url = $update_url; } /** * Add an attribute to this attribute exchange request. * * @param attribute: The attribute that is being requested * @return true on success, false when the requested attribute is * already present in this fetch request. */ function add($attribute) { if ($this->contains($attribute->type_uri)) { return new Auth_OpenID_AX_Error( sprintf("The attribute %s has already been requested", $attribute->type_uri)); } $this->requested_attributes[$attribute->type_uri] = $attribute; return true; } /** * Get the serialized form of this attribute fetch request. * * @returns Auth_OpenID_AX_FetchRequest The fetch request message parameters */ function getExtensionArgs() { $aliases = new Auth_OpenID_NamespaceMap(); $required = array(); $if_available = array(); $ax_args = $this->_newArgs(); foreach ($this->requested_attributes as $type_uri => $attribute) { if ($attribute->alias === null) { $alias = $aliases->add($type_uri); } else { $alias = $aliases->addAlias($type_uri, $attribute->alias); if ($alias === null) { return new Auth_OpenID_AX_Error( sprintf("Could not add alias %s for URI %s", $attribute->alias, $type_uri )); } } if ($attribute->required) { $required[] = $alias; } else { $if_available[] = $alias; } if ($attribute->count != 1) { $ax_args['count.' . $alias] = strval($attribute->count); } $ax_args['type.' . $alias] = $type_uri; } if ($required) { $ax_args['required'] = implode(',', $required); } if ($if_available) { $ax_args['if_available'] = implode(',', $if_available); } return $ax_args; } /** * Get the type URIs for all attributes that have been marked as * required. * * @return A list of the type URIs for attributes that have been * marked as required. */ function getRequiredAttrs() { $required = array(); foreach ($this->requested_attributes as $type_uri => $attribute) { if ($attribute->required) { $required[] = $type_uri; } } return $required; } /** * Extract a FetchRequest from an OpenID message * * @param request: The OpenID request containing the attribute * fetch request * * @returns mixed An Auth_OpenID_AX_Error or the * Auth_OpenID_AX_FetchRequest extracted from the request message if * successful */ static function fromOpenIDRequest($request) { $m = $request->message; $obj = new Auth_OpenID_AX_FetchRequest(); $ax_args = $m->getArgs($obj->ns_uri); $result = $obj->parseExtensionArgs($ax_args); if (Auth_OpenID_AX::isError($result)) { return $result; } if ($obj->update_url) { // Update URL must match the openid.realm of the // underlying OpenID 2 message. $realm = $m->getArg(Auth_OpenID_OPENID_NS, 'realm', $m->getArg( Auth_OpenID_OPENID_NS, 'return_to')); if (!$realm) { $obj = new Auth_OpenID_AX_Error( sprintf("Cannot validate update_url %s " . "against absent realm", $obj->update_url)); } else if (!Auth_OpenID_TrustRoot::match($realm, $obj->update_url)) { $obj = new Auth_OpenID_AX_Error( sprintf("Update URL %s failed validation against realm %s", $obj->update_url, $realm)); } } return $obj; } /** * Given attribute exchange arguments, populate this FetchRequest. * * @return $result Auth_OpenID_AX_Error if the data to be parsed * does not follow the attribute exchange specification. At least * when 'if_available' or 'required' is not specified for a * particular attribute type. Returns true otherwise. */ function parseExtensionArgs($ax_args) { $result = $this->_checkMode($ax_args); if (Auth_OpenID_AX::isError($result)) { return $result; } $aliases = new Auth_OpenID_NamespaceMap(); foreach ($ax_args as $key => $value) { if (strpos($key, 'type.') === 0) { $alias = substr($key, 5); $type_uri = $value; $alias = $aliases->addAlias($type_uri, $alias); if ($alias === null) { return new Auth_OpenID_AX_Error( sprintf("Could not add alias %s for URI %s", $alias, $type_uri) ); } $count_s = Auth_OpenID::arrayGet($ax_args, 'count.' . $alias); if ($count_s) { $count = Auth_OpenID::intval($count_s); if (($count === false) && ($count_s === Auth_OpenID_AX_UNLIMITED_VALUES)) { $count = $count_s; } } else { $count = 1; } if ($count === false) { return new Auth_OpenID_AX_Error( sprintf("Integer value expected for %s, got %s", 'count.' . $alias, $count_s)); } $attrinfo = Auth_OpenID_AX_AttrInfo::make($type_uri, $count, false, $alias); if (Auth_OpenID_AX::isError($attrinfo)) { return $attrinfo; } $this->add($attrinfo); } } $required = Auth_OpenID_AX_toTypeURIs($aliases, Auth_OpenID::arrayGet($ax_args, 'required')); foreach ($required as $type_uri) { $attrib = $this->requested_attributes[$type_uri]; $attrib->required = true; } $if_available = Auth_OpenID_AX_toTypeURIs($aliases, Auth_OpenID::arrayGet($ax_args, 'if_available')); $all_type_uris = array_merge($required, $if_available); foreach ($aliases->iterNamespaceURIs() as $type_uri) { if (!in_array($type_uri, $all_type_uris)) { return new Auth_OpenID_AX_Error( sprintf('Type URI %s was in the request but not ' . 'present in "required" or "if_available"', $type_uri)); } } $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); return true; } /** * Iterate over the AttrInfo objects that are contained in this * fetch_request. */ function iterAttrs() { return array_values($this->requested_attributes); } function iterTypes() { return array_keys($this->requested_attributes); } /** * Is the given type URI present in this fetch_request? */ function contains($type_uri) { return in_array($type_uri, $this->iterTypes()); } } /** * An abstract class that implements a message that has attribute keys * and values. It contains the common code between fetch_response and * store_request. * * @package OpenID */ class Auth_OpenID_AX_KeyValueMessage extends Auth_OpenID_AX_Message { function Auth_OpenID_AX_KeyValueMessage() { $this->data = array(); } /** * Add a single value for the given attribute type to the * message. If there are already values specified for this type, * this value will be sent in addition to the values already * specified. * * @param type_uri: The URI for the attribute * @param value: The value to add to the response to the relying * party for this attribute * @return null */ function addValue($type_uri, $value) { if (!array_key_exists($type_uri, $this->data)) { $this->data[$type_uri] = array(); } $values =& $this->data[$type_uri]; $values[] = $value; } /** * Set the values for the given attribute type. This replaces any * values that have already been set for this attribute. * * @param type_uri: The URI for the attribute * @param values: A list of values to send for this attribute. */ function setValues($type_uri, &$values) { $this->data[$type_uri] =& $values; } /** * Get the extension arguments for the key/value pairs contained * in this message. * * @param aliases: An alias mapping. Set to None if you don't care * about the aliases for this request. * * @access private */ function _getExtensionKVArgs($aliases) { if ($aliases === null) { $aliases = new Auth_OpenID_NamespaceMap(); } $ax_args = array(); foreach ($this->data as $type_uri => $values) { $alias = $aliases->add($type_uri); $ax_args['type.' . $alias] = $type_uri; $ax_args['count.' . $alias] = strval(count($values)); foreach ($values as $i => $value) { $key = sprintf('value.%s.%d', $alias, $i + 1); $ax_args[$key] = $value; } } return $ax_args; } /** * Parse attribute exchange key/value arguments into this object. * * @param ax_args: The attribute exchange fetch_response * arguments, with namespacing removed. * * @return Auth_OpenID_AX_Error or true */ function parseExtensionArgs($ax_args) { $result = $this->_checkMode($ax_args); if (Auth_OpenID_AX::isError($result)) { return $result; } $aliases = new Auth_OpenID_NamespaceMap(); foreach ($ax_args as $key => $value) { if (strpos($key, 'type.') === 0) { $type_uri = $value; $alias = substr($key, 5); $result = Auth_OpenID_AX_checkAlias($alias); if (Auth_OpenID_AX::isError($result)) { return $result; } $alias = $aliases->addAlias($type_uri, $alias); if ($alias === null) { return new Auth_OpenID_AX_Error( sprintf("Could not add alias %s for URI %s", $alias, $type_uri) ); } } } foreach ($aliases->iteritems() as $pair) { list($type_uri, $alias) = $pair; if (array_key_exists('count.' . $alias, $ax_args) && ($ax_args['count.' . $alias] !== Auth_OpenID_AX_UNLIMITED_VALUES)) { $count_key = 'count.' . $alias; $count_s = $ax_args[$count_key]; $count = Auth_OpenID::intval($count_s); if ($count === false) { return new Auth_OpenID_AX_Error( sprintf("Integer value expected for %s, got %s", 'count. %s' . $alias, $count_s, Auth_OpenID_AX_UNLIMITED_VALUES) ); } $values = array(); for ($i = 1; $i < $count + 1; $i++) { $value_key = sprintf('value.%s.%d', $alias, $i); if (!array_key_exists($value_key, $ax_args)) { return new Auth_OpenID_AX_Error( sprintf( "No value found for key %s", $value_key)); } $value = $ax_args[$value_key]; $values[] = $value; } } else { $key = 'value.' . $alias; if (!array_key_exists($key, $ax_args)) { return new Auth_OpenID_AX_Error( sprintf( "No value found for key %s", $key)); } $value = $ax_args['value.' . $alias]; if ($value == '') { $values = array(); } else { $values = array($value); } } $this->data[$type_uri] = $values; } return true; } /** * Get a single value for an attribute. If no value was sent for * this attribute, use the supplied default. If there is more than * one value for this attribute, this method will fail. * * @param type_uri: The URI for the attribute * @param default: The value to return if the attribute was not * sent in the fetch_response. * * @return $value Auth_OpenID_AX_Error on failure or the value of * the attribute in the fetch_response message, or the default * supplied */ function getSingle($type_uri, $default=null) { $values = Auth_OpenID::arrayGet($this->data, $type_uri); if (!$values) { return $default; } else if (count($values) == 1) { return $values[0]; } else { return new Auth_OpenID_AX_Error( sprintf('More than one value present for %s', $type_uri) ); } } /** * Get the list of values for this attribute in the * fetch_response. * * XXX: what to do if the values are not present? default * parameter? this is funny because it's always supposed to return * a list, so the default may break that, though it's provided by * the user's code, so it might be okay. If no default is * supplied, should the return be None or []? * * @param type_uri: The URI of the attribute * * @return $values The list of values for this attribute in the * response. May be an empty list. If the attribute was not sent * in the response, returns Auth_OpenID_AX_Error. */ function get($type_uri) { if (array_key_exists($type_uri, $this->data)) { return $this->data[$type_uri]; } else { return new Auth_OpenID_AX_Error( sprintf("Type URI %s not found in response", $type_uri) ); } } /** * Get the number of responses for a particular attribute in this * fetch_response message. * * @param type_uri: The URI of the attribute * * @returns int The number of values sent for this attribute. If * the attribute was not sent in the response, returns * Auth_OpenID_AX_Error. */ function count($type_uri) { if (array_key_exists($type_uri, $this->data)) { return count($this->get($type_uri)); } else { return new Auth_OpenID_AX_Error( sprintf("Type URI %s not found in response", $type_uri) ); } } } /** * A fetch_response attribute exchange message. * * @package OpenID */ class Auth_OpenID_AX_FetchResponse extends Auth_OpenID_AX_KeyValueMessage { var $mode = 'fetch_response'; function Auth_OpenID_AX_FetchResponse($update_url=null) { $this->Auth_OpenID_AX_KeyValueMessage(); $this->update_url = $update_url; } /** * Serialize this object into arguments in the attribute exchange * namespace * * @return $args The dictionary of unqualified attribute exchange * arguments that represent this fetch_response, or * Auth_OpenID_AX_Error on error. */ function getExtensionArgs($request=null) { $aliases = new Auth_OpenID_NamespaceMap(); $zero_value_types = array(); if ($request !== null) { // Validate the data in the context of the request (the // same attributes should be present in each, and the // counts in the response must be no more than the counts // in the request) foreach ($this->data as $type_uri => $unused) { if (!$request->contains($type_uri)) { return new Auth_OpenID_AX_Error( sprintf("Response attribute not present in request: %s", $type_uri) ); } } foreach ($request->iterAttrs() as $attr_info) { // Copy the aliases from the request so that reading // the response in light of the request is easier if ($attr_info->alias === null) { $aliases->add($attr_info->type_uri); } else { $alias = $aliases->addAlias($attr_info->type_uri, $attr_info->alias); if ($alias === null) { return new Auth_OpenID_AX_Error( sprintf("Could not add alias %s for URI %s", $attr_info->alias, $attr_info->type_uri) ); } } if (array_key_exists($attr_info->type_uri, $this->data)) { $values = $this->data[$attr_info->type_uri]; } else { $values = array(); $zero_value_types[] = $attr_info; } if (($attr_info->count != Auth_OpenID_AX_UNLIMITED_VALUES) && ($attr_info->count < count($values))) { return new Auth_OpenID_AX_Error( sprintf("More than the number of requested values " . "were specified for %s", $attr_info->type_uri) ); } } } $kv_args = $this->_getExtensionKVArgs($aliases); // Add the KV args into the response with the args that are // unique to the fetch_response $ax_args = $this->_newArgs(); // For each requested attribute, put its type/alias and count // into the response even if no data were returned. foreach ($zero_value_types as $attr_info) { $alias = $aliases->getAlias($attr_info->type_uri); $kv_args['type.' . $alias] = $attr_info->type_uri; $kv_args['count.' . $alias] = '0'; } $update_url = null; if ($request) { $update_url = $request->update_url; } else { $update_url = $this->update_url; } if ($update_url) { $ax_args['update_url'] = $update_url; } Auth_OpenID::update($ax_args, $kv_args); return $ax_args; } /** * @return $result Auth_OpenID_AX_Error on failure or true on * success. */ function parseExtensionArgs($ax_args) { $result = parent::parseExtensionArgs($ax_args); if (Auth_OpenID_AX::isError($result)) { return $result; } $this->update_url = Auth_OpenID::arrayGet($ax_args, 'update_url'); return true; } /** * Construct a FetchResponse object from an OpenID library * SuccessResponse object. * * @param success_response: A successful id_res response object * * @param signed: Whether non-signed args should be processsed. If * True (the default), only signed arguments will be processsed. * * @return $response A FetchResponse containing the data from the * OpenID message */ static function fromSuccessResponse($success_response, $signed=true) { $obj = new Auth_OpenID_AX_FetchResponse(); if ($signed) { $ax_args = $success_response->getSignedNS($obj->ns_uri); } else { $ax_args = $success_response->message->getArgs($obj->ns_uri); } if ($ax_args === null || Auth_OpenID::isFailure($ax_args) || sizeof($ax_args) == 0) { return null; } $result = $obj->parseExtensionArgs($ax_args); if (Auth_OpenID_AX::isError($result)) { #XXX log me return null; } return $obj; } } /** * A store request attribute exchange message representation. * * @package OpenID */ class Auth_OpenID_AX_StoreRequest extends Auth_OpenID_AX_KeyValueMessage { var $mode = 'store_request'; /** * @param array $aliases The namespace aliases to use when making * this store response. Leave as None to use defaults. */ function getExtensionArgs($aliases=null) { $ax_args = $this->_newArgs(); $kv_args = $this->_getExtensionKVArgs($aliases); Auth_OpenID::update($ax_args, $kv_args); return $ax_args; } } /** * An indication that the store request was processed along with this * OpenID transaction. Use make(), NOT the constructor, to create * response objects. * * @package OpenID */ class Auth_OpenID_AX_StoreResponse extends Auth_OpenID_AX_Message { var $SUCCESS_MODE = 'store_response_success'; var $FAILURE_MODE = 'store_response_failure'; /** * Returns Auth_OpenID_AX_Error on error or an * Auth_OpenID_AX_StoreResponse object on success. */ function make($succeeded=true, $error_message=null) { if (($succeeded) && ($error_message !== null)) { return new Auth_OpenID_AX_Error('An error message may only be '. 'included in a failing fetch response'); } return new Auth_OpenID_AX_StoreResponse($succeeded, $error_message); } function Auth_OpenID_AX_StoreResponse($succeeded=true, $error_message=null) { if ($succeeded) { $this->mode = $this->SUCCESS_MODE; } else { $this->mode = $this->FAILURE_MODE; } $this->error_message = $error_message; } /** * Was this response a success response? */ function succeeded() { return $this->mode == $this->SUCCESS_MODE; } function getExtensionArgs() { $ax_args = $this->_newArgs(); if ((!$this->succeeded()) && $this->error_message) { $ax_args['error'] = $this->error_message; } return $ax_args; } } wordpress-openid-3.4.1/lib/Auth/OpenID/Association.php000077500000000000000000000436261265347743100226270ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * @access private */ require_once 'Auth/OpenID/CryptUtil.php'; /** * @access private */ require_once 'Auth/OpenID/KVForm.php'; /** * @access private */ require_once 'Auth/OpenID/HMAC.php'; /** * This class represents an association between a server and a * consumer. In general, users of this library will never see * instances of this object. The only exception is if you implement a * custom {@link Auth_OpenID_OpenIDStore}. * * If you do implement such a store, it will need to store the values * of the handle, secret, issued, lifetime, and assoc_type instance * variables. * * @package OpenID */ class Auth_OpenID_Association { /** * This is a HMAC-SHA1 specific value. * * @access private */ var $SIG_LENGTH = 20; /** * The ordering and name of keys as stored by serialize. * * @access private */ var $assoc_keys = array( 'version', 'handle', 'secret', 'issued', 'lifetime', 'assoc_type' ); var $_macs = array( 'HMAC-SHA1' => 'Auth_OpenID_HMACSHA1', 'HMAC-SHA256' => 'Auth_OpenID_HMACSHA256' ); /** * This is an alternate constructor (factory method) used by the * OpenID consumer library to create associations. OpenID store * implementations shouldn't use this constructor. * * @access private * * @param integer $expires_in This is the amount of time this * association is good for, measured in seconds since the * association was issued. * * @param string $handle This is the handle the server gave this * association. * * @param string secret This is the shared secret the server * generated for this association. * * @param assoc_type This is the type of association this * instance represents. The only valid values of this field at * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may * be defined in the future. * * @return association An {@link Auth_OpenID_Association} * instance. */ static function fromExpiresIn($expires_in, $handle, $secret, $assoc_type) { $issued = time(); $lifetime = $expires_in; return new Auth_OpenID_Association($handle, $secret, $issued, $lifetime, $assoc_type); } /** * This is the standard constructor for creating an association. * The library should create all of the necessary associations, so * this constructor is not part of the external API. * * @access private * * @param string $handle This is the handle the server gave this * association. * * @param string $secret This is the shared secret the server * generated for this association. * * @param integer $issued This is the time this association was * issued, in seconds since 00:00 GMT, January 1, 1970. (ie, a * unix timestamp) * * @param integer $lifetime This is the amount of time this * association is good for, measured in seconds since the * association was issued. * * @param string $assoc_type This is the type of association this * instance represents. The only valid values of this field at * this time is 'HMAC-SHA1' and 'HMAC-SHA256', but new types may * be defined in the future. */ function Auth_OpenID_Association( $handle, $secret, $issued, $lifetime, $assoc_type) { if (!in_array($assoc_type, Auth_OpenID_getSupportedAssociationTypes(), true)) { $fmt = 'Unsupported association type (%s)'; trigger_error(sprintf($fmt, $assoc_type), E_USER_ERROR); } $this->handle = $handle; $this->secret = $secret; $this->issued = $issued; $this->lifetime = $lifetime; $this->assoc_type = $assoc_type; } /** * This returns the number of seconds this association is still * valid for, or 0 if the association is no longer valid. * * @return integer $seconds The number of seconds this association * is still valid for, or 0 if the association is no longer valid. */ function getExpiresIn($now = null) { if ($now == null) { $now = time(); } return max(0, $this->issued + $this->lifetime - $now); } /** * This checks to see if two {@link Auth_OpenID_Association} * instances represent the same association. * * @return bool $result true if the two instances represent the * same association, false otherwise. */ function equal($other) { return ((gettype($this) == gettype($other)) && ($this->handle == $other->handle) && ($this->secret == $other->secret) && ($this->issued == $other->issued) && ($this->lifetime == $other->lifetime) && ($this->assoc_type == $other->assoc_type)); } /** * Convert an association to KV form. * * @return string $result String in KV form suitable for * deserialization by deserialize. */ function serialize() { $data = array( 'version' => '2', 'handle' => $this->handle, 'secret' => base64_encode($this->secret), 'issued' => strval(intval($this->issued)), 'lifetime' => strval(intval($this->lifetime)), 'assoc_type' => $this->assoc_type ); assert(array_keys($data) == $this->assoc_keys); return Auth_OpenID_KVForm::fromArray($data, $strict = true); } /** * Parse an association as stored by serialize(). This is the * inverse of serialize. * * @param string $assoc_s Association as serialized by serialize() * @return Auth_OpenID_Association $result instance of this class */ static function deserialize($class_name, $assoc_s) { $pairs = Auth_OpenID_KVForm::toArray($assoc_s, $strict = true); $keys = array(); $values = array(); foreach ($pairs as $key => $value) { if (is_array($value)) { list($key, $value) = $value; } $keys[] = $key; $values[] = $value; } $class_vars = get_class_vars($class_name); $class_assoc_keys = $class_vars['assoc_keys']; sort($keys); sort($class_assoc_keys); if ($keys != $class_assoc_keys) { trigger_error('Unexpected key values: ' . var_export($keys, true), E_USER_WARNING); return null; } $version = $pairs['version']; $handle = $pairs['handle']; $secret = $pairs['secret']; $issued = $pairs['issued']; $lifetime = $pairs['lifetime']; $assoc_type = $pairs['assoc_type']; if ($version != '2') { trigger_error('Unknown version: ' . $version, E_USER_WARNING); return null; } $issued = intval($issued); $lifetime = intval($lifetime); $secret = base64_decode($secret); return new $class_name( $handle, $secret, $issued, $lifetime, $assoc_type); } /** * Generate a signature for a sequence of (key, value) pairs * * @access private * @param array $pairs The pairs to sign, in order. This is an * array of two-tuples. * @return string $signature The binary signature of this sequence * of pairs */ function sign($pairs) { $kv = Auth_OpenID_KVForm::fromArray($pairs); /* Invalid association types should be caught at constructor */ $callback = $this->_macs[$this->assoc_type]; return call_user_func_array($callback, array($this->secret, $kv)); } /** * Generate a signature for some fields in a dictionary * * @access private * @param array $fields The fields to sign, in order; this is an * array of strings. * @param array $data Dictionary of values to sign (an array of * string => string pairs). * @return string $signature The signature, base64 encoded */ function signMessage($message) { if ($message->hasKey(Auth_OpenID_OPENID_NS, 'sig') || $message->hasKey(Auth_OpenID_OPENID_NS, 'signed')) { // Already has a sig return null; } $extant_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle'); if ($extant_handle && ($extant_handle != $this->handle)) { // raise ValueError("Message has a different association handle") return null; } $signed_message = $message; $signed_message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', $this->handle); $message_keys = array_keys($signed_message->toPostArgs()); $signed_list = array(); $signed_prefix = 'openid.'; foreach ($message_keys as $k) { if (strpos($k, $signed_prefix) === 0) { $signed_list[] = substr($k, strlen($signed_prefix)); } } $signed_list[] = 'signed'; sort($signed_list); $signed_message->setArg(Auth_OpenID_OPENID_NS, 'signed', implode(',', $signed_list)); $sig = $this->getMessageSignature($signed_message); $signed_message->setArg(Auth_OpenID_OPENID_NS, 'sig', $sig); return $signed_message; } /** * Given a {@link Auth_OpenID_Message}, return the key/value pairs * to be signed according to the signed list in the message. If * the message lacks a signed list, return null. * * @access private */ function _makePairs($message) { $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); if (!$signed || Auth_OpenID::isFailure($signed)) { // raise ValueError('Message has no signed list: %s' % (message,)) return null; } $signed_list = explode(',', $signed); $pairs = array(); $data = $message->toPostArgs(); foreach ($signed_list as $field) { $pairs[] = array($field, Auth_OpenID::arrayGet($data, 'openid.' . $field, '')); } return $pairs; } /** * Given an {@link Auth_OpenID_Message}, return the signature for * the signed list in the message. * * @access private */ function getMessageSignature($message) { $pairs = $this->_makePairs($message); return base64_encode($this->sign($pairs)); } /** * Confirm that the signature of these fields matches the * signature contained in the data. * * @access private */ function checkMessageSignature($message) { $sig = $message->getArg(Auth_OpenID_OPENID_NS, 'sig'); if (!$sig || Auth_OpenID::isFailure($sig)) { return false; } $calculated_sig = $this->getMessageSignature($message); return Auth_OpenID_CryptUtil::constEq($calculated_sig, $sig); } } function Auth_OpenID_getSecretSize($assoc_type) { if ($assoc_type == 'HMAC-SHA1') { return 20; } else if ($assoc_type == 'HMAC-SHA256') { return 32; } else { return null; } } function Auth_OpenID_getAllAssociationTypes() { return array('HMAC-SHA1', 'HMAC-SHA256'); } function Auth_OpenID_getSupportedAssociationTypes() { $a = array('HMAC-SHA1'); if (Auth_OpenID_HMACSHA256_SUPPORTED) { $a[] = 'HMAC-SHA256'; } return $a; } function Auth_OpenID_getSessionTypes($assoc_type) { $assoc_to_session = array( 'HMAC-SHA1' => array('DH-SHA1', 'no-encryption')); if (Auth_OpenID_HMACSHA256_SUPPORTED) { $assoc_to_session['HMAC-SHA256'] = array('DH-SHA256', 'no-encryption'); } return Auth_OpenID::arrayGet($assoc_to_session, $assoc_type, array()); } function Auth_OpenID_checkSessionType($assoc_type, $session_type) { if (!in_array($session_type, Auth_OpenID_getSessionTypes($assoc_type))) { return false; } return true; } function Auth_OpenID_getDefaultAssociationOrder() { $order = array(); if (!Auth_OpenID_noMathSupport()) { $order[] = array('HMAC-SHA1', 'DH-SHA1'); if (Auth_OpenID_HMACSHA256_SUPPORTED) { $order[] = array('HMAC-SHA256', 'DH-SHA256'); } } $order[] = array('HMAC-SHA1', 'no-encryption'); if (Auth_OpenID_HMACSHA256_SUPPORTED) { $order[] = array('HMAC-SHA256', 'no-encryption'); } return $order; } function Auth_OpenID_getOnlyEncryptedOrder() { $result = array(); foreach (Auth_OpenID_getDefaultAssociationOrder() as $pair) { list($assoc, $session) = $pair; if ($session != 'no-encryption') { if (Auth_OpenID_HMACSHA256_SUPPORTED && ($assoc == 'HMAC-SHA256')) { $result[] = $pair; } else if ($assoc != 'HMAC-SHA256') { $result[] = $pair; } } } return $result; } function Auth_OpenID_getDefaultNegotiator() { return new Auth_OpenID_SessionNegotiator( Auth_OpenID_getDefaultAssociationOrder()); } function Auth_OpenID_getEncryptedNegotiator() { return new Auth_OpenID_SessionNegotiator( Auth_OpenID_getOnlyEncryptedOrder()); } /** * A session negotiator controls the allowed and preferred association * types and association session types. Both the {@link * Auth_OpenID_Consumer} and {@link Auth_OpenID_Server} use * negotiators when creating associations. * * You can create and use negotiators if you: * - Do not want to do Diffie-Hellman key exchange because you use * transport-layer encryption (e.g. SSL) * * - Want to use only SHA-256 associations * * - Do not want to support plain-text associations over a non-secure * channel * * It is up to you to set a policy for what kinds of associations to * accept. By default, the library will make any kind of association * that is allowed in the OpenID 2.0 specification. * * Use of negotiators in the library * ================================= * * When a consumer makes an association request, it calls {@link * getAllowedType} to get the preferred association type and * association session type. * * The server gets a request for a particular association/session type * and calls {@link isAllowed} to determine if it should create an * association. If it is supported, negotiation is complete. If it is * not, the server calls {@link getAllowedType} to get an allowed * association type to return to the consumer. * * If the consumer gets an error response indicating that the * requested association/session type is not supported by the server * that contains an assocation/session type to try, it calls {@link * isAllowed} to determine if it should try again with the given * combination of association/session type. * * @package OpenID */ class Auth_OpenID_SessionNegotiator { function Auth_OpenID_SessionNegotiator($allowed_types) { $this->allowed_types = array(); $this->setAllowedTypes($allowed_types); } /** * Set the allowed association types, checking to make sure each * combination is valid. * * @access private */ function setAllowedTypes($allowed_types) { foreach ($allowed_types as $pair) { list($assoc_type, $session_type) = $pair; if (!Auth_OpenID_checkSessionType($assoc_type, $session_type)) { return false; } } $this->allowed_types = $allowed_types; return true; } /** * Add an association type and session type to the allowed types * list. The assocation/session pairs are tried in the order that * they are added. * * @access private */ function addAllowedType($assoc_type, $session_type = null) { if ($this->allowed_types === null) { $this->allowed_types = array(); } if ($session_type === null) { $available = Auth_OpenID_getSessionTypes($assoc_type); if (!$available) { return false; } foreach ($available as $session_type) { $this->addAllowedType($assoc_type, $session_type); } } else { if (Auth_OpenID_checkSessionType($assoc_type, $session_type)) { $this->allowed_types[] = array($assoc_type, $session_type); } else { return false; } } return true; } // Is this combination of association type and session type allowed? function isAllowed($assoc_type, $session_type) { $assoc_good = in_array(array($assoc_type, $session_type), $this->allowed_types); $matches = in_array($session_type, Auth_OpenID_getSessionTypes($assoc_type)); return ($assoc_good && $matches); } /** * Get a pair of assocation type and session type that are * supported. */ function getAllowedType() { if (!$this->allowed_types) { return array(null, null); } return $this->allowed_types[0]; } } wordpress-openid-3.4.1/lib/Auth/OpenID/BigMath.php000077500000000000000000000261721265347743100216630ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * Needed for random number generation */ require_once 'Auth/OpenID/CryptUtil.php'; /** * Need Auth_OpenID::bytes(). */ require_once 'Auth/OpenID.php'; /** * The superclass of all big-integer math implementations * @access private * @package OpenID */ class Auth_OpenID_MathLibrary { /** * Given a long integer, returns the number converted to a binary * string. This function accepts long integer values of arbitrary * magnitude and uses the local large-number math library when * available. * * @param integer $long The long number (can be a normal PHP * integer or a number created by one of the available long number * libraries) * @return string $binary The binary version of $long */ function longToBinary($long) { $cmp = $this->cmp($long, 0); if ($cmp < 0) { $msg = __FUNCTION__ . " takes only positive integers."; trigger_error($msg, E_USER_ERROR); return null; } if ($cmp == 0) { return "\x00"; } $bytes = array(); while ($this->cmp($long, 0) > 0) { array_unshift($bytes, $this->mod($long, 256)); $long = $this->div($long, pow(2, 8)); } if ($bytes && ($bytes[0] > 127)) { array_unshift($bytes, 0); } $string = ''; foreach ($bytes as $byte) { $string .= pack('C', $byte); } return $string; } /** * Given a binary string, returns the binary string converted to a * long number. * * @param string $binary The binary version of a long number, * probably as a result of calling longToBinary * @return integer $long The long number equivalent of the binary * string $str */ function binaryToLong($str) { if ($str === null) { return null; } // Use array_merge to return a zero-indexed array instead of a // one-indexed array. $bytes = array_merge(unpack('C*', $str)); $n = $this->init(0); if ($bytes && ($bytes[0] > 127)) { trigger_error("bytesToNum works only for positive integers.", E_USER_WARNING); return null; } foreach ($bytes as $byte) { $n = $this->mul($n, pow(2, 8)); $n = $this->add($n, $byte); } return $n; } function base64ToLong($str) { $b64 = base64_decode($str); if ($b64 === false) { return false; } return $this->binaryToLong($b64); } function longToBase64($str) { return base64_encode($this->longToBinary($str)); } /** * Returns a random number in the specified range. This function * accepts $start, $stop, and $step values of arbitrary magnitude * and will utilize the local large-number math library when * available. * * @param integer $start The start of the range, or the minimum * random number to return * @param integer $stop The end of the range, or the maximum * random number to return * @param integer $step The step size, such that $result - ($step * * N) = $start for some N * @return integer $result The resulting randomly-generated number */ function rand($stop) { static $duplicate_cache = array(); // Used as the key for the duplicate cache $rbytes = $this->longToBinary($stop); if (array_key_exists($rbytes, $duplicate_cache)) { list($duplicate, $nbytes) = $duplicate_cache[$rbytes]; } else { if ($rbytes[0] == "\x00") { $nbytes = Auth_OpenID::bytes($rbytes) - 1; } else { $nbytes = Auth_OpenID::bytes($rbytes); } $mxrand = $this->pow(256, $nbytes); // If we get a number less than this, then it is in the // duplicated range. $duplicate = $this->mod($mxrand, $stop); if (count($duplicate_cache) > 10) { $duplicate_cache = array(); } $duplicate_cache[$rbytes] = array($duplicate, $nbytes); } do { $bytes = "\x00" . Auth_OpenID_CryptUtil::getBytes($nbytes); $n = $this->binaryToLong($bytes); // Keep looping if this value is in the low duplicated range } while ($this->cmp($n, $duplicate) < 0); return $this->mod($n, $stop); } } /** * Exposes BCmath math library functionality. * * {@link Auth_OpenID_BcMathWrapper} wraps the functionality provided * by the BCMath extension. * * @access private * @package OpenID */ class Auth_OpenID_BcMathWrapper extends Auth_OpenID_MathLibrary{ var $type = 'bcmath'; function add($x, $y) { return bcadd($x, $y); } function sub($x, $y) { return bcsub($x, $y); } function pow($base, $exponent) { return bcpow($base, $exponent); } function cmp($x, $y) { return bccomp($x, $y); } function init($number, $base = 10) { return $number; } function mod($base, $modulus) { return bcmod($base, $modulus); } function mul($x, $y) { return bcmul($x, $y); } function div($x, $y) { return bcdiv($x, $y); } /** * Same as bcpowmod when bcpowmod is missing * * @access private */ function _powmod($base, $exponent, $modulus) { $square = $this->mod($base, $modulus); $result = 1; while($this->cmp($exponent, 0) > 0) { if ($this->mod($exponent, 2)) { $result = $this->mod($this->mul($result, $square), $modulus); } $square = $this->mod($this->mul($square, $square), $modulus); $exponent = $this->div($exponent, 2); } return $result; } function powmod($base, $exponent, $modulus) { if (function_exists('bcpowmod')) { return bcpowmod($base, $exponent, $modulus); } else { return $this->_powmod($base, $exponent, $modulus); } } function toString($num) { return $num; } } /** * Exposes GMP math library functionality. * * {@link Auth_OpenID_GmpMathWrapper} wraps the functionality provided * by the GMP extension. * * @access private * @package OpenID */ class Auth_OpenID_GmpMathWrapper extends Auth_OpenID_MathLibrary{ var $type = 'gmp'; function add($x, $y) { return gmp_add($x, $y); } function sub($x, $y) { return gmp_sub($x, $y); } function pow($base, $exponent) { return gmp_pow($base, $exponent); } function cmp($x, $y) { return gmp_cmp($x, $y); } function init($number, $base = 10) { return gmp_init($number, $base); } function mod($base, $modulus) { return gmp_mod($base, $modulus); } function mul($x, $y) { return gmp_mul($x, $y); } function div($x, $y) { return gmp_div_q($x, $y); } function powmod($base, $exponent, $modulus) { return gmp_powm($base, $exponent, $modulus); } function toString($num) { return gmp_strval($num); } } /** * Define the supported extensions. An extension array has keys * 'modules', 'extension', and 'class'. 'modules' is an array of PHP * module names which the loading code will attempt to load. These * values will be suffixed with a library file extension (e.g. ".so"). * 'extension' is the name of a PHP extension which will be tested * before 'modules' are loaded. 'class' is the string name of a * {@link Auth_OpenID_MathWrapper} subclass which should be * instantiated if a given extension is present. * * You can define new math library implementations and add them to * this array. */ function Auth_OpenID_math_extensions() { $result = array(); if (!defined('Auth_OpenID_BUGGY_GMP')) { $result[] = array('modules' => array('gmp', 'php_gmp'), 'extension' => 'gmp', 'class' => 'Auth_OpenID_GmpMathWrapper'); } $result[] = array('modules' => array('bcmath', 'php_bcmath'), 'extension' => 'bcmath', 'class' => 'Auth_OpenID_BcMathWrapper'); return $result; } /** * Detect which (if any) math library is available */ function Auth_OpenID_detectMathLibrary($exts) { $loaded = false; foreach ($exts as $extension) { if (extension_loaded($extension['extension'])) { return $extension; } } return false; } /** * {@link Auth_OpenID_getMathLib} checks for the presence of long * number extension modules and returns an instance of * {@link Auth_OpenID_MathWrapper} which exposes the module's * functionality. * * Checks for the existence of an extension module described by the * result of {@link Auth_OpenID_math_extensions()} and returns an * instance of a wrapper for that extension module. If no extension * module is found, an instance of {@link Auth_OpenID_MathWrapper} is * returned, which wraps the native PHP integer implementation. The * proper calling convention for this method is $lib = * Auth_OpenID_getMathLib(). * * This function checks for the existence of specific long number * implementations in the following order: GMP followed by BCmath. * * @return Auth_OpenID_MathWrapper $instance An instance of * {@link Auth_OpenID_MathWrapper} or one of its subclasses * * @package OpenID */ function Auth_OpenID_getMathLib() { // The instance of Auth_OpenID_MathWrapper that we choose to // supply will be stored here, so that subseqent calls to this // method will return a reference to the same object. static $lib = null; if (isset($lib)) { return $lib; } if (Auth_OpenID_noMathSupport()) { $null = null; return $null; } // If this method has not been called before, look at // Auth_OpenID_math_extensions and try to find an extension that // works. $ext = Auth_OpenID_detectMathLibrary(Auth_OpenID_math_extensions()); if ($ext === false) { $tried = array(); foreach (Auth_OpenID_math_extensions() as $extinfo) { $tried[] = $extinfo['extension']; } $triedstr = implode(", ", $tried); Auth_OpenID_setNoMathSupport(); $result = null; return $result; } // Instantiate a new wrapper $class = $ext['class']; $lib = new $class(); return $lib; } function Auth_OpenID_setNoMathSupport() { if (!defined('Auth_OpenID_NO_MATH_SUPPORT')) { define('Auth_OpenID_NO_MATH_SUPPORT', true); } } function Auth_OpenID_noMathSupport() { return defined('Auth_OpenID_NO_MATH_SUPPORT'); } wordpress-openid-3.4.1/lib/Auth/OpenID/Consumer.php000077500000000000000000002321371265347743100221430ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * Require utility classes and functions for the consumer. */ require_once "Auth/OpenID.php"; require_once "Auth/OpenID/Message.php"; require_once "Auth/OpenID/HMAC.php"; require_once "Auth/OpenID/Association.php"; require_once "Auth/OpenID/CryptUtil.php"; require_once "Auth/OpenID/DiffieHellman.php"; require_once "Auth/OpenID/KVForm.php"; require_once "Auth/OpenID/Nonce.php"; require_once "Auth/OpenID/Discover.php"; require_once "Auth/OpenID/URINorm.php"; require_once "Auth/Yadis/Manager.php"; require_once "Auth/Yadis/XRI.php"; /** * This is the status code returned when the complete method returns * successfully. */ define('Auth_OpenID_SUCCESS', 'success'); /** * Status to indicate cancellation of OpenID authentication. */ define('Auth_OpenID_CANCEL', 'cancel'); /** * This is the status code completeAuth returns when the value it * received indicated an invalid login. */ define('Auth_OpenID_FAILURE', 'failure'); /** * This is the status code completeAuth returns when the * {@link Auth_OpenID_Consumer} instance is in immediate mode, and the * identity server sends back a URL to send the user to to complete his * or her login. */ define('Auth_OpenID_SETUP_NEEDED', 'setup needed'); /** * This is the status code beginAuth returns when the page fetched * from the entered OpenID URL doesn't contain the necessary link tags * to function as an identity page. */ define('Auth_OpenID_PARSE_ERROR', 'parse error'); /** * An OpenID consumer implementation that performs discovery and does * session management. See the Consumer.php file documentation for * more information. * * @package OpenID */ class Auth_OpenID_Consumer { /** * @access private */ var $discoverMethod = 'Auth_OpenID_discover'; /** * @access private */ var $session_key_prefix = "_openid_consumer_"; /** * @access private */ var $_token_suffix = "last_token"; /** * Initialize a Consumer instance. * * You should create a new instance of the Consumer object with * every HTTP request that handles OpenID transactions. * * @param Auth_OpenID_OpenIDStore $store This must be an object * that implements the interface in {@link * Auth_OpenID_OpenIDStore}. Several concrete implementations are * provided, to cover most common use cases. For stores backed by * MySQL, PostgreSQL, or SQLite, see the {@link * Auth_OpenID_SQLStore} class and its sublcasses. For a * filesystem-backed store, see the {@link Auth_OpenID_FileStore} * module. As a last resort, if it isn't possible for the server * to store state at all, an instance of {@link * Auth_OpenID_DumbStore} can be used. * * @param mixed $session An object which implements the interface * of the {@link Auth_Yadis_PHPSession} class. Particularly, this * object is expected to have these methods: get($key), set($key), * $value), and del($key). This defaults to a session object * which wraps PHP's native session machinery. You should only * need to pass something here if you have your own sessioning * implementation. * * @param str $consumer_cls The name of the class to instantiate * when creating the internal consumer object. This is used for * testing. */ function Auth_OpenID_Consumer($store, $session = null, $consumer_cls = null) { if ($session === null) { $session = new Auth_Yadis_PHPSession(); } $this->session = $session; if ($consumer_cls !== null) { $this->consumer = new $consumer_cls($store); } else { $this->consumer = new Auth_OpenID_GenericConsumer($store); } $this->_token_key = $this->session_key_prefix . $this->_token_suffix; } /** * Used in testing to define the discovery mechanism. * * @access private */ function getDiscoveryObject($session, $openid_url, $session_key_prefix) { return new Auth_Yadis_Discovery($session, $openid_url, $session_key_prefix); } /** * Start the OpenID authentication process. See steps 1-2 in the * overview at the top of this file. * * @param string $user_url Identity URL given by the user. This * method performs a textual transformation of the URL to try and * make sure it is normalized. For example, a user_url of * example.com will be normalized to http://example.com/ * normalizing and resolving any redirects the server might issue. * * @param bool $anonymous True if the OpenID request is to be sent * to the server without any identifier information. Use this * when you want to transport data but don't want to do OpenID * authentication with identifiers. * * @return Auth_OpenID_AuthRequest $auth_request An object * containing the discovered information will be returned, with a * method for building a redirect URL to the server, as described * in step 3 of the overview. This object may also be used to add * extension arguments to the request, using its 'addExtensionArg' * method. */ function begin($user_url, $anonymous=false) { $openid_url = $user_url; $disco = $this->getDiscoveryObject($this->session, $openid_url, $this->session_key_prefix); // Set the 'stale' attribute of the manager. If discovery // fails in a fatal way, the stale flag will cause the manager // to be cleaned up next time discovery is attempted. $m = $disco->getManager(); $loader = new Auth_Yadis_ManagerLoader(); if ($m) { if ($m->stale) { $disco->destroyManager(); } else { $m->stale = true; $disco->session->set($disco->session_key, serialize($loader->toSession($m))); } } $endpoint = $disco->getNextService($this->discoverMethod, $this->consumer->fetcher); // Reset the 'stale' attribute of the manager. $m = $disco->getManager(); if ($m) { $m->stale = false; $disco->session->set($disco->session_key, serialize($loader->toSession($m))); } if ($endpoint === null) { return null; } else { return $this->beginWithoutDiscovery($endpoint, $anonymous); } } /** * Start OpenID verification without doing OpenID server * discovery. This method is used internally by Consumer.begin * after discovery is performed, and exists to provide an * interface for library users needing to perform their own * discovery. * * @param Auth_OpenID_ServiceEndpoint $endpoint an OpenID service * endpoint descriptor. * * @param bool anonymous Set to true if you want to perform OpenID * without identifiers. * * @return Auth_OpenID_AuthRequest $auth_request An OpenID * authentication request object. */ function beginWithoutDiscovery($endpoint, $anonymous=false) { $loader = new Auth_OpenID_ServiceEndpointLoader(); $auth_req = $this->consumer->begin($endpoint); $this->session->set($this->_token_key, $loader->toSession($auth_req->endpoint)); if (!$auth_req->setAnonymous($anonymous)) { return new Auth_OpenID_FailureResponse(null, "OpenID 1 requests MUST include the identifier " . "in the request."); } return $auth_req; } /** * Called to interpret the server's response to an OpenID * request. It is called in step 4 of the flow described in the * consumer overview. * * @param string $current_url The URL used to invoke the application. * Extract the URL from your application's web * request framework and specify it here to have it checked * against the openid.current_url value in the response. If * the current_url URL check fails, the status of the * completion will be FAILURE. * * @param array $query An array of the query parameters (key => * value pairs) for this HTTP request. Defaults to null. If * null, the GET or POST data are automatically gotten from the * PHP environment. It is only useful to override $query for * testing. * * @return Auth_OpenID_ConsumerResponse $response A instance of an * Auth_OpenID_ConsumerResponse subclass. The type of response is * indicated by the status attribute, which will be one of * SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. */ function complete($current_url, $query=null) { if ($current_url && !is_string($current_url)) { // This is ugly, but we need to complain loudly when // someone uses the API incorrectly. trigger_error("current_url must be a string; see NEWS file " . "for upgrading notes.", E_USER_ERROR); } if ($query === null) { $query = Auth_OpenID::getQuery(); } $loader = new Auth_OpenID_ServiceEndpointLoader(); $endpoint_data = $this->session->get($this->_token_key); $endpoint = $loader->fromSession($endpoint_data); $message = Auth_OpenID_Message::fromPostArgs($query); $response = $this->consumer->complete($message, $endpoint, $current_url); $this->session->del($this->_token_key); if (in_array($response->status, array(Auth_OpenID_SUCCESS, Auth_OpenID_CANCEL))) { if ($response->identity_url !== null) { $disco = $this->getDiscoveryObject($this->session, $response->identity_url, $this->session_key_prefix); $disco->cleanup(true); } } return $response; } } /** * A class implementing HMAC/DH-SHA1 consumer sessions. * * @package OpenID */ class Auth_OpenID_DiffieHellmanSHA1ConsumerSession { var $session_type = 'DH-SHA1'; var $hash_func = 'Auth_OpenID_SHA1'; var $secret_size = 20; var $allowed_assoc_types = array('HMAC-SHA1'); function Auth_OpenID_DiffieHellmanSHA1ConsumerSession($dh = null) { if ($dh === null) { $dh = new Auth_OpenID_DiffieHellman(); } $this->dh = $dh; } function getRequest() { $math = Auth_OpenID_getMathLib(); $cpub = $math->longToBase64($this->dh->public); $args = array('dh_consumer_public' => $cpub); if (!$this->dh->usingDefaultValues()) { $args = array_merge($args, array( 'dh_modulus' => $math->longToBase64($this->dh->mod), 'dh_gen' => $math->longToBase64($this->dh->gen))); } return $args; } function extractSecret($response) { if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'dh_server_public')) { return null; } if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'enc_mac_key')) { return null; } $math = Auth_OpenID_getMathLib(); $spub = $math->base64ToLong($response->getArg(Auth_OpenID_OPENID_NS, 'dh_server_public')); $enc_mac_key = base64_decode($response->getArg(Auth_OpenID_OPENID_NS, 'enc_mac_key')); return $this->dh->xorSecret($spub, $enc_mac_key, $this->hash_func); } } /** * A class implementing HMAC/DH-SHA256 consumer sessions. * * @package OpenID */ class Auth_OpenID_DiffieHellmanSHA256ConsumerSession extends Auth_OpenID_DiffieHellmanSHA1ConsumerSession { var $session_type = 'DH-SHA256'; var $hash_func = 'Auth_OpenID_SHA256'; var $secret_size = 32; var $allowed_assoc_types = array('HMAC-SHA256'); } /** * A class implementing plaintext consumer sessions. * * @package OpenID */ class Auth_OpenID_PlainTextConsumerSession { var $session_type = 'no-encryption'; var $allowed_assoc_types = array('HMAC-SHA1', 'HMAC-SHA256'); function getRequest() { return array(); } function extractSecret($response) { if (!$response->hasKey(Auth_OpenID_OPENID_NS, 'mac_key')) { return null; } return base64_decode($response->getArg(Auth_OpenID_OPENID_NS, 'mac_key')); } } /** * Returns available session types. */ function Auth_OpenID_getAvailableSessionTypes() { $types = array( 'no-encryption' => 'Auth_OpenID_PlainTextConsumerSession', 'DH-SHA1' => 'Auth_OpenID_DiffieHellmanSHA1ConsumerSession', 'DH-SHA256' => 'Auth_OpenID_DiffieHellmanSHA256ConsumerSession'); return $types; } /** * This class is the interface to the OpenID consumer logic. * Instances of it maintain no per-request state, so they can be * reused (or even used by multiple threads concurrently) as needed. * * @package OpenID */ class Auth_OpenID_GenericConsumer { /** * @access private */ var $discoverMethod = 'Auth_OpenID_discover'; /** * This consumer's store object. */ var $store; /** * @access private */ var $_use_assocs; /** * @access private */ var $openid1_nonce_query_arg_name = 'janrain_nonce'; /** * Another query parameter that gets added to the return_to for * OpenID 1; if the user's session state is lost, use this claimed * identifier to do discovery when verifying the response. */ var $openid1_return_to_identifier_name = 'openid1_claimed_id'; /** * This method initializes a new {@link Auth_OpenID_Consumer} * instance to access the library. * * @param Auth_OpenID_OpenIDStore $store This must be an object * that implements the interface in {@link Auth_OpenID_OpenIDStore}. * Several concrete implementations are provided, to cover most common use * cases. For stores backed by MySQL, PostgreSQL, or SQLite, see * the {@link Auth_OpenID_SQLStore} class and its sublcasses. For a * filesystem-backed store, see the {@link Auth_OpenID_FileStore} module. * As a last resort, if it isn't possible for the server to store * state at all, an instance of {@link Auth_OpenID_DumbStore} can be used. * * @param bool $immediate This is an optional boolean value. It * controls whether the library uses immediate mode, as explained * in the module description. The default value is False, which * disables immediate mode. */ function Auth_OpenID_GenericConsumer($store) { $this->store = $store; $this->negotiator = Auth_OpenID_getDefaultNegotiator(); $this->_use_assocs = (is_null($this->store) ? false : true); if (get_class($this->store) == "Auth_OpenID_DumbStore") { $this->_use_assocs = false; } $this->fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); $this->session_types = Auth_OpenID_getAvailableSessionTypes(); } /** * Called to begin OpenID authentication using the specified * {@link Auth_OpenID_ServiceEndpoint}. * * @access private */ function begin($service_endpoint) { $assoc = $this->_getAssociation($service_endpoint); $r = new Auth_OpenID_AuthRequest($service_endpoint, $assoc); $r->return_to_args[$this->openid1_nonce_query_arg_name] = Auth_OpenID_mkNonce(); if ($r->message->isOpenID1()) { $r->return_to_args[$this->openid1_return_to_identifier_name] = $r->endpoint->claimed_id; } return $r; } /** * Given an {@link Auth_OpenID_Message}, {@link * Auth_OpenID_ServiceEndpoint} and optional return_to URL, * complete OpenID authentication. * * @access private */ function complete($message, $endpoint, $return_to) { $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', ''); $mode_methods = array( 'cancel' => '_complete_cancel', 'error' => '_complete_error', 'setup_needed' => '_complete_setup_needed', 'id_res' => '_complete_id_res', ); $method = Auth_OpenID::arrayGet($mode_methods, $mode, '_completeInvalid'); return call_user_func_array(array($this, $method), array($message, $endpoint, $return_to)); } /** * @access private */ function _completeInvalid($message, $endpoint, $unused) { $mode = $message->getArg(Auth_OpenID_OPENID_NS, 'mode', ''); return new Auth_OpenID_FailureResponse($endpoint, sprintf("Invalid openid.mode '%s'", $mode)); } /** * @access private */ function _complete_cancel($message, $endpoint, $unused) { return new Auth_OpenID_CancelResponse($endpoint); } /** * @access private */ function _complete_error($message, $endpoint, $unused) { $error = $message->getArg(Auth_OpenID_OPENID_NS, 'error'); $contact = $message->getArg(Auth_OpenID_OPENID_NS, 'contact'); $reference = $message->getArg(Auth_OpenID_OPENID_NS, 'reference'); return new Auth_OpenID_FailureResponse($endpoint, $error, $contact, $reference); } /** * @access private */ function _complete_setup_needed($message, $endpoint, $unused) { if (!$message->isOpenID2()) { return $this->_completeInvalid($message, $endpoint); } $user_setup_url = $message->getArg(Auth_OpenID_OPENID2_NS, 'user_setup_url'); return new Auth_OpenID_SetupNeededResponse($endpoint, $user_setup_url); } /** * @access private */ function _complete_id_res($message, $endpoint, $return_to) { $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, 'user_setup_url'); if ($this->_checkSetupNeeded($message)) { return new Auth_OpenID_SetupNeededResponse( $endpoint, $user_setup_url); } else { return $this->_doIdRes($message, $endpoint, $return_to); } } /** * @access private */ function _checkSetupNeeded($message) { // In OpenID 1, we check to see if this is a cancel from // immediate mode by the presence of the user_setup_url // parameter. if ($message->isOpenID1()) { $user_setup_url = $message->getArg(Auth_OpenID_OPENID1_NS, 'user_setup_url'); if ($user_setup_url !== null) { return true; } } return false; } /** * @access private */ function _doIdRes($message, $endpoint, $return_to) { // Checks for presence of appropriate fields (and checks // signed list fields) $result = $this->_idResCheckForFields($message); if (Auth_OpenID::isFailure($result)) { return $result; } if (!$this->_checkReturnTo($message, $return_to)) { return new Auth_OpenID_FailureResponse(null, sprintf("return_to does not match return URL. Expected %s, got %s", $return_to, $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'))); } // Verify discovery information: $result = $this->_verifyDiscoveryResults($message, $endpoint); if (Auth_OpenID::isFailure($result)) { return $result; } $endpoint = $result; $result = $this->_idResCheckSignature($message, $endpoint->server_url); if (Auth_OpenID::isFailure($result)) { return $result; } $result = $this->_idResCheckNonce($message, $endpoint); if (Auth_OpenID::isFailure($result)) { return $result; } $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', Auth_OpenID_NO_DEFAULT); if (Auth_OpenID::isFailure($signed_list_str)) { return $signed_list_str; } $signed_list = explode(',', $signed_list_str); $signed_fields = Auth_OpenID::addPrefix($signed_list, "openid."); return new Auth_OpenID_SuccessResponse($endpoint, $message, $signed_fields); } /** * @access private */ function _checkReturnTo($message, $return_to) { // Check an OpenID message and its openid.return_to value // against a return_to URL from an application. Return True // on success, False on failure. // Check the openid.return_to args against args in the // original message. $result = Auth_OpenID_GenericConsumer::_verifyReturnToArgs( $message->toPostArgs()); if (Auth_OpenID::isFailure($result)) { return false; } // Check the return_to base URL against the one in the // message. $msg_return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); if (Auth_OpenID::isFailure($return_to)) { // XXX log me return false; } $return_to_parts = parse_url(Auth_OpenID_urinorm($return_to)); $msg_return_to_parts = parse_url(Auth_OpenID_urinorm($msg_return_to)); // If port is absent from both, add it so it's equal in the // check below. if ((!array_key_exists('port', $return_to_parts)) && (!array_key_exists('port', $msg_return_to_parts))) { $return_to_parts['port'] = null; $msg_return_to_parts['port'] = null; } // If path is absent from both, add it so it's equal in the // check below. if ((!array_key_exists('path', $return_to_parts)) && (!array_key_exists('path', $msg_return_to_parts))) { $return_to_parts['path'] = null; $msg_return_to_parts['path'] = null; } // The URL scheme, authority, and path MUST be the same // between the two URLs. foreach (array('scheme', 'host', 'port', 'path') as $component) { // If the url component is absent in either URL, fail. // There should always be a scheme, host, port, and path. if (!array_key_exists($component, $return_to_parts)) { return false; } if (!array_key_exists($component, $msg_return_to_parts)) { return false; } if (Auth_OpenID::arrayGet($return_to_parts, $component) !== Auth_OpenID::arrayGet($msg_return_to_parts, $component)) { return false; } } return true; } /** * @access private */ function _verifyReturnToArgs($query) { // Verify that the arguments in the return_to URL are present in this // response. $message = Auth_OpenID_Message::fromPostArgs($query); $return_to = $message->getArg(Auth_OpenID_OPENID_NS, 'return_to'); if (Auth_OpenID::isFailure($return_to)) { return $return_to; } // XXX: this should be checked by _idResCheckForFields if (!$return_to) { return new Auth_OpenID_FailureResponse(null, "Response has no return_to"); } $parsed_url = parse_url($return_to); $q = array(); if (array_key_exists('query', $parsed_url)) { $rt_query = $parsed_url['query']; $q = Auth_OpenID::parse_str($rt_query); } foreach ($q as $rt_key => $rt_value) { if (!array_key_exists($rt_key, $query)) { return new Auth_OpenID_FailureResponse(null, sprintf("return_to parameter %s absent from query", $rt_key)); } else { $value = $query[$rt_key]; if ($rt_value != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("parameter %s value %s does not match " . "return_to value %s", $rt_key, $value, $rt_value)); } } } // Make sure all non-OpenID arguments in the response are also // in the signed return_to. $bare_args = $message->getArgs(Auth_OpenID_BARE_NS); foreach ($bare_args as $key => $value) { if (Auth_OpenID::arrayGet($q, $key) != $value) { return new Auth_OpenID_FailureResponse(null, sprintf("Parameter %s = %s not in return_to URL", $key, $value)); } } return true; } /** * @access private */ function _idResCheckSignature($message, $server_url) { $assoc_handle = $message->getArg(Auth_OpenID_OPENID_NS, 'assoc_handle'); if (Auth_OpenID::isFailure($assoc_handle)) { return $assoc_handle; } $assoc = $this->store->getAssociation($server_url, $assoc_handle); if ($assoc) { if ($assoc->getExpiresIn() <= 0) { // XXX: It might be a good idea sometimes to re-start // the authentication with a new association. Doing it // automatically opens the possibility for // denial-of-service by a server that just returns // expired associations (or really short-lived // associations) return new Auth_OpenID_FailureResponse(null, 'Association with ' . $server_url . ' expired'); } if (!$assoc->checkMessageSignature($message)) { // If we get a "bad signature" here, it means that the association // is unrecoverabley corrupted in some way. Any futher attempts // to login with this association is likely to fail. Drop it. $this->store->removeAssociation($server_url, $assoc_handle); return new Auth_OpenID_FailureResponse(null, "Bad signature"); } } else { // It's not an association we know about. Stateless mode // is our only possible path for recovery. XXX - async // framework will not want to block on this call to // _checkAuth. if (!$this->_checkAuth($message, $server_url)) { return new Auth_OpenID_FailureResponse(null, "Server denied check_authentication"); } } return null; } /** * @access private */ function _verifyDiscoveryResults($message, $endpoint=null) { if ($message->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS) { return $this->_verifyDiscoveryResultsOpenID2($message, $endpoint); } else { return $this->_verifyDiscoveryResultsOpenID1($message, $endpoint); } } /** * @access private */ function _verifyDiscoveryResultsOpenID1($message, $endpoint) { $claimed_id = $message->getArg(Auth_OpenID_BARE_NS, $this->openid1_return_to_identifier_name); if (($endpoint === null) && ($claimed_id === null)) { return new Auth_OpenID_FailureResponse($endpoint, 'When using OpenID 1, the claimed ID must be supplied, ' . 'either by passing it through as a return_to parameter ' . 'or by using a session, and supplied to the GenericConsumer ' . 'as the argument to complete()'); } else if (($endpoint !== null) && ($claimed_id === null)) { $claimed_id = $endpoint->claimed_id; } $to_match = new Auth_OpenID_ServiceEndpoint(); $to_match->type_uris = array(Auth_OpenID_TYPE_1_1); $to_match->local_id = $message->getArg(Auth_OpenID_OPENID1_NS, 'identity'); // Restore delegate information from the initiation phase $to_match->claimed_id = $claimed_id; if ($to_match->local_id === null) { return new Auth_OpenID_FailureResponse($endpoint, "Missing required field openid.identity"); } $to_match_1_0 = $to_match->copy(); $to_match_1_0->type_uris = array(Auth_OpenID_TYPE_1_0); if ($endpoint !== null) { $result = $this->_verifyDiscoverySingle($endpoint, $to_match); if (is_a($result, 'Auth_OpenID_TypeURIMismatch')) { $result = $this->_verifyDiscoverySingle($endpoint, $to_match_1_0); } if (Auth_OpenID::isFailure($result)) { // oidutil.log("Error attempting to use stored // discovery information: " + str(e)) // oidutil.log("Attempting discovery to // verify endpoint") } else { return $endpoint; } } // Endpoint is either bad (failed verification) or None return $this->_discoverAndVerify($to_match->claimed_id, array($to_match, $to_match_1_0)); } /** * @access private */ function _verifyDiscoverySingle($endpoint, $to_match) { // Every type URI that's in the to_match endpoint has to be // present in the discovered endpoint. foreach ($to_match->type_uris as $type_uri) { if (!$endpoint->usesExtension($type_uri)) { return new Auth_OpenID_TypeURIMismatch($endpoint, "Required type ".$type_uri." not present"); } } // Fragments do not influence discovery, so we can't compare a // claimed identifier with a fragment to discovered // information. list($defragged_claimed_id, $_) = Auth_OpenID::urldefrag($to_match->claimed_id); if ($defragged_claimed_id != $endpoint->claimed_id) { return new Auth_OpenID_FailureResponse($endpoint, sprintf('Claimed ID does not match (different subjects!), ' . 'Expected %s, got %s', $defragged_claimed_id, $endpoint->claimed_id)); } if ($to_match->getLocalID() != $endpoint->getLocalID()) { return new Auth_OpenID_FailureResponse($endpoint, sprintf('local_id mismatch. Expected %s, got %s', $to_match->getLocalID(), $endpoint->getLocalID())); } // If the server URL is None, this must be an OpenID 1 // response, because op_endpoint is a required parameter in // OpenID 2. In that case, we don't actually care what the // discovered server_url is, because signature checking or // check_auth should take care of that check for us. if ($to_match->server_url === null) { if ($to_match->preferredNamespace() != Auth_OpenID_OPENID1_NS) { return new Auth_OpenID_FailureResponse($endpoint, "Preferred namespace mismatch (bug)"); } } else if ($to_match->server_url != $endpoint->server_url) { return new Auth_OpenID_FailureResponse($endpoint, sprintf('OP Endpoint mismatch. Expected %s, got %s', $to_match->server_url, $endpoint->server_url)); } return null; } /** * @access private */ function _verifyDiscoveryResultsOpenID2($message, $endpoint) { $to_match = new Auth_OpenID_ServiceEndpoint(); $to_match->type_uris = array(Auth_OpenID_TYPE_2_0); $to_match->claimed_id = $message->getArg(Auth_OpenID_OPENID2_NS, 'claimed_id'); $to_match->local_id = $message->getArg(Auth_OpenID_OPENID2_NS, 'identity'); $to_match->server_url = $message->getArg(Auth_OpenID_OPENID2_NS, 'op_endpoint'); if ($to_match->server_url === null) { return new Auth_OpenID_FailureResponse($endpoint, "OP Endpoint URL missing"); } // claimed_id and identifier must both be present or both be // absent if (($to_match->claimed_id === null) && ($to_match->local_id !== null)) { return new Auth_OpenID_FailureResponse($endpoint, 'openid.identity is present without openid.claimed_id'); } if (($to_match->claimed_id !== null) && ($to_match->local_id === null)) { return new Auth_OpenID_FailureResponse($endpoint, 'openid.claimed_id is present without openid.identity'); } if ($to_match->claimed_id === null) { // This is a response without identifiers, so there's // really no checking that we can do, so return an // endpoint that's for the specified `openid.op_endpoint' return Auth_OpenID_ServiceEndpoint::fromOPEndpointURL( $to_match->server_url); } if (!$endpoint) { // The claimed ID doesn't match, so we have to do // discovery again. This covers not using sessions, OP // identifier endpoints and responses that didn't match // the original request. // oidutil.log('No pre-discovered information supplied.') return $this->_discoverAndVerify($to_match->claimed_id, array($to_match)); } else { // The claimed ID matches, so we use the endpoint that we // discovered in initiation. This should be the most // common case. $result = $this->_verifyDiscoverySingle($endpoint, $to_match); if (Auth_OpenID::isFailure($result)) { $endpoint = $this->_discoverAndVerify($to_match->claimed_id, array($to_match)); if (Auth_OpenID::isFailure($endpoint)) { return $endpoint; } } } // The endpoint we return should have the claimed ID from the // message we just verified, fragment and all. if ($endpoint->claimed_id != $to_match->claimed_id) { $endpoint->claimed_id = $to_match->claimed_id; } return $endpoint; } /** * @access private */ function _discoverAndVerify($claimed_id, $to_match_endpoints) { // oidutil.log('Performing discovery on %s' % (claimed_id,)) list($unused, $services) = call_user_func_array($this->discoverMethod, array( $claimed_id, $this->fetcher, )); if (!$services) { return new Auth_OpenID_FailureResponse(null, sprintf("No OpenID information found at %s", $claimed_id)); } return $this->_verifyDiscoveryServices($claimed_id, $services, $to_match_endpoints); } /** * @access private */ function _verifyDiscoveryServices($claimed_id, $services, $to_match_endpoints) { // Search the services resulting from discovery to find one // that matches the information from the assertion foreach ($services as $endpoint) { foreach ($to_match_endpoints as $to_match_endpoint) { $result = $this->_verifyDiscoverySingle($endpoint, $to_match_endpoint); if (!Auth_OpenID::isFailure($result)) { // It matches, so discover verification has // succeeded. Return this endpoint. return $endpoint; } } } return new Auth_OpenID_FailureResponse(null, sprintf('No matching endpoint found after discovering %s: %s', $claimed_id, $result->message)); } /** * Extract the nonce from an OpenID 1 response. Return the nonce * from the BARE_NS since we independently check the return_to * arguments are the same as those in the response message. * * See the openid1_nonce_query_arg_name class variable * * @returns $nonce The nonce as a string or null * * @access private */ function _idResGetNonceOpenID1($message, $endpoint) { return $message->getArg(Auth_OpenID_BARE_NS, $this->openid1_nonce_query_arg_name); } /** * @access private */ function _idResCheckNonce($message, $endpoint) { if ($message->isOpenID1()) { // This indicates that the nonce was generated by the consumer $nonce = $this->_idResGetNonceOpenID1($message, $endpoint); $server_url = ''; } else { $nonce = $message->getArg(Auth_OpenID_OPENID2_NS, 'response_nonce'); $server_url = $endpoint->server_url; } if ($nonce === null) { return new Auth_OpenID_FailureResponse($endpoint, "Nonce missing from response"); } $parts = Auth_OpenID_splitNonce($nonce); if ($parts === null) { return new Auth_OpenID_FailureResponse($endpoint, "Malformed nonce in response"); } list($timestamp, $salt) = $parts; if (!$this->store->useNonce($server_url, $timestamp, $salt)) { return new Auth_OpenID_FailureResponse($endpoint, "Nonce already used or out of range"); } return null; } /** * @access private */ function _idResCheckForFields($message) { $basic_fields = array('return_to', 'assoc_handle', 'sig', 'signed'); $basic_sig_fields = array('return_to', 'identity'); $require_fields = array( Auth_OpenID_OPENID2_NS => array_merge($basic_fields, array('op_endpoint')), Auth_OpenID_OPENID1_NS => array_merge($basic_fields, array('identity')) ); $require_sigs = array( Auth_OpenID_OPENID2_NS => array_merge($basic_sig_fields, array('response_nonce', 'claimed_id', 'assoc_handle', 'op_endpoint')), Auth_OpenID_OPENID1_NS => array_merge($basic_sig_fields, array('nonce')) ); foreach ($require_fields[$message->getOpenIDNamespace()] as $field) { if (!$message->hasKey(Auth_OpenID_OPENID_NS, $field)) { return new Auth_OpenID_FailureResponse(null, "Missing required field '".$field."'"); } } $signed_list_str = $message->getArg(Auth_OpenID_OPENID_NS, 'signed', Auth_OpenID_NO_DEFAULT); if (Auth_OpenID::isFailure($signed_list_str)) { return $signed_list_str; } $signed_list = explode(',', $signed_list_str); foreach ($require_sigs[$message->getOpenIDNamespace()] as $field) { // Field is present and not in signed list if ($message->hasKey(Auth_OpenID_OPENID_NS, $field) && (!in_array($field, $signed_list))) { return new Auth_OpenID_FailureResponse(null, "'".$field."' not signed"); } } return null; } /** * @access private */ function _checkAuth($message, $server_url) { $request = $this->_createCheckAuthRequest($message); if ($request === null) { return false; } $resp_message = $this->_makeKVPost($request, $server_url); if (($resp_message === null) || (is_a($resp_message, 'Auth_OpenID_ServerErrorContainer'))) { return false; } return $this->_processCheckAuthResponse($resp_message, $server_url); } /** * @access private */ function _createCheckAuthRequest($message) { $signed = $message->getArg(Auth_OpenID_OPENID_NS, 'signed'); if ($signed) { foreach (explode(',', $signed) as $k) { $value = $message->getAliasedArg($k); if ($value === null) { return null; } } } $ca_message = $message->copy(); $ca_message->setArg(Auth_OpenID_OPENID_NS, 'mode', 'check_authentication'); return $ca_message; } /** * @access private */ function _processCheckAuthResponse($response, $server_url) { $is_valid = $response->getArg(Auth_OpenID_OPENID_NS, 'is_valid', 'false'); $invalidate_handle = $response->getArg(Auth_OpenID_OPENID_NS, 'invalidate_handle'); if ($invalidate_handle !== null) { $this->store->removeAssociation($server_url, $invalidate_handle); } if ($is_valid == 'true') { return true; } return false; } /** * Adapt a POST response to a Message. * * @param $response Result of a POST to an OpenID endpoint. * * @access private */ static function _httpResponseToMessage($response, $server_url) { // Should this function be named Message.fromHTTPResponse instead? $response_message = Auth_OpenID_Message::fromKVForm($response->body); if ($response->status == 400) { return Auth_OpenID_ServerErrorContainer::fromMessage( $response_message); } else if ($response->status != 200 and $response->status != 206) { return null; } return $response_message; } /** * @access private */ function _makeKVPost($message, $server_url) { $body = $message->toURLEncoded(); $resp = $this->fetcher->post($server_url, $body); if ($resp === null) { return null; } return $this->_httpResponseToMessage($resp, $server_url); } /** * @access private */ function _getAssociation($endpoint) { if (!$this->_use_assocs) { return null; } $assoc = $this->store->getAssociation($endpoint->server_url); if (($assoc === null) || ($assoc->getExpiresIn() <= 0)) { $assoc = $this->_negotiateAssociation($endpoint); if ($assoc !== null) { $this->store->storeAssociation($endpoint->server_url, $assoc); } } return $assoc; } /** * Handle ServerErrors resulting from association requests. * * @return $result If server replied with an C{unsupported-type} * error, return a tuple of supported C{association_type}, * C{session_type}. Otherwise logs the error and returns null. * * @access private */ function _extractSupportedAssociationType($server_error, $endpoint, $assoc_type) { // Any error message whose code is not 'unsupported-type' // should be considered a total failure. if (($server_error->error_code != 'unsupported-type') || ($server_error->message->isOpenID1())) { return null; } // The server didn't like the association/session type that we // sent, and it sent us back a message that might tell us how // to handle it. // Extract the session_type and assoc_type from the error // message $assoc_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, 'assoc_type'); $session_type = $server_error->message->getArg(Auth_OpenID_OPENID_NS, 'session_type'); if (($assoc_type === null) || ($session_type === null)) { return null; } else if (!$this->negotiator->isAllowed($assoc_type, $session_type)) { return null; } else { return array($assoc_type, $session_type); } } /** * @access private */ function _negotiateAssociation($endpoint) { // Get our preferred session/association type from the negotiatior. list($assoc_type, $session_type) = $this->negotiator->getAllowedType(); $assoc = $this->_requestAssociation( $endpoint, $assoc_type, $session_type); if (Auth_OpenID::isFailure($assoc)) { return null; } if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { $why = $assoc; $supportedTypes = $this->_extractSupportedAssociationType( $why, $endpoint, $assoc_type); if ($supportedTypes !== null) { list($assoc_type, $session_type) = $supportedTypes; // Attempt to create an association from the assoc_type // and session_type that the server told us it // supported. $assoc = $this->_requestAssociation( $endpoint, $assoc_type, $session_type); if (is_a($assoc, 'Auth_OpenID_ServerErrorContainer')) { // Do not keep trying, since it rejected the // association type that it told us to use. // oidutil.log('Server %s refused its suggested association // 'type: session_type=%s, assoc_type=%s' // % (endpoint.server_url, session_type, // assoc_type)) return null; } else { return $assoc; } } else { return null; } } else { return $assoc; } } /** * @access private */ function _requestAssociation($endpoint, $assoc_type, $session_type) { list($assoc_session, $args) = $this->_createAssociateRequest( $endpoint, $assoc_type, $session_type); $response_message = $this->_makeKVPost($args, $endpoint->server_url); if ($response_message === null) { // oidutil.log('openid.associate request failed: %s' % (why[0],)) return null; } else if (is_a($response_message, 'Auth_OpenID_ServerErrorContainer')) { return $response_message; } return $this->_extractAssociation($response_message, $assoc_session); } /** * @access private */ function _extractAssociation($assoc_response, $assoc_session) { // Extract the common fields from the response, raising an // exception if they are not found $assoc_type = $assoc_response->getArg( Auth_OpenID_OPENID_NS, 'assoc_type', Auth_OpenID_NO_DEFAULT); if (Auth_OpenID::isFailure($assoc_type)) { return $assoc_type; } $assoc_handle = $assoc_response->getArg( Auth_OpenID_OPENID_NS, 'assoc_handle', Auth_OpenID_NO_DEFAULT); if (Auth_OpenID::isFailure($assoc_handle)) { return $assoc_handle; } // expires_in is a base-10 string. The Python parsing will // accept literals that have whitespace around them and will // accept negative values. Neither of these are really in-spec, // but we think it's OK to accept them. $expires_in_str = $assoc_response->getArg( Auth_OpenID_OPENID_NS, 'expires_in', Auth_OpenID_NO_DEFAULT); if (Auth_OpenID::isFailure($expires_in_str)) { return $expires_in_str; } $expires_in = Auth_OpenID::intval($expires_in_str); if ($expires_in === false) { $err = sprintf("Could not parse expires_in from association ". "response %s", print_r($assoc_response, true)); return new Auth_OpenID_FailureResponse(null, $err); } // OpenID 1 has funny association session behaviour. if ($assoc_response->isOpenID1()) { $session_type = $this->_getOpenID1SessionType($assoc_response); } else { $session_type = $assoc_response->getArg( Auth_OpenID_OPENID2_NS, 'session_type', Auth_OpenID_NO_DEFAULT); if (Auth_OpenID::isFailure($session_type)) { return $session_type; } } // Session type mismatch if ($assoc_session->session_type != $session_type) { if ($assoc_response->isOpenID1() && ($session_type == 'no-encryption')) { // In OpenID 1, any association request can result in // a 'no-encryption' association response. Setting // assoc_session to a new no-encryption session should // make the rest of this function work properly for // that case. $assoc_session = new Auth_OpenID_PlainTextConsumerSession(); } else { // Any other mismatch, regardless of protocol version // results in the failure of the association session // altogether. return null; } } // Make sure assoc_type is valid for session_type if (!in_array($assoc_type, $assoc_session->allowed_assoc_types)) { return null; } // Delegate to the association session to extract the secret // from the response, however is appropriate for that session // type. $secret = $assoc_session->extractSecret($assoc_response); if ($secret === null) { return null; } return Auth_OpenID_Association::fromExpiresIn( $expires_in, $assoc_handle, $secret, $assoc_type); } /** * @access private */ function _createAssociateRequest($endpoint, $assoc_type, $session_type) { if (array_key_exists($session_type, $this->session_types)) { $session_type_class = $this->session_types[$session_type]; if (is_callable($session_type_class)) { $assoc_session = $session_type_class(); } else { $assoc_session = new $session_type_class(); } } else { return null; } $args = array( 'mode' => 'associate', 'assoc_type' => $assoc_type); if (!$endpoint->compatibilityMode()) { $args['ns'] = Auth_OpenID_OPENID2_NS; } // Leave out the session type if we're in compatibility mode // *and* it's no-encryption. if ((!$endpoint->compatibilityMode()) || ($assoc_session->session_type != 'no-encryption')) { $args['session_type'] = $assoc_session->session_type; } $args = array_merge($args, $assoc_session->getRequest()); $message = Auth_OpenID_Message::fromOpenIDArgs($args); return array($assoc_session, $message); } /** * Given an association response message, extract the OpenID 1.X * session type. * * This function mostly takes care of the 'no-encryption' default * behavior in OpenID 1. * * If the association type is plain-text, this function will * return 'no-encryption' * * @access private * @return $typ The association type for this message */ function _getOpenID1SessionType($assoc_response) { // If it's an OpenID 1 message, allow session_type to default // to None (which signifies "no-encryption") $session_type = $assoc_response->getArg(Auth_OpenID_OPENID1_NS, 'session_type'); // Handle the differences between no-encryption association // respones in OpenID 1 and 2: // no-encryption is not really a valid session type for OpenID // 1, but we'll accept it anyway, while issuing a warning. if ($session_type == 'no-encryption') { // oidutil.log('WARNING: OpenID server sent "no-encryption"' // 'for OpenID 1.X') } else if (($session_type == '') || ($session_type === null)) { // Missing or empty session type is the way to flag a // 'no-encryption' response. Change the session type to // 'no-encryption' so that it can be handled in the same // way as OpenID 2 'no-encryption' respones. $session_type = 'no-encryption'; } return $session_type; } } /** * This class represents an authentication request from a consumer to * an OpenID server. * * @package OpenID */ class Auth_OpenID_AuthRequest { /** * Initialize an authentication request with the specified token, * association, and endpoint. * * Users of this library should not create instances of this * class. Instances of this class are created by the library when * needed. */ function Auth_OpenID_AuthRequest($endpoint, $assoc) { $this->assoc = $assoc; $this->endpoint = $endpoint; $this->return_to_args = array(); $this->message = new Auth_OpenID_Message( $endpoint->preferredNamespace()); $this->_anonymous = false; } /** * Add an extension to this checkid request. * * $extension_request: An object that implements the extension * request interface for adding arguments to an OpenID message. */ function addExtension($extension_request) { $extension_request->toMessage($this->message); } /** * Add an extension argument to this OpenID authentication * request. * * Use caution when adding arguments, because they will be * URL-escaped and appended to the redirect URL, which can easily * get quite long. * * @param string $namespace The namespace for the extension. For * example, the simple registration extension uses the namespace * 'sreg'. * * @param string $key The key within the extension namespace. For * example, the nickname field in the simple registration * extension's key is 'nickname'. * * @param string $value The value to provide to the server for * this argument. */ function addExtensionArg($namespace, $key, $value) { return $this->message->setArg($namespace, $key, $value); } /** * Set whether this request should be made anonymously. If a * request is anonymous, the identifier will not be sent in the * request. This is only useful if you are making another kind of * request with an extension in this request. * * Anonymous requests are not allowed when the request is made * with OpenID 1. */ function setAnonymous($is_anonymous) { if ($is_anonymous && $this->message->isOpenID1()) { return false; } else { $this->_anonymous = $is_anonymous; return true; } } /** * Produce a {@link Auth_OpenID_Message} representing this * request. * * @param string $realm The URL (or URL pattern) that identifies * your web site to the user when she is authorizing it. * * @param string $return_to The URL that the OpenID provider will * send the user back to after attempting to verify her identity. * * Not specifying a return_to URL means that the user will not be * returned to the site issuing the request upon its completion. * * @param bool $immediate If true, the OpenID provider is to send * back a response immediately, useful for behind-the-scenes * authentication attempts. Otherwise the OpenID provider may * engage the user before providing a response. This is the * default case, as the user may need to provide credentials or * approve the request before a positive response can be sent. */ function getMessage($realm, $return_to=null, $immediate=false) { if ($return_to) { $return_to = Auth_OpenID::appendArgs($return_to, $this->return_to_args); } else if ($immediate) { // raise ValueError( // '"return_to" is mandatory when //using "checkid_immediate"') return new Auth_OpenID_FailureResponse(null, "'return_to' is mandatory when using checkid_immediate"); } else if ($this->message->isOpenID1()) { // raise ValueError('"return_to" is // mandatory for OpenID 1 requests') return new Auth_OpenID_FailureResponse(null, "'return_to' is mandatory for OpenID 1 requests"); } else if ($this->return_to_args) { // raise ValueError('extra "return_to" arguments // were specified, but no return_to was specified') return new Auth_OpenID_FailureResponse(null, "extra 'return_to' arguments where specified, " . "but no return_to was specified"); } if ($immediate) { $mode = 'checkid_immediate'; } else { $mode = 'checkid_setup'; } $message = $this->message->copy(); if ($message->isOpenID1()) { $realm_key = 'trust_root'; } else { $realm_key = 'realm'; } $message->updateArgs(Auth_OpenID_OPENID_NS, array( $realm_key => $realm, 'mode' => $mode, 'return_to' => $return_to)); if (!$this->_anonymous) { if ($this->endpoint->isOPIdentifier()) { // This will never happen when we're in compatibility // mode, as long as isOPIdentifier() returns False // whenever preferredNamespace() returns OPENID1_NS. $claimed_id = $request_identity = Auth_OpenID_IDENTIFIER_SELECT; } else { $request_identity = $this->endpoint->getLocalID(); $claimed_id = $this->endpoint->claimed_id; } // This is true for both OpenID 1 and 2 $message->setArg(Auth_OpenID_OPENID_NS, 'identity', $request_identity); if ($message->isOpenID2()) { $message->setArg(Auth_OpenID_OPENID2_NS, 'claimed_id', $claimed_id); } } if ($this->assoc) { $message->setArg(Auth_OpenID_OPENID_NS, 'assoc_handle', $this->assoc->handle); } return $message; } function redirectURL($realm, $return_to = null, $immediate = false) { $message = $this->getMessage($realm, $return_to, $immediate); if (Auth_OpenID::isFailure($message)) { return $message; } return $message->toURL($this->endpoint->server_url); } /** * Get html for a form to submit this request to the IDP. * * form_tag_attrs: An array of attributes to be added to the form * tag. 'accept-charset' and 'enctype' have defaults that can be * overridden. If a value is supplied for 'action' or 'method', it * will be replaced. */ function formMarkup($realm, $return_to=null, $immediate=false, $form_tag_attrs=null) { $message = $this->getMessage($realm, $return_to, $immediate); if (Auth_OpenID::isFailure($message)) { return $message; } return $message->toFormMarkup($this->endpoint->server_url, $form_tag_attrs); } /** * Get a complete html document that will autosubmit the request * to the IDP. * * Wraps formMarkup. See the documentation for that function. */ function htmlMarkup($realm, $return_to=null, $immediate=false, $form_tag_attrs=null) { $form = $this->formMarkup($realm, $return_to, $immediate, $form_tag_attrs); if (Auth_OpenID::isFailure($form)) { return $form; } return Auth_OpenID::autoSubmitHTML($form); } function shouldSendRedirect() { return $this->endpoint->compatibilityMode(); } } /** * The base class for responses from the Auth_OpenID_Consumer. * * @package OpenID */ class Auth_OpenID_ConsumerResponse { var $status = null; function setEndpoint($endpoint) { $this->endpoint = $endpoint; if ($endpoint === null) { $this->identity_url = null; } else { $this->identity_url = $endpoint->claimed_id; } } /** * Return the display identifier for this response. * * The display identifier is related to the Claimed Identifier, but the * two are not always identical. The display identifier is something the * user should recognize as what they entered, whereas the response's * claimed identifier (in the identity_url attribute) may have extra * information for better persistence. * * URLs will be stripped of their fragments for display. XRIs will * display the human-readable identifier (i-name) instead of the * persistent identifier (i-number). * * Use the display identifier in your user interface. Use * identity_url for querying your database or authorization server. * */ function getDisplayIdentifier() { if ($this->endpoint !== null) { return $this->endpoint->getDisplayIdentifier(); } return null; } } /** * A response with a status of Auth_OpenID_SUCCESS. Indicates that * this request is a successful acknowledgement from the OpenID server * that the supplied URL is, indeed controlled by the requesting * agent. This has three relevant attributes: * * claimed_id - The identity URL that has been authenticated * * signed_args - The arguments in the server's response that were * signed and verified. * * status - Auth_OpenID_SUCCESS. * * @package OpenID */ class Auth_OpenID_SuccessResponse extends Auth_OpenID_ConsumerResponse { var $status = Auth_OpenID_SUCCESS; /** * @access private */ function Auth_OpenID_SuccessResponse($endpoint, $message, $signed_args=null) { $this->endpoint = $endpoint; $this->identity_url = $endpoint->claimed_id; $this->signed_args = $signed_args; $this->message = $message; if ($this->signed_args === null) { $this->signed_args = array(); } } /** * Extract signed extension data from the server's response. * * @param string $prefix The extension namespace from which to * extract the extension data. */ function extensionResponse($namespace_uri, $require_signed) { if ($require_signed) { return $this->getSignedNS($namespace_uri); } else { return $this->message->getArgs($namespace_uri); } } function isOpenID1() { return $this->message->isOpenID1(); } function isSigned($ns_uri, $ns_key) { // Return whether a particular key is signed, regardless of // its namespace alias return in_array($this->message->getKey($ns_uri, $ns_key), $this->signed_args); } function getSigned($ns_uri, $ns_key, $default = null) { // Return the specified signed field if available, otherwise // return default if ($this->isSigned($ns_uri, $ns_key)) { return $this->message->getArg($ns_uri, $ns_key, $default); } else { return $default; } } function getSignedNS($ns_uri) { $args = array(); $msg_args = $this->message->getArgs($ns_uri); if (Auth_OpenID::isFailure($msg_args)) { return null; } foreach ($msg_args as $key => $value) { if (!$this->isSigned($ns_uri, $key)) { unset($msg_args[$key]); } } return $msg_args; } /** * Get the openid.return_to argument from this response. * * This is useful for verifying that this request was initiated by * this consumer. * * @return string $return_to The return_to URL supplied to the * server on the initial request, or null if the response did not * contain an 'openid.return_to' argument. */ function getReturnTo() { return $this->getSigned(Auth_OpenID_OPENID_NS, 'return_to'); } } /** * A response with a status of Auth_OpenID_FAILURE. Indicates that the * OpenID protocol has failed. This could be locally or remotely * triggered. This has three relevant attributes: * * claimed_id - The identity URL for which authentication was * attempted, if it can be determined. Otherwise, null. * * message - A message indicating why the request failed, if one is * supplied. Otherwise, null. * * status - Auth_OpenID_FAILURE. * * @package OpenID */ class Auth_OpenID_FailureResponse extends Auth_OpenID_ConsumerResponse { var $status = Auth_OpenID_FAILURE; function Auth_OpenID_FailureResponse($endpoint, $message = null, $contact = null, $reference = null) { $this->setEndpoint($endpoint); $this->message = $message; $this->contact = $contact; $this->reference = $reference; } } /** * A specific, internal failure used to detect type URI mismatch. * * @package OpenID */ class Auth_OpenID_TypeURIMismatch extends Auth_OpenID_FailureResponse { } /** * Exception that is raised when the server returns a 400 response * code to a direct request. * * @package OpenID */ class Auth_OpenID_ServerErrorContainer { function Auth_OpenID_ServerErrorContainer($error_text, $error_code, $message) { $this->error_text = $error_text; $this->error_code = $error_code; $this->message = $message; } /** * @access private */ static function fromMessage($message) { $error_text = $message->getArg( Auth_OpenID_OPENID_NS, 'error', ''); $error_code = $message->getArg(Auth_OpenID_OPENID_NS, 'error_code'); return new Auth_OpenID_ServerErrorContainer($error_text, $error_code, $message); } } /** * A response with a status of Auth_OpenID_CANCEL. Indicates that the * user cancelled the OpenID authentication request. This has two * relevant attributes: * * claimed_id - The identity URL for which authentication was * attempted, if it can be determined. Otherwise, null. * * status - Auth_OpenID_SUCCESS. * * @package OpenID */ class Auth_OpenID_CancelResponse extends Auth_OpenID_ConsumerResponse { var $status = Auth_OpenID_CANCEL; function Auth_OpenID_CancelResponse($endpoint) { $this->setEndpoint($endpoint); } } /** * A response with a status of Auth_OpenID_SETUP_NEEDED. Indicates * that the request was in immediate mode, and the server is unable to * authenticate the user without further interaction. * * claimed_id - The identity URL for which authentication was * attempted. * * setup_url - A URL that can be used to send the user to the server * to set up for authentication. The user should be redirected in to * the setup_url, either in the current window or in a new browser * window. Null in OpenID 2. * * status - Auth_OpenID_SETUP_NEEDED. * * @package OpenID */ class Auth_OpenID_SetupNeededResponse extends Auth_OpenID_ConsumerResponse { var $status = Auth_OpenID_SETUP_NEEDED; function Auth_OpenID_SetupNeededResponse($endpoint, $setup_url = null) { $this->setEndpoint($endpoint); $this->setup_url = $setup_url; } } wordpress-openid-3.4.1/lib/Auth/OpenID/CryptUtil.php000077500000000000000000000070041265347743100223000ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ if (!defined('Auth_OpenID_RAND_SOURCE')) { /** * The filename for a source of random bytes. Define this yourself * if you have a different source of randomness. */ define('Auth_OpenID_RAND_SOURCE', '/dev/urandom'); } class Auth_OpenID_CryptUtil { /** * Get the specified number of random bytes. * * Attempts to use a cryptographically secure (not predictable) * source of randomness if available. If there is no high-entropy * randomness source available, it will fail. As a last resort, * for non-critical systems, define * Auth_OpenID_RAND_SOURCE as null, and * the code will fall back on a pseudo-random number generator. * * @param int $num_bytes The length of the return value * @return string $bytes random bytes */ static function getBytes($num_bytes) { static $f = null; $bytes = ''; if ($f === null) { if (Auth_OpenID_RAND_SOURCE === null) { $f = false; } else { $f = @fopen(Auth_OpenID_RAND_SOURCE, "r"); if ($f === false) { $msg = 'Define Auth_OpenID_RAND_SOURCE as null to ' . ' continue with an insecure random number generator.'; trigger_error($msg, E_USER_ERROR); } } } if ($f === false) { // pseudorandom used $bytes = ''; for ($i = 0; $i < $num_bytes; $i += 4) { $bytes .= pack('L', mt_rand()); } $bytes = substr($bytes, 0, $num_bytes); } else { $bytes = fread($f, $num_bytes); } return $bytes; } /** * Produce a string of length random bytes, chosen from chrs. If * $chrs is null, the resulting string may contain any characters. * * @param integer $length The length of the resulting * randomly-generated string * @param string $chrs A string of characters from which to choose * to build the new string * @return string $result A string of randomly-chosen characters * from $chrs */ static function randomString($length, $population = null) { if ($population === null) { return Auth_OpenID_CryptUtil::getBytes($length); } $popsize = strlen($population); if ($popsize > 256) { $msg = 'More than 256 characters supplied to ' . __FUNCTION__; trigger_error($msg, E_USER_ERROR); } $duplicate = 256 % $popsize; $str = ""; for ($i = 0; $i < $length; $i++) { do { $n = ord(Auth_OpenID_CryptUtil::getBytes(1)); } while ($n < $duplicate); $n %= $popsize; $str .= $population[$n]; } return $str; } static function constEq($s1, $s2) { if (strlen($s1) != strlen($s2)) { return false; } $result = true; $length = strlen($s1); for ($i = 0; $i < $length; $i++) { $result &= ($s1[$i] == $s2[$i]); } return $result; } } wordpress-openid-3.4.1/lib/Auth/OpenID/DatabaseConnection.php000077500000000000000000000075601265347743100240740ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * An empty base class intended to emulate PEAR connection * functionality in applications that supply their own database * abstraction mechanisms. See {@link Auth_OpenID_SQLStore} for more * information. You should subclass this class if you need to create * an SQL store that needs to access its database using an * application's database abstraction layer instead of a PEAR database * connection. Any subclass of Auth_OpenID_DatabaseConnection MUST * adhere to the interface specified here. * * @package OpenID */ class Auth_OpenID_DatabaseConnection { /** * Sets auto-commit mode on this database connection. * * @param bool $mode True if auto-commit is to be used; false if * not. */ function autoCommit($mode) { } /** * Run an SQL query with the specified parameters, if any. * * @param string $sql An SQL string with placeholders. The * placeholders are assumed to be specific to the database engine * for this connection. * * @param array $params An array of parameters to insert into the * SQL string using this connection's escaping mechanism. * * @return mixed $result The result of calling this connection's * internal query function. The type of result depends on the * underlying database engine. This method is usually used when * the result of a query is not important, like a DDL query. */ function query($sql, $params = array()) { } /** * Starts a transaction on this connection, if supported. */ function begin() { } /** * Commits a transaction on this connection, if supported. */ function commit() { } /** * Performs a rollback on this connection, if supported. */ function rollback() { } /** * Run an SQL query and return the first column of the first row * of the result set, if any. * * @param string $sql An SQL string with placeholders. The * placeholders are assumed to be specific to the database engine * for this connection. * * @param array $params An array of parameters to insert into the * SQL string using this connection's escaping mechanism. * * @return mixed $result The value of the first column of the * first row of the result set. False if no such result was * found. */ function getOne($sql, $params = array()) { } /** * Run an SQL query and return the first row of the result set, if * any. * * @param string $sql An SQL string with placeholders. The * placeholders are assumed to be specific to the database engine * for this connection. * * @param array $params An array of parameters to insert into the * SQL string using this connection's escaping mechanism. * * @return array $result The first row of the result set, if any, * keyed on column name. False if no such result was found. */ function getRow($sql, $params = array()) { } /** * Run an SQL query with the specified parameters, if any. * * @param string $sql An SQL string with placeholders. The * placeholders are assumed to be specific to the database engine * for this connection. * * @param array $params An array of parameters to insert into the * SQL string using this connection's escaping mechanism. * * @return array $result An array of arrays representing the * result of the query; each array is keyed on column name. */ function getAll($sql, $params = array()) { } } wordpress-openid-3.4.1/lib/Auth/OpenID/DiffieHellman.php000077500000000000000000000056101265347743100230310ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ require_once 'Auth/OpenID.php'; require_once 'Auth/OpenID/BigMath.php'; function Auth_OpenID_getDefaultMod() { return '155172898181473697471232257763715539915724801'. '966915404479707795314057629378541917580651227423'. '698188993727816152646631438561595825688188889951'. '272158842675419950341258706556549803580104870537'. '681476726513255747040765857479291291572334510643'. '245094715007229621094194349783925984760375594985'. '848253359305585439638443'; } function Auth_OpenID_getDefaultGen() { return '2'; } /** * The Diffie-Hellman key exchange class. This class relies on * {@link Auth_OpenID_MathLibrary} to perform large number operations. * * @access private * @package OpenID */ class Auth_OpenID_DiffieHellman { var $mod; var $gen; var $private; var $lib = null; function Auth_OpenID_DiffieHellman($mod = null, $gen = null, $private = null, $lib = null) { if ($lib === null) { $this->lib = Auth_OpenID_getMathLib(); } else { $this->lib = $lib; } if ($mod === null) { $this->mod = $this->lib->init(Auth_OpenID_getDefaultMod()); } else { $this->mod = $mod; } if ($gen === null) { $this->gen = $this->lib->init(Auth_OpenID_getDefaultGen()); } else { $this->gen = $gen; } if ($private === null) { $r = $this->lib->rand($this->mod); $this->private = $this->lib->add($r, 1); } else { $this->private = $private; } $this->public = $this->lib->powmod($this->gen, $this->private, $this->mod); } function getSharedSecret($composite) { return $this->lib->powmod($composite, $this->private, $this->mod); } function getPublicKey() { return $this->public; } function usingDefaultValues() { return ($this->mod == Auth_OpenID_getDefaultMod() && $this->gen == Auth_OpenID_getDefaultGen()); } function xorSecret($composite, $secret, $hash_func) { $dh_shared = $this->getSharedSecret($composite); $dh_shared_str = $this->lib->longToBinary($dh_shared); $hash_dh_shared = $hash_func($dh_shared_str); $xsecret = ""; for ($i = 0; $i < Auth_OpenID::bytes($secret); $i++) { $xsecret .= chr(ord($secret[$i]) ^ ord($hash_dh_shared[$i])); } return $xsecret; } } wordpress-openid-3.4.1/lib/Auth/OpenID/Discover.php000077500000000000000000000442031265347743100221210ustar00rootroot00000000000000claimed_id = null; $this->server_url = null; $this->type_uris = array(); $this->local_id = null; $this->canonicalID = null; $this->used_yadis = false; // whether this came from an XRDS $this->display_identifier = null; } function getDisplayIdentifier() { if ($this->display_identifier) { return $this->display_identifier; } if (! $this->claimed_id) { return $this->claimed_id; } $parsed = parse_url($this->claimed_id); $scheme = $parsed['scheme']; $host = $parsed['host']; $path = $parsed['path']; if (array_key_exists('query', $parsed)) { $query = $parsed['query']; $no_frag = "$scheme://$host$path?$query"; } else { $no_frag = "$scheme://$host$path"; } return $no_frag; } function usesExtension($extension_uri) { return in_array($extension_uri, $this->type_uris); } function preferredNamespace() { if (in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris) || in_array(Auth_OpenID_TYPE_2_0, $this->type_uris)) { return Auth_OpenID_OPENID2_NS; } else { return Auth_OpenID_OPENID1_NS; } } /* * Query this endpoint to see if it has any of the given type * URIs. This is useful for implementing other endpoint classes * that e.g. need to check for the presence of multiple versions * of a single protocol. * * @param $type_uris The URIs that you wish to check * * @return all types that are in both in type_uris and * $this->type_uris */ function matchTypes($type_uris) { $result = array(); foreach ($type_uris as $test_uri) { if ($this->supportsType($test_uri)) { $result[] = $test_uri; } } return $result; } function supportsType($type_uri) { // Does this endpoint support this type? return ((in_array($type_uri, $this->type_uris)) || (($type_uri == Auth_OpenID_TYPE_2_0) && $this->isOPIdentifier())); } function compatibilityMode() { return $this->preferredNamespace() != Auth_OpenID_OPENID2_NS; } function isOPIdentifier() { return in_array(Auth_OpenID_TYPE_2_0_IDP, $this->type_uris); } static function fromOPEndpointURL($op_endpoint_url) { // Construct an OP-Identifier OpenIDServiceEndpoint object for // a given OP Endpoint URL $obj = new Auth_OpenID_ServiceEndpoint(); $obj->server_url = $op_endpoint_url; $obj->type_uris = array(Auth_OpenID_TYPE_2_0_IDP); return $obj; } function parseService($yadis_url, $uri, $type_uris, $service_element) { // Set the state of this object based on the contents of the // service element. Return true if successful, false if not // (if findOPLocalIdentifier returns false). $this->type_uris = $type_uris; $this->server_url = $uri; $this->used_yadis = true; if (!$this->isOPIdentifier()) { $this->claimed_id = $yadis_url; $this->local_id = Auth_OpenID_findOPLocalIdentifier( $service_element, $this->type_uris); if ($this->local_id === false) { return false; } } return true; } function getLocalID() { // Return the identifier that should be sent as the // openid.identity_url parameter to the server. if ($this->local_id === null && $this->canonicalID === null) { return $this->claimed_id; } else { if ($this->local_id) { return $this->local_id; } else { return $this->canonicalID; } } } /* * Parse the given document as XRDS looking for OpenID consumer services. * * @return array of Auth_OpenID_ServiceEndpoint or null if the * document cannot be parsed. */ function consumerFromXRDS($uri, $xrds_text) { $xrds =& Auth_Yadis_XRDS::parseXRDS($xrds_text); if ($xrds) { $yadis_services = $xrds->services(array('filter_MatchesAnyOpenIDConsumerType')); return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); } return null; } /* * Parse the given document as XRDS looking for OpenID services. * * @return array of Auth_OpenID_ServiceEndpoint or null if the * document cannot be parsed. */ static function fromXRDS($uri, $xrds_text) { $xrds = Auth_Yadis_XRDS::parseXRDS($xrds_text); if ($xrds) { $yadis_services = $xrds->services(array('filter_MatchesAnyOpenIDType')); return Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services); } return null; } /* * Create endpoints from a DiscoveryResult. * * @param discoveryResult Auth_Yadis_DiscoveryResult * @return array of Auth_OpenID_ServiceEndpoint or null if * endpoints cannot be created. */ static function fromDiscoveryResult($discoveryResult) { if ($discoveryResult->isXRDS()) { return Auth_OpenID_ServiceEndpoint::fromXRDS( $discoveryResult->normalized_uri, $discoveryResult->response_text); } else { return Auth_OpenID_ServiceEndpoint::fromHTML( $discoveryResult->normalized_uri, $discoveryResult->response_text); } } static function fromHTML($uri, $html) { $discovery_types = array( array(Auth_OpenID_TYPE_2_0, 'openid2.provider', 'openid2.local_id'), array(Auth_OpenID_TYPE_1_1, 'openid.server', 'openid.delegate') ); $services = array(); foreach ($discovery_types as $triple) { list($type_uri, $server_rel, $delegate_rel) = $triple; $urls = Auth_OpenID_legacy_discover($html, $server_rel, $delegate_rel); if ($urls === false) { continue; } list($delegate_url, $server_url) = $urls; $service = new Auth_OpenID_ServiceEndpoint(); $service->claimed_id = $uri; $service->local_id = $delegate_url; $service->server_url = $server_url; $service->type_uris = array($type_uri); $services[] = $service; } return $services; } function copy() { $x = new Auth_OpenID_ServiceEndpoint(); $x->claimed_id = $this->claimed_id; $x->server_url = $this->server_url; $x->type_uris = $this->type_uris; $x->local_id = $this->local_id; $x->canonicalID = $this->canonicalID; $x->used_yadis = $this->used_yadis; return $x; } } function Auth_OpenID_findOPLocalIdentifier($service, $type_uris) { // Extract a openid:Delegate value from a Yadis Service element. // If no delegate is found, returns null. Returns false on // discovery failure (when multiple delegate/localID tags have // different values). $service->parser->registerNamespace('openid', Auth_OpenID_XMLNS_1_0); $service->parser->registerNamespace('xrd', Auth_Yadis_XMLNS_XRD_2_0); $parser = $service->parser; $permitted_tags = array(); if (in_array(Auth_OpenID_TYPE_1_1, $type_uris) || in_array(Auth_OpenID_TYPE_1_0, $type_uris)) { $permitted_tags[] = 'openid:Delegate'; } if (in_array(Auth_OpenID_TYPE_2_0, $type_uris)) { $permitted_tags[] = 'xrd:LocalID'; } $local_id = null; foreach ($permitted_tags as $tag_name) { $tags = $service->getElements($tag_name); foreach ($tags as $tag) { $content = $parser->content($tag); if ($local_id === null) { $local_id = $content; } else if ($local_id != $content) { return false; } } } return $local_id; } function filter_MatchesAnyOpenIDType($service) { $uris = $service->getTypes(); foreach ($uris as $uri) { if (in_array($uri, Auth_OpenID_getOpenIDTypeURIs())) { return true; } } return false; } function filter_MatchesAnyOpenIDConsumerType(&$service) { $uris = $service->getTypes(); foreach ($uris as $uri) { if (in_array($uri, Auth_OpenID_getOpenIDConsumerTypeURIs())) { return true; } } return false; } function Auth_OpenID_bestMatchingService($service, $preferred_types) { // Return the index of the first matching type, or something // higher if no type matches. // // This provides an ordering in which service elements that // contain a type that comes earlier in the preferred types list // come before service elements that come later. If a service // element has more than one type, the most preferred one wins. foreach ($preferred_types as $index => $typ) { if (in_array($typ, $service->type_uris)) { return $index; } } return count($preferred_types); } function Auth_OpenID_arrangeByType($service_list, $preferred_types) { // Rearrange service_list in a new list so services are ordered by // types listed in preferred_types. Return the new list. // Build a list with the service elements in tuples whose // comparison will prefer the one with the best matching service $prio_services = array(); foreach ($service_list as $index => $service) { $prio_services[] = array(Auth_OpenID_bestMatchingService($service, $preferred_types), $index, $service); } sort($prio_services); // Now that the services are sorted by priority, remove the sort // keys from the list. foreach ($prio_services as $index => $s) { $prio_services[$index] = $prio_services[$index][2]; } return $prio_services; } // Extract OP Identifier services. If none found, return the rest, // sorted with most preferred first according to // OpenIDServiceEndpoint.openid_type_uris. // // openid_services is a list of OpenIDServiceEndpoint objects. // // Returns a list of OpenIDServiceEndpoint objects.""" function Auth_OpenID_getOPOrUserServices($openid_services) { $op_services = Auth_OpenID_arrangeByType($openid_services, array(Auth_OpenID_TYPE_2_0_IDP)); $openid_services = Auth_OpenID_arrangeByType($openid_services, Auth_OpenID_getOpenIDTypeURIs()); if ($op_services) { return $op_services; } else { return $openid_services; } } function Auth_OpenID_makeOpenIDEndpoints($uri, $yadis_services) { $s = array(); if (!$yadis_services) { return $s; } foreach ($yadis_services as $service) { $type_uris = $service->getTypes(); $uris = $service->getURIs(); // If any Type URIs match and there is an endpoint URI // specified, then this is an OpenID endpoint if ($type_uris && $uris) { foreach ($uris as $service_uri) { $openid_endpoint = new Auth_OpenID_ServiceEndpoint(); if ($openid_endpoint->parseService($uri, $service_uri, $type_uris, $service)) { $s[] = $openid_endpoint; } } } } return $s; } function Auth_OpenID_discoverWithYadis($uri, $fetcher, $endpoint_filter='Auth_OpenID_getOPOrUserServices', $discover_function=null) { // Discover OpenID services for a URI. Tries Yadis and falls back // on old-style discovery if Yadis fails. // Might raise a yadis.discover.DiscoveryFailure if no document // came back for that URI at all. I don't think falling back to // OpenID 1.0 discovery on the same URL will help, so don't bother // to catch it. if ($discover_function === null) { $discover_function = array('Auth_Yadis_Yadis', 'discover'); } $openid_services = array(); $response = call_user_func_array($discover_function, array($uri, $fetcher)); $yadis_url = $response->normalized_uri; $yadis_services = array(); if ($response->isFailure() && !$response->isXRDS()) { return array($uri, array()); } $openid_services = Auth_OpenID_ServiceEndpoint::fromXRDS( $yadis_url, $response->response_text); if (!$openid_services) { if ($response->isXRDS()) { return Auth_OpenID_discoverWithoutYadis($uri, $fetcher); } // Try to parse the response as HTML to get OpenID 1.0/1.1 // $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( $yadis_url, $response->response_text); } $openid_services = call_user_func_array($endpoint_filter, array($openid_services)); return array($yadis_url, $openid_services); } function Auth_OpenID_discoverURI($uri, $fetcher) { $uri = Auth_OpenID::normalizeUrl($uri); return Auth_OpenID_discoverWithYadis($uri, $fetcher); } function Auth_OpenID_discoverWithoutYadis($uri, $fetcher) { $http_resp = @$fetcher->get($uri); if ($http_resp->status != 200 and $http_resp->status != 206) { return array($uri, array()); } $identity_url = $http_resp->final_url; // Try to parse the response as HTML to get OpenID 1.0/1.1 $openid_services = Auth_OpenID_ServiceEndpoint::fromHTML( $identity_url, $http_resp->body); return array($identity_url, $openid_services); } function Auth_OpenID_discoverXRI($iname, $fetcher) { $resolver = new Auth_Yadis_ProxyResolver($fetcher); list($canonicalID, $yadis_services) = $resolver->query($iname, Auth_OpenID_getOpenIDTypeURIs(), array('filter_MatchesAnyOpenIDType')); $openid_services = Auth_OpenID_makeOpenIDEndpoints($iname, $yadis_services); $openid_services = Auth_OpenID_getOPOrUserServices($openid_services); for ($i = 0; $i < count($openid_services); $i++) { $openid_services[$i]->canonicalID = $canonicalID; $openid_services[$i]->claimed_id = $canonicalID; $openid_services[$i]->display_identifier = $iname; } // FIXME: returned xri should probably be in some normal form return array($iname, $openid_services); } function Auth_OpenID_discover($uri, $fetcher) { // If the fetcher (i.e., PHP) doesn't support SSL, we can't do // discovery on an HTTPS URL. if ($fetcher->isHTTPS($uri) && !$fetcher->supportsSSL()) { return array($uri, array()); } if (Auth_Yadis_identifierScheme($uri) == 'XRI') { $result = Auth_OpenID_discoverXRI($uri, $fetcher); } else { $result = Auth_OpenID_discoverURI($uri, $fetcher); } // If the fetcher doesn't support SSL, we can't interact with // HTTPS server URLs; remove those endpoints from the list. if (!$fetcher->supportsSSL()) { $http_endpoints = array(); list($new_uri, $endpoints) = $result; foreach ($endpoints as $e) { if (!$fetcher->isHTTPS($e->server_url)) { $http_endpoints[] = $e; } } $result = array($new_uri, $http_endpoints); } return $result; } wordpress-openid-3.4.1/lib/Auth/OpenID/DumbStore.php000077500000000000000000000053151265347743100222500ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * Import the interface for creating a new store class. */ require_once 'Auth/OpenID/Interface.php'; require_once 'Auth/OpenID/HMAC.php'; /** * This is a store for use in the worst case, when you have no way of * saving state on the consumer site. Using this store makes the * consumer vulnerable to replay attacks, as it's unable to use * nonces. Avoid using this store if it is at all possible. * * Most of the methods of this class are implementation details. * Users of this class need to worry only about the constructor. * * @package OpenID */ class Auth_OpenID_DumbStore extends Auth_OpenID_OpenIDStore { /** * Creates a new {@link Auth_OpenID_DumbStore} instance. For the security * of the tokens generated by the library, this class attempts to * at least have a secure implementation of getAuthKey. * * When you create an instance of this class, pass in a secret * phrase. The phrase is hashed with sha1 to make it the correct * length and form for an auth key. That allows you to use a long * string as the secret phrase, which means you can make it very * difficult to guess. * * Each {@link Auth_OpenID_DumbStore} instance that is created for use by * your consumer site needs to use the same $secret_phrase. * * @param string secret_phrase The phrase used to create the auth * key returned by getAuthKey */ function Auth_OpenID_DumbStore($secret_phrase) { $this->auth_key = Auth_OpenID_SHA1($secret_phrase); } /** * This implementation does nothing. */ function storeAssociation($server_url, $association) { } /** * This implementation always returns null. */ function getAssociation($server_url, $handle = null) { return null; } /** * This implementation always returns false. */ function removeAssociation($server_url, $handle) { return false; } /** * In a system truly limited to dumb mode, nonces must all be * accepted. This therefore always returns true, which makes * replay attacks feasible. */ function useNonce($server_url, $timestamp, $salt) { return true; } /** * This method returns the auth key generated by the constructor. */ function getAuthKey() { return $this->auth_key; } } wordpress-openid-3.4.1/lib/Auth/OpenID/Extension.php000077500000000000000000000031051265347743100223130ustar00rootroot00000000000000isOpenID1(); $added = $message->namespaces->addAlias($this->ns_uri, $this->ns_alias, $implicit); if ($added === null) { if ($message->namespaces->getAlias($this->ns_uri) != $this->ns_alias) { return null; } } if ($request !== null) { $message->updateArgs($this->ns_uri, $this->getExtensionArgs($request)); } else { $message->updateArgs($this->ns_uri, $this->getExtensionArgs()); } return $message; } } wordpress-openid-3.4.1/lib/Auth/OpenID/FileStore.php000077500000000000000000000436521265347743100222460ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * Require base class for creating a new interface. */ require_once 'Auth/OpenID.php'; require_once 'Auth/OpenID/Interface.php'; require_once 'Auth/OpenID/HMAC.php'; require_once 'Auth/OpenID/Nonce.php'; /** * This is a filesystem-based store for OpenID associations and * nonces. This store should be safe for use in concurrent systems on * both windows and unix (excluding NFS filesystems). There are a * couple race conditions in the system, but those failure cases have * been set up in such a way that the worst-case behavior is someone * having to try to log in a second time. * * Most of the methods of this class are implementation details. * People wishing to just use this store need only pay attention to * the constructor. * * @package OpenID */ class Auth_OpenID_FileStore extends Auth_OpenID_OpenIDStore { /** * Initializes a new {@link Auth_OpenID_FileStore}. This * initializes the nonce and association directories, which are * subdirectories of the directory passed in. * * @param string $directory This is the directory to put the store * directories in. */ function Auth_OpenID_FileStore($directory) { if (!Auth_OpenID::ensureDir($directory)) { trigger_error('Not a directory and failed to create: ' . $directory, E_USER_ERROR); } $directory = realpath($directory); $this->directory = $directory; $this->active = true; $this->nonce_dir = $directory . DIRECTORY_SEPARATOR . 'nonces'; $this->association_dir = $directory . DIRECTORY_SEPARATOR . 'associations'; // Temp dir must be on the same filesystem as the assciations // $directory. $this->temp_dir = $directory . DIRECTORY_SEPARATOR . 'temp'; $this->max_nonce_age = 6 * 60 * 60; // Six hours, in seconds if (!$this->_setup()) { trigger_error('Failed to initialize OpenID file store in ' . $directory, E_USER_ERROR); } } function destroy() { Auth_OpenID_FileStore::_rmtree($this->directory); $this->active = false; } /** * Make sure that the directories in which we store our data * exist. * * @access private */ function _setup() { return (Auth_OpenID::ensureDir($this->nonce_dir) && Auth_OpenID::ensureDir($this->association_dir) && Auth_OpenID::ensureDir($this->temp_dir)); } /** * Create a temporary file on the same filesystem as * $this->association_dir. * * The temporary directory should not be cleaned if there are any * processes using the store. If there is no active process using * the store, it is safe to remove all of the files in the * temporary directory. * * @return array ($fd, $filename) * @access private */ function _mktemp() { $name = Auth_OpenID_FileStore::_mkstemp($dir = $this->temp_dir); $file_obj = @fopen($name, 'wb'); if ($file_obj !== false) { return array($file_obj, $name); } else { Auth_OpenID_FileStore::_removeIfPresent($name); } } function cleanupNonces() { global $Auth_OpenID_SKEW; $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); $now = time(); $removed = 0; // Check all nonces for expiry foreach ($nonces as $nonce_fname) { $base = basename($nonce_fname); $parts = explode('-', $base, 2); $timestamp = $parts[0]; $timestamp = intval($timestamp, 16); if (abs($timestamp - $now) > $Auth_OpenID_SKEW) { Auth_OpenID_FileStore::_removeIfPresent($nonce_fname); $removed += 1; } } return $removed; } /** * Create a unique filename for a given server url and * handle. This implementation does not assume anything about the * format of the handle. The filename that is returned will * contain the domain name from the server URL for ease of human * inspection of the data directory. * * @return string $filename */ function getAssociationFilename($server_url, $handle) { if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return null; } if (strpos($server_url, '://') === false) { trigger_error(sprintf("Bad server URL: %s", $server_url), E_USER_WARNING); return null; } list($proto, $rest) = explode('://', $server_url, 2); $parts = explode('/', $rest); $domain = Auth_OpenID_FileStore::_filenameEscape($parts[0]); $url_hash = Auth_OpenID_FileStore::_safe64($server_url); if ($handle) { $handle_hash = Auth_OpenID_FileStore::_safe64($handle); } else { $handle_hash = ''; } $filename = sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash, $handle_hash); return $this->association_dir. DIRECTORY_SEPARATOR . $filename; } /** * Store an association in the association directory. */ function storeAssociation($server_url, $association) { if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return false; } $association_s = $association->serialize(); $filename = $this->getAssociationFilename($server_url, $association->handle); list($tmp_file, $tmp) = $this->_mktemp(); if (!$tmp_file) { trigger_error("_mktemp didn't return a valid file descriptor", E_USER_WARNING); return false; } fwrite($tmp_file, $association_s); fflush($tmp_file); fclose($tmp_file); if (@rename($tmp, $filename)) { return true; } else { // In case we are running on Windows, try unlinking the // file in case it exists. @unlink($filename); // Now the target should not exist. Try renaming again, // giving up if it fails. if (@rename($tmp, $filename)) { return true; } } // If there was an error, don't leave the temporary file // around. Auth_OpenID_FileStore::_removeIfPresent($tmp); return false; } /** * Retrieve an association. If no handle is specified, return the * association with the most recent issue time. * * @return mixed $association */ function getAssociation($server_url, $handle = null) { if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return null; } if ($handle === null) { $handle = ''; } // The filename with the empty handle is a prefix of all other // associations for the given server URL. $filename = $this->getAssociationFilename($server_url, $handle); if ($handle) { return $this->_getAssociation($filename); } else { $association_files = Auth_OpenID_FileStore::_listdir($this->association_dir); $matching_files = array(); // strip off the path to do the comparison $name = basename($filename); foreach ($association_files as $association_file) { $base = basename($association_file); if (strpos($base, $name) === 0) { $matching_files[] = $association_file; } } $matching_associations = array(); // read the matching files and sort by time issued foreach ($matching_files as $full_name) { $association = $this->_getAssociation($full_name); if ($association !== null) { $matching_associations[] = array($association->issued, $association); } } $issued = array(); $assocs = array(); foreach ($matching_associations as $key => $assoc) { $issued[$key] = $assoc[0]; $assocs[$key] = $assoc[1]; } array_multisort($issued, SORT_DESC, $assocs, SORT_DESC, $matching_associations); // return the most recently issued one. if ($matching_associations) { list($issued, $assoc) = $matching_associations[0]; return $assoc; } else { return null; } } } /** * @access private */ function _getAssociation($filename) { if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return null; } if (file_exists($filename) !== true) { return null; } $assoc_file = @fopen($filename, 'rb'); if ($assoc_file === false) { return null; } $filesize = filesize($filename); if ($filesize === false || $filesize <= 0) { return null; } $assoc_s = fread($assoc_file, $filesize); fclose($assoc_file); if (!$assoc_s) { return null; } $association = Auth_OpenID_Association::deserialize('Auth_OpenID_Association', $assoc_s); if (!$association) { Auth_OpenID_FileStore::_removeIfPresent($filename); return null; } if ($association->getExpiresIn() == 0) { Auth_OpenID_FileStore::_removeIfPresent($filename); return null; } else { return $association; } } /** * Remove an association if it exists. Do nothing if it does not. * * @return bool $success */ function removeAssociation($server_url, $handle) { if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return null; } $assoc = $this->getAssociation($server_url, $handle); if ($assoc === null) { return false; } else { $filename = $this->getAssociationFilename($server_url, $handle); return Auth_OpenID_FileStore::_removeIfPresent($filename); } } /** * Return whether this nonce is present. As a side effect, mark it * as no longer present. * * @return bool $present */ function useNonce($server_url, $timestamp, $salt) { global $Auth_OpenID_SKEW; if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return null; } if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { return false; } if ($server_url) { list($proto, $rest) = explode('://', $server_url, 2); } else { $proto = ''; $rest = ''; } $parts = explode('/', $rest, 2); $domain = $this->_filenameEscape($parts[0]); $url_hash = $this->_safe64($server_url); $salt_hash = $this->_safe64($salt); $filename = sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto, $domain, $url_hash, $salt_hash); $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $filename; $result = @fopen($filename, 'x'); if ($result === false) { return false; } else { fclose($result); return true; } } /** * Remove expired entries from the database. This is potentially * expensive, so only run when it is acceptable to take time. * * @access private */ function _allAssocs() { $all_associations = array(); $association_filenames = Auth_OpenID_FileStore::_listdir($this->association_dir); foreach ($association_filenames as $association_filename) { $association_file = fopen($association_filename, 'rb'); if ($association_file !== false) { $assoc_s = fread($association_file, filesize($association_filename)); fclose($association_file); // Remove expired or corrupted associations $association = Auth_OpenID_Association::deserialize( 'Auth_OpenID_Association', $assoc_s); if ($association === null) { Auth_OpenID_FileStore::_removeIfPresent( $association_filename); } else { if ($association->getExpiresIn() == 0) { $all_associations[] = array($association_filename, $association); } } } } return $all_associations; } function clean() { if (!$this->active) { trigger_error("FileStore no longer active", E_USER_ERROR); return null; } $nonces = Auth_OpenID_FileStore::_listdir($this->nonce_dir); $now = time(); // Check all nonces for expiry foreach ($nonces as $nonce) { if (!Auth_OpenID_checkTimestamp($nonce, $now)) { $filename = $this->nonce_dir . DIRECTORY_SEPARATOR . $nonce; Auth_OpenID_FileStore::_removeIfPresent($filename); } } foreach ($this->_allAssocs() as $pair) { list($assoc_filename, $assoc) = $pair; if ($assoc->getExpiresIn() == 0) { Auth_OpenID_FileStore::_removeIfPresent($assoc_filename); } } } /** * @access private */ function _rmtree($dir) { if ($dir[strlen($dir) - 1] != DIRECTORY_SEPARATOR) { $dir .= DIRECTORY_SEPARATOR; } if ($handle = opendir($dir)) { while (false !== ($item = readdir($handle))) { if (!in_array($item, array('.', '..'))) { if (is_dir($dir . $item)) { if (!Auth_OpenID_FileStore::_rmtree($dir . $item)) { return false; } } else if (is_file($dir . $item)) { if (!unlink($dir . $item)) { return false; } } } } closedir($handle); if (!@rmdir($dir)) { return false; } return true; } else { // Couldn't open directory. return false; } } /** * @access private */ function _mkstemp($dir) { foreach (range(0, 4) as $i) { $name = tempnam($dir, "php_openid_filestore_"); if ($name !== false) { return $name; } } return false; } /** * @access private */ static function _mkdtemp($dir) { foreach (range(0, 4) as $i) { $name = $dir . strval(DIRECTORY_SEPARATOR) . strval(getmypid()) . "-" . strval(rand(1, time())); if (!mkdir($name, 0700)) { return false; } else { return $name; } } return false; } /** * @access private */ function _listdir($dir) { $handle = opendir($dir); $files = array(); while (false !== ($filename = readdir($handle))) { if (!in_array($filename, array('.', '..'))) { $files[] = $dir . DIRECTORY_SEPARATOR . $filename; } } return $files; } /** * @access private */ function _isFilenameSafe($char) { $_Auth_OpenID_filename_allowed = Auth_OpenID_letters . Auth_OpenID_digits . "."; return (strpos($_Auth_OpenID_filename_allowed, $char) !== false); } /** * @access private */ function _safe64($str) { $h64 = base64_encode(Auth_OpenID_SHA1($str)); $h64 = str_replace('+', '_', $h64); $h64 = str_replace('/', '.', $h64); $h64 = str_replace('=', '', $h64); return $h64; } /** * @access private */ function _filenameEscape($str) { $filename = ""; $b = Auth_OpenID::toBytes($str); for ($i = 0; $i < count($b); $i++) { $c = $b[$i]; if (Auth_OpenID_FileStore::_isFilenameSafe($c)) { $filename .= $c; } else { $filename .= sprintf("_%02X", ord($c)); } } return $filename; } /** * Attempt to remove a file, returning whether the file existed at * the time of the call. * * @access private * @return bool $result True if the file was present, false if not. */ function _removeIfPresent($filename) { return @unlink($filename); } function cleanupAssociations() { $removed = 0; foreach ($this->_allAssocs() as $pair) { list($assoc_filename, $assoc) = $pair; if ($assoc->getExpiresIn() == 0) { $this->_removeIfPresent($assoc_filename); $removed += 1; } } return $removed; } } wordpress-openid-3.4.1/lib/Auth/OpenID/HMAC.php000077500000000000000000000055671265347743100210650ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ require_once 'Auth/OpenID.php'; /** * SHA1_BLOCKSIZE is this module's SHA1 blocksize used by the fallback * implementation. */ define('Auth_OpenID_SHA1_BLOCKSIZE', 64); function Auth_OpenID_SHA1($text) { if (function_exists('hash') && function_exists('hash_algos') && (in_array('sha1', hash_algos()))) { // PHP 5 case (sometimes): 'hash' available and 'sha1' algo // supported. return hash('sha1', $text, true); } else if (function_exists('sha1')) { // PHP 4 case: 'sha1' available. $hex = sha1($text); $raw = ''; for ($i = 0; $i < 40; $i += 2) { $hexcode = substr($hex, $i, 2); $charcode = (int)base_convert($hexcode, 16, 10); $raw .= chr($charcode); } return $raw; } else { // Explode. trigger_error('No SHA1 function found', E_USER_ERROR); } } /** * Compute an HMAC/SHA1 hash. * * @access private * @param string $key The HMAC key * @param string $text The message text to hash * @return string $mac The MAC */ function Auth_OpenID_HMACSHA1($key, $text) { if (Auth_OpenID::bytes($key) > Auth_OpenID_SHA1_BLOCKSIZE) { $key = Auth_OpenID_SHA1($key, true); } if (function_exists('hash_hmac') && function_exists('hash_algos') && (in_array('sha1', hash_algos()))) { return hash_hmac('sha1', $text, $key, true); } // Home-made solution $key = str_pad($key, Auth_OpenID_SHA1_BLOCKSIZE, chr(0x00)); $ipad = str_repeat(chr(0x36), Auth_OpenID_SHA1_BLOCKSIZE); $opad = str_repeat(chr(0x5c), Auth_OpenID_SHA1_BLOCKSIZE); $hash1 = Auth_OpenID_SHA1(($key ^ $ipad) . $text, true); $hmac = Auth_OpenID_SHA1(($key ^ $opad) . $hash1, true); return $hmac; } if (function_exists('hash') && function_exists('hash_algos') && (in_array('sha256', hash_algos()))) { function Auth_OpenID_SHA256($text) { // PHP 5 case: 'hash' available and 'sha256' algo supported. return hash('sha256', $text, true); } define('Auth_OpenID_SHA256_SUPPORTED', true); } else { define('Auth_OpenID_SHA256_SUPPORTED', false); } if (function_exists('hash_hmac') && function_exists('hash_algos') && (in_array('sha256', hash_algos()))) { function Auth_OpenID_HMACSHA256($key, $text) { // Return raw MAC (not hex string). return hash_hmac('sha256', $text, $key, true); } define('Auth_OpenID_HMACSHA256_SUPPORTED', true); } else { define('Auth_OpenID_HMACSHA256_SUPPORTED', false); } wordpress-openid-3.4.1/lib/Auth/OpenID/Interface.php000077500000000000000000000154261265347743100222500ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * This is the interface for the store objects the OpenID library * uses. It is a single class that provides all of the persistence * mechanisms that the OpenID library needs, for both servers and * consumers. If you want to create an SQL-driven store, please see * then {@link Auth_OpenID_SQLStore} class. * * Change: Version 2.0 removed the storeNonce, getAuthKey, and isDumb * methods, and changed the behavior of the useNonce method to support * one-way nonces. * * @package OpenID * @author JanRain, Inc. */ class Auth_OpenID_OpenIDStore { /** * This method puts an Association object into storage, * retrievable by server URL and handle. * * @param string $server_url The URL of the identity server that * this association is with. Because of the way the server portion * of the library uses this interface, don't assume there are any * limitations on the character set of the input string. In * particular, expect to see unescaped non-url-safe characters in * the server_url field. * * @param Association $association The Association to store. */ function storeAssociation($server_url, $association) { trigger_error("Auth_OpenID_OpenIDStore::storeAssociation ". "not implemented", E_USER_ERROR); } /* * Remove expired nonces from the store. * * Discards any nonce from storage that is old enough that its * timestamp would not pass useNonce(). * * This method is not called in the normal operation of the * library. It provides a way for store admins to keep their * storage from filling up with expired data. * * @return the number of nonces expired */ function cleanupNonces() { trigger_error("Auth_OpenID_OpenIDStore::cleanupNonces ". "not implemented", E_USER_ERROR); } /* * Remove expired associations from the store. * * This method is not called in the normal operation of the * library. It provides a way for store admins to keep their * storage from filling up with expired data. * * @return the number of associations expired. */ function cleanupAssociations() { trigger_error("Auth_OpenID_OpenIDStore::cleanupAssociations ". "not implemented", E_USER_ERROR); } /* * Shortcut for cleanupNonces(), cleanupAssociations(). * * This method is not called in the normal operation of the * library. It provides a way for store admins to keep their * storage from filling up with expired data. */ function cleanup() { return array($this->cleanupNonces(), $this->cleanupAssociations()); } /** * Report whether this storage supports cleanup */ function supportsCleanup() { return true; } /** * This method returns an Association object from storage that * matches the server URL and, if specified, handle. It returns * null if no such association is found or if the matching * association is expired. * * If no handle is specified, the store may return any association * which matches the server URL. If multiple associations are * valid, the recommended return value for this method is the one * most recently issued. * * This method is allowed (and encouraged) to garbage collect * expired associations when found. This method must not return * expired associations. * * @param string $server_url The URL of the identity server to get * the association for. Because of the way the server portion of * the library uses this interface, don't assume there are any * limitations on the character set of the input string. In * particular, expect to see unescaped non-url-safe characters in * the server_url field. * * @param mixed $handle This optional parameter is the handle of * the specific association to get. If no specific handle is * provided, any valid association matching the server URL is * returned. * * @return Association The Association for the given identity * server. */ function getAssociation($server_url, $handle = null) { trigger_error("Auth_OpenID_OpenIDStore::getAssociation ". "not implemented", E_USER_ERROR); } /** * This method removes the matching association if it's found, and * returns whether the association was removed or not. * * @param string $server_url The URL of the identity server the * association to remove belongs to. Because of the way the server * portion of the library uses this interface, don't assume there * are any limitations on the character set of the input * string. In particular, expect to see unescaped non-url-safe * characters in the server_url field. * * @param string $handle This is the handle of the association to * remove. If there isn't an association found that matches both * the given URL and handle, then there was no matching handle * found. * * @return mixed Returns whether or not the given association existed. */ function removeAssociation($server_url, $handle) { trigger_error("Auth_OpenID_OpenIDStore::removeAssociation ". "not implemented", E_USER_ERROR); } /** * Called when using a nonce. * * This method should return C{True} if the nonce has not been * used before, and store it for a while to make sure nobody * tries to use the same value again. If the nonce has already * been used, return C{False}. * * Change: In earlier versions, round-trip nonces were used and a * nonce was only valid if it had been previously stored with * storeNonce. Version 2.0 uses one-way nonces, requiring a * different implementation here that does not depend on a * storeNonce call. (storeNonce is no longer part of the * interface. * * @param string $nonce The nonce to use. * * @return bool Whether or not the nonce was valid. */ function useNonce($server_url, $timestamp, $salt) { trigger_error("Auth_OpenID_OpenIDStore::useNonce ". "not implemented", E_USER_ERROR); } /** * Removes all entries from the store; implementation is optional. */ function reset() { } } wordpress-openid-3.4.1/lib/Auth/OpenID/KVForm.php000077500000000000000000000047351265347743100215150ustar00rootroot00000000000000 * @copyright 2005-2008 Janrain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache */ /** * Container for key-value/comma-newline OpenID format and parsing */ class Auth_OpenID_KVForm { /** * Convert an OpenID colon/newline separated string into an * associative array * * @static * @access private */ static function toArray($kvs, $strict=false) { $lines = explode("\n", $kvs); $last = array_pop($lines); if ($last !== '') { array_push($lines, $last); if ($strict) { return false; } } $values = array(); for ($lineno = 0; $lineno < count($lines); $lineno++) { $line = $lines[$lineno]; $kv = explode(':', $line, 2); if (count($kv) != 2) { if ($strict) { return false; } continue; } $key = $kv[0]; $tkey = trim($key); if ($tkey != $key) { if ($strict) { return false; } } $value = $kv[1]; $tval = trim($value); if ($tval != $value) { if ($strict) { return false; } } $values[$tkey] = $tval; } return $values; } /** * Convert an array into an OpenID colon/newline separated string * * @static * @access private */ static function fromArray($values) { if ($values === null) { return null; } ksort($values); $serialized = ''; foreach ($values as $key => $value) { if (is_array($value)) { list($key, $value) = array($value[0], $value[1]); } if (strpos($key, ':') !== false) { return null; } if (strpos($key, "\n") !== false) { return null; } if (strpos($value, "\n") !== false) { return null; } $serialized .= "$key:$value\n"; } return $serialized; } } wordpress-openid-3.4.1/lib/Auth/OpenID/MDB2Store.php000077500000000000000000000335741265347743100220550ustar00rootroot00000000000000 * @copyright 2005 Janrain, Inc. * @license http://www.gnu.org/copyleft/lesser.html LGPL */ require_once 'MDB2.php'; /** * @access private */ require_once 'Auth/OpenID/Interface.php'; /** * @access private */ require_once 'Auth/OpenID.php'; /** * @access private */ require_once 'Auth/OpenID/Nonce.php'; /** * This store uses a PEAR::MDB2 connection to store persistence * information. * * The table names used are determined by the class variables * associations_table_name and nonces_table_name. To change the name * of the tables used, pass new table names into the constructor. * * To create the tables with the proper schema, see the createTables * method. * * @package OpenID */ class Auth_OpenID_MDB2Store extends Auth_OpenID_OpenIDStore { /** * This creates a new MDB2Store instance. It requires an * established database connection be given to it, and it allows * overriding the default table names. * * @param connection $connection This must be an established * connection to a database of the correct type for the SQLStore * subclass you're using. This must be a PEAR::MDB2 connection * handle. * * @param associations_table: This is an optional parameter to * specify the name of the table used for storing associations. * The default value is 'oid_associations'. * * @param nonces_table: This is an optional parameter to specify * the name of the table used for storing nonces. The default * value is 'oid_nonces'. */ function Auth_OpenID_MDB2Store($connection, $associations_table = null, $nonces_table = null) { $this->associations_table_name = "oid_associations"; $this->nonces_table_name = "oid_nonces"; // Check the connection object type to be sure it's a PEAR // database connection. if (!is_object($connection) || !is_subclass_of($connection, 'mdb2_driver_common')) { trigger_error("Auth_OpenID_MDB2Store expected PEAR connection " . "object (got ".get_class($connection).")", E_USER_ERROR); return; } $this->connection = $connection; // Be sure to set the fetch mode so the results are keyed on // column name instead of column index. $this->connection->setFetchMode(MDB2_FETCHMODE_ASSOC); if (@PEAR::isError($this->connection->loadModule('Extended'))) { trigger_error("Unable to load MDB2_Extended module", E_USER_ERROR); return; } if ($associations_table) { $this->associations_table_name = $associations_table; } if ($nonces_table) { $this->nonces_table_name = $nonces_table; } $this->max_nonce_age = 6 * 60 * 60; } function tableExists($table_name) { return !@PEAR::isError($this->connection->query( sprintf("SELECT * FROM %s LIMIT 0", $table_name))); } function createTables() { $n = $this->create_nonce_table(); $a = $this->create_assoc_table(); if (!$n || !$a) { return false; } return true; } function create_nonce_table() { if (!$this->tableExists($this->nonces_table_name)) { switch ($this->connection->phptype) { case "mysql": case "mysqli": // Custom SQL for MySQL to use InnoDB and variable- // length keys $r = $this->connection->exec( sprintf("CREATE TABLE %s (\n". " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n". " timestamp INTEGER NOT NULL,\n". " salt CHAR(40) NOT NULL,\n". " UNIQUE (server_url(255), timestamp, salt)\n". ") TYPE=InnoDB", $this->nonces_table_name)); if (@PEAR::isError($r)) { return false; } break; default: if (@PEAR::isError( $this->connection->loadModule('Manager'))) { return false; } $fields = array( "server_url" => array( "type" => "text", "length" => 2047, "notnull" => true ), "timestamp" => array( "type" => "integer", "notnull" => true ), "salt" => array( "type" => "text", "length" => 40, "fixed" => true, "notnull" => true ) ); $constraint = array( "unique" => 1, "fields" => array( "server_url" => true, "timestamp" => true, "salt" => true ) ); $r = $this->connection->createTable($this->nonces_table_name, $fields); if (@PEAR::isError($r)) { return false; } $r = $this->connection->createConstraint( $this->nonces_table_name, $this->nonces_table_name . "_constraint", $constraint); if (@PEAR::isError($r)) { return false; } break; } } return true; } function create_assoc_table() { if (!$this->tableExists($this->associations_table_name)) { switch ($this->connection->phptype) { case "mysql": case "mysqli": // Custom SQL for MySQL to use InnoDB and variable- // length keys $r = $this->connection->exec( sprintf("CREATE TABLE %s(\n". " server_url VARCHAR(2047) NOT NULL DEFAULT '',\n". " handle VARCHAR(255) NOT NULL,\n". " secret BLOB NOT NULL,\n". " issued INTEGER NOT NULL,\n". " lifetime INTEGER NOT NULL,\n". " assoc_type VARCHAR(64) NOT NULL,\n". " PRIMARY KEY (server_url(255), handle)\n". ") TYPE=InnoDB", $this->associations_table_name)); if (@PEAR::isError($r)) { return false; } break; default: if (@PEAR::isError( $this->connection->loadModule('Manager'))) { return false; } $fields = array( "server_url" => array( "type" => "text", "length" => 2047, "notnull" => true ), "handle" => array( "type" => "text", "length" => 255, "notnull" => true ), "secret" => array( "type" => "blob", "length" => "255", "notnull" => true ), "issued" => array( "type" => "integer", "notnull" => true ), "lifetime" => array( "type" => "integer", "notnull" => true ), "assoc_type" => array( "type" => "text", "length" => 64, "notnull" => true ) ); $options = array( "primary" => array( "server_url" => true, "handle" => true ) ); $r = $this->connection->createTable( $this->associations_table_name, $fields, $options); if (@PEAR::isError($r)) { return false; } break; } } return true; } function storeAssociation($server_url, $association) { $fields = array( "server_url" => array( "value" => $server_url, "key" => true ), "handle" => array( "value" => $association->handle, "key" => true ), "secret" => array( "value" => $association->secret, "type" => "blob" ), "issued" => array( "value" => $association->issued ), "lifetime" => array( "value" => $association->lifetime ), "assoc_type" => array( "value" => $association->assoc_type ) ); return !@PEAR::isError($this->connection->replace( $this->associations_table_name, $fields)); } function cleanupNonces() { global $Auth_OpenID_SKEW; $v = time() - $Auth_OpenID_SKEW; return $this->connection->exec( sprintf("DELETE FROM %s WHERE timestamp < %d", $this->nonces_table_name, $v)); } function cleanupAssociations() { return $this->connection->exec( sprintf("DELETE FROM %s WHERE issued + lifetime < %d", $this->associations_table_name, time())); } function getAssociation($server_url, $handle = null) { $sql = ""; $params = null; $types = array( "text", "blob", "integer", "integer", "text" ); if ($handle !== null) { $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " . "FROM %s WHERE server_url = ? AND handle = ?", $this->associations_table_name); $params = array($server_url, $handle); } else { $sql = sprintf("SELECT handle, secret, issued, lifetime, assoc_type " . "FROM %s WHERE server_url = ? ORDER BY issued DESC", $this->associations_table_name); $params = array($server_url); } $assoc = $this->connection->getRow($sql, $types, $params); if (!$assoc || @PEAR::isError($assoc)) { return null; } else { $association = new Auth_OpenID_Association($assoc['handle'], stream_get_contents( $assoc['secret']), $assoc['issued'], $assoc['lifetime'], $assoc['assoc_type']); fclose($assoc['secret']); return $association; } } function removeAssociation($server_url, $handle) { $r = $this->connection->execParam( sprintf("DELETE FROM %s WHERE server_url = ? AND handle = ?", $this->associations_table_name), array($server_url, $handle)); if (@PEAR::isError($r) || $r == 0) { return false; } return true; } function useNonce($server_url, $timestamp, $salt) { global $Auth_OpenID_SKEW; if (abs($timestamp - time()) > $Auth_OpenID_SKEW ) { return false; } $fields = array( "timestamp" => $timestamp, "salt" => $salt ); if (!empty($server_url)) { $fields["server_url"] = $server_url; } $r = $this->connection->autoExecute( $this->nonces_table_name, $fields, MDB2_AUTOQUERY_INSERT); if (@PEAR::isError($r)) { return false; } return true; } /** * Resets the store by removing all records from the store's * tables. */ function reset() { $this->connection->query(sprintf("DELETE FROM %s", $this->associations_table_name)); $this->connection->query(sprintf("DELETE FROM %s", $this->nonces_table_name)); } } ?> wordpress-openid-3.4.1/lib/Auth/OpenID/MemcachedStore.php000077500000000000000000000146071265347743100232330ustar00rootroot00000000000000 * @copyright 2008 JanRain, Inc. * @license http://www.apache.org/licenses/LICENSE-2.0 Apache * Contributed by Open Web Technologies */ /** * Import the interface for creating a new store class. */ require_once 'Auth/OpenID/Interface.php'; /** * This is a memcached-based store for OpenID associations and * nonces. * * As memcache has limit of 250 chars for key length, * server_url, handle and salt are hashed with sha1(). * * Most of the methods of this class are implementation details. * People wishing to just use this store need only pay attention to * the constructor. * * @package OpenID */ class Auth_OpenID_MemcachedStore extends Auth_OpenID_OpenIDStore { /** * Initializes a new {@link Auth_OpenID_MemcachedStore} instance. * Just saves memcached object as property. * * @param resource connection Memcache connection resourse */ function Auth_OpenID_MemcachedStore($connection, $compress = false) { $this->connection = $connection; $this->compress = $compress ? MEMCACHE_COMPRESSED : 0; } /** * Store association until its expiration time in memcached. * Overwrites any existing association with same server_url and * handle. Handles list of associations for every server. */ function storeAssociation($server_url, $association) { // create memcached keys for association itself // and list of associations for this server $associationKey = $this->associationKey($server_url, $association->handle); $serverKey = $this->associationServerKey($server_url); // get list of associations $serverAssociations = $this->connection->get($serverKey); // if no such list, initialize it with empty array if (!$serverAssociations) { $serverAssociations = array(); } // and store given association key in it $serverAssociations[$association->issued] = $associationKey; // save associations' keys list $this->connection->set( $serverKey, $serverAssociations, $this->compress ); // save association itself $this->connection->set( $associationKey, $association, $this->compress, $association->issued + $association->lifetime); } /** * Read association from memcached. If no handle given * and multiple associations found, returns latest issued */ function getAssociation($server_url, $handle = null) { // simple case: handle given if ($handle !== null) { // get association, return null if failed $association = $this->connection->get( $this->associationKey($server_url, $handle)); return $association ? $association : null; } // no handle given, working with list // create key for list of associations $serverKey = $this->associationServerKey($server_url); // get list of associations $serverAssociations = $this->connection->get($serverKey); // return null if failed or got empty list if (!$serverAssociations) { return null; } // get key of most recently issued association $keys = array_keys($serverAssociations); sort($keys); $lastKey = $serverAssociations[array_pop($keys)]; // get association, return null if failed $association = $this->connection->get($lastKey); return $association ? $association : null; } /** * Immediately delete association from memcache. */ function removeAssociation($server_url, $handle) { // create memcached keys for association itself // and list of associations for this server $serverKey = $this->associationServerKey($server_url); $associationKey = $this->associationKey($server_url, $handle); // get list of associations $serverAssociations = $this->connection->get($serverKey); // return null if failed or got empty list if (!$serverAssociations) { return false; } // ensure that given association key exists in list $serverAssociations = array_flip($serverAssociations); if (!array_key_exists($associationKey, $serverAssociations)) { return false; } // remove given association key from list unset($serverAssociations[$associationKey]); $serverAssociations = array_flip($serverAssociations); // save updated list $this->connection->set( $serverKey, $serverAssociations, $this->compress ); // delete association return $this->connection->delete($associationKey); } /** * Create nonce for server and salt, expiring after * $Auth_OpenID_SKEW seconds. */ function useNonce($server_url, $timestamp, $salt) { global $Auth_OpenID_SKEW; // save one request to memcache when nonce obviously expired if (abs($timestamp - time()) > $Auth_OpenID_SKEW) { return false; } // returns false when nonce already exists // otherwise adds nonce return $this->connection->add( 'openid_nonce_' . sha1($server_url) . '_' . sha1($salt), 1, // any value here $this->compress, $Auth_OpenID_SKEW); } /** * Memcache key is prefixed with 'openid_association_' string. */ function associationKey($server_url, $handle = null) { return 'openid_association_' . sha1($server_url) . '_' . sha1($handle); } /** * Memcache key is prefixed with 'openid_association_' string. */ function associationServerKey($server_url) { return 'openid_association_server_' . sha1($server_url); } /** * Report that this storage doesn't support cleanup */ function supportsCleanup() { return false; } } wordpress-openid-3.4.1/lib/Auth/OpenID/Message.php000077500000000000000000000637131265347743100217360ustar00rootroot00000000000000keys = array(); $this->values = array(); if (is_array($classic_array)) { foreach ($classic_array as $key => $value) { $this->set($key, $value); } } } /** * Returns true if $thing is an Auth_OpenID_Mapping object; false * if not. */ static function isA($thing) { return (is_object($thing) && strtolower(get_class($thing)) == 'auth_openid_mapping'); } /** * Returns an array of the keys in the mapping. */ function keys() { return $this->keys; } /** * Returns an array of values in the mapping. */ function values() { return $this->values; } /** * Returns an array of (key, value) pairs in the mapping. */ function items() { $temp = array(); for ($i = 0; $i < count($this->keys); $i++) { $temp[] = array($this->keys[$i], $this->values[$i]); } return $temp; } /** * Returns the "length" of the mapping, or the number of keys. */ function len() { return count($this->keys); } /** * Sets a key-value pair in the mapping. If the key already * exists, its value is replaced with the new value. */ function set($key, $value) { $index = array_search($key, $this->keys); if ($index !== false) { $this->values[$index] = $value; } else { $this->keys[] = $key; $this->values[] = $value; } } /** * Gets a specified value from the mapping, associated with the * specified key. If the key does not exist in the mapping, * $default is returned instead. */ function get($key, $default = null) { $index = array_search($key, $this->keys); if ($index !== false) { return $this->values[$index]; } else { return $default; } } /** * @access private */ function _reflow() { // PHP is broken yet again. Sort the arrays to remove the // hole in the numeric indexes that make up the array. $old_keys = $this->keys; $old_values = $this->values; $this->keys = array(); $this->values = array(); foreach ($old_keys as $k) { $this->keys[] = $k; } foreach ($old_values as $v) { $this->values[] = $v; } } /** * Deletes a key-value pair from the mapping with the specified * key. */ function del($key) { $index = array_search($key, $this->keys); if ($index !== false) { unset($this->keys[$index]); unset($this->values[$index]); $this->_reflow(); return true; } return false; } /** * Returns true if the specified value has a key in the mapping; * false if not. */ function contains($value) { return (array_search($value, $this->keys) !== false); } } /** * Maintains a bijective map between namespace uris and aliases. * * @package OpenID */ class Auth_OpenID_NamespaceMap { function Auth_OpenID_NamespaceMap() { $this->alias_to_namespace = new Auth_OpenID_Mapping(); $this->namespace_to_alias = new Auth_OpenID_Mapping(); $this->implicit_namespaces = array(); } function getAlias($namespace_uri) { return $this->namespace_to_alias->get($namespace_uri); } function getNamespaceURI($alias) { return $this->alias_to_namespace->get($alias); } function iterNamespaceURIs() { // Return an iterator over the namespace URIs return $this->namespace_to_alias->keys(); } function iterAliases() { // Return an iterator over the aliases""" return $this->alias_to_namespace->keys(); } function iteritems() { return $this->namespace_to_alias->items(); } function isImplicit($namespace_uri) { return in_array($namespace_uri, $this->implicit_namespaces); } function addAlias($namespace_uri, $desired_alias, $implicit=false) { // Add an alias from this namespace URI to the desired alias global $Auth_OpenID_OPENID_PROTOCOL_FIELDS; // Check that desired_alias is not an openid protocol field as // per the spec. if (in_array($desired_alias, $Auth_OpenID_OPENID_PROTOCOL_FIELDS)) { Auth_OpenID::log("\"%s\" is not an allowed namespace alias", $desired_alias); return null; } // Check that desired_alias does not contain a period as per // the spec. if (strpos($desired_alias, '.') !== false) { Auth_OpenID::log('"%s" must not contain a dot', $desired_alias); return null; } // Check that there is not a namespace already defined for the // desired alias $current_namespace_uri = $this->alias_to_namespace->get($desired_alias); if (($current_namespace_uri !== null) && ($current_namespace_uri != $namespace_uri)) { Auth_OpenID::log('Cannot map "%s" because previous mapping exists', $namespace_uri); return null; } // Check that there is not already a (different) alias for // this namespace URI $alias = $this->namespace_to_alias->get($namespace_uri); if (($alias !== null) && ($alias != $desired_alias)) { Auth_OpenID::log('Cannot map %s to alias %s. ' . 'It is already mapped to alias %s', $namespace_uri, $desired_alias, $alias); return null; } assert((Auth_OpenID_NULL_NAMESPACE === $desired_alias) || is_string($desired_alias)); $this->alias_to_namespace->set($desired_alias, $namespace_uri); $this->namespace_to_alias->set($namespace_uri, $desired_alias); if ($implicit) { array_push($this->implicit_namespaces, $namespace_uri); } return $desired_alias; } function add($namespace_uri) { // Add this namespace URI to the mapping, without caring what // alias it ends up with // See if this namespace is already mapped to an alias $alias = $this->namespace_to_alias->get($namespace_uri); if ($alias !== null) { return $alias; } // Fall back to generating a numerical alias $i = 0; while (1) { $alias = 'ext' . strval($i); if ($this->addAlias($namespace_uri, $alias) === null) { $i += 1; } else { return $alias; } } // Should NEVER be reached! return null; } function contains($namespace_uri) { return $this->isDefined($namespace_uri); } function isDefined($namespace_uri) { return $this->namespace_to_alias->contains($namespace_uri); } } /** * In the implementation of this object, null represents the global * namespace as well as a namespace with no key. * * @package OpenID */ class Auth_OpenID_Message { function Auth_OpenID_Message($openid_namespace = null) { // Create an empty Message $this->allowed_openid_namespaces = array( Auth_OpenID_OPENID1_NS, Auth_OpenID_THE_OTHER_OPENID1_NS, Auth_OpenID_OPENID2_NS); $this->args = new Auth_OpenID_Mapping(); $this->namespaces = new Auth_OpenID_NamespaceMap(); if ($openid_namespace === null) { $this->_openid_ns_uri = null; } else { $implicit = Auth_OpenID_isOpenID1($openid_namespace); $this->setOpenIDNamespace($openid_namespace, $implicit); } } function isOpenID1() { return Auth_OpenID_isOpenID1($this->getOpenIDNamespace()); } function isOpenID2() { return $this->getOpenIDNamespace() == Auth_OpenID_OPENID2_NS; } static function fromPostArgs($args) { // Construct a Message containing a set of POST arguments $obj = new Auth_OpenID_Message(); // Partition into "openid." args and bare args $openid_args = array(); foreach ($args as $key => $value) { if (is_array($value)) { return null; } $parts = explode('.', $key, 2); if (count($parts) == 2) { list($prefix, $rest) = $parts; } else { $prefix = null; } if ($prefix != 'openid') { $obj->args->set(array(Auth_OpenID_BARE_NS, $key), $value); } else { $openid_args[$rest] = $value; } } if ($obj->_fromOpenIDArgs($openid_args)) { return $obj; } else { return null; } } static function fromOpenIDArgs($openid_args) { // Takes an array. // Construct a Message from a parsed KVForm message $obj = new Auth_OpenID_Message(); if ($obj->_fromOpenIDArgs($openid_args)) { return $obj; } else { return null; } } /** * @access private */ function _fromOpenIDArgs($openid_args) { global $Auth_OpenID_registered_aliases; // Takes an Auth_OpenID_Mapping instance OR an array. if (!Auth_OpenID_Mapping::isA($openid_args)) { $openid_args = new Auth_OpenID_Mapping($openid_args); } $ns_args = array(); // Resolve namespaces foreach ($openid_args->items() as $pair) { list($rest, $value) = $pair; $parts = explode('.', $rest, 2); if (count($parts) == 2) { list($ns_alias, $ns_key) = $parts; } else { $ns_alias = Auth_OpenID_NULL_NAMESPACE; $ns_key = $rest; } if ($ns_alias == 'ns') { if ($this->namespaces->addAlias($value, $ns_key) === null) { return false; } } else if (($ns_alias == Auth_OpenID_NULL_NAMESPACE) && ($ns_key == 'ns')) { // null namespace if ($this->setOpenIDNamespace($value, false) === false) { return false; } } else { $ns_args[] = array($ns_alias, $ns_key, $value); } } if (!$this->getOpenIDNamespace()) { if ($this->setOpenIDNamespace(Auth_OpenID_OPENID1_NS, true) === false) { return false; } } // Actually put the pairs into the appropriate namespaces foreach ($ns_args as $triple) { list($ns_alias, $ns_key, $value) = $triple; $ns_uri = $this->namespaces->getNamespaceURI($ns_alias); if ($ns_uri === null) { $ns_uri = $this->_getDefaultNamespace($ns_alias); if ($ns_uri === null) { $ns_uri = Auth_OpenID_OPENID_NS; $ns_key = sprintf('%s.%s', $ns_alias, $ns_key); } else { $this->namespaces->addAlias($ns_uri, $ns_alias, true); } } $this->setArg($ns_uri, $ns_key, $value); } return true; } function _getDefaultNamespace($mystery_alias) { global $Auth_OpenID_registered_aliases; if ($this->isOpenID1()) { return @$Auth_OpenID_registered_aliases[$mystery_alias]; } return null; } function setOpenIDNamespace($openid_ns_uri, $implicit) { if (!in_array($openid_ns_uri, $this->allowed_openid_namespaces)) { Auth_OpenID::log('Invalid null namespace: "%s"', $openid_ns_uri); return false; } $succeeded = $this->namespaces->addAlias($openid_ns_uri, Auth_OpenID_NULL_NAMESPACE, $implicit); if ($succeeded === false) { return false; } $this->_openid_ns_uri = $openid_ns_uri; return true; } function getOpenIDNamespace() { return $this->_openid_ns_uri; } static function fromKVForm($kvform_string) { // Create a Message from a KVForm string return Auth_OpenID_Message::fromOpenIDArgs( Auth_OpenID_KVForm::toArray($kvform_string)); } function copy() { return $this; } function toPostArgs() { // Return all arguments with openid. in front of namespaced // arguments. $args = array(); // Add namespace definitions to the output foreach ($this->namespaces->iteritems() as $pair) { list($ns_uri, $alias) = $pair; if ($this->namespaces->isImplicit($ns_uri)) { continue; } if ($alias == Auth_OpenID_NULL_NAMESPACE) { $ns_key = 'openid.ns'; } else { $ns_key = 'openid.ns.' . $alias; } $args[$ns_key] = $ns_uri; } foreach ($this->args->items() as $pair) { list($ns_parts, $value) = $pair; list($ns_uri, $ns_key) = $ns_parts; $key = $this->getKey($ns_uri, $ns_key); $args[$key] = $value; } return $args; } function toArgs() { // Return all namespaced arguments, failing if any // non-namespaced arguments exist. $post_args = $this->toPostArgs(); $kvargs = array(); foreach ($post_args as $k => $v) { if (strpos($k, 'openid.') !== 0) { // raise ValueError( // 'This message can only be encoded as a POST, because it ' // 'contains arguments that are not prefixed with "openid."') return null; } else { $kvargs[substr($k, 7)] = $v; } } return $kvargs; } function toFormMarkup($action_url, $form_tag_attrs = null, $submit_text = "Continue") { $form = "
$attr) { $form .= sprintf(" %s=\"%s\"", $name, htmlspecialchars($attr)); } } $form .= ">\n"; foreach ($this->toPostArgs() as $name => $value) { $form .= sprintf( "\n", htmlspecialchars($name), htmlspecialchars($value)); } $form .= sprintf("\n", htmlspecialchars($submit_text)); $form .= "
\n"; return $form; } function toURL($base_url) { // Generate a GET URL with the parameters in this message // attached as query parameters. return Auth_OpenID::appendArgs($base_url, $this->toPostArgs()); } function toKVForm() { // Generate a KVForm string that contains the parameters in // this message. This will fail if the message contains // arguments outside of the 'openid.' prefix. return Auth_OpenID_KVForm::fromArray($this->toArgs()); } function toURLEncoded() { // Generate an x-www-urlencoded string $args = array(); foreach ($this->toPostArgs() as $k => $v) { $args[] = array($k, $v); } sort($args); return Auth_OpenID::httpBuildQuery($args); } /** * @access private */ function _fixNS($namespace) { // Convert an input value into the internally used values of // this object if ($namespace == Auth_OpenID_OPENID_NS) { if ($this->_openid_ns_uri === null) { return new Auth_OpenID_FailureResponse(null, 'OpenID namespace not set'); } else { $namespace = $this->_openid_ns_uri; } } if (($namespace != Auth_OpenID_BARE_NS) && (!is_string($namespace))) { //TypeError $err_msg = sprintf("Namespace must be Auth_OpenID_BARE_NS, ". "Auth_OpenID_OPENID_NS or a string. got %s", print_r($namespace, true)); return new Auth_OpenID_FailureResponse(null, $err_msg); } if (($namespace != Auth_OpenID_BARE_NS) && (strpos($namespace, ':') === false)) { // fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r' // warnings.warn(fmt % (namespace,), DeprecationWarning) if ($namespace == 'sreg') { // fmt = 'Using %r instead of "sreg" as namespace' // warnings.warn(fmt % (SREG_URI,), DeprecationWarning,) return Auth_OpenID_SREG_URI; } } return $namespace; } function hasKey($namespace, $ns_key) { $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { // XXX log me return false; } else { return $this->args->contains(array($namespace, $ns_key)); } } function getKey($namespace, $ns_key) { // Get the key for a particular namespaced argument $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { return $namespace; } if ($namespace == Auth_OpenID_BARE_NS) { return $ns_key; } $ns_alias = $this->namespaces->getAlias($namespace); // No alias is defined, so no key can exist if ($ns_alias === null) { return null; } if ($ns_alias == Auth_OpenID_NULL_NAMESPACE) { $tail = $ns_key; } else { $tail = sprintf('%s.%s', $ns_alias, $ns_key); } return 'openid.' . $tail; } function getArg($namespace, $key, $default = null) { // Get a value for a namespaced key. $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { return $namespace; } else { if ((!$this->args->contains(array($namespace, $key))) && ($default == Auth_OpenID_NO_DEFAULT)) { $err_msg = sprintf("Namespace %s missing required field %s", $namespace, $key); return new Auth_OpenID_FailureResponse(null, $err_msg); } else { return $this->args->get(array($namespace, $key), $default); } } } function getArgs($namespace) { // Get the arguments that are defined for this namespace URI $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { return $namespace; } else { $stuff = array(); foreach ($this->args->items() as $pair) { list($key, $value) = $pair; list($pair_ns, $ns_key) = $key; if ($pair_ns == $namespace) { $stuff[$ns_key] = $value; } } return $stuff; } } function updateArgs($namespace, $updates) { // Set multiple key/value pairs in one call $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { return $namespace; } else { foreach ($updates as $k => $v) { $this->setArg($namespace, $k, $v); } return true; } } function setArg($namespace, $key, $value) { // Set a single argument in this namespace $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { return $namespace; } else { $this->args->set(array($namespace, $key), $value); if ($namespace !== Auth_OpenID_BARE_NS) { $this->namespaces->add($namespace); } return true; } } function delArg($namespace, $key) { $namespace = $this->_fixNS($namespace); if (Auth_OpenID::isFailure($namespace)) { return $namespace; } else { return $this->args->del(array($namespace, $key)); } } function getAliasedArg($aliased_key, $default = null) { if ($aliased_key == 'ns') { // Return the namespace URI for the OpenID namespace return $this->getOpenIDNamespace(); } $parts = explode('.', $aliased_key, 2); if (count($parts) != 2) { $ns = null; } else { list($alias, $key) = $parts; if ($alias == 'ns') { // Return the namespace URI for a namespace alias // parameter. return $this->namespaces->getNamespaceURI($key); } else { $ns = $this->namespaces->getNamespaceURI($alias); } } if ($ns === null) { $key = $aliased_key; $ns = $this->getOpenIDNamespace(); } return $this->getArg($ns, $key, $default); } } wordpress-openid-3.4.1/lib/Auth/OpenID/MySQLStore.php000077500000000000000000000040701265347743100223230ustar00rootroot00000000000000sql['nonce_table'] = "CREATE TABLE %s (\n". " server_url VARCHAR(2047) NOT NULL,\n". " timestamp INTEGER NOT NULL,\n". " salt CHAR(40) NOT NULL,\n". " UNIQUE (server_url(255), timestamp, salt)\n". ") ENGINE=InnoDB"; $this->sql['assoc_table'] = "CREATE TABLE %s (\n". " server_url VARCHAR(2047) NOT NULL,\n". " handle VARCHAR(255) NOT NULL,\n". " secret BLOB NOT NULL,\n". " issued INTEGER NOT NULL,\n". " lifetime INTEGER NOT NULL,\n". " assoc_type VARCHAR(64) NOT NULL,\n". " PRIMARY KEY (server_url(255), handle)\n". ") ENGINE=InnoDB"; $this->sql['set_assoc'] = "REPLACE INTO %s (server_url, handle, secret, issued,\n". " lifetime, assoc_type) VALUES (?, ?, !, ?, ?, ?)"; $this->sql['get_assocs'] = "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". "WHERE server_url = ?"; $this->sql['get_assoc'] = "SELECT handle, secret, issued, lifetime, assoc_type FROM %s ". "WHERE server_url = ? AND handle = ?"; $this->sql['remove_assoc'] = "DELETE FROM %s WHERE server_url = ? AND handle = ?"; $this->sql['add_nonce'] = "INSERT INTO %s (server_url, timestamp, salt) VALUES (?, ?, ?)"; $this->sql['clean_nonce'] = "DELETE FROM %s WHERE timestamp < ?"; $this->sql['clean_assoc'] = "DELETE FROM %s WHERE issued + lifetime < ?"; } /** * @access private */ function blobEncode($blob) { return "0x" . bin2hex($blob); } } wordpress-openid-3.4.1/lib/Auth/OpenID/Nonce.php000077500000000000000000000054751265347743100214150ustar00rootroot00000000000000preferred_auth_policies = $preferred_auth_policies; $this->max_auth_age = $max_auth_age; } /** * Add an acceptable authentication policy URI to this request * * This method is intended to be used by the relying party to add * acceptable authentication types to the request. * * policy_uri: The identifier for the preferred type of * authentication. */ function addPolicyURI($policy_uri) { if (!in_array($policy_uri, $this->preferred_auth_policies)) { $this->preferred_auth_policies[] = $policy_uri; } } function getExtensionArgs() { $ns_args = array( 'preferred_auth_policies' => implode(' ', $this->preferred_auth_policies) ); if ($this->max_auth_age !== null) { $ns_args['max_auth_age'] = strval($this->max_auth_age); } return $ns_args; } /** * Instantiate a Request object from the arguments in a checkid_* * OpenID message */ static function fromOpenIDRequest($request) { $obj = new Auth_OpenID_PAPE_Request(); $args = $request->message->getArgs(Auth_OpenID_PAPE_NS_URI); if ($args === null || $args === array()) { return null; } $obj->parseExtensionArgs($args); return $obj; } /** * Set the state of this request to be that expressed in these * PAPE arguments * * @param args: The PAPE arguments without a namespace */ function parseExtensionArgs($args) { // preferred_auth_policies is a space-separated list of policy // URIs $this->preferred_auth_policies = array(); $policies_str = Auth_OpenID::arrayGet($args, 'preferred_auth_policies'); if ($policies_str) { foreach (explode(' ', $policies_str) as $uri) { if (!in_array($uri, $this->preferred_auth_policies)) { $this->preferred_auth_policies[] = $uri; } } } // max_auth_age is base-10 integer number of seconds $max_auth_age_str = Auth_OpenID::arrayGet($args, 'max_auth_age'); if ($max_auth_age_str) { $this->max_auth_age = Auth_OpenID::intval($max_auth_age_str); } else { $this->max_auth_age = null; } } /** * Given a list of authentication policy URIs that a provider * supports, this method returns the subsequence of those types * that are preferred by the relying party. * * @param supported_types: A sequence of authentication policy * type URIs that are supported by a provider * * @return array The sub-sequence of the supported types that are * preferred by the relying party. This list will be ordered in * the order that the types appear in the supported_types * sequence, and may be empty if the provider does not prefer any * of the supported authentication types. */ function preferredTypes($supported_types) { $result = array(); foreach ($supported_types as $st) { if (in_array($st, $this->preferred_auth_policies)) { $result[] = $st; } } return $result; } } /** * A Provider Authentication Policy response, sent from a provider to * a relying party */ class Auth_OpenID_PAPE_Response extends Auth_OpenID_Extension { var $ns_alias = 'pape'; var $ns_uri = Auth_OpenID_PAPE_NS_URI; function Auth_OpenID_PAPE_Response($auth_policies=null, $auth_time=null, $nist_auth_level=null) { if ($auth_policies) { $this->auth_policies = $auth_policies; } else { $this->auth_policies = array(); } $this->auth_time = $auth_time; $this->nist_auth_level = $nist_auth_level; } /** * Add a authentication policy to this response * * This method is intended to be used by the provider to add a * policy that the provider conformed to when authenticating the * user. * * @param policy_uri: The identifier for the preferred type of * authentication. */ function addPolicyURI($policy_uri) { if (!in_array($policy_uri, $this->auth_policies)) { $this->auth_policies[] = $policy_uri; } } /** * Create an Auth_OpenID_PAPE_Response object from a successful * OpenID library response. * * @param success_response $success_response A SuccessResponse * from Auth_OpenID_Consumer::complete() * * @returns: A provider authentication policy response from the * data that was supplied with the id_res response. */ static function fromSuccessResponse($success_response) { $obj = new Auth_OpenID_PAPE_Response(); // PAPE requires that the args be signed. $args = $success_response->getSignedNS(Auth_OpenID_PAPE_NS_URI); if ($args === null || $args === array()) { return null; } $result = $obj->parseExtensionArgs($args); if ($result === false) { return null; } else { return $obj; } } /** * Parse the provider authentication policy arguments into the * internal state of this object * * @param args: unqualified provider authentication policy * arguments * * @param strict: Whether to return false when bad data is * encountered * * @return null The data is parsed into the internal fields of * this object. */ function parseExtensionArgs($args, $strict=false) { $policies_str = Auth_OpenID::arrayGet($args, 'auth_policies'); if ($policies_str && $policies_str != "none") { $this->auth_policies = explode(" ", $policies_str); } $nist_level_str = Auth_OpenID::arrayGet($args, 'nist_auth_level'); if ($nist_level_str !== null) { $nist_level = Auth_OpenID::intval($nist_level_str); if ($nist_level === false) { if ($strict) { return false; } else { $nist_level = null; } } if (0 <= $nist_level && $nist_level < 5) { $this->nist_auth_level = $nist_level; } else if ($strict) { return false; } } $auth_time = Auth_OpenID::arrayGet($args, 'auth_time'); if ($auth_time !== null) { if (preg_match(PAPE_TIME_VALIDATOR, $auth_time)) { $this->auth_time = $auth_time; } else if ($strict) { return false; } } } function getExtensionArgs() { $ns_args = array(); if (count($this->auth_policies) > 0) { $ns_args['auth_policies'] = implode(' ', $this->auth_policies); } else { $ns_args['auth_policies'] = 'none'; } if ($this->nist_auth_level !== null) { if (!in_array($this->nist_auth_level, range(0, 4), true)) { return false; } $ns_args['nist_auth_level'] = strval($this->nist_auth_level); } if ($this->auth_time !== null) { if (!preg_match(PAPE_TIME_VALIDATOR, $this->auth_time)) { return false; } $ns_args['auth_time'] = $this->auth_time; } return $ns_args; } } wordpress-openid-3.4.1/lib/Auth/OpenID/Parse.php000077500000000000000000000274071265347743100214240ustar00rootroot00000000000000 tags * in the head of HTML or XHTML documents and parses out their * attributes according to the OpenID spec. It is a liberal parser, * but it requires these things from the data in order to work: * * - There must be an open tag * * - There must be an open tag inside of the tag * * - Only s that are found inside of the tag are parsed * (this is by design) * * - The parser follows the OpenID specification in resolving the * attributes of the link tags. This means that the attributes DO * NOT get resolved as they would by an XML or HTML parser. In * particular, only certain entities get replaced, and href * attributes do not get resolved relative to a base URL. * * From http://openid.net/specs.bml: * * - The openid.server URL MUST be an absolute URL. OpenID consumers * MUST NOT attempt to resolve relative URLs. * * - The openid.server URL MUST NOT include entities other than &, * <, >, and ". * * The parser ignores SGML comments and . Both kinds * of quoting are allowed for attributes. * * The parser deals with invalid markup in these ways: * * - Tag names are not case-sensitive * * - The tag is accepted even when it is not at the top level * * - The tag is accepted even when it is not a direct child of * the tag, but a tag must be an ancestor of the * tag * * - tags are accepted even when they are not direct children * of the tag, but a tag must be an ancestor of the * tag * * - If there is no closing tag for an open or tag, the * remainder of the document is viewed as being inside of the * tag. If there is no closing tag for a tag, the link tag is * treated as a short tag. Exceptions to this rule are that * closes and or closes * * - Attributes of the tag are not required to be quoted. * * - In the case of duplicated attribute names, the attribute coming * last in the tag will be the value returned. * * - Any text that does not parse as an attribute within a link tag * will be ignored. (e.g. will * ignore pumpkin) * * - If there are more than one or tag, the parser only * looks inside of the first one. * * - The contents of '; } echo '

'.__('Learn about OpenID', 'openid').'

'; } /** * Clean out registration errors that don't apply. */ function openid_clean_registration_errors($errors) { if (get_option('openid_required_for_registration') || !empty($_POST['openid_identifier'])) { $new = new WP_Error(); foreach ($errors->get_error_codes() as $code) { if (in_array($code, array('empty_username', 'empty_email'))) continue; $message = $errors->get_error_message($code); $data = $errors->get_error_data($code); $new->add($code, $message, $data); } $errors = $new; } if (get_option('openid_required_for_registration') && empty($_POST['openid_identifier'])) { $errors->add('openid_only', __('ERROR: ', 'openid') . __('New users must register using OpenID.', 'openid')); } return $errors; } /** * Handle WordPress registration errors. */ function openid_registration_errors($errors) { if (!empty($_POST['openid_identifier'])) { $errors->add('invalid_openid', __('ERROR: ', 'openid') . openid_message()); } return $errors; } /** * Handle WordPress registrations. */ function openid_register_post($username, $password, $errors) { if ( !empty($_POST['openid_identifier']) ) { wp_signon(); } } wordpress-openid-3.4.1/openid.php000066400000000000000000000137671265347743100170440ustar00rootroot00000000000000 * * @param int $id comment ID to check for. If not provided, the current comment will be used. * @return bool true if the comment was submitted using an OpenID * @access public * @since 1.0 */ function is_comment_openid($id = null) { if ( is_numeric( $id ) ) { $comment = get_comment( $id ); } else { global $comment; } if ( ! $comment ) { return false; } $openid_comments = get_post_meta( $comment->comment_post_ID, 'openid_comments', true ); if ( is_array( $openid_comments ) ) { if ( in_array( $comment->comment_ID, $openid_comments ) ) { return true; } } return false; } /** * Get the OpenID identities for the specified user. * * @param mixed $id_or_name the username or ID. If not provided, the current user will be used. * @return array array of user's OpenID identities * @access public * @since 3.0 */ function get_user_openids( $id_or_name = null ) { $user = get_userdata_by_various( $id_or_name ); if ( $user ) { global $wpdb; return $wpdb->get_col( $wpdb->prepare( 'SELECT url FROM '.openid_identity_table().' WHERE user_id = %s', $user->ID ) ); } else { return array(); } } /** * Get the user associated with the specified OpenID. * * @param string $openid identifier to match * @return int|null ID of associated user, or null if no associated user * @access public * @since 3.0 */ function get_user_by_openid($url) { global $wpdb; return $wpdb->get_var( $wpdb->prepare( 'SELECT user_id FROM '.openid_identity_table().' WHERE url = %s', $url ) ); } /** * Get a simple OpenID input field. * * @access public * @since 2.0 */ function openid_input() { return ''; } /** * Convenience method to get user data by ID, username, or from current user. * * @param mixed $id_or_name the username or ID. If not provided, the current user will be used. * @return bool|object False on failure, User DB row object * @access public * @since 3.0 */ if ( ! function_exists( 'get_userdata_by_various' ) ) : function get_userdata_by_various($id_or_name = null) { if ( null === $id_or_name ) { if ( ! is_user_logged_in() ) { return false; } $user = wp_get_current_user(); if ( null === $user ) { return false; } return $user->data; } else if ( is_numeric( $id_or_name ) ) { return get_user_by( 'id', $id_or_name ); } else { return get_user_by( 'login', $id_or_name ); } } endif; // -- end of public functions /** * Get the file for the plugin, including the path. This method will handle the case where the * actual plugin files do not reside within the WordPress directory on the filesystem (such as * a symlink). The standard value should be 'openid/openid.php' unless files or folders have * been renamed. * * @return string plugin file */ function openid_plugin_file() { static $file; if ( empty( $file ) ) { $path = 'openid'; $base = plugin_basename( __FILE__ ); if ( __FILE__ != $base ) { $path = basename( dirname( $base ) ); } $file = $path . '/' . basename( __FILE__ ); } return $file; } wordpress-openid-3.4.1/phpcs.xml000066400000000000000000000002221265347743100166720ustar00rootroot00000000000000 WordPress Coding Standard. wordpress-openid-3.4.1/readme.txt000066400000000000000000000322471265347743100170450ustar00rootroot00000000000000=== OpenID === Contributors: willnorris, factoryjoe, pfefferle Tags: openid, authentication, login, comments Requires at least: 2.8 Tested up to: 4.4.1 Stable tag: 3.4.1 License: Apache 2.0 License URI: https://www.apache.org/licenses/LICENSE-2.0 Allows WordPress to provide and consumer OpenIDs for authentication of users and comments. == Description == OpenID is an [open standard][] that allows users to authenticate to websites without having to create a new password. This plugin allows users to login to their local WordPress account using an OpenID, as well as enabling commenters to leave authenticated comments with OpenID. The plugin also includes an OpenID provider, enabling users to login to OpenID-enabled sites using their own personal WordPress account. [XRDS-Simple][] is required for the OpenID Provider and some features of the OpenID Consumer. Developer documentation, which includes all of the public methods and hooks for integrating with and extending the plugin, can be found [here][dev-doc]. [open standard]: http://openid.net/ [XRDS-Simple]: http://wordpress.org/plugins/xrds-simple/ [dev-doc]: http://wiki.diso-project.org/wordpress-openid-api == Installation == This plugin follows the [standard WordPress installation method][]: 1. Upload the `openid` folder to the `/wp-content/plugins/` directory 1. Activate the plugin through the 'Plugins' menu in WordPress 1. Configure the plugin through the 'OpenID' section of the 'Options' menu [standard WordPress installation method]: http://codex.wordpress.org/Managing_Plugins#Installing_Plugins == Frequently Asked Questions == = Why do I get blank screens when I activate the plugin? = In some cases the plugin may have problems if not enough memory has been allocated to PHP. Try ensuring that the PHP memory\_limit is at least 8MB (limits of 64MB are not uncommon). = Why don't `https` OpenIDs work? = SSL certificate problems creep up when working with some OpenID providers (namely MyOpenID). This is typically due to an outdated CA cert bundle being used by libcurl. An explanation of the problem and a couple of solutions can be found [here][libcurl]. [libcurl]: http://lists.openidenabled.com/pipermail/dev/2007-August/000784.html = Why do I get the error "Invalid openid.mode ''"? = There are actually a couple of reasons that can cause this, but it seems one of the more common causes is a conflict with certain mod_security rules. See [this blog post][ioni2] for instructions on how to resolve this issue. [ioni2]: http://ioni2.com/2009/wordpress-openid-login-failed-invalid-openid-mode-no-mode-set-solved-for-both-wordpress-and-drupal/ = How do I use SSL for OpenID transactions? = First, be aware that this only works in WordPress 2.6 and up. Make sure you've turned on SSL in WordPress by [defining either of the following][wp-ssl] globals as "true" in your `wp-config.php` file: - FORCE\_SSL\_LOGIN - FORCE\_SSL\_ADMIN Then, also define the following global as "true" in your `wp-config.php` file: - OPENID\_SSL Be aware that you will almost certainly have trouble with this if you are not using a certificate purchased from a well-known certificate authority. [wp-ssl]: http://codex.wordpress.org/Administration_Over_SSL = How do I get help if I have a problem? = Please direct support questions to the "Plugins and Hacks" section of the [WordPress.org Support Forum][]. Just make sure and include the tag 'openid' so that I'll see your post. Additionally, you can file a bug report at . [WordPress.org Support Forum]: http://wordpress.org/support/ == Screenshots == 1. Commentors can use their OpenID when leaving a comment 2. Users can login with their OpenID in place of a traditional username and password 3. Users authorized to use the OpenID Provider can delegate to a different provider 4. Users can add additional OpenIDs which they can use to login to WordPress 5. Users authorized to use the OpenID Provider can monitor which sites they've logged in to == Changelog == Project maintined on github at [diso/wordpress-openid](https://github.com/diso/wordpress-openid). = version 3.4.1 (Jan 31, 2016) = - update to latest OpenID library. Full changelog [on github](https://github.com/openid/php-openid). - fix comment bug https://wordpress.org/support/topic/false-error-please-fill-the-required-fields-name-email-commenting?replies=5 - fix XRDS-simple bug https://github.com/diso/wordpress-xrds-simple/issues/4 = version 3.4.0 (Jul 22, 2015) = - update to latest OpenID library (includes lots of bug fixes, particularly with PHP 5.3). Full changelog [on github](https://github.com/openid/php-openid). - fixed various PHP warnings/errors. - various improvements and bugfixes (props @rodrigoprimo). - attempt to use email as username before url for open id new user (props @yincrash). - chinese and german (props Stephan Richter) translations. - added WebFinger support Full changelog on [github](https://github.com/diso/wordpress-openid/compare/v3.3.4...v3.4.0). = version 3.3.4 (Nov 16, 2012) = - update to latest OpenID library (includes lots of bug fixes, particularly with PHP 5.3). Full changelog [on github](https://github.com/openid/php-openid). - various bug fixes. Full changelog [on github](https://github.com/diso/wordpress-openid). = version 3.3.3 (Aug 24, 2010) = - add/update danish, japanese, and spanish translations - update to latest version of php-openid library - fix a few PHP and WordPress warnings and notices = version 3.3.2 (Nov 06, 2009) = - add localizations for czech, danish, french, spanish, and vietnamese. Some are more up to date than others. More are welcome, see http://code.google.com/p/diso/issues/detail?id=26 - remove stylesheet for recent comments widget, since it breaks the style for OpenID comments - various fixes with administration panels = version 3.3.1 (Sep 28, 2009) = - tiny bug in get_user_openids causing it to always return empty array = version 3.3 (Sep 28, 2009) = - minimum required version has been bumped to WordPress 2.8 - fix support for WordPress MU - new, less obtrusive UI for comment form. Should also work with all themes in some form (with or without js). - many administrative options have been moved to their respective locations on core WordPress Settings pages - drop support for experimental EAUT and IDIB protocols - drop support for installing the plugin in mu-plugins folder - always include 'index.php' on OpenID endpoint URLs. Without that, some deployments were having problems. - fix bug relating to trackbacks and pingbacks - fix bug (#121) relating to unregistered options (props tom.tdw for the patch) - lots of minor bug fixes = version 3.2.3 (Jul 20, 2009) = - fix XSS vulnerability. (props Stuart Metcalfe) = version 3.2.2 (Mar 19, 2009) = - fix problems when using non-index.php permalinks with non-apache web servers - ensure that show\_on\_front option is not empty - function name typo (props gunemalli) - fix deprecated pass-by-reference call in php-openid library (props jschuur) - fix UI bug on registration form with IE browsers (props oledole) - UI tweaks to better match WP 2.7 - update a few strings for localization and POT file = version 3.2.1 (Feb 13, 2009) = - patch php-openid library to fix XRDS handling (thanks Mike Jones for helping find this) - add default values for some openid vars -- necessary for OP-initiated login - fix bug with OpenID server where OpenID request was sometimes lost - add filter for openid\_trust\_root = version 3.2 (Jan 20, 2009) = - add uninstall hook for WordPress 2.7 -- this will remove all traces of the plugin from the database - UI fixes for WordPress 2.7 - add settings link to plugins page - silence XML parsing errors with PHP4 - ensure wp\_scripts is set - ensure openid comment processing occurs after akismet - add ellipses to truncated OpenIDs (fixes #94) - fix bug where Yahoo! OpenIDs weren't matching profile URL (fixes #98) - don't return empty SREG values - Add support for consuming Attribute Exchange - use a single return\_to URL for all OpenID actions - cleaner OpenID service URLs when permalinks configured to do so (all path, no query string) - fixed issue where OpenID Server would sometimes break depending on a users permalink structure (fixed #101) - fixed issue where OpenID consumer would sometimes break if mod\_encoding was enabled in Apache (used for WebDAV) (fixed #96) - don't redirect when performing discovery on OpenID trust root = version 3.1.4 (Nov 04, 2008) = - allow OP extensions to include XRDS Types in login service - run OpenID comment processor after Akismet, and skip if Akismet marks comment as spam = version 3.1.3 (Oct 27, 2008) = - fix error message if /dev/urandom is not readable = version 3.1.2 (Oct 26, 2008) = - ensure source of randomness is set properly - prevent duplicate cleanup\_openid cron jobs - prevent SQL errors on activation - suppress verbose error logging with XML parsing = version 3.1.1 (Oct 20, 2008) = - fix bug with OpenID Provider XRDS code that prevents ability to login to some sites (like plaxo.com) = version 3.1 (Oct 19, 2008) = - added hidden constant to set custom comments post page (OPENID\_COMMENTS\_POST\_PAGE) - additional option to skip name and email check for OpenID comments - use preferred username (from SREG) if possible when creating new account - truncate long URLs when used as display\_name for comments - numerous bug fixes, including bug with registration form = version 3.0 (Oct 02, 2008) = - includes OpenID Provider - supports OpenID delegation - add experimental support for Email Address to URL Transformation - many new hooks for extension and integration - major code refactoring = version 2.2.2 (Aug 06, 2008) = - fix bug with "unauthorized return\_to URL" (only known problem with [openid.pl][]) - fix bug with comments containing non-latin characters - respect CUSTOM\_USER\_META\_TABLE constant if present (also added CUSTOM\_OPENID\_IDENTITY\_TABLE constant) - add experimental support for Identity in the Browser = version 2.2.1 (Jul 25, 2008) = - fixed EAUT handling code - fixed bug that broke comments containing double quotes (") = version 2.2.0 (Jul 23, 2008) = - use POST replay for comments (fixes compatibility with other comment plugins) - only build openid object when needed (much better memory usage) - support for Email Address to URL Transformation (see eaut.org) - fixed bug when using suhosin (hardened php) - use hooks for gathering user data (more extensible) - fixed openid spoofing vulnerability (http://plugins.trac.wordpress.org/ticket/702) - lots code refactoring and UI cleanup = version 2.1.9 (May 20, 2008) = - fix javascript loading issues - fix various bugs when creating new account with OpenID - fix error message, and add new warning prompt when removing last OpenID for account = version 2.1.8 (Apr 02, 2008) = - fix UI issue with wp-login.php page in WP2.5 - fix bug printing supported curl protocols (http://wordpress.org/support/topic/159062) - fix jquery bug while adding category in WP2.5 (http://wordpress.org/support/topic/164305) = version 2.1.7 (Mar 21, 2008) = - remove php5 dependency bug... AGAIN! - also remove some other custom changes to php-openid I forgot were in there. This may actually re-introduce some edge-case bugs, but I'd rather expose them so that we can get the appropriate patches pushed upstream if they really are necessary. = version 2.1.6 (Mar 20, 2008) = - update php-openid library to latest. Now properly supports Yahoo's OpenID provider. = version 2.1.5 (Mar 20, 2008) = - add support for wordpress v2.5 = version 2.1.4 (Feb 13, 2008) = - fix php5 dependency bug - improve jQuery code to reduce problems with other js libraries = version 2.1.3 (Feb 06, 2008) = - address security bug mentioned [here](http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts). Props Sam Alexander = version 2.1.2 = - minor typo in profile data code = version 2.1.1 = - minor bug where profile data is being overwritten = version 2.1 = - added FAQ items for plugin updater and adding an OpenID field to a comment form - better tracking of which users have OpenIDs linked to their local WP account - better automatic username generation - fixed bug where non-OpenID websites had problems (bug [729]) - upgrade to version 2.0 of JanRain OpenID library - admin option to rebuild tables = version 2.0 = - simplified admin interface by using reasonable defaults. Default behaviors include: - "unobtrusive mode" - always add openid to wp-login.php - always use WP option 'home' for the trust root - new features - hook for trust engine, with very simple implementation included - supports OpenID 2.0 (draft 12) as well as OpenID 1.1 and SReg 1.0 - normal collection of bug fixes = version 1.0.1 = - added wordpress.org style readme.txt = version 1.0 (also known as r13) = Full SVN logs are available at . [729]: http://dev.wp-plugins.org/ticket/729 [openid.pl]: http://openid.pl/ The original OpenID plugin for WordPress was a collaborative effort between Alan Castonguay and Hans Granqvist. Will Norris forked the plugin and has since become the maintainer. [Alan Castonguay]: http://verselogic.net/ [Hans Granqvist]: http://commented.org/ [Will Norris]: http://willnorris.com/ wordpress-openid-3.4.1/screenshot-1.png000066400000000000000000000376261265347743100200760ustar00rootroot00000000000000PNG  IHDRO}P9iCCPICC ProfilexgTTsWf{uhRiҤwi{XĂEX) (("?bϾسn9$7OsD<ÃaШ#=>G'g>3p4 kmmS^'wg)> 5]Sj]Wب(>C#c)iǙY9ƹɥu=7*wU<(9g,fi^84#o&o33> _.UY~*71nEf=p Q‚-/BBB g _!DԊLED}EOs;"vK싸x 6˒<69]+RRRRRn%#2222e񲺲Ͳo8l~˟R )+)t**J(z++>Q")+e(u+}SSRS~¡bR2RSMQUM^-DQ=MA=WgUS/VA0DihfjhAZ:ZZZSoi޳gO>s[k;Gг;7ϢVրGC9(Ní:{11544n1jan2l`joztLY9076/2hشԳW6_oɯ p  tl"urhw,]/..Z9pXxfO'Kѥs'MO^?w^Ϩ/#-v| BE|B}9sUU䪏.c55ԙuԟk`lhظ{aFƚK̗.j kzsX-b-L[m2yj5k ]?Nn:;V;;_pˬMrݍ=B=o2!R6cWBo~q!ۡÖFLG5;4j8z{Ll޽?0zhp{m?}d)ߩg6g^0(yrVh9;_O;Ͽ z6]{ᅖj.y,--G/|,zEj/_W`kֹ7T7|[ط_q[3]~ X c,?X c,, ` (n;t Bm*LvnD4#iqT}s'GAR/(y 1gX T ~icx+e%%+"WWWjP5ke5ӛ17naB1=g.njjmch;lt+W Ov}y>7}?3(ZL ) =V~PnDRdZΘwq?0$"–ʜFHXȜʺ}3)<(&"NVc)ti3&VVN[fU;OӨ`x}ǥM ϴ4=ub@R'JMn[b} *Z Xܵ53G~e|ADCG"}2ttta3/h/yfǯ2^;+‡K^Q/~[}&^2ZaUw? 7}#!:c:iLAxH *g0N/:?A"n!uQ^h]bqxaaTCP[XYﳽ\Qz h5F8fz5+7}/lv?88:}-#+ ($}P+&'4<,1t~tp2'gOLw=~lK,+9׶oަ@™gO/._WR6Ҿ}K#/6~y?;$z! Dct?0!nzL]V` <$ ,:U_F[a8~>BX!^b"I0v2e)T$s7Kk[0147 /[؅%DhVb>Rc 9>y=OTr.i4fu) #Mwڇf3(2,{I㦹f)t!om]}C~{G 'n-i:Q>Fsgp-m 0 ?\j~PEDDQWZXL}lF{Nw¯ę䊔T4t ̷Y٭9 y" ?}xqqZI RǓ ^EL\\B9Zrlty:} >/hziiҢkS7;:-ow5|Ceޛۿ=Hsehi豱j&,ޙT{\:UyYǹw)>V޵݄R8B"8r5XqXqh?r %'̚>[>9tx;|؏8BF!#M(~+j̈́DG1X &sUG8* w/sB QFb@2X3T0,H")iI>DK$QJb*5s+ %%k#+av {#YUǭ=c7Oo?\K`0\H8V|X"GP$5# ,k/"ϥPXW\VW~^:m[ɡ% ~CL7M/Hx^c {SOpc5Vm&l^.m:wq<Ѕjr mxx%{wli  y&qh5/][x$k i33r_m/.?rnK{V}.!%ˎ-mWKultu*TS9?s?w"vg*3ggs-Yȹaq_HoH3,ÄaӰp D!WHEztގRG%z1zÁ\Ĭbձ8N?}B1aH&N1H00<"RHOs_3i0fJ!QȔ(UZ͌acbgiec=%mq 9 99z$^s(_'x[(SPG %$K|Ue2w 3UUsNik֮SwH? 0zoQ):va)%Mk>v![9;M{ Cǝ!yW'܆zxyzAAEBBχ-Ҋ(GLINNIy~:c33~f^s@aޣ5EbJ$OT<~FlܹjƚFuK /7U6;RƯ_oY޵QoQ0433z^xGO?|so-@ww?4#4 [³ G#I* >\RQi< MD*1`0@#c$1f0~e bzMOQFFaf{,67ٟu-]}ÃYeNJ/ǿ.)+,,OCt8 $"'x^_*-P}m=t2t; T SĚ>6W(ioVĮmrVq95c2`20ȶ=1tx̔Ґ838S?\x"c%\'{N;Y;[^PR[kr~ޫab%BS}nL[Uʵ Z7Vn1VK 6d8`h==\'U>6z>:]liE,Uܻy7h+m.?V?+\U\_G?ߨw?~,ol.2մE:ղm {OE)$8{joK 0Lӿ{Ϛ@40x77O<ŧ+g-#ŧ 'GMp+ pHYs  )IDATxmp[י1?ڙt:n)Ѵe[lvgٚ&ZZ:t#ؔ +)66"juڈ9l8"c!M@$D@e 6{/ ߢ~*{ι{΅26`U ;C= CBS`'V=qٳg',ȐT؉U+W CBS`'V4 X!!vUn(`EV VbU Xu]JLwUvwW4`U8Z5wj+R1O.P\l2^MLe*ӨOԃ ;#*\74=\ŊSv)B[˧T.~AR!yC*\XvhZ_8eƪSf`˥\twpg׏M4=,ji^"Xiy>ԣ{VIΔ2d aq7SN+J>z;'5"G-GӗRgd^t6T7z#sC̻̆|Jt%gXUވSJPX }94WŴUA xTQ"+VYhz\QV5zkV`UpZ.'zŤ+F<%yͪs@V}j^NOWڜ~X'D>f7sK\RIU>aCG; ɪbUꍐD{\9p4Wu" ;~gXpՖ!5g`j9}&Wv8 { lO$PFsJ.g0Va (r֓rkO:7K_ZzIUaߕQalX~V-v/ĹW]1\U#dUQe"rȻt*| U`U X`7:4420*;ɓ'gff!Û7C20*;*`U U`U X`U WgՇz`A NzĉgNX!!+W`A NʿZ V`U7UWWWi"C*VUKLߜB.WXJ.)*)5XvŪQK4T*Ǒ>9#k24T.No|R˅H$Ҽ*8 gj}( 'MIM6Oq>af:eS= GXU){4GH°[s#*q=9]~>waZӥah~-p\sb?:XLKv?UZшvOjƞD]3)[mw8UZW4"!qXO5yHX@:ti..MY>Fk;j뒨ߡChZ5s8}#ze—Nw$RKiإٽJG4ߑCtoZzBIteƕ*32*GӹԸS'+k=tȑ[Tq=B.p\"@8 /aw$z#1hP tDTH?e]Wz "U-obUz:DȭL|F漾*,#A0V5,x*[\t\2.ofUs)-ENRʎCߓr}@ɒFE[JEk⨪*|U29ݞᰊ웫\>3LcTrlQKHfoEh%nZu|w|j<t}`UwM38(7 ==J+Mn|TЪT:Yx|$4M_VVcڙUՏU*\CiY蛎jٕ9o #-Ī TH0^I۽ QacŤ|/v© %r[+/o@TZvT]_7gXoTjejkj7Uxd;,;nZV-:]QOF WCj;AI*sm3ʞ@UJٽj7j`U F+9V+bzJ"#G|UsmAgU|rkHcܨ[+RPr ;t^y3T&+):oaPrf~鳾Ю{o2K #apŪ '5oo5`4V+%6KZ UU_hP)Kd+5̯V*\U7~Ln?K/TjU})k+Xj(YMWs?hsZ1SG-(F( JorH<0T*\cn)ܰ퐋=b0@uI̙)V:nCGNRo5YVȪ"D"}61oir:;4Hͮ>O.௬bUѬ UV p:4420*;ɓ'gff!Û7C20*;*`U U`U X`U WgՇz`A NzĉgNX!!+W`A NʿZ V`U7UWWWi"C*fբ$-Iwug_٥|L:~֩OѮT+\ύoܔ]3ƇMzB%C:ܧi\lPb.4ܘ>.jzavIYקm]aݪ}+lDƟt:_TQOdECO.UռY'tg/Sd4^jg\ |PSVEv_TJXʥ*ÈQj~L9CkXu:n?g ?fri}o萜m]gfC :p>ʪNitۙƨ%,öXz"wm۾3,wɪDBkx.* | EsJ#=3,gn~X8*)=L) g2 5q8\ħo}#"DCw>$y>#dmihsV4* 9O]On y/t4-ʻf7s+j|=s&^_Tvߠ^3F{/ЪU$h\'q 9Dt*97=S+#}*u=abUSKEsת̙"ۏn{Dfcݶ`3X6*ʫL`U_8] M_}ެZZU鴻\+煈ĢnݭϜx#h$Vu-V͔KHQru_X+W ʪPX# Kt ܼV5ӲF?Iޯ۳ŋwdxuyU:g=gNϪp1羗r~!,nVVfV-.݇+'-*}#ʶ)3BTWWVR_}W".լp¿4Vyy%WUZzfTmj&e Xg+V',;U2=᩼Zum[-iUmxt~QWA÷W^elVĄŪc]j!4Hʌ!Es3o\pAriT[V^_كь8)ɪMW0;*)+/تJ1l|&_b;*ΪRru{I~VIWRT*`U U*`U XVYuhhhuu 2$d`0UvbՓ'O#C7o2$d`0UvbUXVX*VX*Vp]z,`]`zz3ӲUJһ_~}㯟?¿^cśoޚO_:tdrq1nÿO\|7r)R>G3K|37%;vsp[ɎuMzk4}z_ ܘ?+;oIz[[vv;NXhm.bZ|s?X 9==;͞Xmp_6gnC`MRƼ[ f'{[ZƮ"&O Ko]y߁SVƢ1wB:664v=TĺAš.{C+2+~5,;wGy_j|oցbrq.2>458nl|o(7=_{_z+#cពz=_x~l֖m2 lm1-_꣌!񕢣2!vCӾIYh> I_ǷPieüx@6s{hRM7E\F;ڠԼVllYށ5əYā._eoxP^L[JrH3;nLIa|muRu=Bo*@{k`gsCFutuuV }p?k1զ,}WԿ;Jmstnk5Yo7KZrʿs _>C[[˗zO/~1?lE&Q\+c*Z]"YoJq~N٩sptlnNE@hu@T5;C*[\zPqxCnq6oq8ةѹФ@wdUscnT @ؤܽ-1HySxW+{sddk55O}[j1u04B֡$qcZ]ݑ6Jcɹɡd͹Z퓟{*}st0~76{O ^KmE#bPVm j@wͬՃA-sPobeq@͋ߜ5[y.ښ@Xk%yc6Y5_}^JPպwjV=޲U%- \/Ծx|bE k@Ul}W]@XհjkYO+{.?NzKOv en$F;(@c+zn20L&e>79L*kn}U=P,MFuNf]sjX)+p-ޱl>%jIU!@$-c]kzŬWa7WUM[+cxw1nVqK P#_tՍY̮4]2&N4Yc}?[U&j@^=I#n}n||{A.ޱ\+ˁu,;; \sb]^^~뭷~ۄKQbl44488+^#9eV U*V U*`U U`U̪vU/`U U*VXVXbU U*`U U`U U*VX*VX`U U`U X`UU*VU*VX`U X`UX`U U*V U*VŪX`UXVXbU U*`U U*VXVX*VX`U U`U U*VX6XVXbU U*`U U*VXbU U*`U U*VXVX*VX`U U`U U*VX*VU*VX`U X`UU*eUY U*V p?? +C[*F?#}wMtttttt1VNHD/w}<ĄBPZJjO?X/{g}ȑ#xEϟ?'[;A'D.[$U\[:\{LV/_~ws9z?wsхwKι[w6M}K~K^Z} MzqDW?eԫmdx{6RD9EjUzwY*\2 z ;KKK?sŋey(ҥK2XXYYIVdyuxbr{u_-S_N&՟s>眘pr{UoS!ɼsX:e9ZكbU; ]{mx yPz_< Of{gtK,eu-\-OϪɅ7^|U /x{%[}#Wc፟=\|6۽obn)[>tZwJ/zrë?R:py66lM_O߹~HKGKwKK׳ |d'?I0t钘Twp\#U]_ت|m`ZNlw\d霿|[]y.\.o;|:p:W u2[ N_f/}82S?uD7~_陎3On|O}Z±Kڟ2/Tn;[vSNIKguu7xGcL|>{տ!5\&ggg3ٕTj^N&W;)W+ՌQv2m7'j*{G^]KnrՊtrUv Q>+KB@XB nZ+kޕrFX:Z[:[pxgffn#<F Ž9N1yC[s/WaU"SNfډ'x /^( -s#(])**+],Z\m*_?O:t}{Mtttttt1*C։ɤꓓoH'JWJJJ w 'E:DJOw0*nU*VU*GLGz*IENDB`wordpress-openid-3.4.1/screenshot-2.png000066400000000000000000000507621265347743100200730ustar00rootroot00000000000000PNG  IHDR`% iCCPICC ProfilexڭPݲ%sɒ 3HZ$W@,$#(Q "(T$$ " iߠUzunWtϜL6h/kamcA0 @H9c~ ۄi,N$3_V;el~WaWLj^BsUXGLe ,F6&fVZ6evQg]ҝ]v\,S=<.Et /o^ ھs z=&捤X8Hom$ $&%0nJLLx(VC;Mw CJ,Jϔє,hL}o~ځzFه› 9wZ^f=ƴI?A>yӞq)Ӿgѝj]׻{@OOo\ +.*$yU!a#ޘ1}::E<5ϴ l9y 틩0KI?~YY*zr=3Wүc7q;wط?9r;` tA@>kD *eࣃHShX?Q!̫l8\9J_  e ,IJޖޖ5KU,9Uk5?ZϴGutw (^326jkaVjТ5†V>bC΅vǽť~?f}أ@ `!s`$<ڌ^m+{,A6>q/i"&%]t:m5+#/e-ٸ3[75/(߮@PQY2[_VV[\IQ\r/j:kxp3%6a[-Zjsx"ݎ>Q4Y'oW]~=j4k}O^; .lyuHugz9f~lpy`2f;ivX=s I>-YW oޛ׶Rwduvq?w1ۉ*NBP=BàTXHx"d 7~;"A#!Ўș20I<*Z]EJDC:EEBG^@ACDGAyLu:GGKLNLWI/E`1YyŇMm݉I@nV[cB> 5$1Q !Fa R&%*$.">"qMRKU3M2ar& JgeUUUW1Vй;Gor>`ҐŸȼbJߺ¾ 9ǵ]ΣK{w+`׳ʫgCƮy_GD(E.E'J}t%4U:&0k6YnQ^HUD abys{kjw7=o򴭳QOC_]JG N&Θ_Zb\Y ncnkퟂ\~{XQ-WS?ЀăRނt W(*zO"X D1$B*#m!"'%$%TT{45Otu3lg4eBajblҒJ:Φߎ^b'Zg[̦'֛S_wlVi0ՙЂ0{?Bdik,Oj@BcR~JXuD&~HNveA~{G1Yɣ2[ت-4T? lRn/RۍR=~m7_4JѤ1 ɬDfgx?$-}_6X)ưKטo͋[rXvg/_{{1n>;9xuH}hXyy$w|Tu4u:>szy{{ubtr!g U&O;/1bM,ϚO8n~f'X&>`jzQ 4B^&¡ᐒP,5pŌ pHYs  CIDATx[pי]5/>Sa'NVoy7FN*3'3d2Ll Vh(RX)d 0 ( !$Ad;}fW],}p;}3|A  @AĽ{. pɭ[Suw V ?k_3hi&U%(qNȑWN(R4hID@͛7}U|>ύ011Z'S)DZA-SVo' ]-R/Pkb ҠBI2T&tCpXhFJ /R |!t6dmM!4/_?]3MPv4ARҁ-+ W^yAXcbBT,GAP zkxxX$sl4A9PpK^vbSHd%8e' v8yB$brrrG\Aq,"rchhl, o͛|8ݻ׾{+*|PhD"gC-M;Iw`Qr xz|U;h/` [}:A߿I?) U|V;@8a@;Z.\', }twMt.I/\njut؏>p8lR[WOMdl΃3ƧvXBrUH߾p͛7):KK^~^_|EW+sN_s~0߻4-fl*-MIuV-|z6pkUnTTFںzvH4=$I7<fe]|F&@U3l*B&r ׭yKd'rE}x 8VMԜ¡ t[-xB5RILǪt7(0f j *82N]Z/Fd*4,MnxԦ)jYw3|!;0amx˟ᆵpj֥d.ܢ*?8޹k7ó豮)c_!Ϙ5elpdDoJ!zg;n7CiLcb uvv4ByU1="`S=Y, nEƮ m6E2twReP"`/(bY6qUaU_k9]尳)  )X# B7}!2ADmCKq!vLFȓ_F-vfش /cL Xڛ(7&\^A3 g'U8*C5FU BWehAcb2L j'kUEKGu8H)qL FZ<юݷxvՊ~]MH+޿UoWWe^GFf%*C[_UUi}! q'F{A^r Bץomo>geL{Av bݡ OؼY]b = L\eM]y=V:Xb*xVՂ02t^WVŎStwF77Oe.xσ'W<@!!PuMvka ڱXwx ܶm۶:U־| *Cl &ŷ<*CW_>U 1ߦ@oQ3Z[W}v[gI.vYaR[WM` & [+ 'JF* Gg,y I%ޯ㭢DFu8߹s眔~6juۤصG):V D lju6MRM IWeê_ͩ P4fm" ؄"EÙ3/-Ut7Zoݙ>fr,vbv:BGwnn$OX)^3X)V|WLWP[j4J@ľxڊOD`sHJSۓهZF~xMaU_Jkw*tE4D `'n H'>8uQT݀%sNL|vqz?5iqA{y9g+֩荞|>E|SY 1Xj_ߔ6 xB>-@UvE1Msxu9+O7$e/ŪQ:UEٸ}ZǕ}}2 ݻ;wxTSԈ+in-/f׎fu2yCj0Mv_[[z 26г^~k&Z_+ĩV9Qֽ.6㏀hGU^8H+ݝ*2V\i}!s]j:=_}Ha__pђ ᔨS@|}~iwUD~6OrVsߝMh?loo7p~bv"mԔj+R]űtLσ:횗 Hhu1c!)1OѺf/*އ`:#YC–b gżT6p&6?yřQE8taY<(sI)" ӮuWE9 Rr2{X7]?!B^EYW^G.D#(2i4 Vwq~>?JECBZGLqxڵoc'xB`s{'T>Ӯm|ÇSY!N= WN\3)Ū( >)ז V_ڠ;B{ =ūrS =#Ϊ9D#*)U\F EU)r)').|_m$āZ] ֭[J l W,]"N8%`BƁҁ@@wVɅݣE# V 4 2?.jҍENba5A{{*7忤j.xרj`BI2E8,EAZ V72xA,/ $T SuA x1Xt | 4 U/"h♅P95C84 ^ ˶cMV#j0 `*'AثA|a BL )410  h6#Z5p/w__}CFFAG'LՄ#GvЩTX|`@pУ4jjG<3/vuĀ u_K D^}BbL-lL| ,O(D}r2(H)TuIpaU_hzι> “B*2U}^!ܿ R UDYB[_SD}B}%'BIDOA, iAӃDTbx5w}IXPqyBtUk9V*1n<`Kz& yʂ0] T>HQX<󊠴ϪY=e|On-Sd YWXbYZ[+F 5y#UP|:|Q6PHGZ;9]%cH2/˹L*O)A)I6ƚ ӹt\tiex?}4 1( BgUj,iԇ2%C.1{] ?v[l6CyC0hf^.TWhM{$_bA̋ &CrnX"=z%DŽ 󉢆b"h ám}0ar>QPPQ+Cdλyz÷e&L(v(((V (;";eSbӡ0ar>QPPQQ46APE9YѾ˷1a|ء8hZmډ#z{BzElء8h O ֮]    @     AA@@AA@@^ b "=Ж}n1a|ء8hZm?v3>|M zBL09(j(v(((V b]Ve;$ b„iEEjDqPj'H>1a|ء8hZm QvDOL09(j(v(fe$A  @AA@@@A8R"!eyb!G}>?f Snc" "qw} 8URRHDrd74zX 6{ԅ>@X B%U+4gh9HexǛD&NRN0=N)E;>٪5Œ8ɠF4I6ǭ)&uX,H:ං `ҀhJR(#vxZcRfCg%%4;$̂hS%riKWJ]  Rx2]s9V*1nVRxjh*yr!ǂjei2DI<7FZHj&#k % e|2 {[QZ!RoR$|<̄05YJBK)EXm"ؿbȃG BJG[-v4 ZK\:Xw5T!Ĥ\ȲL"uVVF"ͥ"2ܭLCD ZBLF W>ALɩҐ9PҊs є,hl- ϨZEv #QQv ɩ֊#PJ4dYUj331_ @ ` >Z A@    @    @    @4ewձXL  @  @A Qws%@  @A  HJ:OX͂ӱzEYi@,ַ %,h:%Zo4 @5\O%O1qvLV:ɷ]`ram|1>XmuNoT yًb rtd]K) )\>Y bkrZ^x6O+. jQHn'4#ȳFWi,G_(Nv%#>2`eOn7ݚb-#\5Ր#>Z*UJ#~w' sԸ;uJƌC=Xz'XG]w0:CjWt5FAhӦd5Ph@ BB&ې6n97V_0OKAR,[Sl2P͗8l&nT-6"7fQNL-Q7IuZI @G6IbAh2I|nWyy݋F͑T$ؑ>x"T)TegTJ1Xn] b*Aև%%1'AS3T_pڦHxwSa>TXTxBI {mERO<3a]u*Wr7ˉd񢥧 |e^5H >f!r6v{|i+"n6lU:A$&;\yX>eH4aqJz5Jl!M8$M&J% ”ș ՋJ%x72q"y5fFZU +̫U֊9D c1ÜIwyѬ,\<3K[SACzp<_(d,6cjpT7ǔj<4Cu^#\KzwL9kjK7b*AT>4~ycCN54T|iegA' ` ܞIT`ee,ءZKsh^M)mۚd.8b~BM#0O(1)wd:@b-9A;I e2de%CԷ.s8K@jN9 ͍p8@ɥ@3hI~ن"uDP@@A .U+H9A AA@@AA@@+^Sa 0-„'gr N?#\Hb;vĥX п4/}VxqQha/1)b=KM rf 2ZyO (;-/t<"4 fz *4%n޹vɏAA5qڍg+ I      V uoA  @KtfIeD'ba1޳S^jm$x_çgF5u#SSO)f3RR bƦ5$.'9z%%Y<,;&fp ]'oVJC =M|U>Cp$`-Gntܸq#S5l8y{ZS1ĈA3;-4(n5 v ЍP:P{:&&X76 ugںw$=*B֫9i -71LOӔoQAsTl^ Atv?_ eNVl]Z҆Ajm8U)̣G)qȕb>Ďh(û1hjS"A>.N)c#PI[ Y1uaM_]c].1(xv 31"]m;/um/lG漮F{1׽Vw`IlXTfC1=?-߄O̧͇yv'jS!-y "L؂_]Á綞~Оs>ͭA-y5 ɓ'?Oϟ?o@[[??bK(d5Q@ jgG-#lߙ1?coͿ,ͯke3_g?~ya7g?7|_wZ']g>J>fArlŋ_yZB!Y*El:r2r1moPd;4#hA;گ?_ȩ쯟/}#| -xKC_vHݧȹظv8dw>bXrm&}~Ю34>fA?.]4l=uci9''$/ ,A^iR*^rĶ_}^g1eٌ wկ~{ٷ>0 fڻsO4cw{kh >fAr9X,z7ޠDy\BU > 'ᄺd!aOif*ڬ>jqg!au FRքmVv ͑lM+)P"/FXg< D`B?M y%A:olYv<3?TEp'w>a}isDwxbeB!_ 3{<}BRW 6mD%M )ǣp< _Xy ƴBavS + Ԁ'U `,MPHR2?S+*Ift.w U!͑L>}iEP[WV ܍L._g0v7r"@y݁Ygen^6ءlRJebA\IQb~j7/e>)q΀%:س&u@fc7o]qJׅϽ IHH27nΕƝԷ\jM/Qp>6Fg7ϫ\>V]]] :A+5RCƳ,~9_$Yl/NMVSj eV伬V6LAYIAAxSNOK|}_~7p_}=}ԅh(F2w/#YCA}ұ^U.KfRW m;tn "$1)\]<+&eF*[PGRAJ}gЛ~nɯꃯf;K/y$r?v~zUB*Z~Q,wy bX}}y(vބ2W k( OP]sϮ3`xq﩯o>_7i4Ir>z[{\I$;曵S-m,|ٷ}yӛ- ݖyhP3QU.|>mͤ`\섅/{wyN7!7"|bWx ˵_]>zE}Vp7PkcfZѯꃚuj~[i>C gzC?zoy7-]azu37A  @A,C&APPC@K!>" %V,[(X>PHR`RxP:9rv2|G^`؁BǦvP:aX#@B`ΈEF&@aŅ LG"L#XB|˂0ȢC\ |Gb|z8(CY-, FkC7:p5x08ۿ~+bwk{ocpM-7l@UZÑ\zVMݹǫNKY5u*:wy򹱓I ͮǽVFm'Mk>Ce(ZwEtAb['&C 5gcG=O{W B-M}<2|U-`}CDQe͎ Q߾~Tړ25"QSp6GEe4|fm߉jj?Yej|x8vE§]Qy|@_~gOntdAm6Ɍ O_/Auy/ֿB_ntL"?imU%Ciź?J2Oǥ#|?L^=-LsF4 kNwf][;twtMwQX^~BC25c?iq`'ݏ cvܬ3:@l9˧וQoH)kދ~6ԧLZc+n+j "/"yMy'9+#侔d >̵D1vd{Q˭}H\GDmIJl"oֽKԅ;S|rқ-*cY&)OohZ;RDNقy=cl~`O˧҈+bNx'1GFFFvR_sX/*ciZx[|0Gy3k|ZϷ\STdfVt E?,E wX<儡*2cLOrHÔBqWmZC3sfphzs]i::عy?~CIY b>R>cw3젣>#?ǏtXpFg#bMA 說# qATM$V*Oc#Xq r0?k~8<@A  @A  @dX'[5IENDB`wordpress-openid-3.4.1/screenshot-3.png000066400000000000000000000652161265347743100200740ustar00rootroot00000000000000PNG  IHDR&B iCCPiccxڭWw4Տuu{ggH[ֵ3n7DdeK&eJEFB"TBTd~=99{zx^$PF6;:9)'4P2(z,-ﷀxA H_ ^- # J@4zA  X4x{!glpp7}70evtr](%BZhb-hր>|WI>fL"w+J B8)_BW_@2<ҁ@[Rag(|@YDPX,Pߣ }OX~zzP^Ľy%PV##FΎ뼡ymٻ I7SU>NMHSD|BgEݥg˹__U}[^>:6N߼wնA6 zFBS4cbhp 1L|-}C3>"/O([`QDdT,U.uea4j)kq ы7mhxdkqL\ @˳V 6w?9 \<]/,ur { ̼C}  ;45 ^8O c ?+)%~N[/lh72ktoLmn}d};O>߁YLnp>DiDiЅ6VFV'M'E/̰8򇵍.Ͼv#Ss;G}ɗ ," l%kHJHII-Kʊ.*((RP;lL@ ne=l,)sxfgj%db}播ݺ}Cc3eֵd[{7!,{?@x'z]Xox}DلQL#c/Ţcb/]ܸT 0Xp&!Օdڔ4Cg8gdJˁ܄<|kם ֋otTfŔVxVRfZfy[u/ C-M%Iww]ZZ۸aAcGIgÅ.1gRMoT_mɧ+ω/)_=iz5cߪ~p`?`G `I`(-@v`i0w,'0 VD1G$@P4(Y-<&j F+ a ?zM&&3b;(q')0T.TTԞ44i^J&.Lp5ttAto DYS(b1DYhزع٫)EU=K[̧߃M`=ag}KbᒜRn ]!c((*'-7$NPWһ-*Ѫ~jVZJGTttCsך_&8>J_ QK0IOdP4BLXlTaI9ĥu=c̋]w=503)8-x;NU-tnEbѱ5fE&6;ON9CA5GGJEqMtts F LaJ?Y^`3`c8TqӜK?J@[PFWI#-CĴ;qaQ1E %GO6 oh:[׫?mp`eeq4Ѵ컹qollS;:&: PLs{UFX'2zO$YG*v0W~;A8q1irsjQztc|6w(?_)} ʵ+7j[o;ճ54 kj{3:,2?x?5P2\Wé#nco%OL|:c|%e/^_ů$~'\S]gXta~߿R]%UͰȝ,ջ{{{5{o1s7,T>%1Z8 7/AhP( on`Y p>!v6 <`@<jXF=qoOdA(1#|!Yi:,5U= vpAg&ݕ bKGD pHYs  [IDATxWww<] w{7ܻq6OlesN @ $@H $E9u]]~~dٞ`όwuhO}S͆  !v  "  `" &  "   &  `"Y/#+?S7ǕB.p]hdT=C&pk^I8K9ddS]:O%|vI5_NM޴_?^>8^[Ͻwo|^Wܙ/2f2m tY}lsF_l:dvNgsX) Dzd5VM a7aö/=5fD % n|u kOe_;`oڗkݯž287V`<;W#۟sMK^?e!z|!T&IAfZwW[ڭ ?(W goō5g'7:=%@ǭRb"H?^آIKkC*q"/}9<ZbաRN '+YV-Sǁ̻Xz<3ٲ5`Lr8 n6K*:nc.>Ġ]8Q| ^nxrŷ0t#w8Qx88dcRssB>kX4IG(Ea4p0?Cqʱ60Ǭ[V‰L=I6D]n6qac)ݍA|e'$&,2-q:*qr_f$_a:[{7),}fg.O3caYsܯ. :<So*iZܾtꖱ3,xx⣈؛HEc7&Ɏ~[<} jqna{wO`bbQIqD&rAzɶ)m:Sh,1DUm#-MGXh5a;-Sz͚:u6,9j ;H|7[v%7A+&ioG00!ZEii so\9DYH"&QԋŤ >ĕ#H*G4jBvcш}Ŭ"u+1V|O? iNdݑ\g ^^ޔՐ@zROXmj.&KýaG=[.}xnkv%IXֺ~j%#ƒ 7S~(jnVA$4Ǔ-3xxv*YѸFaba:=ٽ;!' .\_fV>Kt -D:fxP^\o /xFt+{!'= t/Ypl*sڛ ;o,͓}>L+_x7o =\=C@DJ#{Q7ai︇W2 svSd5p?^gY9Xh+)NҩJnV͍˭3^#.'Ifϵa[{L_"o'L"\s뗏'!TZXL1ʎv 1d/\q]0yysw`iSI brn߽A-9w?yϟ#'rEfle6 ǒZu1~=qI] Qw0^Rw'ښK{PԇfeL;p/+|̑x! M5\ș=xEփGص'eӋsؤ e+<0O?$=gI ^>\!u?)oT.Qԝ| $YJ0Y(ُGqp8PM6:_9mWmM鳏9xGSs,wzyRǏ~}<(q IVZD|KJxxQpɧ .zXIg(kɋ"D&xvsR9M7 s N*n݃G#=cǯH?㡅?`"cw|ZýlnduuU`d~/|7ؽ+g ӋM9|c4M'9Y t>n-ǵ,/>,Қ*2غ sf_UTDWY!*r"pG<ݝd$l+UGDx0W qd4ֹ{rolcǗuMi7Gv!Îz]Δt/QKx\.+F;̵8Ջ>\\f&sdpaeڋpv ~!T>zJ'oEfQ%d_Svsqf,L5xssxiD):x& 26x/|k%6z0N@M_DǕ@O7biv& 3Lm\<FJt Uy@Ka4U!,>1 vO6fW; 1A\+?ͶOI.kբg)7GV-+$z['B >PiSuY=L>'Q^v ]<ӂ&3-?G$!*xp 8;p9Bue|\>&::s#dq$6 z~N"FjBʽ`dnMw8]h/&FҤ!3bO4RJM=!ۍ'¸RSE+[򙜛0k%+q]Fo{C0kƶ@˨&;ׂܶɚ9 ` Dgr,X0ZH p%J;&Ɂq!^^T<|BEvIU(fDcȎOga/gja6Fw ŪkD;#2j1^^Ccy;I26D2IKY5}$FPt 7v.sj`.r=Bmկ1XZ:;&8Mc]ܡ>OY[wqp6I K‰ݪjyntcKy=,WfbAcXben/ꆔ/9VtNOs* K r'W]yC7RPZ\(Տ'e o &7d{qʅ=w6\n@ku`wa^"{WjpzONzaZFt/2>c'"!.36EN2*k(u2 GBr2N۝8`tna T7"t?ʁ}~zVlèh7 >8OD: Y2t<}^':d$'"8`"F%zMKىDedrfYh, оLlY½#2_(= 'WO26>-,Cdd^,WWTOC9M6ro2Mvdga4"$:׃j} #!ROscaG3&p93ƈqv(m[Xdpw 8dF,>pPGjl'eo{H._L]cnoG-d3AfeOr =s6%μ9|oZR)!<-#JLdfpS:^c5w8Yބ}8]ƒ(|K2i8?7N*b["*đ0xpT熉rR$*,>k }cs*<[IZawbҌV̎5dѶl5qHѩI Ѩk &lVq8[~>nDG 4__8e;D|&:ăp~_G|Għ=ܗ}Ux>ڲv>'$iXqXgINz#L_S0e =(tf[o[CjV  F8A⟔Ȓvڼ8o eVGۅCEg=d? J6,c5XR1g)J%)e$x92]aO14WΟƯĜ,cjyNӂE(׎7e=EY?*gn.[9wońrEN9CAo\2isC1|'yp}F݉cwư-=͝GmIi8FP%vpNKUz/Wl_E7DM4Vg/eOzC0"})4Jbkz7 %鹋m{3_4a50>z}H|A|g];_'(+F9ETs}A܅6nA釟QԾ*fCMTv*Ge9G2rxwO>"8dB=^Po;I.x qzwN7Cd|Ftn5z z za50׀tF8JȎl3/ &vy$| VRj\ҡH|HًSzHtvp 68|c00`(YQPLr<ȟ;:Q5O *^մ4\`Kf.,Ib|eFrbٱ#9S ڟC8Spۺ_XҲ8JN><cHLbK+TduA1"$E.xm:X$,$ % Igg]iD/tԅJr0"ʗ\#i9Ğ]G㱃gi!`_1*I,'ϖ2o03xn;fS%w:L5WמL[%7ST3$xSp<a_, 6{d=ĴI5CanNx{|4F,dcg<@^E'kE۲DO)p&H!3 'qX0ljk=n|pv&"4* yˇwPL>&7/_|}(kT+,L "#7!˘ ưس{xb;QA|7;yRtS,^"1@Jثp$aYyw'gob_g`ŬBN9E\~=fEs U4c14TM"uj%W3^îDe]gbsx{>ܱ'_8pEǥ IE/o@Nxxg//44X4_LeG"O&T`Y 76\\rV Oy ޾m@#`7|.`Ȳ rKى/3 IOþ?nI7C*VXIt2)L &P ^;?"EB?7@vn@jFvF.DZx}Zie O;r #>pKa^Zo3b3(Iï|q}FcV(^i%(MbPSߕ(>VRض3v:a'g=Xl2 #EmgOeTl3{W7<S`.p!=-[[I;׈zeg_+[>͹=#/3I-6rp` }!~ tLXuxXD\J5W7vU,26ϳ!fUX$2qIƧWʘj'dAbרPփYF#$ 5$a(XgnnE4ӛ%I*[@oU^a|lV4FlZVoI#+X-Vfx mmT=0 Fɱ1Q,/0;Q0hVfqEլG`HlV+ 01; IEcITa0K6-*X^cnI^AҭӢԲXaldO2V يMU)hdV)Fƙ[Ta>nyXFW(wU:֫[z3ScO1laE\`ltjYL:'_ja)cl|[I8((Z,N(Sh ZgldԆϯd183, iTz &aԪPj o>/lV+ 3>5Zk¨U"=z$׬091ɊZMU.1>:$JłN|q*IVtJ *ŌrqIJffXT6Wo9lq;Hƙr&&Fcx֩zZ4*4sXgV"/8k63y &f,FSYѬ,0>:zu&akYQi0[ׯWZ~XM,L226 + f*GgqE$YШUn~76Lz3ǾűoFR}c7Dnq~gH#o>eia|rRG<?]\Nq<8'+/C?#1ڥ̚ne"ms+3`d>|ϋ!ĸ{g=W\ F"}v}vqϣwxĖ<݌-U0>5̅`_=Ǥ_}ڋ_(%5uk {Xj+*&ǿI~cS#O ζBf-7% Ijh<\(yi[9r uQXی"s@eiMcU|U/1YbA r6* 2"\i4ɯmo_oǗ z<_h9Ƒ%(,׺4^WMmG׸nM{_5׷KmKsoww\Laݣ1Fdx\t'>ӯ:sf`jYɖĮrr(`p.~kXè9Xr1N[S>qgE*$2 .hF.[s?aH`*|K"'lfѲDnrj4}[_~FL|,.naW6NC_ZFlȒ;Uddds_Ѿh`Fh1LT%]$*y@U*̀JIXOhYC5J6`{kbСq)YP"$+z,zsبע5D7Vc3RyЃ= :vNb~FJfG9䱕#w'YuhdV&+z7zGSZ]G]MZ;Zdz+<*öHF3-o&nX֋LGV$tM/Iɋ`"σN"?^sMcA`2~GDytO3x,~AC,Y_\f'=-Niv O / kdabEezW %9-k(Zp&.zMm}ST則ÉsX\CDQO)'`w yqӶzf1)H/ȡ't;=–wRm+C|eDoE48AaX-濇C^[&q;ϗ~JVޫp.>c.]z 'r#޻ ~orqɰHAf?u^zh] kYmX \OQP/]è zK"<7'[teTU<1b>隇v4궍1HZrE*f]pYo=Ō7deֳWA7ybp];v;v?捷3.nT>jiOuw&! Z-9[,))M^z,Ź)Wb%:krqvڃnn$ҿ6+W7\\w 9,ϙЯq>-]ٳۓCyPIJJj";0(ƹ>ORsP(&;9} r{pxjqh?o.yJSx`Vp:ׄK,hLXi g޽D$V! `"߮1 p0Vgq .^Q^I-PݫIKUiRʹ[$+en1ZeUT䓛{D'>>?"+җǘ5!Rrg Međ}=׈*#iRp7DqžTmPZL[R%Y进lᨚZvv`~S1nT8FJT{ioDWƇrk~qHZn]JfG4FV0ըtFz*9Ôюzx. SolZ ua]wNʂ@ef[cXFQPp6سLXzZ=&Φi&&muO؛^Rv`-P?x%8E5 nsk^y 뚕ke D'Aq&42sM<,H97Ir?OQ!יP]N/cZ|3gYE9vmzEamwI v;0@\,yAN${Jc\AL8Xk倫+LX]jk,',c?dK0IǓΰ0?lC=7òZd4O𴳗ireL IJleezǏ`I-zE˔tm,onI$P̍1O;:\T`cfQϫADHfp %Ib獛eͲ,c />ׇm S leَ!ex%_4v^LDB^fEBAA6, `"   "  `" &  "   &  `"  |$IqmDdqqEAo`aa*q"·78A[]]eiiILLX[[CLbӷZ[[DADLb&& $&LD0L$&1 Yn#YMœ=9TxQⰩ(ˎ9,.J9[fg)=n{R(?ǮqԷ0~7'?~e&{\cК.?'v*=ó/Jrփ 8mm m5ϾDA`RfzzɌ]ZXkvO>ezzZ|ILߺ` Lܽjsx:;6G;|(hnb\"mOELam"LbI |+b2r9ߋ_8@wSa S^F ?ͤ`s l2?昚sI*`F+},5ܿYދmH&5FFFG+Q G?zq3 h4f&d&nǘƚ )PL4#dDqv=>n ;.MIi<def*ΌKI|3' )+OFƐrpqKg`BJeCxG=\O^[g1,xeRVQNE5,O7|-m'B ee\m@Ur(s(U;pvˈYŝdJeA >MکB˨B+czh٪#Fs-lD~jX5( pCq/X[~P.O;}Ha^ul;RBq=J{g+ywzg?CN01bfc>ܚ2݅S-,,221ɊjD\}"Xx()tvg ~x筟r}XlC]7VQayY #;8ddpaPڲ}us,q86 &/Mk5ZoF}uҍRaЪXV1KB%36y]]]٨cE9\X,iFRo' &GnF'.נIT_ʦnaq=.`{=rH l9SgK|(K wP%|O#Μرc;vwU~svUH'pY6HgN[cӌsX6Xq^Y÷i$ɿeSKQ R%4vg\N4UR&f2H_1YxR|l_e S14 KML;y'_9 `"GV$mݺ>dd`l-n$v$ 'Wx8bfٌjVqy,6Y{$n:}kdFH׌IZX-fL&W%+f PgXX,fL&3VIVw$^9{Y9yKMy2 T漛C'b;OhM6$eBՊ06 b^ nY_ołrW? jEYYÝ$ɺ^Y}o28<;E<|)l{Ϭ,cc-$ }u0CMÔ{eYoC?BEccTlV$HVˋm{ U;S-dKbl";Xh/kG O/ʹ>Ì[77_y]6RǙ;ϰHǽE4D0?t  2|dn44{-8;y<ժR {S΢Yxp$wl<{@rd!D$`+vlACv{*U =$&B3S{[ƌ,m*'ߛX#$/|`gP1ZlV8߄J _T/YxZO<^uz;8_OA;N1@B~n+R=9XtGq>EN?zx?d A'3?=D~oεNr73ך}\M_34f,Q%wWqwiK_ &+MxRvg 4-wY+^ΤT=ٝb=?F?g 9×rzܝоl'$HF%W[Y"S͕$8qR+^c]"Wv>tF> aq]{_|G!. t*Qo'+P?!{ n8/'^~}@.?x2.sՈư&m#x=\?J"ޥeC\ϜBAJ'i5O'wtzSUl_EݮtN&68PAzL=VF%i~DC|O9}|{w<-ڏ[$ mx20fa5p:`'>I j(W$&6%N\W[Y:ZbǦ'!ܓ#-X-jj%]H#C䦄n=$. kmȒ!R[|׏3ϠCќ~('C NMF.t:M׹TOyn`N_m847$7->p£Y߯l*~gK~MVk9DjİN }{8_P ( ϗ"s8,:nuE&9b|};k!ϏKX-J*2;|iLm^ [D0ߦIMUB^ Gq[ B2|q/`VL"|(lg^n,š"^ &6َMCO6rLsd|*KfHnRRȾٯvwv˗/S\{5=NŎ&1|O?ލD._Nwef!-U0H Ý\9Ύ0}ЏI\ )wRdpO>!8^g| sb q;:{ME >>Fp#2NRXx[,h728dZΦt9qJGj'Pƍ`R;M0Fa^ ns' Vis0jm /.EGP/1d# /ugv締{@|p(w'- q=lkfjb8&feQ1?)2%3 yصC O(1 R8ĸoйjz"f."7Ul2D\\{2be3u} \#͛MϘ}@(ʙ6WFvi,.){SPZxZnl:mo"!2R]6Ti^be>| ѮDSӨN¬y!fGEӽ…g~q}5(WgYB_g/ #vC=MD%VdzY`Yz|Ɩ9w+Xcva{gC{3dgI-~ɏBǢL; !n!|˦2vDpv]]-`2>. tORwrvx`qC(=lQp%͗`r5ʟ[-\=Grca9T4 b%(&K4HNy19h&ZItu+qrgH?YZ2ӐOu6IGku.n;`Z&GWI3M$pcgz1L6{ [}qs$a)kTa_3Xw+7Xm&kxPxU؍_ ) { qQD,!$ƞ$"WW7qoWe;DEH'Sq|'-'npm~WĻIU|7;ɟϭ 5E݁zf}*]KyXŻYq_wx7:&, rg<0lj$cQRsp?9zwPNﲞ)BߡlXkZwjc)Q,sX%}eJ&v<krƀ~eڶ~,F#}~ʈ :jZ9P˜Ɇve#͜;ƼBԩz,&mWШhz:ަlm@٦uyNU7$  |J_wlrv X[qW5L갊^O5boRz;W c]0؊1S+Ϊ!yU ǯiQ/V`eQA3E5{:ցJp8$Vx<>Ǒ;n|)oW`" _OUz/%|@&o]agivT\oGq9ݥ@1=\Vfkj ΀"j8Y#ݸ`vyMZAtV%)fYH>^Xcn| Gh^ƽ\+'n vSU[;1|ZDyM~{!)r3!ԛ4jyĻ%DFc]!u/@E;] +Vnśb}m}@ oŗu_AA]VuN\ nNLHӜb֮1F3M-}B-#jlFƆY1Zc O鱘 ,.v&ui -.V$ZjȳՓLFAV򝘗1e_GzvE>-lc QQ|oe~H h5+-_%5Q%,`_.f|W_%|#p=@L] /4S%7W)GRe o񓔢MB!;Oxg%މ_Tt=?K){/Bp-%/ώc߸K[oqnΨf:15}ewR;5r&~^ްގ-泂/EwaAA]fa9pvw/ vd߉/ndoGցj ;gj\ݨژލw" }yk_D{7Qۑ|7D]x1w.ξގY_+^{kyފ|m# nT:l>u}W~'ޘKeUr Ll6:Wnb 7΋y'N*gInm2ο,k~ᅨ7l[T߉/#z1$  |mf1Rλ e}w"ξ D/' |' ^-- LdƂZOzC7q&\苼,o |7 {OVhE  |ycXө%b9s^?WLj^BsUXGLe ,F6&fVZ6evQg]ҝ]v\,S=<.Et /o^ ھs z=&捤X8Hom$ $&%0nJLLx(VC;Mw CJ,Jϔє,hL}o~ځzFه› 9wZ^f=ƴI?A>yӞq)Ӿgѝj]׻{@OOo\ +.*$yU!a#ޘ1}::E<5ϴ l9y 틩0KI?~YY*zr=3Wүc7q;wط?9r;` tA@>kD *eࣃHShX?Q!̫l8\9J_  e ,IJޖޖ5KU,9Uk5?ZϴGutw (^326jkaVjТ5†V>bC΅vǽť~?f}أ@ `!s`$<ڌ^m+{,A6>q/i"&%]t:m5+#/e-ٸ3[75/(߮@PQY2[_VV[\IQ\r/j:kxp3%6a[-Zjsx"ݎ>Q4Y'oW]~=j4k}O^; .lyuHugz9f~lpy`2f;ivX=s I>-YW oޛ׶Rwduvq?w1ۉ*NBP=BàTXHx"d 7~;"A#!Ўș20I<*Z]EJDC:EEBG^@ACDGAyLu:GGKLNLWI/E`1YyŇMm݉I@nV[cB> 5$1Q !Fa R&%*$.">"qMRKU3M2ar& JgeUUUW1Vй;Gor>`ҐŸȼbJߺ¾ 9ǵ]ΣK{w+`׳ʫgCƮy_GD(E.E'J}t%4U:&0k6YnQ^HUD abys{kjw7=o򴭳QOC_]JG N&Θ_Zb\Y ncnkퟂ\~{XQ-WS?ЀăRނt W(*zO"X D1$B*#m!"'%$%TT{45Otu3lg4eBajblҒJ:Φߎ^b'Zg[̦'֛S_wlVi0ՙЂ0{?Bdik,Oj@BcR~JXuD&~HNveA~{G1Yɣ2[ت-4T? lRn/RۍR=~m7_4JѤ1 ɬDfgx?$-}_6X)ưKטo͋[rXvg/_{{1n>;9xuH}hXyy$w|Tu4u:>szy{{ubtr!g U&O;/1bM,ϚO8n~f'X&>`jzQ 4B^&¡ᐒP,5iݷ} vpAg&('bKGD pHYs  IDATxs\"!iWo_Įjw{w{I G{M 4h$8w;s&t>NeV7( (P@t:* {5P?Q (mj_+b@ ΈIooߍXHk߯ (PBLFFF |נ[^R (P;"& RE!& (P@ K$R#eյhɿg}WA(D (@WW;եum)6-E&+3w "Ґσy̾WGG_)  (PwDL琁6J8$ŭRTʔ[pf:;hnjvAR>rE=ϣhni?mmm~󯯕"5 1Q@ ~'D~C::Zebrp1>QW@q^OvY=Rsh.8ģbt ^TOr.ũ믨jϘ&$dffAvv63erBL(P@1VLl]Ğ6MvaGwnaz鯮9J|2Xm[s#1✷޽U|TVVAjj hllAiiib@ NАLf f?e=$}gw6iI/;}PYK<|GC+vGu ;弸3/ikweHK<&%I~uҒBL(P@ 1h4 AKs#9o94ei9t.i(GM6N^\K^ce>QWŵV)9s2I~~-3iiHLSPE (GoIAYٻ(yuii4 ."Wp%nߺËITTfw"wRW19{sgOru>56g4ϙFCCr~DRf7iiJLf3FA@݁i٤( (P &$` '3چIP_QOT5TI7ǿ$5C\S_M~'Jjɏg֓k]+TųCZblzqRߝHDӣ+60\O=Y'1괊(P@ bR[[Q@u]ҽH9/wb"-P_/oh>0QF (yI%3k*uuKk ݉^´xZ,`q 1R_ccc2oqO4E ~11 {*dLVC..f4i#8c<֟F6pJQowotY1LLUM?R%.G F7 (#ZjTS M>"5 za9Q&e b2+GlH;c%~+%J&2ާ¢o`)GliǏ",a/׌ι"l2Sm|c,{eԐ1s`3cF(KҩDG_Q ?"!_A[p~vmƖ;HnńdbbQU\2Y4ݏ,?>\̦ylyFFw ƬV} ~+|gW~5@*Y q.1Y19~xK5h+|7s玌wnsU_OC5,:yWSסkE[,*qwuWsaZY`Weݸ)y׮qSY'T>?ED^FgXFɉ7~- X%lYO?} 11nɘUGY{>J-.dC m:zL_ȑ;ED:7`F+%Mܹut[̯|Nsw7 [7e.tƍgÏqwڭIb"<&ALރۏ??5N=:ڈY7@YM6?w%?'H\bw@g/\.߮>1ʟwQ 7>0(+:3eXx3rYx.GALև b _V&>#ɖP,Zc9:t?v\*{ÕxxXd9^xد`OO"d-t]{7y[Or;sE.^<ˁmdn[c 9Q@ݟCHt8YJ`JJRRHN"՝r=],#5|Q^g鑓f%#+W(vg,vƻa&3Ӑղq*CR΀7lc0&Ө1>%*u v .$E1ӄSi;*H|"O,>pg:ofCܓ,c014Ϲq&)K2-r9u eҕMCg4LM'bYpȫB>[T ~\CQ2ߗ5|xpr{HÀѱ0>aE,i-nEm`O o弄.f^e7aS&< 6lB"I$7ox5߼4Ro%&qWH՛kJc"/?jg&1& mk1Y܋; 'dC(b]X? bwb;ws~ L00~ik6\G+ٹ dn2j{6 73ZulɈAi{AX三׹2q]R: )-|O;Y&cҕkKod 6qeC+a_\EZ;o$!uڢ2څMf9z124@g{ڑ4|嵨4!ȅiqX'V'KtG^"B9\r5gE(a}5?a/rZ #6P\X(]LUm }A,ʤ@_/1&%ҒKIILtիW$%%K:Hy 7;)[A>ݻ'#>>~ν$HOU:ꐓ6`5z}/.ޜ}Y2mu7m?77w|)j Ӷ}ܜ]MHɗ0y3';7D?.ۂ=Ξ)-(7lmlXf nЪ7 SkHz[a,%Lb vry۫[0ME9$?ܝqtpЭd:'g'GіuDM'a;zs}"u_|jRc6 lw8[ŋrz\= /7gk\8Ԏ)z5YɃ;quq?OwKQ]nڂ3^>~U,[ugh#%lp`Eǐ٢&20TX%w>E~m#)O銭-~!hSA*{f=z+z*Bjn!<(5;C&uC;>gsaO0؉~[v-bФ6D#EŅdO w>;Ir!dx9C¸$bgY(EUxr='-tOwl.m8‡nFǕ%  4)Idzf6$")"SQY͇7.ܛ|fɣ/*̃%&3-212@Ӭe"oR|A$0h}xBom;X̖#w`g6rAn[BݘŹs8=%+'=3Q]GalGT&p~=YhK-g'a[?HX6NG)?Yā(Y&C\&նTt x~ɆK/KU.WGV-}>tCݼ;,85oOnh:·?Fblr"qs G<5ºz^߽;[R} +W/z77^$lKcyv^X:p+:=%+9LZN  mF79y!o]a{ SZ#N#lY; /|fl&b!X˞P['澳DrFzIUSs>z/ x?\P$*PIL]7RTEd&*)"I o$o:]47-GY?΋/d"=#m4d rb,ZL`L0mBvc%nk+7&I[Uqj.&L0a5Ғ{eKoJTSDxOqwZJ[GvDp>pvV vz/@gG q?,$ ߉d1&Y$hR@u=9z7щ)d!W|#GnIF^8 I7wXd21a& `0;QKjlk<Ó,&0U9lmm7T1Yl+uXҕ}>b::̍|A2F9?%i&:b4<ڥ YfWg4qyauFxw': ?AX{FQձ.Du'XY6,R i7qZnhxUB7pY.t~SrA\9lm~ 鴚uTg`R+}!/ﬧ> =V+Ef?Xm <}[N_m"v $G'tfM[1NDZ1+ ڈt](:;DDJ%i+mRִ}b)"%<}TWorr[O@VDVw q C~"nJ\2/qAAFT8\A ]-<~A|gFA9/+z/]QJq2l1R u {7lB<Oou/$faHmLfG ZKFoFxƜ[?kIIXl֎!, 2o `0aj*\志~A,Fx̹'|7Aݼ?WHeaݢ/ 3Y! ?rRVnⰜ+yUމu3VC?,#lÈϮi\.g7v"j4e#e S9/F,fNx\^|h-O1W#YC-ٯc'g9$,>Xƞǥ] n Vqkʹ!q5Keg;4Zv(e{zx2xܢ8P2E: ׷LF|6S/d"r Y뽑煽sKҤ,pvJ뺞e+Wq3 +[iFo0b* D4:R$W)D"sj)b"%JHD&E[=aRQQ!/“6rd  X܃{Yg/];7nf?53%2h ^2^ve0:{o=*zP|,<8]sDM$Hr$*'J8ɰCG>Xp1{ӯ&vp7Yhg;/ZK4T7fPҊI0pn!m 4HG9w?.dgXr`0~[R2,IYLFJgngc7N`ek[RAQN W{"V;qe*U=Xp 6 ,MIq%?-oѷp&LAlݼy47 ;釵Ay Bs׭V/J7%_q Ph:NR"_.J]cz.]S) b`2` KW*q}`] /| I[O,Y T׷sryl靌 ڹ{ڦ߸ߏ,V"crb 5v/uZ=&\;˪ŬZ͇v .pAo2!VdtKҍvZ, 0J;wb{.燅L|"׭dO|20u7I<4B8/$l=ng@@][ Dh2켶Ʌ،J~ ~DZ";;gϞ!&>|$1꬜nY I^eQU?`LL"/Kk[ {kB/$ң5ԁQ*FßF.ps;kr9C!MkXj-2jjH;jFp. `1Z_XLh7mfO Yo7}ox)?gVex?PVH\cbTHI=YlZWsy)yr&#O?U}SXa rJ&/7&d;n"6qF>GBFŕsj&>OFhL!Wb1"P#m!Ba3gɏUb5pK1^ǖO6M`:9'E]{Gb;ҙ<]7G YdXqCF \E16/*i@څ}8/Jxq])hj鴞k9B6'&RG-dܹij t59wXh!kJ8ݼC>rid\zۊep zj˜?n5kݹ_ u#d2u)Cyh\qP["S[ŶOD\ʜ7d>"Yx x_sɘf>ߋ,]̡'e.X IڙŢoC6nP~\Baϓ6!*'g=x|1#!X*NBi\XV>0O[mΟ#V̈́qY(Cz4>;,|vL~Ũ6V.[jPvs@ͬY55wkxבnn dm<̮s}ȬWa2;{𪢗aǢ<\?2DCke47Wo ~g@"^, 7!0#i#}eqeɢczDi &"΅J|V,ֱȺj|Jx֤^z*9w Kasa#^fE,\lˁ0FPwVsga2(vw9 [7d~V3N,[;H^Hp5\ usj|Bs0a!֊fJ\}Cx <;Kq!Q%@wm;o.WqN e)G]9RrkccSF;"UlMN%RN]BLN{ 6^rV/fpi[AS:i91[XW_PVUN YZ.?8mNz/~aK`p^x8۲lba},|Va q첒Ua׫[lͱV/\{&^:ϖ`8p=Z#M794ܥw[# &=ǟXރM\xj@C w>IK~G[#j \}8p-ԼE /^:/}p'l rl d]92s2<󈚮ɳa_= T/#2 >DJ\^@:&RJIst"lCC]Y:&斤3}ٶm 1lܸqٲ0%s֯Q( %44m\<8|g g7G"]+HI̾ӤVU1o7m֋,z*2Fk7%_z5)ܿ/ ~>4GBPP^[(\v4^lؼO!Ejr__%4$аp"7{ cr[L`߫2س-P6lإx{LX)MM,7r G_7UTn$24 Q;2<")Ȩh~Igsv ss=C=6,Xp,ZZg?6l@xgM9rQ5|-rKzWȮ#w2QOev2ur]Ԫlg\9{)+IDEmFcbbxEcR͢"d*chh{_/WV&D +J;d:::BhRDZ֙}XG"%K|"}/.z8S~0d)j糔O}g7 oWvC$y2Q12πfHLc3 RDE30:6+T*YJ e$19oCwI h0$:;ur{R9qYGoYUӐ:p/e ªAǐFZjLO#$7 y>z0'F11v>MrQIy)=Hd%{Lkk;}ybZ^_׌Œ+وF^DgM̛3$}L*VXZ=>-vr$ZdH3YPYI}}줄_ (P<&ҒDNd#9!9ox1-0v @uapN;}HFNU6KZ&ssoy]i:+x99˼5+W":wu_~mc?^\:d-U/zJ:II\e= Y='i +ir"H^TUHK:9:sb &~c sw:oЖruG4tR$_ϭAW1!ic;>eK166. ]#g\tٿ˳gO0Ǭ}gul|bgmvVoylV_O|Fے}y9m cY~gsm>192=d9.Tz$ߏk_" ֹr.ID%\qr ;hW1b2䲾Mb||61>>DTzoİdjqq3i5&ky͕|3^|nz|n56=.SشΏѩU~0 7p"*wW7\mXO,qՙcOy{- W4L| ϣ\zyeٿ6q`/.bՐ#EZMzZ 陹4h0HMerSa|Q#b袺 "1km"+5O- XLzjIII&-+AL9tH+5wLUJL8֯ #]変{~ȥhiJP OTR*0$%%_фV܊i$eQЍA KS"LxFfN]jDjqW4 u7RV/ _(hS(' ;űh(%59J#&:oѾ>vYomѧTSLNa!6ii*HjJ*yk3 A<ܜ|T5krŻfP.yC@7Q~UJgwg[5>ڛhm"O'>m"]pjK nCՑs% G 4VO38=S #7GEAi4̕٨N^YxV7ڶb8IE5Ļ= rJZEYB>  f!ƲbaL>dg]--=M#V"_AQȤAQ T4q&~?2DcUzt_$=AI]2yt-IJyL&e|}@q1yP]+ cS8E+'#9OJs4VЫ5}LcCLBRFOhLmcxG'w1[1@F#A[r;_|p~^GHDޞNƊ%[|ϣ7_(q&$,}_ޯg "$I0)H'Bvt-9g7w16#u[Ǧ#~kr3U Z"($T<ßW_'lxB@gUaoDl$3nP!BCC fދ뾕i/Kho_( Co2{HμB>@yȜI}lL֥lۺ1 uwٛ)%z ]#D<#D<#7cwcs"# &,rEݔ&^`_E"{Ίy M'<龪cZB2i.Nxc"J5`:}]bs g_Ѹ^KL"{Q D4<򩩗Wg"B稘L{Ls#Nm+WC91c?)7跓!5eĝmQ e<> '+֯% ZxHml#aG:bkZёm>`:TCMHDxN'ԍ}qWجeL8wZAD[8)t;XJ: 1T̹=b,aͩ Rn8zb'A,BC>ؾ!P|r u[Z 'It݇oЬ![?6o$gGgo >Iigɴ?FoU})d?&{o~iF<<3'=Oɲ?[r%Dm B⃐]Ѽ:/&&AH~ȶH1OMN#]@cmFoSӐ(0Ӑr!' Sy]1+;JS.9zrӴoM_ ,L%"o3Ml:\"-ebnmq=,+`'2_L)1ϼkI?CuT<d2qBz%CBjǦ!I<a{V?FfNC&\3gb\Z([Q ,>JmO?j zY.N4]Ŝidz|cPѦB-F#rQ}(|[4uz+EO('Qu?. JkK9=MgH{[v]K[JEkobGMo;/o}O=Fj/&QUƁ` -1 xTRg+IZY"װ&2u]} Y6H:s ^wvTscq ?NAUxX_Mvb]oH訚GY緕">a3E,-w`㺓QZSIzV'Ľc`{x9p!է[D%A+ƾA }%lW~xEmJxZEs} &5 Gut}}-6Uw=\WE,yBz.'ќ#㸝D@ &]},Us0;P$~C,yB_ je1!s21Y( ;ʲ8N,aI?WѦ(|kcPٿ?˦'B߸RU:sٟP3ż5#&fhR1]><,cs>bD~>(y uTl%{:9o+[KًD:B~^/K6 t(sdegz?/D=$8 =-SӒOiQ b2$ anO8u@K\~-G؇r5'Y @O:l{GWG)<u !]1{Uq&w tqyw\O}Q(Ge.ӢL{rkcJ7Sp@.Ԣ7pw+[@ArO3<6Cw$S }!O&hg#Ub3aŭL@a1bҔyGL:r^>ɲߕc "\|gU04֍yd؈kyMfLMC%gD%dX.&ca}#9|3a3& O뼎@(G32;춽 :>p?9ЃL2R &{Bέl m;uqM;oF7۲m"ә%&YӬ2I*:ŐPFٓM{m,D ]/^l~Xg@8QAi9[͍Xń^'mX{ 7r$#K*.>V fńyV"jZ YVR˃3ۉ$-N52:]{{[;m#GU\zp6Gf =qYD8ͽADJhlJ*&^9;w\kT$Ɔovɲtg/+P+H< 4͞}>yCľ._1~_HdBظ1Λf >^C?CE0$ d/GYLo2Naxʲ?,b 1鍐 ^]ēlYb2f&eV\V/#F &%֎|AU5`I!C.G_s{\c:.EogE f ޗ~1hR.b| M)?|hx&M؎&&Rrq_ |} bgw2CB>R;# ixۺDؒ 1׍K)<źazH{}Q&&7al]6P:8bwo71-/ Yvp(X^0t}'[Nm<3);3PzM,!͞~QN1]7/o'|/$Db]brϙ۟:A!9#e?Ṇ2K+ nNq!F,*.lt.(gbM<#KǥgIGWw Uzi-/卓_ž7՘7 O6춒]-9Q2HV$9r }qCxP 1L3xn7?6LyNd-*{P?$b,N^[hЏ$1)O( 1وutŔ>9*O.{EzFYi&aM"&bǨ ZuYq2 .J:<(>JhI;G7^ NoeQ1 bCr}7 Ms9pb?n;H/Cѽ-_֋/}!^!uVMt駢f]٭g19yJIj-'p\J.,8)RT4kߵ[8OǠZw&g"&RRH+w*u*=Àd.Jh0"l-=;v,!YԗZ43DN<îh5kF l v~\b+ so xCG:~>h NHK>Q bq iu +!dbR1'ZuQC?鏎)\,h5򉰵aҙmc?ANBxT&ރ&z9Ʀjd냎YLks=C 7rNoarjH)BGRjHbnf2`4Ҝ;PBzdNƻe%]9. ms]Ô?4_ѫ%h vbwt LS72p'&ҡ"0ޞ,_<^.>$1vp4 ˉt!kZ{I/61L 6]sZ:{'wu5JS3ͧoЫ+Q>جcmovY== ۴}n$QO'{K3ď&1>.&7R+±-D tj EP5\2kíkK9ׄ(erndb˝حxo;NYqP&&1Mh@ύ}5<:+C;LhkA'42NSv<"=kY=>XyW^ʑɉm{(N0|bnL/c)mj؈N).TmOȱTt QECS~>dĆۙUve='_G2CLmНdb}|+6'ȕ^qxh0./[b,j~b"-t 멕d/*!k|45<زԉ3oP"L{M~MR9W9DrF҈F4 l}b v.'F>J_^s?7 u,t\ϧnW${*!ݢ&~ޢi,\|~}_ڃVR봴%qr ɲ%9dDIg[}`X8kc˝rCe,DK9=ݵ[KG4΂?9"w7| ߔ'y܈Fj_"&/vN,l8y ֢dػl xTWlG1NzwZ1)\q;yEO,-A(C:D|dgyX)w7ٶjњ81k)W$f~lB#ۯsDx}]#\w֋E[[sag'a[ v&:oa-NN8{#y}3Ocupf5NݧM8ˋH9: -G(hRު ycokOgSZеrbn&4SFxn9ўr:n܉5}O3Hڃ?qt3*w$fQ,nuxm6]+~)b].m{X*yvq. &ڬ9ĕ]o""c)WKL'ws幘El}'@|C1bd6P7y;: ['+zƨSdKG,&S9]D G}چn:1D:IN^;dcݖH,ٱ{e_˳;Xk〓o )~Qw! qF!:SR6N֮Z|7nl6ixu,7܈u1Ic:kF>\~C0^ċ5&*n沔'(ln5g[x^7 [ ¸M^f'?Bpvl4A0T^zsl0~^W\>t囈ɘe-[)훣pww:[8,d7'gPoU}|=%951 .ƞCW_ѥ1bul$/%-=H 5$QЩ*IJ=`t놣{mݔ\#h# 1hT$7 zgIS#o*r律}#. =jx=%{;!wh/'p &C8$x땷khܭ8vCNQ\:$RN/-8 9yoa#x[C8yT΅p|'W^|@m0cP4':ג̑ȻOTvVq^g^1h?'Bd!p:.( EUL:ʒ+qb~q qF3qg;W[/f}:1CCʵ,[ȁ#.|~k5b,io4ד azyܮsyYئ =ع#=WI=\y&'6?D7)r+ <i[pG%vtҊPTqu. u#tmjV$d`dD-G OWfDe۝I?,>F?NcxXO #(MBQFtk;iوv>j5aybO#ll\x_za܆5twah` !U{a@;2~h=ju_˨AGB3贃m5tS߫ъk' Xz1{U;7zUtukF01KzEL>>.nDd/5jqo΁v[Iߓ*LZd=lD0g{5'emD[W5? #Cz%gX-}LhKcKEn&ens(_KгAJ Ci")['l) 2KϵBwB3|:ݰxZ&NjqbA0}Zw_шnddڹI&s+ZM_Y^/2O뇤GuM/0Bt-6%%KE{TblD1$?PL3,)Pc_QsJZ 6W K|i3ސ42I}.dg:-_jynYfCdo^zn;Cq ҘKaT}k :Լ ylkb.랜f'3K:>FnAfK J S:o6 P]]MEu-yɜSNeƠ4ͣS6Ky1 yAslBLa"G[6*i|Ҳ_[^JcC|fӹjz};'L 200v6ZlDnd!A>S۫qfGu(xۺs#1Wve$TZ=#S[4CZ9*aЗ-+/[a-hZv@~d%m[Yڲ^v5ϺeQpy/uY>N?Z2~ed,VsIՏ-/+nz;2449ܳu,lgI`Q_svhvzy2&d?<<قdȡ.! m; Miӊ1w0nDŽDNH%k{{4/H2;ݞAy0kH͓޶:Y:Ao'#eYggmӞV.O1Er]hSLk[.'^C 7 No6KIbu_>7La!^Ʃm_]- #d$n3%N>_ml|&Q\g}*_?քfZ<9]!&?b4xg Kyg=y)hogll}>&'lQ%fy A :.ezXuOxؑuQGwD z>|7%CEYMܰYŧQb㷝'ٍX'Ie_;΄my| g{6p%B PYthwYZ>/mei,#?.V3C.pvWNl}N~ș^y;RU8ƦJn݈#!\{/O>[R3Wt\q{Gr~6E~_y֧\`gS5pd"mu<>b캊.T,5Pxr_i3W>tGqwsy UIC=nlѦ0^m5 ybw.rsAGJbwc"7_U?&<@+b<>Y՗RYry c0APK\s{qtt$Sc{q g[;lzsy|8@[%x&/Ss6&'{I! QzM_uyk[|Jd'vvo<ŧNA$\_:®cر)K}^ ƴ77_OX.؅}1pAAjlT#! DK]^V x9;cˎ뙘&tV~`od?\'}-k#Sco%V{G]gvD^W&WTiw'5W/qL89;Co~M0b|o"&zOY}vqIl`d[m /`':Bj&=E^Ib㝷D$T򱰘{yŠOYBRvިnx'9ǦYx=W?VsQk?~BfA?ǞJ1HJal/[5Yx}c\kǬbb2ox!NN|ɭa#}۳z5k)ŋl=򐲺ıTgׁ^O"><̩S= ><]6{xYj`X%[;q Cavv3N8svqeCM/MYupuA n+`3]fTn9*-;؄s gi,M-ސzUnLy|QƩH>Z/|DrV%>!x~~{uR!vWvEe r!Ȭ~:IN#~*arbk|JsNRب'-w+D0m=u<##0DIM=ٯȓRW祈mLhGB@AOJqe12g902[7pdQ,r<+Wc^ 'ɋgCtԒ- EEcoO{4m:M=7iK6{_}3YANʦ8"-o4j*D]a. ʨ-Kc!~]\ds; amij5֧ʉhVs ԁU|MLsHYG>={\Xy~2ɪh4,bl>LmI] {Km] U_؋}^j@3.>i3 g Oi`73a>Q(p)j^V:. i *?ͺdb:1H~'ɨkxlfnJvY -ĜyBdr\--3D>HA\Vò/gx2VwYx6YQ`$|f'jP[];Nk^V̅'x=+U'k˞?/ҢOxy%1d+T:ؘBL_tՑ=7s1n/=gGVܺ[K`?W:a>9ŠrJm9:FK!IP5yB[LVKM#;=p>]zJccJz|x^5n|7lΥUјC 3{H+C%&137̗Sן rҊ`Ƚ]4y\ ^8';t^Ltjn3o!tg7vW ^ѯ33XAWN$|U \x ixr)Njqۂ=>nnE8?޺dALlCz*8ǣҾoJ֛GH - YVGOxr.~fH$ܼyOGhl웸 [|mrҩ|vpeZAf;r uD{s)Vq1VkƇ_3ٚUeӸQ/^k(HU~M +tvOjЎOOb4_E_fMVDsnc }b1'9IR*sP؅ĕt!WRi5(Odd+2ylXt%ޗp=1.*+G:X^7~qaݔwI}kY}A>*ޟg-1CWU|bx_F(=˓a#x15c鮵/6 brI&&^؝2Zڻu1ḁ#6PΘ{'Xx=[r`~=Ƈ^Yپ1G7οEkq'*&DWs%d? 7B<97>w&Y+KMW6@ &)oGol7 DzƐAab'~[d<&15ޏ0J3 #ۄQ06oϰ==)\>.F! %%MFm}K-ak^˩)ӛrI{+,3"0 U*VY\_)Q pynLn-1F7YALvKX́{/6P_Ml{h_W"O󩵗1.-`#v}d?9W!F?˺ޒ(`|=Ϟ$&' yd?ٗZ;}ƪa{TU<^yeǴ<;neG3J`L6=TZ$eu Orp?u b,,bI&OP;"7-O1ky}~ Ք=!&rj- tsfLIY=|"IẐ$>%)zw O'5`C"ttGJyS[;pa:Vl=[kI3xɆ`)a2)Og?, %&Ib"pnQGhIbre.CSd &!&yuWY_++wWp {C}x8st^͎% b+* o*Jf_rxcx 0TשI= r zqZb;jmื'Va(t;u BUAWǠfh;GӅ&&ssL`osV}d>s#}9_bd2/1q<]2CLBɰLJZyr^φtY_XРqD^ō؆kb">![y^҃4H`V_UKOCVr'Q:::Md=:*/21Hkq^FԤ݈?"|mz Vc=6;b ;cǭ `i-u!S bfî kzɼ} |hm QLBf%#_mWt &n'y8nxD.0MUAz)^F8[/=b[R-{ju1IF&]Yh2= byD&&1 |P@EȾSO\M "KO%s1[ް|Z%brnLW711`S!Gq$/BxKXy^&&U %eґ=ۆQɞ^xx!zё/i!AlـO ^oE?>6m ax:n!F ˖nʵ\+Ū%v7ۀUZ'uJNpTfvq䕷vK 9Ĥ^OiTWyJ{[Z(.lHx';Sګ[Al/k׹Mh:_$&%p-1rMA Oema'{OcȀ 3hg츚B zU5aBLt#^*ɩX0o.#j]9X` >A6zzu6›Pr*4t_s7iH$B0τ1٭Gn"[Mb ~wtrH8^Dl:-yZv!ȗU6ľ):힋q $z/^=I#b䥺}a6V̂lzym kgST02 n p5zG'!&]58ʸ]K[']c/Nl~n=|# (»>ӒI41)d bX!&\8M1$11|Պ~T]5o oQҍV8_r]%aC=x3/,{޴jioalsuq~<z.b"nS]XBjXPWS^TN\cD_?LnZޓ[\à$+ʎBp0=M'#15"a7Mh]*.Ne3D'yOi$K 5Z{JD2>ѭ OBO}1$O&_4>% EG[c% m|b6'zm/y$&ڭAUWIK䚨qDCcy)-ߞC"IW=lH #I $eR10Y̬yjA%MMUmbҷ~QRYIoi(#K^xMJNZ\;dUgbeIt IYPNt@e {HѪ*kQ5P[">,~[Çd|,,gH'Hؼ:죥~**I"Uˆt˧6W擒HRJխ=5' b:k#?32hA7MQF( %/W$Mɣyd]bЧ1њe2"EIi-Qȷ0dr +T.njpOS,﬏Q& +C)T qr, S62i:ZYJ7IjvO4 ϼiJG_>BiN2,lE+t OFꪨokjXm87])b|-_J+#-1ԬbjKdOYOK]5 m {71$U5W L 9+r*XsLr0*)Y8PX'l}!}"\R 1?OiuJ7RKfU}/=K7(21ܵX1L~o P]{b\}7KsG ɜRͰOI}DyC=b~S lyOڎ\\Fre +ʛ)Ԉ6&hOoDKuY-5Q'/^/υR)hc@ov{t aդM`4hi}$NuQ!!E>I!OEZi=/>ՓݨpitnAl{ )DC۲;OM/ E\e~I?sfRI]12^ul3c M= /[kʯ?3m֙L%gϙN*uƳΓg(OU~ƗN];sN:_>%Ϳw39,?&{b$Y//92,LɿLw/2s:6?cz0'$L9|yt{;-}9:_t{z<߻z1jFG_~?6>cc_m|ة~mmFSTߍS]1y#[R48&li_JY>ջM+9y5yg9s*6j0 _c o{[V 3 M~faw2[}佾\;yٝ|ߩkϴSn֞tRќDrY9 }ՔW7Kٍti5Zg2ꢾ7ڗ" ZC f~Nb#'_MQn" Xd}M0B}(P@ (D (P (P@(P@ b@ (P (P@BLP@ (D (P@!& (P@(P@ ]uS@ (@__---Q[[Fj1(P@ FLFikk Bww?3;::hjjА"P (PFLjLH:;;?3MCCfE (P@H@ZJd||| H鿉 477(P@qb"-HK&)_ XLm5$)rW ()d:d~R0R ?G"FMF & c[reH);v(P@ 1$UUUi g.0). <ʪ4Ȥg>=J4q&f|bzf|{|Rމ+Q@ ƈ!zi̴៍QTi%dnItx8O^s!RṊwdb2 zO J?fV`F"D6(EK%%j@ #HB%c҈ i seTQ+x|6^gXOC#@QǢ$)n?}v z1 J[MgON\Vz{{b@ ^D6}oO%b"v&I5E?.b.ǯE<*G1b,^Lʉ-%ER9(bD]QFY7b."e?T""I1('bb?mbq5ZyD3p~"FJ!y7C]*~GdHDDbBDDDbBDDD,&DDDD,&DDDbBDDDbBDDD,&|#ńńXLXLńńXLXLńńXLXLńńXL^!"""zio8NL&h4tww4f3\.QJF# t:+9~l1+u_\LDQ|#zkNyE|CuC:]]]_LĊD9!"""I1 HL9C8DDDbd( 8{,=:CPpV2V}3Dh'cb 99r=DDDbJd0Xf JKK+ydggcӦMrj]twˏh8"""z b"V4qxf(**w"M~X.Ɏ;:亞7-Ǥ3pa4'?B</ L3}CV%/DDD;MߏDŽ q8!F\:B#Ic5m1N?,&K`;S@Q}?ƟL1DDDHLx#DhbryBo(%%%8~]r$l;~ Qñ} e"=TUc1QXq**QYU;'ۏ0gK%aD| \/@ꁥ hӾhi|QA8p(kcPҬi{F {%hRFDDk#%%555?yree|掘2Ժhjd߇ >+u] 6 Qc}*䵛`AߎQ09(`܃s{1o!!>=F]cF#N>IdenEݍ}:f"N-B}mH)[_1s]4J*ç~KDDD/ORb"Vb&Ojr1R!ذשk0s$&ʧ#XFA8e*>6H:#>Yhji!WDEi;01[s=#oe>;ɔIm}V+{+&mH45ALfMJJBmmO.\UU'O6[Ӎ̳5W+as:`ZٟEA:O3 zeEװy|1v2/ŶcjBjl$&|,G(<c?;L ƢSqN!+na`BhbkMFiO0ma "QJH1XqܹS>&66bݻZ 6ZCii9RMՉ<עSj\UŸs߼zZ֕~& ѩBlBaV:=*@sg74*4mܺJ@܆e+ PUW;+KPZY#)Qw /n߹|DDD4VL5NļGʕ+| rqq8e6VNCZr5t1gE T^: 5RPA#HDz[}>E)X.P{=@T*zhN9iyv ̛"""_Lt +^0 0 üND9y#dańaaaaXLaa1EDL;v 111ErraaXLZ1x<ؿ?nܸV.]¡C^z% ˯K>qI%aUƍQRR"y0vYYYؾ}|=MU(, lN<]'g  pk(j nC=,{[wYacpayh GQQL&f }rrrgX֗l+݁R`{LF{:f卸rqxm9G MHYz w sm*fLMy?LCq6;WHq'f+gd/0 ^ݻPՃC||<,K#jCgJ7KY]һ9NJiCgV梲Vn'Zkcu= hp$~d*Y o6t4k n-J5N/~۠PST j EɈ>|286#ں٦@=MZ `Ҵ ?%Fn5]*q&t6+ڀJEt](j.mρrc"eu 9ePtDBo/(7qXPmSۍb5z2p4bÆf5/a},&F(HJJzbrX,-6;,ݞj>l$V;'&t$ ]&׭ŘuX6MV/lݥX1[$w@SMTc͢ ޜf v򾉽pX$M_.a=-&AOOϠ *++qW8Ra#-W0}Qtj(PkÂtbFI]hw~܇-ܴOOlB쵶:ps<Ϭ[ZI+xF<Kcua#P`T(~?<Kw@-5`ɼx<*l-0/V ))0?,Z y۪n`IJ(uxo2Nz[r8K"`c)kwpI2\qۖS .i*¾p׈ b58U߃X|p :3*xay˗T*SY7)Wcr M.&˘6TL (_1iRp%blGA^ڇg.Gѣ{ 9 CՀKG~lY[Of̙߬CC!IV- X>U܎S+0y!X9ؼ$̊CHl*brKlB[fITL^fH)A8ZUՄ L6dwAKQ+ E7#^[C1yFޭr;K{E8fH;sV&JV.WEFbWCڃJ8b2gkĐ ӓIn,:([QߠZzoZ]^tE0ТGC5 P4ԣM>Kuע_`ᒯ4롳HEхT0 0o1wZ|MCC ę9:N>C VD>zV?Zs2({=;1DD(Cqa<.`Z v[槊_0 [*& 0 0,& 0 ð0 0 ð0 0 b0 0 b0 0 0 0,& 0 ð0 0 b0 0 0 0,& 0 ð0 0 b0 0 b0 0 0 0 z_LZ-<Maa^+b6 v蕉a0`Z_8Ntvv---DDDD/M􇮮.t:y䵊pz{{"""%1yDsM^vW*&DDDDo   'x1AbB$cJV7A| wń)1}'(%`BDf1!/b""a1!W00gfXLńXL^>~o!c`;_.J$ox> ћ+&=&E_Gu&&ϓ tߪs;ș/&.8vlx _{΢xx}ntDmGQVM0OƷbfut)-{'6?WtMm*h"IDӀ1!x+\Wg# M=6~XL~ȇ3P{GńM [w"`⸑u*+^^eDc0a\L(TeД=a؉X 3NǪ+&I^?d~xšV"{8g܃9{> Ri8-hxtKgQaT(6ynKͭX#==9F} JI+>j/LCr|9QK;_^1쯟lQLE9cPc bB,&u)"~;x w=R5)v}1]EaU6bⴴ`د1v+@MaMl kH|93 7ށ\7OPfbWpl\|'H.P:H&<*3O!h7 ;<_$_8G xa[O_\1fE&By;٧Xyb1鏸wMM **QQY}B0?~TTנ---W^1b1%q\-o \+an%o힅?D%RcFK×#FX~'\bè@C9O1ڤbr(c愣(1XQ{1ctjϦqV /0k-<8+x _?Y 6DŽ! g!d(Lޗ*&"9OPLD))//Gmm-:=|碤b)"}|򨉸OII ۹dXLvV=Ka /qS׈Fb³0I`j7}m*Fz~--]+əg8cb'Ίmh=GTp`܅8_#iGب{b/3MٳgafB$)CՊ#s0v)naB1쨃J A|8YC9,&1JI[/@C>ttt{LńXL^ӊk{qN>KQ"_oñ+#OF,E^HY?9HSt>U AUYLf,VWǁڇgȯ0oo:6r7%2&%X8n<]놪&J,Fm j[0Nmvm1N!"3R1Y9&SP(iah8`1PuSogG_YL^,&MMMhux+& bB,&[' ='!P ~? j\L??"%\N$Z1å"0s:+sb"a2kq?e;Ǝc֍ h>=7Ǣɟbƒͨ՚ajDR<5KmĚKpTVd/N>.&vEah0Pm:#& $.?u-]e!r *EO[)_͆d2+$CrzVv DՅJ1ѵ ?U;2,&DoPDQ^؎ 뗟<+oۓk}ط]rt^{yWӅgf$ǥ Ige`ń/~ٟG*چJdN["~WbBb\00 0,&D,&D,& bB,&DB1+a"j%D;q ; }C9D;Y' wXL>             ދyxb@Rը UUU0OjBPNi4tttE`A!""zA#%6M>{8c"6\.~~bVQ/#a,1r"FQXNq1G J/ӿs䶡ʉV凉]qU>t10b\ ~d{f ;h[>'K l~:!_o@.%rI^>oP~6斡/O. WR.V~vŀGj~q>;ZT={@+?r[^uu)J;aw8V۸ynܸ2Lc#FMa.~r1q:ib.~@zunF[ՐF!z#.mdѓ4MPlއX2[_CICCO6m{v§/# !{B#@8&]1رq-BދZ\4R"N#KPb"μ^M&㋌=KAK;gc[~ѧbH Ӏk'۶`-(ԸV`GCIX<u! ?Îap:GSA#Ʈ*<+@$&إh<64ő=Op7ӓ} ʕpܸkHDI$ Tf-]܇](8Ͻ~0Sr1,)))>eAe)ZWkpUW r\v {a-(y]MVPJ:9Tv}x}R2{# tߥ"gv¶Xp+`k;{L*7aTLٰ'үu{{;A"X2o݄M)h8{¤bҥ 31o.FG|ؽ"qW`tzoY9a^-1PTT$>Ҏئo,:[-j~=mȈ݈0-^[QMT.>ȥ [(lܕv.'.t1#")T܊G\…SPm(I9P%ֹɷi0˅i/R"\p똈3rķ뙈EyL/dSqF'NHFxa--_:ghk"fڴ$d[ ǐ5-&-!""zGdz&Ecc<"vbٯtˇXqWgb"vb,FĄ_Z \HCDD+r"vⰎs" JWWz{{"m|kqpVee<ٕ#%DDDb1yzΉ8##F$^[YY|KQR8=)&OIbC&^[2p"""zϊ    I?=AN%tEXtcreate-date2009-03-18T20:16:12+00:00 rD&%tEXtmodify-date2009-03-18T20:16:12+00:00R2IENDB`wordpress-openid-3.4.1/screenshot-5.png000066400000000000000000001520421265347743100200700ustar00rootroot00000000000000PNG  IHDR&` iCCPiccxڭWw4Տuu{ggH[ֵ3n7DdeK&eJEFB"TBTd~=99{zx^$PF6;:9)'4P2(z,-ﷀxA H_ ^- # J@4zA  X4x{!glpp7}70evtr](%BZhb-hր>|WI>fL"w+J B8)_BW_@2<ҁ@[Rag(|@YDPX,Pߣ }OX~zzP^Ľy%PV##FΎ뼡ymٻ I7SU>NMHSD|BgEݥg˹__U}[^>:6N߼wնA6 zFBS4cbhp 1L|-}C3>"/O([`QDdT,U.uea4j)kq ы7mhxdkqL\ @˳V 6w?9 \<]/,ur { ̼C}  ;45 ^8O c ?+)%~N[/lh72ktoLmn}d};O>߁YLnp>DiDiЅ6VFV'M'E/̰8򇵍.Ͼv#Ss;G}ɗ ," l%kHJHII-Kʊ.*((RP;lL@ ne=l,)sxfgj%db}播ݺ}Cc3eֵd[{7!,{?@x'z]Xox}DلQL#c/Ţcb/]ܸT 0Xp&!Օdڔ4Cg8gdJˁ܄<|kם ֋otTfŔVxVRfZfy[u/ C-M%Iww]ZZ۸aAcGIgÅ.1gRMoT_mɧ+ω/)_=iz5cߪ~p`?`G `I`(-@v`i0w,'0 VD1G$@P4(Y-<&j F+ a ?zM&&3b;(q')0T.TTԞ44i^J&.Lp5ttAto DYS(b1DYhزع٫)EU=K[̧߃M`=ag}KbᒜRn ]!c((*'-7$NPWһ-*Ѫ~jVZJGTttCsך_&8>J_ QK0IOdP4BLXlTaI9ĥu=c̋]w=503)8-x;NU-tnEbѱ5fE&6;ON9CA5GGJEqMtts F LaJ?Y^`3`c8TqӜK?J@[PFWI#-CĴ;qaQ1E %GO6 oh:[׫?mp`eeq4Ѵ컹qollS;:&: PLs{UFX'2zO$YG*v0W~;A8q1irsjQztc|6w(?_)} ʵ+7j[o;ճ54 kj{3:,2?x?5P2\Wé#nco%OL|:c|%e/^_ů$~'\S]gXta~߿R]%UͰȝ,ջ{{{5{o1s7,T>%1Z8 7/AhP( on`Y p>!v6 <`@<jXF=qoOdA(1#|!Yi:,5U= vpAg&*PbKGD pHYs  @IDATx[٢>{os{nCQmsF@@f1g H0!(*E@ 9眙fXj`z{>QaΚjԬԨ1FBA SSSv2(AAZ Zwl" Ÿ^GR&''n" ŸN8 T? J1G?`" `2>>$ u=Adlet/MAAj- c7@8_%Y\XhdsI4.|rrq.VUAAh4.QiadHb1$$PRp"ߥ޺Mrb<38###@}}z{{edu###" Ÿ4 `ttbN:BlMnJ"Q+}D>;;7~cyQC dU1220TUUQ\\^DAĦZh+ҙxKMu;q9~q%ZJ6,&FyqqO+dppN{{;_RZZZ~bDAdYFV300( XSDdD< S0"%\%n] ZBT,=bI9ݒfGmm-%%%}ޅ-fXeL$Ʌ$I$I &*4Vqzy *_}5q?ʡWS'+=Ny G_}蠢LN'3 fց784}bA?@00@_O/CE/ Ass]7@O+wSHv#|w~tbXL I;  AamS KOOw &$aXfg=Ԟ)n ¿w0=t242[0q:tzڛjH݆y`O?1ft:N"#G; L줫7w݃zjR:S6LD0s۬Xff0MzVQEQ>hLrȲւ ﭜT{{(v.t:Qռ-+#i=E-&`"IߟmlRN$Ʌb"#Ωc<|ӌ)E햙1QMN0R7[ݳ aDe,Qޖ5z8 f3Mt699n'^ݎJ&~&I }3Ga⯒e$»HL"%%dnq#EKM=INI!99TjZ7*2ڡnn&LrR$''2wb"II4pvq9MTFYv|+p |=f zC}ۺ9}CAgUr0FCS;6 aC͊unCv+lR4}v?kV;.(!|ֱ/Xl5޽c AV,_(DO; MmM Ÿ-<==Moo/Ք K(~V-2PJj )**ZN`2h4hw0\߭D=eYdمLc8db\ts'ϝ~|Oa(2sP-c$򗯾NASN4?[HX/Y_2a~g0^|&DάNk2r6sb!QQSdĝbo|”w{b>}?|ͪ'נH- oy[ۊqZFzП;Ww 0HfCCyy9撛KNNy/y$X+m xIvNxzFl6gn3(ȶ1b⋕8ʦ2˔xlv. HFqQ\Nf& F#VYENdקN?eQn܊ >D LV 6!8IZD W58}q X{.f6^k{/k&Pd'6Ead2aupݸݎ),9Ν\%iiS7l2b49$gؽy5?yf``aF]XfflΩ,_q9108>8˗sCTVE6XogkxP?sō]3DRvHaD/rX1M8$Bw`d϶@In]ZvYq$fL&FVŭ"G& sLLP__ϋ/l )0Τ~n1Itb23#?''OD&kV}zcꙕLw6U1x+#MtVp'9+ᗹp7ny,0OSU ^' MBv'oLVNB_$'/#b" CY[?v6Dk[Z5(n-6}M32isAY{(Bo?YAI>[de>FU._L|F * jT.Vf6.'"5CSd'S-BYw|ߺ 1⻯r+Gq+2"1PΕ_|9JVWA|oaӞKԶzDz߰yw0/_('-NV!a.ݸu;4G>G𶍬Eң\J^<V|%+6|O^Q\9/\?ll ޶`qIv&F'5>!, o>Mxie,[Im} ńyz7)x¾M+Y #T]ՄŮdr38+7paB `bQ. %:1޾)#iÒQ9ӍLLNR__ONNϞ=dgg/z N}l|bJ폣OgCQo߸,Tb7_~9GtsN&+9z-ŎA" +/c; k(s}ǏyyyyyYJz%|R=]8Ȋ~KY| ɅMnHԧ_t4}FYiX|9aϘ;Q`q7ÆΗk~:IYɪN'Q1ÓeYƬ!-W|ͅ19>엢0"QV.C2 \p;n=E\OQگsb,җ_}/1ԍ|V|ͅćcsڙ1,7޳擄W7?i00 tsxU_, y|*}m4Y֬ɒNֲlΟ: | -_s=ŬlW,M6ܳ* kߥwfNg 'eM}d'c Am036;Z\q`AÁZϟ//^ىl^tIs,V+qz{{iiirjkk?%8%;mfJV~{%m8͏t=`|uI .?ÀхӤm,j=rgh̹ŎUèɶ0,9/o^AdFL-l_BSƾWbiǡ?ahҡn= cH 8en7[5'm?d-NdŌYfgQz^\/b׫wNeܳ2/r6:ǀ%cQ5spj  hmNB$^g~v0| 6 %=gzjN%cLXsXg0إLOs%)Wؾ~ ˿OQ9`m7pVVNCYOOѫeS̗_m<ښr7*{6|fcwXId,_ͻsM>, qfcddb={%{)Zq88Nv;шFARV1}vXpV\ڽ&P$ /Yb9ߠWe90H e1qicPFqϺuyrV[>$G"Qf Lv9|sW`cw>ڪ݌J[o)ȸe#1v7Fꚛm~xөa֭̓d%eZV\Η˾aF5*f^܍e+:ln,c/a֟Xvco@GGSB ,S764Q\= m'vmz=&Kvz*2F^oQqϾ휡"*[ dW`7g˾WHfJG:ՉKV0 k:;̑sWy]L[$NYVԔOsFV}/Z)mwOA_&CCCӏɇR0T$ ÁwXdb岯Θٵ6,٨Kx!cÅYl-WR^aU`w+~8I+8C$fHzՆ]b7sk f^;;yI %X+vgA N}6/_d& CWe7N]'|Yj^ε2 N_ ]h&l6 SGswX-t0q'Gطc=?n!z[tFfLz4ZV z79wݴe_ 2S& `b̅[9-yLfwi;8e˾\CRΧ!h*L`el>DƆ[QU4e*ybЀh "\,30c}xW;dYAWǖլ [LQfƹ_LwKOڲb-[α/1>bk'̾Ť=;5\8JRS^ݻ5=vq锕vYe˿fȦ~3m˖iO0iy{ذ(ōcȊq2 i>u=Wql V|c[6 AogŲ9ƓJj+^p~~dm,b%[1rnHQ0.q+G;\xff> yN/_jERQUV2JݛeuYիM[ !'+z5,n{A|]#?O{mńnjYT߿u8v-Aҭ8{ɑ}ܸ5dլݰ ߠuM.L&+ NďۏR5ediKXwlyt ?fڵ{xu=9|8|r 8\nDͷ?c?i/* ڷMwy<ݥ ;T=sw|vvyq\O'{xe3mk|9vm?q'P\|kV5LKS=t 1R>n\3=6LG[ݽhdمQb`` 5˅l@`0~Um3S*SSS} m ӎQ7ʹֈ!}vtŠNF'K2 Ccht&ιiܧ&Fhk柟+91jTt]-4667du~Yiab&ڻ0q9mGF5jxU݊Vd6UOJsK -m 0YsS/~{0cs̕]+{Oj ).LZ5seBg̗]FhtuDs['#Nx^ >k2==M[[/^ ##%'瓓Gθ'[CW?D_7oy<߷ak2Vϕ]re?~q;m:~nٟO//ۗA?X0yNZ-TTTCff&O<ٳgs撓G=Of5   k&I:;;˗dggS<}ʳgTe^-?Φ*&SXm6LAAmGv;&)蠡jjjjhkmaxxހMAA~`88Nl6f^4шjDAN0\Pq:" LAAD0AAAALAADAAAAD0AADALAAD0AADALAA~`"2Z߽L((N2,?"usA 1?Z0QnYŅ٨d}Y[qql,fF%[+a104-[ Nq<) n{pXL &Nfيf`4b~}u΢aH; n<)".dͻEw?܅ߵ~f]ɸݳupuzflv+\g~mƈ`+반8%?n0Q}_NspΗIZ}$I|^{\}J‡p: Zx}{.k~9"3XēbTFu`J=_F$-|}}涁lU)m8 5a6|2ש2Xrۯ069LP"lK\( CeD]C-/ڧK[Ӊ))1B}ϕo6)LiԸXNg`~bKVosR),Gv#qdXFfOַr8>~sJȲ"zS5a7/"&1"L #ƏÉ$-:>} CˏhzJjߢiYQ04qo'S 0I 7IV~>|TuW*I8j=_mD:Cԡ4k叏U?Bxދg"Yx(Sh\%'}t:p8%z^D3 }I=~Izf!|XdU/|H.f֭4HH@Μ:L!+ꞦR4<ŋpXFEgI90Y`Ai3ZeEfzkgKXCKʬWΐ5Oݢq'|r*'Yl8Ku)'C=̘5^b+[Bȩ]@YOt~_}H,*"'z9߬MV,V35Yw9ׇ4f8C')lX7v.-_ˉKt7;(s:#zbNNjSQ7h,/v^%yمYKjT8͓̺eT]$\MO_׏CǯR=.kQgĤbvH&xp~>{.! -/ ˞äbt#2"xVn6D{o03$^^އ,+7}AO z 7LY$c D'59;v ˗،<~_ND4S6/۹eԿyv!S6agC@p(;iy ,åf\5­+GV@sS%`pp9Lދ&i0,ڙKt\Luq||}8~)ab-'8$+W8-F$GM8$F&rn aޞ@qiۇy:h3˙Tԑ[ i;eZ˹aًac(ͼW]\3I~f:G}Fd4ępU!Ϸ*NڋŔɬKNj[)d &6EbfY陲2M~#8m: oǓ˱4Ϸ fBl&I5Iab)IC!^xTօMV0sD{_C|b )1xsz3ƻ zNo~8^{q[׹_n,`i0̓p}|;OQh uh;7.w/&6CxMilv2Ye8z 3IqCeMyx/"%+w"є˶ ȯ~"2e1Nq _NFܤu܄lAJ*uȮʳ2]Uy|@a ;CJld>+-N#:9?']6!ZuҒ`"9͔'p}"X :\.չ8߾@fzFOvd_ rLc83 ᔝ4qX(~~}QWYq1X_ȉCAxr~ Z7\:揯A6?"l"hbad%tսHi =JMCm/ԑd5_}[.04xw%WN׏ˉOYi-w7̨ͭQ*Hip7#w?iA*if%A=Hή u镖۔(fyIG[SFGꡪ$z|ItD nv;}elOq}3CXt?`O?Dc.iPw2ʳ뱃NFZry>0Ϻba[h1mJrm`pJ@m6~xSC9|/allwhk`hs,hy|>5~y:D+BaOُow?ƛ/`=4,&x"sei['9e8.g9<^':Nۨ8݉[Qh~/46҃SGFQl<‹zY]IS{;Os,~(X57$434#-ȊZZ(yI T=naS=" :APq3Ւv悁Pp/.p*ZO&C~nAD=}â@Vwr/ǮcR5ex{@$ݶ\3cĆul9NՐm{'x<DZMBd㜽n1FI^8=?o1&q_̃aNN. &?LFZeg濛Om/fbҋh'×5t[y1 h;GZ^!Iv5۪w;WnQ$ =>8I 6P[LYm}_Ce?vHQ5d5BOES}PFk ͍'G͓:Eujj;ZąrКw]H W6p21\.b"˘}\ͭ޹figr.vD#eau7 y20ؤIr$rPOq>q+5jp0/p[~/>DՕG]NMc/vYATCx^cw F2BE2m0s_s'y2karhI &!w1|z]fC&5|ɘAkLEY"ϢzAW(ŭ*"p/ EE4n']cV_7 blr~ә[vАsTvpۗG5Ĝ2.($2[Ld7KG˩.ϟd#o~Ktq=ϯs8x1`^z_%ԃdfu([<P1EuI5!+nbړU53 4Ktj%pI:Aص d5z:q0W"9 ԼzNDBwn ( a7 yi{7pJٹϲD[Ǔ\9n[>L 1ƉT]$=g &Mj(m{O(E%OO~$ QΕh,zݥŮ%Nj'uC(3D΋DQq?V wyզn#-y7k%/5AЩRs2;y3 NR[${PԉvRx0gSwJ [u( $WB97I?KM3ѡ!.*?C#$?j>3Ib2&\ȊU}&|y;_0B&.յSD?(z%;yZZoټv5iyCTNs>x?O_3_Gdin#4D3A4b"Ou>48[I/쓊∇'ŃLgE;<炉!dWaQ3)XVJs-t ipi_ L4fyODd6e,VBhB[g fZ b Oi5$.#"ec&) %cS (8'ؾӃpu;Yd0i⠗GBDG.{ST}S;[6{g Gl$i4al`(Y`fmw|+GṾ܍:Fإ8n'ϓf"8`b ~}RC;/A>IYL˥n'C 8I.G=>Lme-ݰ%d*É r:[؝'s.nR:8Q QyU)gF7ΕduDQ5T[9A|I|Čݱ[ ]>$WR>On1H^r?&`bJظk7oMM 'n687O%b&3xm!!n:G0L SW]AK[=qwv1;22C#ib#`TiOr9$Ԭ&aTj ܹȌRD~#Ռ'߉kBvȌ?Ǒ(xt:$q?!y{+Xx[9.='Xqzi+w'Eo}=wgW <Fr3R]{-i17{&QyiqӚ c( _'d*VyǠv8iLf ^16ti,tUUx쏧wlp-HZ5?_\-%۵KQ]qa­kl/Y3Q F=M9׃_sHIJUIkf$߇^G#5$g1GAM}Ą/>V.-*cjSOzz[鞘 &{w.&ɖ)8~le`]}Oq>?[Fa%Z'(tqaln[8t9r ƍj8}bXjr5l(.Dp/O05qykbѵⱋ65aQs'nʝ`ônk'pmr3vO(8ћIZ2?}ǕfB~?kp:8U]6S|i7CF\8rl9˃i.6/b2j1ڵ[/g (;uU-<|퇒n"<`O{K3FzU5sz'WSx86&Κ*Z:ȍGU*29GMv]v39^Z:#)؛=)]@ؾM|;fɭeDKyNi+m\ι,:jHd.3G &.12bQ1[,:$Q=7mҫpԥ%U g !]z-ݞ{*a#cєmtCZR [HNS`6!r150NF?H@Fs1g|z'' $$H@` _irfQ4^r\4K~Z4G|-؜Z˞V)\+Ѵ̌qav 3S]" QOs>6ݢ²`ӎp?ghQ1TDswD?̯YKN66$aYq|nYnpJHaWa>74Yp:mX펏|vxÎ8CQe Ͷ<m-O!KʲߒݎB#}G2]Cf~¢2m]_i_no2Ss H8m3Yrt\HsVf`dW*HX:3fGV>=å4?іR_W `+?سTă~izw7j?wnY?BAW 2weY^%!sn{q25:ȸ7=d-9t7V󪬆)'BL36mWL~Q⫗EÈ>t,9uTZ\=ɲ Tn\&44 Oft~?/SQ-1{iϘ0;,N=zG QyʞiO,/\dYW^Fbl_//^A~qn?΋lNea'Nrb=G^Xt;Qd{agWKvp9,>*'ϗ:-*ki)f_8圶_ s鼬!X9OL?T0  ?8hArtLku'Gdu".lf#FC6dYn11=E@3"$tS3>)fzlΌ35:[Cl1vp$7mTsga騬.,z-Fǧ:rڙe``>_N#::F+n_OgMvBYUE9m੕l#XJp AK 369Ԕ$n݅mƈFc@dhpz &G -142ƌ9rS?0$jKbFCokٱ͘i srU?0]䴣UψJ$9Դ `; 004lun7=b28$\yf#q w9O(UM1cwb3`phENiSa`0LN0:Y%.{kFfY&iQtf: o37̯aƎc/PŔ 29e9|V#c ?dE=>B_ &\7N#R_6ڑe3)21L348&鵂 `fb'-E9n/_Y4^a8̦M;ENjD=©_mHs&L6k'YrQks8s޹ LNbKKst/-D=\r<-PңCQnUOv /SΆ*!|zs99<ΉGزnbl"Xz+oRr""#6`z^2!y݁Iuz5)|E̓$]d {Rޯ&5ێ[FuN7zQ>f%:^~dV4SWx[yVOgY߬2F{ \&&)H8Ͷ8Gjq+6CH{ZI?))mBY]-^?*+ ھJnF2yx&.ņ'&.l ͓v-%7SƴԾ`"' ۼkq-2{>&ݾdW渟WИǨ&|y;=;kWS}Wo - Ucsdu7f{'Ք?M$U$psU+eD[/.TmƋ6ff ӎSA&$>ь7r+ WКlL݃܆n&7*-]\9ǹ[ywk^4 0Ya͜YLd޹gxzC"iG=vw7Qw}Zό:EUW'a^y~~;7ZTÄJlKALltq i!^wMSz8ggq; ų\Kzu+"%[ĸs OڵmG^t^=AhC^#@=oٹ-{ ۏP֡ZL\$(]*n 2rf,Ms[/K/lK֯AC%1x]cF@4L6(qÛձdb`JZY%Ot*,HzlB:.u.ˍ90ގhhI_&UY?ǔ4d#>||0):ALfw*HaW_}7IF$w G퓈Ϊ'#4'`r-Ha( ] q*/;5X\jNߤenֻؽk'^eX''V[֒p& ʰ6tr&txyshL#-. &ܻ9y,%v-EN)"͢nx^ t|+5.~fl>4ON!?&_bHͣ2iz|gȿu ]8~mcF,cyR3f`Vђr"oVo%($MhBo8͘]AqY؇ӏ>h1q[Ϟ 9ʓNsYԌay3 [YZCBؾe#J̌~%\AQ?z0e76U#CH|GCu!e`Coر^-iqD?@x[¼QA[gҡ`vkw^v+TcazLxo{#gcU్obptiz_eVeVQ7Y <;L3/D=cڹS)/bxhɊfA=9Wظˋ15wqd~rzkťPfcr1^a}<}Bi5KF'~"Y<>̚ofC%:FU]"\"2X=FtF3=lгplcD_FII2NQ,qbNj$~N=ni"3›a0m~)*F?^g :޹:#ighpմފ{9BU;H.Ng4|YL([ӮR0LU&gȻu dhxIÆQ6pԸSAōmS޻9qK'a5Sv?ɍ\?DD&lN\gD~@…JӸ$ȋ9̾}'x=>p᲌rq&VA՘١AI=Ǥg``Rd(Ӫ'7>=~ddyvsc?CڣtNs i; >NjF&=a˫jFf1~O<8M]M_WgM~~ZyMWC:pu; yrj ٳ5CLu$t'Go=ӞJԕب|E@܃F{LjV5CO'-rm!o\g{FMu_y,A;a v3OnpJRo'=%-{RgFosm'm3s_cw04ã=S$*CN_2?s=~t)}tS\]+D_6[]2yr}nƞ+U&_'e/W #_l>ILgDBQ01vr{AQ􏍒 1˄Clykرk6yh'3nsa:nJr~ġ;4vN[q]D%'a/[yN_'6 ]GMK[TVDZCOEL6 NT؈yȐ>@ZK_M>83RXT-0= M+<yկ=! [92d(=%]r(} ;{: h֠sp?Np bnR>$P4 snU7B$bcbI_3'+lVywoM\T%Del)d? :*+W(Egurxxh%r=. k,Ȋn\MLZFM~рbf2TT͔T:i,VJ$%ucOuSZHӠpkވ!:.܊f$dgǙMsWU#Z[`w2UCaiq2t}LdEbaܰSx7SSíŌhmU=CSYqq)4 ]a. U_=bM|rtbҎR,n?_mBvYi(xύQXƌAƐËOR}֗q3&[j©H)odT: IF 1zpҟ31&3+).,/1nF%@s )I f6z;f­ Yq3;hZiY=;2Wj{w^+ euzFLYv#$$I^,a`6Nv+̺ͨ)ϽNQse>O_qSfgVnͬ{Dkl \D./f`CVZFŒZ>.΢'Sp{˫zơ2~((,{~"evѺ{* .~\f]fdBE%bVwDk g~꠫WdFSYvoxL'9`T;UK]k r(zSͨlY<5H{V}87<9?GR )fzvIBrMAAAALAAD0AAAALAADAAAAD0AADA?}0$ ÁfH$*OAD0YH FKK蝹t8d|AAYX,ׇZfvyvp8h43::dDAdff~&''q\{qLOOߏ^) `b`jjjdvvW{2~ ^O__333BALT*><\;V=j5ccc8NQ g&6$*6"++o4"g?zw)&ǿwgy;fgݟݧIDww7fYT  Vett˅(I>SQdd'Baai֢(nd}YwMM$>-4[Q>CqbPOFQo|RT*Q =Ȳ Y?0&Qqgytace1BKK& g&hO^F~/[K2[* os/r?N0&Mԥ'Oow[9w(nsnP1$n4 LX&  8N$IZąTx0qϫ1ᔯ?4a.%3>N"9MK$a#DfA#nh-060w. K&:-Vh4 JA?CWH__6 ӹ9̱̓cG;y'/0ٝ'HG9EݸH.AoUsidI|u8#oz8'*f;Ғϟ300AAIww78N6Ʉh>NOOFݎnfvfff`hh!*TAL-qQ՘fVBXYVf32AL޷ eddQDՊ Ÿ=,(&q]1::^DAD0',6'*OAD0AADALAAD0AAAALAAD0AAAALAADAAAAD0AADALAAD0AAAALAADAAAAD0Ip:  $IM0q:fj5  4_~M(  pW,̠jA7j_01LMM ) oBRaZ`b0Pt:AAL F AA~`jt:j5o޼ݻܾ};w,xRT*GA7 &*z뉋OuuBgӡ-*{ ы#HzzrZ|L<~`ht`X=˅` ))bt:GXlrl&Th5ӌvRʘjΦz*(++1IkiA5e /ݭ6u z\ft&T\Z?giV X0y?)ʇJJJHIIAVc6?255ݻw),,hiM>/UI8Xz3;7ǵWx+QAk@f?CA44}W\{C3w,h[WuZZ5-o_q #j4:׏bY҇huڅ/{vn?O[i}E¥U71~z ?(ƅ`255¿KKKIKKcppя Aqq}H)6pVśWJEw+g|vG{3,cot&-Du'4h>lA4=vnk]#r)N^$U):jɉSJ-dȐmo9~.]*zLX7Ot7opI£o򶭏i5o >XnǑUho#wRRH+So^LǴM~#M'^VVFff& dpp,^~ZBNZM烉FdNvl]#ןU0ߺL5LOAmMyLvF=2w.PF)zӬGpzx~ysY/j%:̛mBU?Z3XbO:hhxtkI\N`HʪJ9u#;v'-k@+ٱ[u4"dͿjSGIzюV#?LjG*++errZ-*/^P^^J2j5jZʟ'/vרx4!Ttrs+~O?.K4NhYr+G3L> ¯5fnzoy]kgzN(Q"OcLR˪{xVމVC3ك;Y{6SgD_ɷk7ry3>NEH+rٶ56j}@ӌvZ`2>>BU*ռz ɧPVV۷olԴU<go3:ǃ?NPxp07u\L+a5>Im{=== .iu/q}f[:*r >nc|Nlb7?Ƀ,:Wԋ\0߻H}^E__?]\87^484[225zDѓ;$2PMs[I|\pk~#Y{}Y7'_;[PMo}[si C]ݸ97 &>XRŭ[r W^Hdd$)))tttR~QjC4V򺴔US&'whՔ~ڛfFoh{Ix oiF璘Z:::hjvVRQUGSj5Q:Zgt|b9dѡAڛhl[nK{'j5]BF59FUcd<&v8֭JGfhdɱz:gr|NG'PCǂ'<11A__TTTPYY R2==j>dR_3ףWVZ:kAߎz~$Z5S8L05{JGHPTsn U*Ƈ{yr(@MچƘT;==6LLL|g}ՕfΝg{nݶ]rEer@  Ȓ", 9΁s=?RUvvyZ%Js ' *_G?>D%J]'}3LE%J(Q~t`"J(QD}#E%J(Q=仾 G(QD%ϩL%J(QDI&ZۅE%J(Q~lojfAA~ Z$  "  `" &  t266Fii)%%%Tii)^p  ‡ &糺_ҳFaa!+++]IYtv,KN<x\N\nIe  ]! &Vl˲h4x_WdN }xe=NΎ78)ΰU=cKd#~UOoIy}v%'s5FEF`p { gǫ%A~_^lpcwˀ<r1{3])0є_L5vh/P ^d*:޼<|L$ Aɓ\kz^'s "aĴܞ˹NfZC`?5 vZI cijk;*&2!R#H}PEݥӵ>piԢ؟%.md`'gCgwO~yO{xј PfקI&#njb}#|3m#iCb>a!ṱ2ޑn=xm2Oh(Q(6oULGRkeV>)輧,,CI(;=>&]]$]c(fKbea2^YZXCy|[WElxMC'Z^CgoM^P'Ecg'G뭜7{%VBy;_+:M/^Ly9Tij_L"_4rӇ3o#h"./ZM'\]T&s+Ճ ҽȩ"ʺ(wȏ/zs~]vs{qQ|@:q-q7.S@Mai@'hfֹGu"Эqj(Vn\_o+zk: J3sݑs@`~GU!_7ˬ"dO>lF6UȘOH0єR|k뜬@o10Cr 3?P?/m=D^ӫ^vwD6 $cmy͋]2M鳗,gwjۓjJC.^f{|y3 gl*[_9}7IBߺaLl/ME*KTv ӓD%qle$e$Z ']X=~7Y̪CHM^QO1p+I/_L{Z|Cj1K2]v`s[i,Υq7xE{(ceeR0(oZG9#*(#Pw&m'P|Hm->Dqyщ+JinJfp;uTxTq:`A=Bxr -?~M܃܏!lbR~gh^aYųы`2XN &.^Ei<.4OacrCx6ċ(" _v\ gˠ0Rq/ t ϪAn6Eul)ſt]wN{eE[q?c6_売hi-L_R૿%X!N 3Pƽg<"8$ڜH`Lս j^L>S9/_h4t:q8t:1 ,4/Jj޷vɈw0PGg8v"S3r#zF-#x})c 90-7zƦ9qɛ_Wtbo|APX3Oo.D}wU {cd3o|L~X8;R13 #I(oaa%i<=L DijcqbZPPM`|9uf#ixgr"y\XsD2ǡ"=]7ފ!d8!$$7}[v Edj3zG^v*hRL˝M#CpwKkpEFkj;ОRɔ@v OF1Np(CUJcb?>&3`T[Z"96VDCA"at1.ĭ[~$eznfy⁆gu {܏SRV\N#Ϫy)Z`AaڟAj8pZى-%(*`7`Y57PlOO`(w2X<;)?YdDJj8uԄwddIW]?, 0*:g8Wr͏H+)yNmvɎ&<( iiXfD`T1 i՘.@j4`ڑ<.L:-ݠlw!nĤ66Ph H2x6:%lfEΔ=7kv|G%-:Y0-9,&fǷ~FZp(Mlons2e7_<Y쀄`lHz9voAxgǵ{=(9T~Vј~pU,GAe**ޤtΔWUp0rǤAfYē}?a?AAj`" &  "   &  `"   "  `" &"   "`" &  `"  sDThD%J(Q~tb6`D%J(Q?T  ?LAADALD0Ao.ȲZfmmVWW/kee5T*,  ‡ &gggTUUQUUEmm;#*++9==GAAL`0 I;e0(((`jj+i3]wxkFH2l7;%V p;1X쮷̈́^gzkyf23ZzNa39\b]fEvN FyL)**BTb20e28??^bR3|䴘8ia|$x?.uIV . ҽb;qTG@63LۋN=M\X9{ WHK~:ݘn&k9E`tԌ2N 5q/$%R۷_}C\zVTv ɡI&oVpӇ:@F3`\n. $'ӝ֍4 bq 1A8!& KxM?(;-ۛ[ׯR2CEI4|^?2ӿp T*ߩCRox@ nSADjgXLFNZ_f||SpsJg<g֣_c=y:@/􀾁i'YU$vF j H#kSM]e5F'_Xס[(/g+8T2V)ScLVqj>{6$FF8Ҽ~;L0Y >hqVuI.wez  &Q )k,n)byG$?nd7}s\G&##LaQr6#N1vEFǦ;#f)''/L2qN{k{GVecvٕ̎njkkd{{ڢ>n$ħ)y/ؚ#SE'ʿ}rg_13 NdVV=u L],Mee&+3;ano9(j:y0{1,֑[sRR⸓H½GlK7"h>Bbb& a~ay|Drv:A7&'OUNaœS©[S撍pn'=,=/%:9Tֿ`Fu:ApPCJEދsF<+$=̴&Lsj~Y%ē^݋;xZ;/,-]tz=m'^XU.բ^x37rIKyb"a)$EO*;S|u34n|v82¸BO6J P(ީ#YXXx0Y7[:t׫1jIoci^)%86|G0}As0I<2a59_XL.ՒVLWՂ.]XXx΃A' Ģ$Z8]sH.yB pJ&T֏@bO^1{+  ((|ϿÞɅi"֖ȎEi:d  άC'$S: .Fk2^č&7c="3bvb@HLvpon2AdF e1߫Cإ4#1hA4ߡ}p H(=ѥ%JnڄM/VB3XQN;y˯n(6!ܼ׈RQ- Нp'$C{,,_!{' |u#NI_ƃ7BTpK<|{BXLW^yBzS?6B,q9BxTmN }8 ;z=Y&Z˯ј_F\sLoIWF"_A/PHn}k >GK nuyq)&&1uӸ\ ,t8py$'ˤG{IJ3f ϊ (,U׼bJX#%ҏ@b}BS s]ާ,aɍ]8N">%~r?l4rM`WQKy2)]P>êIa,g=ВH'/hÝmŠJAaT 3ŊV[\+ftCS(4=!cЕ̓[@. NxūW x}z`qu$p&߳vZ"|hXx:t7 `xNX*zEpxOGWXuHn+ImNI1`8Nvzʖ3]g@{Wa o8\nH퀬 UNEê U&'&,$7EhC!(g|lWUP`Ioo/6;p8d}}dL$PpV-V;A甲vrƋ'iF'3dkO𤣗'NadffrfC+;zdO2mXNW֯sO%.8αmGk ji;!?5EF+}QXQB*Ĭڧ!Gn ]1;we y<(|<ߍOy _~mhO"C^uMI{/IfqӖ"{ !iӥj8PooP4Ϻ_20jw{adW,՝?$r \i}I,gz"HjܴQ9d!-:û,g PCdSԪ #C/ncsVgmf}q?zVqmV, yPDeOy@ey$i1Ʃ!<~Iqj0яq; 4!>֧DFEжxhy9@_S!~I,+ov{q2’YZfzmP4̮p0}/Kfrd^d󲧕*GY& 7ёF`TΪL 555NRSS{WRܦfkt.KJ1z,jX k= ;-`cS^`QȨ&HJCҝ q|>6t<{!u ?Mbg~ήp#w|m^HMU܋o/?wH~$uvSwIvo3dNŅ9F'X;Z51y|Qp1 jFX. A30O]aA:9//D5t43wN-5WU3|؟N L4tQ(TVV2>>gۜK2$_,N-}mLm v懻]ޕc+[_QC0ߜBb,1ϛ9P~m j{y #K[\ݷ&}o̩Z0'Yͻː=+&>%қpvnh~׷,Ikr/kfjΫ( ܂@n$9-]wm;~o1߾7]0oVTjK>Q^k*-1T~, a^a\"!*̇ Nn޺BbQAQtN!oѶ{j֕/I*~o#ө,N'(6 Qr7);M=ׯM0lmmeE]]=W^ÂB}}y6Xo&EO16/#/'??j_.40rt9r^̮ 5rGC;3p6GmcK#40ċE52 ytdQ#$p'1':'N1R7SpKfB9Les=$ņWi[6S@@PO汹L>/+0{'ѿxSG?Q,1X?Qw>ggPotd| /LvTGHr#ZηH 70! v7g#?A*>At>Aa Y9zɋ{T.f\~v$'vT=&@ʃziLiV4<#yRd= iPLJ@`[pv&::.-#)-G^oOئ>b[R`s Džu=\Os fxE cRb(if3ڥg| 1vvZ H(O_=Nc|oѹ N2]7ýtvMau5=`2y}+L^8_!/Wo޿ii '.=ڽ >0T:{) $)}/,--\!{{{4773??tߒSpK>՜/9QQMhZ1: 3|˯(keE%7o2wf`mcNأ"5ˠb> SYD\P笽z'7 8v] C*Cʧ ]FGH˭|U:ǖ87Z1+׹+ZghOH cvh]T2T—h-'5%3sOUM,Fv7X!+&S(?6rTwPIo92}O''hOWH $yݵax7H8&_gdԘPze;L6\~#&1䴡i\^bn/sGrk1~kSSA|c . hYӀ|NfX/W1NY\XU[1_\O`ߪ>;O>edqbrW[xDb7l' u_Usjyy:y~t-:,-w{v5-SW9W΅석vww;8h{w}6-UoAdY%9.[{ g ]Mh$k u^5xc_Qĕ&K#Z~[oGx?a%ER:OO59==EѼ9RIWWKKK= M!]kV=6wx2Xf:Hwwope,.P{A 3~p)x`vuCbm!wjѺ%{HBMZ@EzD}+nQ]|EfO'Q 7`= 68⮆ӿg|gr_ yd]luCE\2: Kc~ w#_˫3~ׯ5?Kvb yY\c[](-(GWޢs[ֺ7Upo?j>'MƕvAs78 '4?%53P,oO qtLm0ws0)aXe$a7<ʚK=Vf\.;eXfmm=Y2}Ef@چ׭XdS=$i*'$;Nh@+~d܂Qls2+V:rܥkb u&CMI~L <'u@ 9>נq:dҿv xaF:~y394Z-Z }>tPiO;#Jieh.6˸L#W> cdX^a;[ЮuݗUj F ;F ef_x8A?m{ Q2@-a]xλWBM<Πk p3\vlckgL|7W5s+VΙ)$,LTߠ|dfn|te3._ cӨ Y(H WZ1{nT$ۅӤ0 Ա43ˉI 7j``qiW yt r0j{u;>૘BbA0z%V3d'+%S*Ӻr$K޺˯ŀha<%' 8 {\>$!lSMz+ŇS$/b[,%3pSSNk{s䷢7[Y-'>!)f;y~ϕ\ g]hQ7# C5 / ?-{v 憯?\cpxEa`2|ahvph 'dҿd1>xݸI|Z {*[M$e= q3 4㲜QUIhgvb1iO %fBBo~NBN#-׵ae[+l$KWg׈HF7Bhb"7>FQ(J hy9wtv>uӇ|ZG4½Pony{[ĒځK=O-Ξ2]|ϿxY>Kv2TK`7n̓rNmA ׽|Eb)A^q?6/WBhÉ\c>ge6Yh$7Lx]%)ZGp]ƿ~`RύWl Jڈݍ 8*!ndQ 5c?Lww7S<ޕ<1=N,V2qМ0\Hn'zTQԜiשӌ~Ay}^n/OZ*Z|=Xv ˉzn4ZYbТ8=E7$V+.fqQP8\ >DhC *)jfb&S\n ӎ^GĆ(xldogK|O9R]OnRC Ǎ?;'c=SkX]-޶g+[U_' &  "   &  `"   "  `" &"   "`" &  `"  "  &  ST*(QD%JԏfLz=.K(QD%GJS9  LrD0AAAAD0DA`"2'''LNN2>>e3991$  ‡ &'''@[[;HYY( a<<`0 I$I`0PXX{WҢ?eqa O>"t8dHN].~5x$YY q9.i$v;N`O֙Rͨ,a78Wqy?۬5ߴ.3Ɵ{0Q*58XÂJyFoOneӎbl`{b@P/Gr;1(O0Z=u+,LOOSTTRd2a4/d2qvvFYYccc=w_{Ъ՘'٠EgI6mTʶzyL7hՈt&v1}T{Ds%=uq|ũ)f&ƟW }-rHqX޷Mۦ_p' [75wwI8teG bVaDT`DQ1і\!z#}%q<Ǭ !,eTGF0n>lc%8) #kNdG:Z3'mN6Jz5S)JIT dgue;:X`T =C (GLv048>T0YXX-vvv޾hlldvvdk{F$n;sZX}~F؞룛ĥq;Ɨy >kef㔋nATNu4{.6d̴Dl ,oFdGy\ OtoP׳zO6حz&_4R8[.`R,FVdžlkeC7Cvr;%uCT4&Aν$"Y80$[ܻLpM"SIMKmK*~ AIqL$_|,dEtn[lseJ?:]A1^7"q?5[ޤݿGM Z&K:\Ź}Aҋ2|#2YWКBJ4'u\MguTfwMQQ~7,PЯvre!Ĥ*W?%6:;[{#l8TolUAjxo"ɎS2|Kx`_MNZW8oaFZZZ8::BTP(.KTr||L{{; &G+]|莚&n]n@6Q ԲL>,05M86eɅ].xvv pqsR`sCTW`qy(:f{r*p9cKrOL'_#}n̛f$vlSGrMv2 (V `xߊlWQMfcEd0i|FǜyLKq 4*+ykEeWŒвݬcsq֚b|0qf=Hg_gz0޴.\Q,ёkL<$÷.%RnE1q&cii7,7O/j&0FplGVpSJ>rLbB/zERYPLii)tom/=D2nIip],d]^]W^ED5sjr~kHnh HuBy =|VWX b_[ɎybLA`6)V˗/Y]]Ev2˽EeA֎z,mңy2yÝ$`{hn+?2#ܠbY鿎vZS=[1[c 3si>'̾%rwÂ)馹2Дnd@ϵyjWz@կhZ{fI70 U_U:ty-J>0 <|\LQ .3J8 d$/>FHj2<^x# Yۏ l|sqa$`,'=ovvF[OcQaz6^j:mFh$ۯLga4qٽ썔r54B}b[ׁ[A [':1k =W798/'9昛fX7NVet5&tInDFd3wWE~Hk0=ߑH eP8iJ A I`!%@O~B2mdss/^`Z_fRI^mW-V9wCs2 wVn~E5 T&tc.WuuVK.dtCN,Jc}5)a!<\e7N^u*O BW& ɄgXKIQx1>!<E:A^Z1+jgSN)K &!! Յ3U^q㤣2& y) f~t+,?Z}v5LƒtAGSYd_҇ 8(͎'>go1ߙN@ͯ`o_QxuĤ$T>#|_"'2r=&UDSCÂ]aAtВOw09;;Zީ:jjj8==}JԇLb.$?Mtr'6X$/5)aPؙgqͲ^s#L &3tta7SFBBe4 CǸlFf:(-LN3:)3N*>,y`$c<٢# ef%T7O`q.򨔇_8@N&X=ABbom';K#D)`g~ls=Z#q1U>fllwjtt#<.礤a[UG`r1ehn Ivy5de1)~rdYFwJ?\ns9h=AeIr=n7nL²N _>r9qy>L,7?4N%~  `" &"   "`" &  `"  g"l%tEXtcreate-date2009-03-18T20:16:30+00:00Rr%tEXtmodify-date2009-03-18T20:16:30+00:00y$FIENDB`wordpress-openid-3.4.1/server.php000066400000000000000000000451761265347743100170730ustar00rootroot00000000000000role_names as $key => $name) { $role = $wp_roles->get_role($key); if ($role->has_cap('use_openid_provider')) { $provider_enabled = true; break; } } if (!$provider_enabled) return $xrds; $user = openid_server_requested_user(); if (!$user && get_option('openid_blog_owner')) { $url_parts = parse_url(get_option('home')); $path = array_key_exists('path', $url_parts) ? $url_parts['path'] : ''; $path = trailingslashit($path); $script = preg_replace('/index.php$/', '', $_SERVER['SCRIPT_NAME']); $script = trailingslashit($script); if ($path != $script && !is_admin()) { return $xrds; } if (!defined('OPENID_DISALLOW_OWNER') || !OPENID_DISALLOW_OWNER) { $user = get_user_by('login', get_option('openid_blog_owner')); } } if ($user) { // if user doesn't have capability, bail $user_object = new WP_User($user->ID); if (!$user_object->has_cap('use_openid_provider')) return $xrds; if (get_user_meta($user->ID, 'openid_delegate', true)) { $services = get_user_meta($user->ID, 'openid_delegate_services', true); } else { $services = array(); $tmp_types = apply_filters('openid_server_xrds_types', array('http://specs.openid.net/auth/2.0/signon')); $types = array(); foreach ($tmp_types as $t) { $types[] = array('content' => $t); } $services[] = array( 'Type' => $types, 'URI' => openid_server_url(), 'LocalID' => get_author_posts_url($user->ID), ); $tmp_types = apply_filters('openid_server_xrds_types', array('http://openid.net/signon/1.1')); $types = array(); foreach ($tmp_types as $t) { $types[] = array('content' => $t); } $services[] = array( 'Type' => $types, 'URI' => openid_server_url(), 'openid:Delegate' => get_author_posts_url($user->ID), ); } } else { $services = array( array( 'Type' => array(array('content' => 'http://specs.openid.net/auth/2.0/server')), 'URI' => openid_server_url(), 'LocalID' => 'http://specs.openid.net/auth/2.0/identifier_select', ) ); } if (!empty($services)) { foreach ($services as $index => $service) { $name = 'OpenID Provider Service (' . $index . ')'; $xrds = xrds_add_service($xrds, 'main', $name, $service, $index); } } return $xrds; } /** * Add WebFinger entries for OpenID Server. Entries added will be highly * dependant on the requested URL and plugin configuration. * * @param array $webfinger The WebFinger data array * @param string $resource The requested WebFinger resource * @param WP_User $user The WordPress user * @return array The updated WebFinger data array */ function openid_provider_webfinger( $webfinger, $resource, $user ) { // check if OpenID provider is enabled for user if ( ! $user->has_cap( 'use_openid_provider' ) ) { return $webfinger; } // use delegation URL if set if ( get_user_meta( $user->ID, 'openid_delegate', true ) ) { $webfinger['links'][] = array( 'href' => get_user_meta( $user->ID, 'openid_delegate', true ), 'rel' => 'http://specs.openid.net/auth/2.0/provider', ); } else { // check if WebFinger user is "blog-owner" if ( get_option( 'openid_blog_owner' ) && $user->user_login == get_option( 'openid_blog_owner' ) ) { $webfinger['links'][] = array( 'href' => site_url( '/' ), 'rel' => 'http://specs.openid.net/auth/2.0/provider', ); } else { // otherwise use author-url $webfinger['links'][] = array( 'href' => get_author_posts_url( $user->ID ), 'rel' => 'http://specs.openid.net/auth/2.0/provider', ); } } return $webfinger; } /** * Parse the request URL to determine which author is associated with it. * * @return bool|object false on failure, User DB row object */ function openid_server_requested_user() { global $wp_rewrite; if (array_key_exists('author', $_REQUEST) && $_REQUEST['author']) { if (is_numeric($_REQUEST['author'])) { return get_user_by('id', $_REQUEST['author']); } else { return get_user_by('login', $_REQUEST['author']); } } else { $regex = preg_replace('/%author%/', '(.+)', $wp_rewrite->get_author_permastruct()); preg_match('|'.$regex.'|', $_SERVER['REQUEST_URI'], $matches); if ($matches) { $username = sanitize_user($matches[1], true); return get_user_by('login', $username); } } } /** * Process an OpenID Server request. * * @uses apply_filters() Calls 'openid_server_auth_response' before sending the authentication response. */ function openid_server_request() { $server = openid_server(); // get OpenID request, either from session or HTTP request $request = $server->decodeRequest(); if (!$request || Auth_OpenID_isError($request)) { @session_start(); if (isset($_SESSION['openid_server_request']) && $_SESSION['openid_server_request']) { $request = $_SESSION['openid_server_request']; unset($_SESSION['openid_server_request']); } } if (!$request || Auth_OpenID_isError($request)) { $html = '

This is an OpenID Server.

'; if (Auth_OpenID_isError($request)) { $html .= '

Request Error: ' . $request->toString() . '

'; } else { $html .= '

Nothing to see here… move along.

'; } wp_die($html); } // process request if (in_array($request->mode, array('checkid_immediate', 'checkid_setup'))) { $response = openid_server_auth_request($request); $response = apply_filters('openid_server_auth_response', $response); } else { $response = $server->handleRequest($request); } openid_server_process_response($response); } /** * Process an OpenID Server authentication request. * * @uses do_action() Calls the 'openid_server_pre_auth' hook action before checking if the user is logged in. * @uses do_action() Calls the 'openid_server_post_auth' hook action after ensuring that the user is logged in. */ function openid_server_auth_request($request) { do_action('openid_server_pre_auth', $request); // user must be logged in if (!is_user_logged_in()) { if ($request->mode == 'checkid_immediate') { return $request->answer(false); } else { @session_start(); $_SESSION['openid_server_request'] = $request; auth_redirect(); } } do_action('openid_server_post_auth', $request); // get some user data $user = wp_get_current_user(); $author_url = get_author_posts_url($user->ID); $id_select = ($request->identity == 'http://specs.openid.net/auth/2.0/identifier_select'); // bail if user does not have access to OpenID provider if (!$user->has_cap('use_openid_provider')) return $request->answer(false); // bail if user doesn't own identity and not using id select if (!$id_select && ($author_url != $request->identity)) { return $request->answer(false); } // if using id select but user is delegating, display error to user (unless checkid_immediate) if ($id_select && get_user_meta($user->ID, 'openid_delegate', true)) { if ($request->mode != 'checkid_immediate') { if ($_REQUEST['action'] == 'cancel') { check_admin_referer('openid-server_cancel'); return $request->answer(false); } else { @session_start(); $_SESSION['openid_server_request'] = $request; ob_start(); echo '

'.__('OpenID Login Error', 'openid').'

'; echo '

'; printf(__('Because you have delegated your OpenID, you cannot login with the URL %s. Instead, you must use your full OpenID when logging in.', 'openid'), trailingslashit(get_option('home'))); echo'

'; echo '

' . sprintf(__('Your full OpenID is: %s', 'openid'), ''.$author_url.'') . '

'; echo '

' . wp_nonce_field('openid-server_cancel', '_wpnonce', true, false) .'
'; $html = ob_get_contents(); ob_end_clean(); wp_die($html, 'OpenID Login Error'); } } } // if user trusts site, we're done $trusted_sites = get_user_meta($user->ID, 'openid_trusted_sites', true); $site_hash = md5($request->trust_root); if (is_array($trusted_sites) && array_key_exists($site_hash, $trusted_sites)) { $trusted_sites[$site_hash]['last_login'] = time(); update_user_meta($user->ID, 'openid_trusted_sites', $trusted_sites); if ($id_select) { return $request->answer(true, null, $author_url); } else { return $request->answer(true); } } // that's all we can do without interacting with the user... bail if using immediate if ($request->mode == 'checkid_immediate') { return $request->answer(false); } // finally, prompt the user to trust this site if (openid_server_user_trust($request)) { if ($id_select) { return $request->answer(true, null, $author_url); } else { return $request->answer(true); } } else { return $request->answer(false); } } /** * Check that the current user's author URL matches the claimed URL. * * @param string $claimed claimed url * @return bool whether the current user matches the claimed URL */ function openid_server_check_user_login($claimed) { $user = wp_get_current_user(); if (!$user) return false; $identifier = get_author_posts_url($user->ID); return ($claimed == $identifier); } /** * Process OpenID server response * * @param object $response response object */ function openid_server_process_response($response) { $server = openid_server(); $web_response = $server->encodeResponse($response); if ($web_response->code != AUTH_OPENID_HTTP_OK) { header(sprintf('HTTP/1.1 %d', $web_response->code), true, $web_response->code); } foreach ($web_response->headers as $k => $v) { header("$k: $v"); } print $web_response->body; exit; } /** * Get Auth_OpenID_Server singleton. * * @return object Auth_OpenID_Server singleton instance */ function openid_server() { static $server; if (!$server || !is_a($server, 'Auth_OpenID_Server')) { $server = new Auth_OpenID_Server(openid_getStore(), openid_server_url()); } return $server; } /** * Add OpenID HTML link tags when appropriate. */ function openid_provider_link_tags() { if (is_front_page()) { if (!defined('OPENID_DISALLOW_OWNER') || !OPENID_DISALLOW_OWNER) { $user = get_user_by('login', get_option('openid_blog_owner')); } } else if (is_author()) { global $wp_query; $user = $wp_query->get_queried_object(); } if ( isset($user) && $user) { // if user doesn't have capability, bail $user_object = new WP_User($user->ID); if (!$user_object->has_cap('use_openid_provider')) return; if (get_user_meta($user->ID, 'openid_delegate', true)) { $services = get_user_meta($user->ID, 'openid_delegate_services', true); $openid_1 = false; $openid_2 = false; foreach($services as $service) { if (!$openid_1 && $service['openid:Delegate']) { echo ' '; $openid_1 = true; } if (!$openid_2 && $service['LocalID']) { echo ' '; $openid_2 = true; } } } else { $server = openid_server_url(); $identifier = get_author_posts_url($user->ID); echo ' '; } } } function openid_server_add_trust_site($user_id, $site_url, $site_name = null, $release_attributes) { } function openid_server_remove_trust_site() { } /** * Determine if the current user trusts the the relying party of the OpenID authentication request. * * @uses do_action() Calls the 'openid_server_trust_form' hook action when displaying the trust form. * @uses do_action() Calls the 'openid_server_trust_submit' hook action when processing the submitted trust form. * @uses apply_filters() Calls 'openid_server_store_trusted_site' before storing trusted site data. */ function openid_server_user_trust($request) { $user = wp_get_current_user(); if (isset($_REQUEST['openid_trust']) && $_REQUEST['openid_trust']) { $trust = null; if ($_REQUEST['openid_trust'] == 'cancel') { $trust = false; } else { check_admin_referer('openid-server_trust'); $trust = true; } do_action('openid_server_trust_submit', $trust, $request); if ($trust) { // store trusted site (unless hidden constant is set) if (!defined('OPENID_NO_AUTO_TRUST') || !OPENID_NO_AUTO_TRUST) { $site = array( 'url' => $request->trust_root, 'last_login' => time()); $site = apply_filters('openid_server_store_trusted_site', $site); $trusted_sites = get_user_meta($user->ID, 'openid_trusted_sites', true); $site_hash = md5($request->trust_root); $trusted_sites[$site_hash] = $site; update_user_meta($user->ID, 'openid_trusted_sites', $trusted_sites); } } return $trust; } else { // prompt the user to make a trust decision @session_start(); $_SESSION['openid_server_request'] = $request; ob_start(); echo '

'.__('Verify Your Identity', 'openid').'

' . sprintf(__('%s has asked to verify your identity.', 'openid'), ''.$request->trust_root.'') . '

' . __('Click Continue to verify your identity and login without creating a new password.', 'openid') . '

'; do_action('openid_server_trust_form'); echo '

'.__('Cancel and go back', 'openid').'

' . sprintf(__('Manage or remove access on the Trusted Sites page.', 'openid'), admin_url((current_user_can('edit_users') ? 'users.php' : 'profile.php') . '?page=openid_trusted_sites')) . '

' . sprintf(__('Edit your profile to change the information that gets shared with Trusted Sites.', 'openid'), admin_url('profile.php')) . '

'; wp_nonce_field('openid-server_trust', '_wpnonce', true); echo '
'; $html = ob_get_contents(); ob_end_clean(); openid_page($html, __('Verify Your Identity', 'openid')); } } /** * Discover and cache OpenID services for a user's delegate OpenID. * * @param int $userid user ID * @url string URL to discover. If not provided, user's current delegate will be used * @return bool true if successful */ function openid_server_get_delegation_info($userid, $url = null) { if (empty($url)) $url = get_user_meta($userid, 'openid_delegate', true); if (empty($url)) return false; $fetcher = Auth_Yadis_Yadis::getHTTPFetcher(); $discoveryResult = Auth_Yadis_Yadis::discover($url, $fetcher); $endpoints = Auth_OpenID_ServiceEndpoint::fromDiscoveryResult($discoveryResult); $services = array(); if (!empty($endpoints)) { foreach ($endpoints as $endpoint) { $service = array( 'Type' => array(), 'URI' => $endpoint->server_url, ); foreach ($endpoint->type_uris as $type) { $service['Type'][] = array('content' => $type); if ($type == Auth_OpenID_TYPE_2_0_IDP) { $service['LocalID'] = Auth_OpenID_IDENTIFIER_SELECT; } else if ($type == Auth_OpenID_TYPE_2_0) { $service['LocalID'] = $endpoint->local_id; } else if (in_array($type, array(Auth_OpenID_TYPE_1_0, Auth_OpenID_TYPE_1_1, Auth_OpenID_TYPE_1_2))) { $service['openid:Delegate'] = $endpoint->local_id; } } $services[] = $service; } } if (empty($services)) { // resort to checking for HTML links $response = $fetcher->get($url); if ( ! $response ) { return false; } $html_content = $response->body; $p = new Auth_OpenID_Parse(); $link_attrs = $p->parseLinkAttrs($html_content); // check HTML for OpenID2 $server_url = $p->findFirstHref($link_attrs, 'openid2.provider'); if ($server_url !== null) { $openid_url = $p->findFirstHref($link_attrs, 'openid2.local_id'); if ($openid_url == null) $openid_url = $url; $services[] = array( 'Type' => array(array('content' => Auth_OpenID_Type_1_1)), 'URI' => $server_url, 'LocalID' => $openid_url, ); } // check HTML for OpenID1 $server_url = $p->findFirstHref($link_attrs, 'openid.server'); if ($server_url !== null) { $openid_url = $p->findFirstHref($link_attrs, 'openid.delegate'); if ($openid_url == null) $openid_url = $url; $services[] = array( 'Type' => array(array('content' => Auth_OpenID_Type_2_0)), 'URI' => $server_url, 'openid:Delegate' => $openid_url, ); } } if (empty($services)) return false; return array( 'url' => $url, 'services' => $services ); } wordpress-openid-3.4.1/server_ext.php000066400000000000000000000125351265347743100177440ustar00rootroot00000000000000allRequestedFields(); if ( ! empty( $sreg_fields ) ) { foreach ( $sreg_fields as $field ) { $value = openid_server_sreg_from_profile( $field ); if ( ! empty( $value ) ) { $attributes[] = strtolower( $GLOBALS['Auth_OpenID_sreg_data_fields'][ $field ] ); } } } return $attributes; } /** * Add attribute input fields to the OpenID Trust Form */ function openid_server_attributes_trust_form() { $attributes = apply_filters( 'openid_server_trust_form_attributes', array() ); if ( ! empty( $attributes ) ) { $attr_string = openid_server_attributes_string( $attributes ); echo '

'; } } /** * Convert list of attribute names to human readable string. */ function openid_server_attributes_string( $fields, $string = '' ) { if ( empty( $fields ) ) { return $string; } if ( empty( $string ) ) { if ( sizeof( $fields ) == 2 ) { return join( ' and ', $fields ); } $string = array_shift( $fields ); } else if ( sizeof( $fields ) == 1 ) { $string .= ', and ' . array_shift( $fields ); } else if ( sizeof( $fields ) > 1 ) { $string .= ', ' . array_shift( $fields ); } return openid_server_attributes_string( $fields, $string ); } /** * Based on input from the OpenID trust form, prep data to be included in the authentication response */ function openid_server_sreg_trust_submit( $trust, $request ) { if ( $trust && isset( $_REQUEST['include_sreg'] ) && 'on' == $_REQUEST['include_sreg'] ) { $GLOBALS['openid_server_sreg_trust'] = true; } else { $GLOBALS['openid_server_sreg_trust'] = false; } } /** * Store user's decision on whether to release attributes to the site. */ function openid_server_sreg_store_trusted_site( $site ) { $site['release_attributes'] = $GLOBALS['openid_server_sreg_trust']; return $site; } /** * Attach SReg response to authentication response. */ function openid_server_sreg_auth_response( $response ) { $user = wp_get_current_user(); // should we include SREG in the response? $include_sreg = false; if ( isset( $GLOBALS['openid_server_sreg_trust'] ) ) { $include_sreg = $GLOBALS['openid_server_sreg_trust']; } else { $trusted_sites = get_user_meta( $user->ID, 'openid_trusted_sites', true ); $request = $response->request; $site_hash = md5( $request->trust_root ); if ( is_array( $trusted_sites ) && array_key_exists( $site_hash, $trusted_sites ) ) { $include_sreg = $trusted_sites[ $site_hash ]['release_attributes']; } } if ( $include_sreg ) { $sreg_data = array(); foreach ( $GLOBALS['Auth_OpenID_sreg_data_fields'] as $field => $name ) { $value = openid_server_sreg_from_profile( $field ); if ( ! empty( $value ) ) { $sreg_data[ $field ] = $value; } } $sreg_response = Auth_OpenID_SRegResponse::extractResponse( $GLOBALS['openid_server_sreg_request'], $sreg_data ); if ( ! empty( $sreg_response ) ) { $response->addExtension( $sreg_response ); } } return $response; } /** * Try to pre-populate SReg data from user's profile. The following fields * are not handled by the plugin: dob, gender, postcode, country, and language. * Other plugins may provide this data by implementing the filter * openid_server_sreg_${fieldname}. * * @uses apply_filters() Calls 'openid_server_sreg_*' before returning sreg values, * where '*' is the name of the sreg attribute. */ function openid_server_sreg_from_profile($field) { $user = wp_get_current_user(); $value = ''; switch ( $field ) { case 'nickname': $value = get_user_meta( $user->ID, 'nickname', true ); break; case 'email': $value = $user->user_email; break; case 'fullname': $user_data = get_userdata( $user->ID ); $value = $user_data->display_name; break; } $value = apply_filters( 'openid_server_sreg_' . $field, $value, $user->ID ); return $value; } wordpress-openid-3.4.1/store.php000066400000000000000000000235641265347743100167160ustar00rootroot00000000000000_getAssociationKey($server_url, $association->handle); $association_s = $association->serialize(); // prevent the likelihood of a race condition - don't rely on cache wp_cache_delete('openid_associations', 'options'); $associations = get_option('openid_associations'); if ($associations == null) { $associations = array(); } $associations[$key] = $association_s; update_option('openid_associations', $associations); } function getAssociation($server_url, $handle = null) { //wp_cache_delete('openid_associations', 'options'); if ($handle === null) { $handle = ''; } $key = $this->_getAssociationKey($server_url, $handle); $associations = get_option('openid_associations'); if ($handle && array_key_exists($key, $associations)) { return Auth_OpenID_Association::deserialize( 'Auth_OpenID_Association', $associations[$key] ); } else { // Return the most recently issued association $matching_keys = array(); foreach (array_keys($associations) as $assoc_key) { if (strpos($assoc_key, $key) === 0) { $matching_keys[] = $assoc_key; } } $matching_associations = array(); // sort by time issued foreach ($matching_keys as $assoc_key) { if (array_key_exists($assoc_key, $associations)) { $association = Auth_OpenID_Association::deserialize( 'Auth_OpenID_Association', $associations[$assoc_key] ); } if ($association !== null) { $matching_associations[] = array( $association->issued, $association ); } } $issued = array(); $assocs = array(); foreach ($matching_associations as $assoc_key => $assoc) { $issued[$assoc_key] = $assoc[0]; $assocs[$assoc_key] = $assoc[1]; } array_multisort($issued, SORT_DESC, $assocs, SORT_DESC, $matching_associations); // return the most recently issued one. if ($matching_associations) { list($issued, $assoc) = $matching_associations[0]; return $assoc; } else { return null; } } } function _getAssociationKey($server_url, $handle) { if (strpos($server_url, '://') === false) { trigger_error(sprintf("Bad server URL: %s", $server_url), E_USER_WARNING); return null; } list($proto, $rest) = explode('://', $server_url, 2); $parts = explode('/', $rest); $domain = $parts[0]; $url_hash = base64_encode($server_url); if ($handle) { $handle_hash = base64_encode($handle); } else { $handle_hash = ''; } return sprintf('%s-%s-%s-%s', $proto, $domain, $url_hash, $handle_hash); } function removeAssociation($server_url, $handle) { // Remove the matching association if it's found, and // returns whether the association was removed or not. $key = $this->_getAssociationKey($server_url, $handle); $assoc = $this->getAssociation($server_url, $handle); if ($assoc === null) { return false; } else { $associations = get_option('openid_associations'); if (isset($associations[$key])) { unset($associations[$key]); update_option('openid_associations', $associations); return true; } else { return false; } } } function useNonce($server_url, $timestamp, $salt) { global $Auth_OpenID_SKEW; if ( abs($timestamp - time()) > $Auth_OpenID_SKEW ) { return false; } $key = $this->_getNonceKey($server_url, $timestamp, $salt); // prevent the likelihood of a race condition - don't rely on cache wp_cache_delete('openid_nonces', 'options'); $nonces = get_option('openid_nonces'); if ($nonces == null) { $nonces = array(); } if (array_key_exists($key, $nonces)) { return false; } else { $nonces[$key] = $timestamp; update_option('openid_nonces', $nonces); return true; } } function _getNonceKey($server_url, $timestamp, $salt) { if ($server_url) { list($proto, $rest) = explode('://', $server_url, 2); } else { $proto = ''; $rest = ''; } $parts = explode('/', $rest, 2); $domain = $parts[0]; $url_hash = base64_encode($server_url); $salt_hash = base64_encode($salt); return sprintf('%08x-%s-%s-%s-%s', $timestamp, $proto, $domain, $url_hash, $salt_hash); } function cleanupNonces() { global $Auth_OpenID_SKEW; $nonces = get_option('openid_nonces'); foreach ($nonces as $nonce => $time) { if ( abs($time - time()) > $Auth_OpenID_SKEW ) { unset($nonces[$nonce]); } } update_option('openid_nonces', $nonces); } function cleanupAssociations() { $associations = get_option('openid_associations'); foreach ($associations as $key => $assoc_s) { $assoc = Auth_OpenID_Association::deserialize('Auth_OpenID_Association', $assoc_s); if ( $assoc->getExpiresIn() == 0) { unset($associations[$key]); } } update_option('openid_associations', $associations); } function reset() { update_option('openid_nonces', array()); update_option('openid_associations', array()); } } endif; /** * Check to see whether the nonce, association, and identity tables exist. * * @param bool $retry if true, tables will try to be recreated if they are not okay * @return bool if tables are okay */ function openid_check_tables($retry=true) { global $wpdb; $ok = true; $message = array(); $tables = array( openid_identity_table(), ); foreach( $tables as $t ) { if( $wpdb->get_var("SHOW TABLES LIKE '$t'") != $t ) { $ok = false; $message[] = "Table $t doesn't exist."; } else { $message[] = "Table $t exists."; } } if( $retry and !$ok) { openid_create_tables(); $ok = openid_check_tables( false ); } return $ok; } /** * Create OpenID related tables in the WordPress database. */ function openid_create_tables() { global $wpdb; $store = openid_getStore(); require_once(ABSPATH . 'wp-admin/includes/upgrade.php'); // Create the SQL and call the WP schema upgrade function $statements = array( "CREATE TABLE ".openid_identity_table()." ( uurl_id bigint(20) NOT NULL auto_increment, user_id bigint(20) NOT NULL default '0', url text, hash char(32), PRIMARY KEY (uurl_id), UNIQUE KEY uurl (hash), KEY url (url(30)), KEY user_id (user_id) )", ); $sql = implode(';', $statements); dbDelta($sql); update_option('openid_db_revision', OPENID_DB_REVISION); } /** * Undo any database changes made by the OpenID plugin. Do not attempt to preserve any data. */ function openid_delete_tables() { global $wpdb; $wpdb->query('DROP TABLE IF EXISTS ' . openid_identity_table()); $wpdb->query( $wpdb->prepare('DELETE FROM ' . $wpdb->postmeta . ' WHERE meta_key=%s', 'openid_comments') ); // old database changes... just to make sure $wpdb->query('DROP TABLE IF EXISTS ' . openid_table_prefix(true) . 'openid_nonces'); $wpdb->query('DROP TABLE IF EXISTS ' . openid_table_prefix(true) . 'openid_associations'); // clear old way of storing OpenID comments $openid_column = $wpdb->get_row('SHOW COLUMNS FROM ' . openid_table_prefix(true) . 'comments LIKE "openid"'); if ($openid_column) { $wpdb->query('ALTER table ' . $comments_table . ' DROP COLUMN openid'); $wpdb->query( $wpdb->prepare('UPDATE ' . $comments_table . ' SET comment_type=%s WHERE comment_type=%s', '', 'openid') ); } } /** * Migrate old data to new locations. */ function openid_migrate_old_data() { global $wpdb; // remove old nonce and associations tables $wpdb->query('DROP TABLE IF EXISTS ' . openid_table_prefix(true) . 'openid_nonces'); $wpdb->query('DROP TABLE IF EXISTS ' . openid_table_prefix(true) . 'openid_associations'); $openid_column = $wpdb->get_row('SHOW COLUMNS FROM ' . openid_table_prefix(true) . 'comments LIKE "openid"'); if ($openid_column) { // update old style of marking openid comments. For performance reason, we // migrate them en masse rather than using set_comment_openid() $comments_table = openid_table_prefix(true) . 'comments'; $comment_data = $wpdb->get_results( $wpdb->prepare('SELECT comment_ID, comment_post_ID from ' . $comments_table . ' WHERE openid=%s OR comment_type=%s', 1, 'openid') ); if (!empty($comment_data)) { $openid_comments = array(); foreach ($comment_data as $comment) { if (!array_key_exists($comment->comment_post_ID, $openid_comments)) { $openid_comments[$comment->comment_post_ID] = array(); } $openid_comments[$comment->comment_post_ID][] = $comment->comment_ID; } foreach ($openid_comments as $post_id => $comments) { $current = get_post_meta($post_id, 'openid_comments', true); if (!empty($current)) $comments = array_merge($comments, $current); update_post_meta($post_id, 'openid_comments', array_unique($comments)); } } $wpdb->query('ALTER table ' . $comments_table . ' DROP COLUMN openid'); $wpdb->query( $wpdb->prepare('UPDATE ' . $comments_table . ' SET comment_type=%s WHERE comment_type=%s', '', 'openid') ); } // remove old style of marking openid users $usermeta_table = defined('CUSTOM_USER_META_TABLE') ? CUSTOM_USER_META_TABLE : openid_table_prefix() . 'usermeta'; $wpdb->query( $wpdb->prepare('DELETE FROM ' . $usermeta_table . ' WHERE meta_key=%s OR meta_key=%s', 'has_openid', 'registered_with_openid') ); } function openid_table_prefix($blog_specific = false) { global $wpdb; if (is_multisite() && isset($wpdb->base_prefix)) { return $wpdb->base_prefix . ($blog_specific ? $wpdb->blogid . '_' : ''); } else { return $wpdb->prefix; } } function openid_identity_table() { return (defined('CUSTOM_OPENID_IDENTITY_TABLE') ? CUSTOM_OPENID_IDENTITY_TABLE : openid_table_prefix() . 'openid_identities'); }