czak-authlogic-oid 1.0.4

data/test/libs/open_id_authentication/lib/open_id_authentication.rb

@@ -0,0 +1,244 @@
+require 'uri'
+require 'openid/extensions/sreg'
+require 'openid/extensions/ax'
+require 'openid/store/filesystem'
+
+require File.dirname(__FILE__) + '/open_id_authentication/association'
+require File.dirname(__FILE__) + '/open_id_authentication/nonce'
+require File.dirname(__FILE__) + '/open_id_authentication/db_store'
+require File.dirname(__FILE__) + '/open_id_authentication/mem_cache_store'
+require File.dirname(__FILE__) + '/open_id_authentication/request'
+require File.dirname(__FILE__) + '/open_id_authentication/timeout_fixes' if OpenID::VERSION == "2.0.4"
+
+module OpenIdAuthentication
+  OPEN_ID_AUTHENTICATION_DIR = RAILS_ROOT + "/tmp/openids"
+
+  def self.store
+    @@store
+  end
+
+  def self.store=(*store_option)
+    store, *parameters = *([ store_option ].flatten)
+
+    @@store = case store
+    when :db
+      OpenIdAuthentication::DbStore.new
+    when :mem_cache
+      OpenIdAuthentication::MemCacheStore.new(*parameters)
+    when :file
+      OpenID::Store::Filesystem.new(OPEN_ID_AUTHENTICATION_DIR)
+    else
+      raise "Unknown store: #{store}"
+    end
+  end
+
+  self.store = :db
+
+  class InvalidOpenId < StandardError
+  end
+
+  class Result
+    ERROR_MESSAGES = {
+      :missing      => "Sorry, the OpenID server couldn't be found",
+      :invalid      => "Sorry, but this does not appear to be a valid OpenID",
+      :canceled     => "OpenID verification was canceled",
+      :failed       => "OpenID verification failed",
+      :setup_needed => "OpenID verification needs setup"
+    }
+
+    def self.[](code)
+      new(code)
+    end
+
+    def initialize(code)
+      @code = code
+    end
+
+    def status
+      @code
+    end
+
+    ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } }
+
+    def successful?
+      @code == :successful
+    end
+
+    def unsuccessful?
+      ERROR_MESSAGES.keys.include?(@code)
+    end
+
+    def message
+      ERROR_MESSAGES[@code]
+    end
+  end
+
+  # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization
+  def self.normalize_identifier(identifier)
+    # clean up whitespace
+    identifier = identifier.to_s.strip
+
+    # if an XRI has a prefix, strip it.
+    identifier.gsub!(/xri:\/\//i, '')
+
+    # dodge XRIs -- TODO: validate, don't just skip.
+    unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0))
+      # does it begin with http?  if not, add it.
+      identifier = "http://#{identifier}" unless identifier =~ /^http/i
+
+      # strip any fragments
+      identifier.gsub!(/\#(.*)$/, '')
+
+      begin
+        uri = URI.parse(identifier)
+        uri.scheme = uri.scheme.downcase  # URI should do this
+        identifier = uri.normalize.to_s
+      rescue URI::InvalidURIError
+        raise InvalidOpenId.new("#{identifier} is not an OpenID identifier")
+      end
+    end
+
+    return identifier
+  end
+
+  # deprecated for OpenID 2.0, where not all OpenIDs are URLs
+  def self.normalize_url(url)
+    ActiveSupport::Deprecation.warn "normalize_url has been deprecated, use normalize_identifier instead"
+    self.normalize_identifier(url)
+  end
+
+  protected
+    def normalize_url(url)
+      OpenIdAuthentication.normalize_url(url)
+    end
+
+    def normalize_identifier(url)
+      OpenIdAuthentication.normalize_identifier(url)
+    end
+
+    # The parameter name of "openid_identifier" is used rather than the Rails convention "open_id_identifier"
+    # because that's what the specification dictates in order to get browser auto-complete working across sites
+    def using_open_id?(identity_url = nil) #:doc:
+      identity_url ||= params[:openid_identifier] || params[:openid_url]
+      !identity_url.blank? || params[:open_id_complete]
+    end
+
+    def authenticate_with_open_id(identity_url = nil, options = {}, &block) #:doc:
+      identity_url ||= params[:openid_identifier] || params[:openid_url]
+
+      if params[:open_id_complete].nil?
+        begin_open_id_authentication(identity_url, options, &block)
+      else
+        complete_open_id_authentication(&block)
+      end
+    end
+
+  private
+    def begin_open_id_authentication(identity_url, options = {})
+      identity_url = normalize_identifier(identity_url)
+      return_to    = options.delete(:return_to)
+      method       = options.delete(:method)
+      
+      options[:required] ||= []  # reduces validation later
+      options[:optional] ||= []
+
+      open_id_request = open_id_consumer.begin(identity_url)
+      add_simple_registration_fields(open_id_request, options)
+      add_ax_fields(open_id_request, options)
+      
+      redirect_to(open_id_redirect_url(open_id_request, return_to, method))
+    rescue OpenIdAuthentication::InvalidOpenId => e
+      yield Result[:invalid], identity_url, nil
+    rescue OpenID::OpenIDError, Timeout::Error => e
+      logger.error("[OPENID] #{e}")
+      yield Result[:missing], identity_url, nil
+    end
+
+    def complete_open_id_authentication
+      params_with_path = params.reject { |key, value| request.path_parameters[key] }
+      params_with_path.delete(:format)
+      open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) }
+      identity_url     = normalize_identifier(open_id_response.display_identifier) if open_id_response.display_identifier
+
+      case open_id_response.status
+      when OpenID::Consumer::SUCCESS
+        profile_data = {}
+
+        # merge the SReg data and the AX data into a single hash of profile data
+        [ OpenID::SReg::Response, OpenID::AX::FetchResponse ].each do |data_response|
+          if data_response.from_success_response( open_id_response )
+            profile_data.merge! data_response.from_success_response( open_id_response ).data
+          end
+        end
+        
+        yield Result[:successful], identity_url, profile_data
+      when OpenID::Consumer::CANCEL
+        yield Result[:canceled], identity_url, nil
+      when OpenID::Consumer::FAILURE
+        yield Result[:failed], identity_url, nil
+      when OpenID::Consumer::SETUP_NEEDED
+        yield Result[:setup_needed], open_id_response.setup_url, nil
+      end
+    end
+
+    def open_id_consumer
+      OpenID::Consumer.new(session, OpenIdAuthentication.store)
+    end
+
+    def add_simple_registration_fields(open_id_request, fields)
+      sreg_request = OpenID::SReg::Request.new
+      
+      # filter out AX identifiers (URIs)
+      required_fields = fields[:required].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
+      optional_fields = fields[:optional].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
+      
+      sreg_request.request_fields(required_fields, true) unless required_fields.blank?
+      sreg_request.request_fields(optional_fields, false) unless optional_fields.blank?
+      sreg_request.policy_url = fields[:policy_url] if fields[:policy_url]
+      open_id_request.add_extension(sreg_request)
+    end
+    
+    def add_ax_fields( open_id_request, fields )
+      ax_request = OpenID::AX::FetchRequest.new
+      
+      # look through the :required and :optional fields for URIs (AX identifiers)
+      fields[:required].each do |f|
+        next unless f =~ /^https?:\/\//
+        ax_request.add( OpenID::AX::AttrInfo.new( f, nil, true ) )
+      end
+
+      fields[:optional].each do |f|
+        next unless f =~ /^https?:\/\//
+        ax_request.add( OpenID::AX::AttrInfo.new( f, nil, false ) )
+      end
+      
+      open_id_request.add_extension( ax_request )
+    end
+        
+    def open_id_redirect_url(open_id_request, return_to = nil, method = nil)
+      open_id_request.return_to_args['_method'] = (method || request.method).to_s
+      open_id_request.return_to_args['open_id_complete'] = '1'
+      open_id_request.redirect_url(root_url, return_to || requested_url)
+    end
+
+    def requested_url
+      relative_url_root = self.class.respond_to?(:relative_url_root) ?
+        self.class.relative_url_root.to_s :
+        request.relative_url_root
+      "#{request.protocol}#{request.host_with_port}#{ActionController::Base.relative_url_root}#{request.path}"
+    end
+
+    def timeout_protection_from_identity_server
+      yield
+    rescue Timeout::Error
+      Class.new do
+        def status
+          OpenID::FAILURE
+        end
+
+        def msg
+          "Identity server timed out"
+        end
+      end.new
+    end
+end

data/test/libs/open_id_authentication/tasks/open_id_authentication_tasks.rake

@@ -0,0 +1,30 @@
+namespace :open_id_authentication do
+  namespace :db do
+    desc "Creates authentication tables for use with OpenIdAuthentication"
+    task :create => :environment do
+      generate_migration(["open_id_authentication_tables", "add_open_id_authentication_tables"])
+    end
+
+    desc "Upgrade authentication tables from ruby-openid 1.x.x to 2.x.x"
+    task :upgrade => :environment do
+      generate_migration(["upgrade_open_id_authentication_tables", "upgrade_open_id_authentication_tables"])
+    end
+
+    def generate_migration(args)
+      require 'rails_generator'
+      require 'rails_generator/scripts/generate'
+
+      if ActiveRecord::Base.connection.supports_migrations?
+        Rails::Generator::Scripts::Generate.new.run(args)
+      else
+        raise "Task unavailable to this database (no migration support)"
+      end
+    end
+
+    desc "Clear the authentication tables"
+    task :clear => :environment do
+      OpenIdAuthentication::DbStore.cleanup_nonces
+      OpenIdAuthentication::DbStore.cleanup_associations
+    end
+  end
+end

data/test/libs/open_id_authentication/test/mem_cache_store_test.rb

@@ -0,0 +1,151 @@
+require File.dirname(__FILE__) + '/test_helper'
+require File.dirname(__FILE__) + '/../lib/open_id_authentication/mem_cache_store'
+
+# Mock MemCacheStore with MemoryStore for testing
+class OpenIdAuthentication::MemCacheStore < OpenID::Store::Interface
+  def initialize(*addresses)
+    @connection = ActiveSupport::Cache::MemoryStore.new
+  end
+end
+
+class MemCacheStoreTest < Test::Unit::TestCase
+  ALLOWED_HANDLE = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
+
+  def setup
+    @store = OpenIdAuthentication::MemCacheStore.new
+  end
+
+  def test_store
+    server_url = "http://www.myopenid.com/openid"
+    assoc = gen_assoc(0)
+
+    # Make sure that a missing association returns no result
+    assert_retrieve(server_url)
+
+    # Check that after storage, getting returns the same result
+    @store.store_association(server_url, assoc)
+    assert_retrieve(server_url, nil, assoc)
+
+    # more than once
+    assert_retrieve(server_url, nil, assoc)
+
+    # Storing more than once has no ill effect
+    @store.store_association(server_url, assoc)
+    assert_retrieve(server_url, nil, assoc)
+
+    # Removing an association that does not exist returns not present
+    assert_remove(server_url, assoc.handle + 'x', false)
+
+    # Removing an association that does not exist returns not present
+    assert_remove(server_url + 'x', assoc.handle, false)
+
+    # Removing an association that is present returns present
+    assert_remove(server_url, assoc.handle, true)
+
+    # but not present on subsequent calls
+    assert_remove(server_url, assoc.handle, false)
+
+    # Put assoc back in the store
+    @store.store_association(server_url, assoc)
+
+    # More recent and expires after assoc
+    assoc2 = gen_assoc(1)
+    @store.store_association(server_url, assoc2)
+
+    # After storing an association with a different handle, but the
+    # same server_url, the handle with the later expiration is returned.
+    assert_retrieve(server_url, nil, assoc2)
+
+    # We can still retrieve the older association
+    assert_retrieve(server_url, assoc.handle, assoc)
+
+    # Plus we can retrieve the association with the later expiration
+    # explicitly
+    assert_retrieve(server_url, assoc2.handle, assoc2)
+
+    # More recent, and expires earlier than assoc2 or assoc. Make sure
+    # that we're picking the one with the latest issued date and not
+    # taking into account the expiration.
+    assoc3 = gen_assoc(2, 100)
+    @store.store_association(server_url, assoc3)
+
+    assert_retrieve(server_url, nil, assoc3)
+    assert_retrieve(server_url, assoc.handle, assoc)
+    assert_retrieve(server_url, assoc2.handle, assoc2)
+    assert_retrieve(server_url, assoc3.handle, assoc3)
+
+    assert_remove(server_url, assoc2.handle, true)
+
+    assert_retrieve(server_url, nil, assoc3)
+    assert_retrieve(server_url, assoc.handle, assoc)
+    assert_retrieve(server_url, assoc2.handle, nil)
+    assert_retrieve(server_url, assoc3.handle, assoc3)
+
+    assert_remove(server_url, assoc2.handle, false)
+    assert_remove(server_url, assoc3.handle, true)
+
+    assert_retrieve(server_url, nil, assoc)
+    assert_retrieve(server_url, assoc.handle, assoc)
+    assert_retrieve(server_url, assoc2.handle, nil)
+    assert_retrieve(server_url, assoc3.handle, nil)
+
+    assert_remove(server_url, assoc2.handle, false)
+    assert_remove(server_url, assoc.handle, true)
+    assert_remove(server_url, assoc3.handle, false)
+
+    assert_retrieve(server_url, nil, nil)
+    assert_retrieve(server_url, assoc.handle, nil)
+    assert_retrieve(server_url, assoc2.handle, nil)
+    assert_retrieve(server_url, assoc3.handle, nil)
+
+    assert_remove(server_url, assoc2.handle, false)
+    assert_remove(server_url, assoc.handle, false)
+    assert_remove(server_url, assoc3.handle, false)
+  end
+
+  def test_nonce
+    server_url = "http://www.myopenid.com/openid"
+
+    [server_url, ''].each do |url|
+      nonce1 = OpenID::Nonce::mk_nonce
+
+      assert_nonce(nonce1, true, url, "#{url}: nonce allowed by default")
+      assert_nonce(nonce1, false, url, "#{url}: nonce not allowed twice")
+      assert_nonce(nonce1, false, url, "#{url}: nonce not allowed third time")
+
+      # old nonces shouldn't pass
+      old_nonce = OpenID::Nonce::mk_nonce(3600)
+      assert_nonce(old_nonce, false, url, "Old nonce #{old_nonce.inspect} passed")
+    end
+  end
+
+  private
+    def gen_assoc(issued, lifetime = 600)
+      secret = OpenID::CryptUtil.random_string(20, nil)
+      handle = OpenID::CryptUtil.random_string(128, ALLOWED_HANDLE)
+      OpenID::Association.new(handle, secret, Time.now + issued, lifetime, 'HMAC-SHA1')
+    end
+
+    def assert_retrieve(url, handle = nil, expected = nil)
+      assoc = @store.get_association(url, handle)
+
+      if expected.nil?
+        assert_nil(assoc)
+      else
+        assert_equal(expected, assoc)
+        assert_equal(expected.handle, assoc.handle)
+        assert_equal(expected.secret, assoc.secret)
+      end
+    end
+
+    def assert_remove(url, handle, expected)
+      present = @store.remove_association(url, handle)
+      assert_equal(expected, present)
+    end
+
+    def assert_nonce(nonce, expected, server_url, msg = "")
+      stamp, salt = OpenID::Nonce::split_nonce(nonce)
+      actual = @store.use_nonce(server_url, stamp, salt)
+      assert_equal(expected, actual, msg)
+    end
+end

data/test/libs/open_id_authentication/test/normalize_test.rb

@@ -0,0 +1,32 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class NormalizeTest < Test::Unit::TestCase
+  include OpenIdAuthentication
+
+  NORMALIZATIONS = {
+    "openid.aol.com/nextangler"             => "http://openid.aol.com/nextangler",
+    "http://openid.aol.com/nextangler"      => "http://openid.aol.com/nextangler",
+    "https://openid.aol.com/nextangler"     => "https://openid.aol.com/nextangler",
+    "HTTP://OPENID.AOL.COM/NEXTANGLER"      => "http://openid.aol.com/NEXTANGLER",
+    "HTTPS://OPENID.AOL.COM/NEXTANGLER"     => "https://openid.aol.com/NEXTANGLER",
+    "loudthinking.com"                      => "http://loudthinking.com/",
+    "http://loudthinking.com"               => "http://loudthinking.com/",
+    "http://loudthinking.com:80"            => "http://loudthinking.com/",
+    "https://loudthinking.com:443"          => "https://loudthinking.com/",
+    "http://loudthinking.com:8080"          => "http://loudthinking.com:8080/",
+    "techno-weenie.net"                     => "http://techno-weenie.net/",
+    "http://techno-weenie.net"              => "http://techno-weenie.net/",
+    "http://techno-weenie.net  "            => "http://techno-weenie.net/",
+    "=name"                                 => "=name"
+  }
+
+  def test_normalizations
+    NORMALIZATIONS.each do |from, to|
+      assert_equal to, normalize_identifier(from)
+    end
+  end
+
+  def test_broken_open_id
+    assert_raises(InvalidOpenId) { normalize_identifier(nil) }
+  end
+end

data/test/libs/open_id_authentication/test/open_id_authentication_test.rb

@@ -0,0 +1,46 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class OpenIdAuthenticationTest < Test::Unit::TestCase
+  def setup
+    @controller = Class.new do
+      include OpenIdAuthentication
+      def params() {} end
+    end.new
+  end
+
+  def test_authentication_should_fail_when_the_identity_server_is_missing
+    open_id_consumer = mock()
+    open_id_consumer.expects(:begin).raises(OpenID::OpenIDError)
+    @controller.expects(:open_id_consumer).returns(open_id_consumer)
+    @controller.expects(:logger).returns(mock(:error => true))
+
+    @controller.send(:authenticate_with_open_id, "http://someone.example.com") do |result, identity_url|
+      assert result.missing?
+      assert_equal "Sorry, the OpenID server couldn't be found", result.message
+    end
+  end
+
+  def test_authentication_should_be_invalid_when_the_identity_url_is_invalid
+    @controller.send(:authenticate_with_open_id, "!") do |result, identity_url|
+      assert result.invalid?, "Result expected to be invalid but was not"
+      assert_equal "Sorry, but this does not appear to be a valid OpenID", result.message
+    end
+  end
+
+  def test_authentication_should_fail_when_the_identity_server_times_out
+    open_id_consumer = mock()
+    open_id_consumer.expects(:begin).raises(Timeout::Error, "Identity Server took too long.")
+    @controller.expects(:open_id_consumer).returns(open_id_consumer)
+    @controller.expects(:logger).returns(mock(:error => true))
+
+    @controller.send(:authenticate_with_open_id, "http://someone.example.com") do |result, identity_url|
+      assert result.missing?
+      assert_equal "Sorry, the OpenID server couldn't be found", result.message
+    end
+  end
+
+  def test_authentication_should_begin_when_the_identity_server_is_present
+    @controller.expects(:begin_open_id_authentication)
+    @controller.send(:authenticate_with_open_id, "http://someone.example.com")
+  end
+end

data/test/libs/open_id_authentication/test/status_test.rb

@@ -0,0 +1,14 @@
+require File.dirname(__FILE__) + '/test_helper'
+
+class StatusTest < Test::Unit::TestCase
+  include OpenIdAuthentication
+
+  def test_state_conditional
+    assert Result[:missing].missing?
+    assert Result[:missing].unsuccessful?
+    assert !Result[:missing].successful?
+
+    assert Result[:successful].successful?
+    assert !Result[:successful].unsuccessful?
+  end
+end

data/test/libs/open_id_authentication/test/test_helper.rb

@@ -0,0 +1,17 @@
+require 'test/unit'
+require 'rubygems'
+
+gem 'activesupport'
+require 'active_support'
+
+gem 'actionpack'
+require 'action_controller'
+
+gem 'mocha'
+require 'mocha'
+
+gem 'ruby-openid'
+require 'openid'
+
+RAILS_ROOT = File.dirname(__FILE__) unless defined? RAILS_ROOT
+require File.dirname(__FILE__) + "/../lib/open_id_authentication"

data/test/libs/rails_trickery.rb

@@ -0,0 +1,41 @@
+# The only reason I am doing all of this non sense is becuase the openid_authentication requires that
+# these constants be present. The only other alternative is to use an entire rails application for testing
+# which is a little too overboard for this, I think.
+
+RAILS_ROOT = ''
+
+class ActionController < Authlogic::TestCase::MockController
+  class Request < Authlogic::TestCase::MockRequest
+    def request_method
+      ""
+    end
+  end
+  
+  def root_url
+    ''
+  end
+  
+  def request
+    return @request if defined?(@request)
+    super
+    # Rails does some crazy s#!t with the "method" method. If I don't do this I get a "wrong arguments (0 for 1) error"
+    @request.class.class_eval do
+      def method
+        nil
+      end
+    end
+    @request
+  end
+  
+  def url_for(*args)
+    ''
+  end
+  
+  def redirecting_to
+    @redirect_to
+  end
+  
+  def redirect_to(*args)
+    @redirect_to = args
+  end
+end

data/test/libs/user.rb

@@ -0,0 +1,3 @@
+class User < ActiveRecord::Base
+  acts_as_authentic
+end

data/test/libs/user_session.rb

@@ -0,0 +1,2 @@
+class UserSession < Authlogic::Session::Base
+end

data/test/session_test.rb

@@ -0,0 +1,32 @@
+require File.dirname(__FILE__) + '/test_helper.rb'
+
+class SessionTest < ActiveSupport::TestCase
+  def test_openid_identifier
+    session = UserSession.new
+    assert session.respond_to?(:openid_identifier)
+    session.openid_identifier = "test"
+    assert_equal "http://test/", session.openid_identifier
+  end
+  
+  def test_validate_openid_error
+    session = UserSession.new
+    session.openid_identifier = "yes"
+    session.openid_identifier = "%"
+    assert_nil session.openid_identifier
+    assert !session.save
+    assert session.errors.on(:openid_identifier)
+  end
+  
+  def test_validate_by_nil_openid_identifier
+    session = UserSession.new
+    assert !session.save
+    assert !redirecting_to_yahoo?
+  end
+  
+  def test_validate_by_correct_openid_identifier
+    session = UserSession.new
+    session.openid_identifier = "https://me.yahoo.com/a/9W0FJjRj0o981TMSs0vqVxPdmMUVOQ--"
+    assert !session.save
+    assert redirecting_to_yahoo?
+  end
+end