entp-ruby-openid 2.2

data/lib/openid/extensions/oauth.rb

@@ -0,0 +1,91 @@
+# An implementation of the OpenID OAuth Extension
+# Extension 1.0
+# see: http://openid.net/specs/
+
+require 'openid/extension'
+
+module OpenID
+
+  module OAuth
+    NS_URI = "http://specs.openid.net/extensions/oauth/1.0"
+    # An OAuth token request, sent from a relying
+    # party to a provider
+    class Request < Extension
+      attr_accessor :consumer, :scope, :ns_alias, :ns_uri
+      def initialize(consumer=nil, scope=nil)
+        @ns_alias = 'oauth'
+        @ns_uri = NS_URI
+        @consumer = consumer
+        @scope = scope
+      end
+
+
+      def get_extension_args
+        ns_args = {}
+        ns_args['consumer'] = @consumer if @consumer        
+        ns_args['scope'] = @scope if @scope
+        return ns_args
+      end
+
+      # Instantiate a Request object from the arguments in a
+      # checkid_* OpenID message
+      # return nil if the extension was not requested.
+      def self.from_openid_request(oid_req)
+        oauth_req = new
+        args = oid_req.message.get_args(NS_URI)
+        if args == {}
+          return nil
+        end
+        oauth_req.parse_extension_args(args)
+        return oauth_req
+      end
+
+      # Set the state of this request to be that expressed in these
+      # OAuth arguments
+      def parse_extension_args(args)
+        @consumer = args["consumer"]
+        @scope = args["scope"]
+      end
+
+    end
+
+    # A OAuth request token response, sent from a provider
+    # to a relying party
+    class Response < Extension
+      attr_accessor :request_token, :scope
+      def initialize(request_token=nil, scope=nil)
+        @ns_alias = 'oauth'
+        @ns_uri = NS_URI
+        @request_token = request_token
+        @scope = scope
+      end
+
+      # Create a Response object from an OpenID::Consumer::SuccessResponse
+      def self.from_success_response(success_response)
+        args = success_response.get_signed_ns(NS_URI)
+        return nil if args.nil?
+        oauth_resp = new
+        oauth_resp.parse_extension_args(args)
+        return oauth_resp
+      end
+
+      # parse the oauth request arguments into the
+      # internal state of this object
+      # if strict is specified, raise an exception when bad data is
+      # encountered
+      def parse_extension_args(args, strict=false)
+        @request_token = args["request_token"]
+        @scope = args["scope"]
+      end
+
+      def get_extension_args
+        ns_args = {}
+        ns_args['request_token'] = @request_token if @request_token
+        ns_args['scope'] = @scope if @scope
+        return ns_args
+      end
+
+    end
+  end
+
+end

data/lib/openid/extensions/pape.rb

@@ -0,0 +1,179 @@
+# An implementation of the OpenID Provider Authentication Policy
+# Extension 1.0
+# see: http://openid.net/specs/
+
+require 'openid/extension'
+
+module OpenID
+
+  module PAPE
+    NS_URI = "http://specs.openid.net/extensions/pape/1.0"
+    AUTH_MULTI_FACTOR_PHYSICAL =
+      'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical'
+    AUTH_MULTI_FACTOR =
+      'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
+    AUTH_PHISHING_RESISTANT =
+      'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'
+    TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
+    # A Provider Authentication Policy request, sent from a relying
+    # party to a provider
+    class Request < Extension
+      attr_accessor :preferred_auth_policies, :max_auth_age, :ns_alias, :ns_uri
+      def initialize(preferred_auth_policies=[], max_auth_age=nil)
+        @ns_alias = 'pape'
+        @ns_uri = NS_URI
+        @preferred_auth_policies = preferred_auth_policies
+        @max_auth_age = max_auth_age
+      end
+
+      # Add an acceptable authentication policy URI to this request
+      # This method is intended to be used by the relying party to add
+      # acceptable authentication types to the request.
+      def add_policy_uri(policy_uri)
+        unless @preferred_auth_policies.member? policy_uri
+          @preferred_auth_policies << policy_uri
+        end
+      end
+
+      def get_extension_args
+        ns_args = {
+          'preferred_auth_policies' => @preferred_auth_policies.join(' ')
+        }
+        ns_args['max_auth_age'] = @max_auth_age.to_s if @max_auth_age
+        return ns_args
+      end
+
+      # Instantiate a Request object from the arguments in a
+      # checkid_* OpenID message
+      # return nil if the extension was not requested.
+      def self.from_openid_request(oid_req)
+        pape_req = new
+        args = oid_req.message.get_args(NS_URI)
+        if args == {}
+          return nil
+        end
+        pape_req.parse_extension_args(args)
+        return pape_req
+      end
+
+      # Set the state of this request to be that expressed in these
+      # PAPE arguments
+      def parse_extension_args(args)
+        @preferred_auth_policies = []
+        policies_str = args['preferred_auth_policies']
+        if policies_str
+          policies_str.split(' ').each{|uri|
+            add_policy_uri(uri)
+          }
+        end
+
+        max_auth_age_str = args['max_auth_age']
+        if max_auth_age_str
+          @max_auth_age = max_auth_age_str.to_i
+        else
+          @max_auth_age = nil
+        end
+      end
+
+      # Given a list of authentication policy URIs that a provider
+      # supports, this method returns the subset of those types
+      # that are preferred by the relying party.
+      def preferred_types(supported_types)
+        @preferred_auth_policies.select{|uri| supported_types.member? uri}
+      end
+    end
+
+    # A Provider Authentication Policy response, sent from a provider
+    # to a relying party
+    class Response < Extension
+      attr_accessor :ns_alias, :auth_policies, :auth_time, :nist_auth_level
+      def initialize(auth_policies=[], auth_time=nil, nist_auth_level=nil)
+        @ns_alias = 'pape'
+        @ns_uri = NS_URI
+        @auth_policies = auth_policies
+        @auth_time = auth_time
+        @nist_auth_level = nist_auth_level
+      end
+
+      # Add a policy URI to the response
+      # see http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies
+      def add_policy_uri(policy_uri)
+        @auth_policies << policy_uri unless @auth_policies.member?(policy_uri)
+      end
+
+      # Create a Response object from an OpenID::Consumer::SuccessResponse
+      def self.from_success_response(success_response)
+        args = success_response.get_signed_ns(NS_URI)
+        return nil if args.nil?
+        pape_resp = new
+        pape_resp.parse_extension_args(args)
+        return pape_resp
+      end
+
+      # parse the provider authentication policy arguments into the
+      # internal state of this object
+      # if strict is specified, raise an exception when bad data is
+      # encountered
+      def parse_extension_args(args, strict=false)
+        policies_str = args['auth_policies']
+        if policies_str and policies_str != 'none'
+          @auth_policies = policies_str.split(' ')
+        end
+
+        nist_level_str = args['nist_auth_level']
+        if nist_level_str
+          # special handling of zero to handle to_i behavior
+          if nist_level_str.strip == '0'
+            nist_level = 0
+          else
+            nist_level = nist_level_str.to_i
+            # if it's zero here we have a bad value
+            if nist_level == 0
+              nist_level = nil
+            end
+          end
+          if nist_level and nist_level >= 0 and nist_level < 5
+            @nist_auth_level = nist_level
+          elsif strict
+            raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{nist_level_str.inspect}"
+          end
+        end
+
+        auth_time_str = args['auth_time']
+        if auth_time_str
+          # validate time string
+          if auth_time_str =~ TIME_VALIDATOR
+            @auth_time = auth_time_str
+          elsif strict
+            raise ArgumentError, "auth_time must be in RFC3339 format"
+          end
+        end
+      end
+
+      def get_extension_args
+        ns_args = {}
+        if @auth_policies.empty?
+          ns_args['auth_policies'] = 'none'
+        else
+          ns_args['auth_policies'] = @auth_policies.join(' ')
+        end
+        if @nist_auth_level
+          unless (0..4).member? @nist_auth_level
+            raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{@nist_auth_level.inspect}"
+          end
+          ns_args['nist_auth_level'] = @nist_auth_level.to_s
+        end
+
+        if @auth_time
+          unless @auth_time =~ TIME_VALIDATOR
+            raise ArgumentError, "auth_time must be in RFC3339 format"
+          end
+          ns_args['auth_time'] = @auth_time
+        end
+        return ns_args
+      end
+
+    end
+  end
+
+end

data/lib/openid/extensions/sreg.rb

@@ -0,0 +1,277 @@
+require 'openid/extension'
+require 'openid/util'
+require 'openid/message'
+
+module OpenID
+  module SReg
+    DATA_FIELDS = {
+      'fullname'=>'Full Name',
+      'nickname'=>'Nickname',
+      'dob'=>'Date of Birth',
+      'email'=>'E-mail Address',
+      'gender'=>'Gender',
+      'postcode'=>'Postal Code',
+      'country'=>'Country',
+      'language'=>'Language',
+      'timezone'=>'Time Zone',
+    }
+
+    NS_URI_1_0 = 'http://openid.net/sreg/1.0'
+    NS_URI_1_1 = 'http://openid.net/extensions/sreg/1.1'
+    NS_URI = NS_URI_1_1
+
+    begin
+      Message.register_namespace_alias(NS_URI_1_1, 'sreg')
+    rescue NamespaceAliasRegistrationError => e
+      Util.log(e)
+    end
+
+    # raise ArgumentError if fieldname is not in the defined sreg fields
+    def OpenID.check_sreg_field_name(fieldname)
+      unless DATA_FIELDS.member? fieldname
+        raise ArgumentError, "#{fieldname} is not a defined simple registration field"
+      end
+    end
+
+    # Does the given endpoint advertise support for simple registration?
+    def OpenID.supports_sreg?(endpoint)
+      endpoint.uses_extension(NS_URI_1_1) || endpoint.uses_extension(NS_URI_1_0)
+    end
+
+    # Extract the simple registration namespace URI from the given
+    # OpenID message. Handles OpenID 1 and 2, as well as both sreg
+    # namespace URIs found in the wild, as well as missing namespace
+    # definitions (for OpenID 1)
+    def OpenID.get_sreg_ns(message)
+      [NS_URI_1_1, NS_URI_1_0].each{|ns|
+        if message.namespaces.get_alias(ns)
+          return ns
+        end
+      }
+      # try to add an alias, since we didn't find one
+      ns = NS_URI_1_1
+      begin
+        message.namespaces.add_alias(ns, 'sreg')
+      rescue IndexError
+        raise NamespaceError
+      end
+      return ns
+    end
+
+    # The simple registration namespace was not found and could not
+    # be created using the expected name (there's another extension
+    # using the name 'sreg')
+    #
+    # This is not <em>illegal</em>, for OpenID 2, although it probably
+    # indicates a problem, since it's not expected that other extensions
+    # will re-use the alias that is in use for OpenID 1.
+    #
+    # If this is an OpenID 1 request, then there is no recourse. This
+    # should not happen unless some code has modified the namespaces for
+    # the message that is being processed.
+    class NamespaceError < ArgumentError
+    end
+
+    # An object to hold the state of a simple registration request.
+    class Request < Extension
+      attr_reader :optional, :required, :ns_uri
+      attr_accessor :policy_url
+      def initialize(required = nil, optional = nil, policy_url = nil, ns_uri = NS_URI)
+        super()
+
+        @policy_url = policy_url
+        @ns_uri = ns_uri
+        @ns_alias = 'sreg'
+        @required = []
+        @optional = []
+
+        if required
+          request_fields(required, true, true)
+        end
+        if optional
+          request_fields(optional, false, true)
+        end
+      end
+
+      # Create a simple registration request that contains the
+      # fields that were requested in the OpenID request with the
+      # given arguments
+      # Takes an OpenID::CheckIDRequest, returns an OpenID::Sreg::Request
+      # return nil if the extension was not requested.
+      def self.from_openid_request(request)
+        # Since we're going to mess with namespace URI mapping, don't
+        # mutate the object that was passed in.
+        message = request.message.copy
+        ns_uri = OpenID::get_sreg_ns(message)
+        args = message.get_args(ns_uri)
+        return nil if args == {}
+        req = new(nil,nil,nil,ns_uri)
+        req.parse_extension_args(args)
+        return req
+      end
+
+      # Parse the unqualified simple registration request
+      # parameters and add them to this object.
+      #
+      # This method is essentially the inverse of
+      # getExtensionArgs. This method restores the serialized simple
+      # registration request fields.
+      #
+      # If you are extracting arguments from a standard OpenID
+      # checkid_* request, you probably want to use fromOpenIDRequest,
+      # which will extract the sreg namespace and arguments from the
+      # OpenID request. This method is intended for cases where the
+      # OpenID server needs more control over how the arguments are
+      # parsed than that method provides.
+      def parse_extension_args(args, strict = false)
+        required_items = args['required']
+        unless required_items.nil? or required_items.empty?
+          required_items.split(',').each{|field_name|
+            begin
+              request_field(field_name, true, strict)
+            rescue ArgumentError
+              raise if strict
+            end
+          }
+        end
+
+        optional_items = args['optional']
+        unless optional_items.nil? or optional_items.empty?
+          optional_items.split(',').each{|field_name|
+            begin
+              request_field(field_name, false, strict)
+            rescue ArgumentError
+              raise if strict
+            end
+          }
+        end
+        @policy_url = args['policy_url']
+      end
+
+      # A list of all of the simple registration fields that were
+      # requested, whether they were required or optional.
+      def all_requested_fields
+        @required + @optional
+      end
+
+      # Have any simple registration fields been requested?
+      def were_fields_requested?
+        !all_requested_fields.empty?
+      end
+
+      # Request the specified field from the OpenID user
+      # field_name: the unqualified simple registration field name
+      # required: whether the given field should be presented
+      #        to the user as being a required to successfully complete
+      #        the request
+      # strict: whether to raise an exception when a field is
+      #        added to a request more than once
+      # Raises ArgumentError if the field_name is not a simple registration
+      # field, or if strict is set and a field is added more than once
+      def request_field(field_name, required=false, strict=false)
+        OpenID::check_sreg_field_name(field_name)
+
+        if strict
+          if (@required + @optional).member? field_name
+            raise ArgumentError, 'That field has already been requested'
+          end
+        else
+          return if @required.member? field_name
+          if @optional.member? field_name
+            if required
+              @optional.delete field_name
+            else
+              return
+            end
+          end
+        end
+        if required
+          @required << field_name
+        else
+          @optional << field_name
+        end
+      end
+
+      # Add the given list of fields to the request.
+      def request_fields(field_names, required = false, strict = false)
+        raise ArgumentError unless field_names.respond_to?(:each) and
+                                   field_names[0].is_a?(String)
+        field_names.each{|fn|request_field(fn, required, strict)}
+      end
+
+      # Get a hash of unqualified simple registration arguments
+      # representing this request.
+      # This method is essentially the inverse of parse_extension_args.
+      # This method serializes the simple registration request fields.
+      def get_extension_args
+        args = {}
+        args['required'] = @required.join(',') unless @required.empty?
+        args['optional'] = @optional.join(',') unless @optional.empty?
+        args['policy_url'] = @policy_url unless @policy_url.nil?
+        return args
+      end
+
+      def member?(field_name)
+        all_requested_fields.member?(field_name)
+      end
+
+    end
+
+    # Represents the data returned in a simple registration response
+    # inside of an OpenID id_res response. This object will be
+    # created by the OpenID server, added to the id_res response
+    # object, and then extracted from the id_res message by the Consumer.
+    class Response < Extension
+      attr_reader :ns_uri, :data
+
+      def initialize(data = {}, ns_uri=NS_URI)
+        @ns_alias = 'sreg'
+        @data = data
+        @ns_uri = ns_uri
+      end
+
+      # Take a Request and a hash of simple registration
+      # values and create a Response object containing that data.
+      def self.extract_response(request, data)
+        arf = request.all_requested_fields
+        resp_data = data.reject{|k,v| !arf.member?(k) || v.nil? }
+        new(resp_data, request.ns_uri)
+      end
+
+      # Create an Response object from an
+      # OpenID::Consumer::SuccessResponse from consumer.complete
+      # If you set the signed_only parameter to false, unsigned data from
+      # the id_res message from the server will be processed.
+      def self.from_success_response(success_response, signed_only = true)
+        ns_uri = OpenID::get_sreg_ns(success_response.message)
+        if signed_only
+          args = success_response.get_signed_ns(ns_uri)
+          return nil if args.nil? # No signed args, so fail
+        else
+          args = success_response.message.get_args(ns_uri)
+        end
+        args.reject!{|k,v| !DATA_FIELDS.member?(k) }
+        new(args, ns_uri)
+      end
+
+      # Get the fields to put in the simple registration namespace
+      # when adding them to an id_res message.
+      def get_extension_args
+        return @data
+      end
+
+      # Read-only hashlike interface.
+      # Raises an exception if the field name is bad
+      def [](field_name)
+        OpenID::check_sreg_field_name(field_name)
+        data[field_name]
+      end
+
+      def empty?
+        @data.empty?
+      end
+      # XXX is there more to a hashlike interface I should add?
+    end
+  end
+end
+