entp-ruby-openid 2.2

data/lib/openid/store/memory.rb

@@ -0,0 +1,84 @@
+require 'openid/store/interface'
+module OpenID
+  module Store
+    # An in-memory implementation of Store.  This class is mainly used
+    # for testing, though it may be useful for long-running single
+    # process apps.  Note that this store is NOT thread-safe.
+    #
+    # You should probably be looking at OpenID::Store::Filesystem
+    class Memory < Interface
+
+      def initialize
+        @associations = {}
+        @associations.default = {}
+        @nonces = {}
+      end
+
+      def store_association(server_url, assoc)
+        assocs = @associations[server_url]
+        @associations[server_url] = assocs.merge({assoc.handle => deepcopy(assoc)})
+      end
+
+      def get_association(server_url, handle=nil)
+        assocs = @associations[server_url]
+        assoc = nil
+        if handle
+          assoc = assocs[handle]
+        else
+          assoc = assocs.values.sort{|a,b| a.issued <=> b.issued}[-1]
+        end
+
+        return assoc
+      end
+
+      def remove_association(server_url, handle)
+        assocs = @associations[server_url]
+        if assocs.delete(handle)
+          return true
+        else
+          return false
+        end
+      end
+
+      def use_nonce(server_url, timestamp, salt)
+        return false if (timestamp - Time.now.to_i).abs > Nonce.skew
+        nonce = [server_url, timestamp, salt].join('')
+        return false if @nonces[nonce]
+        @nonces[nonce] = timestamp
+        return true
+      end
+
+      def cleanup_associations
+        count = 0
+        @associations.each{|server_url, assocs|
+          assocs.each{|handle, assoc|
+            if assoc.expires_in == 0
+              assocs.delete(handle)
+              count += 1
+            end
+          }
+        }
+        return count
+      end
+
+      def cleanup_nonces
+        count = 0
+        now = Time.now.to_i
+        @nonces.each{|nonce, timestamp|
+          if (timestamp - now).abs > Nonce.skew
+            @nonces.delete(nonce)
+            count += 1
+          end
+        }
+        return count
+      end
+
+      protected
+
+      def deepcopy(o)
+        Marshal.load(Marshal.dump(o))
+      end
+
+    end
+  end
+end

data/lib/openid/store/nonce.rb

@@ -0,0 +1,68 @@
+require 'openid/cryptutil'
+require 'date'
+require 'time'
+
+module OpenID
+  module Nonce
+    DEFAULT_SKEW = 60*60*5
+    TIME_FMT = '%Y-%m-%dT%H:%M:%SZ'
+    TIME_STR_LEN = '0000-00-00T00:00:00Z'.size
+    @@NONCE_CHRS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+    TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
+
+    @skew = DEFAULT_SKEW
+
+    # The allowed nonce time skew in seconds.  Defaults to 5 hours.
+    # Used for checking nonce validity, and by stores' cleanup methods.
+    def Nonce.skew
+      @skew
+    end
+
+    def Nonce.skew=(new_skew)
+      @skew = new_skew
+    end
+
+    # Extract timestamp from a nonce string
+    def Nonce.split_nonce(nonce_str)
+      timestamp_str = nonce_str[0...TIME_STR_LEN]
+      raise ArgumentError if timestamp_str.size < TIME_STR_LEN
+      raise ArgumentError unless timestamp_str.match(TIME_VALIDATOR)
+      ts = Time.parse(timestamp_str).to_i
+      raise ArgumentError if ts < 0
+      return ts, nonce_str[TIME_STR_LEN..-1]
+    end
+
+    # Is the timestamp that is part of the specified nonce string
+    # within the allowed clock-skew of the current time?
+    def Nonce.check_timestamp(nonce_str, allowed_skew=nil, now=nil)
+      allowed_skew = skew if allowed_skew.nil?
+      begin
+        stamp, foo = split_nonce(nonce_str)
+      rescue ArgumentError # bad timestamp
+        return false
+      end
+      now = Time.now.to_i unless now
+
+      # times before this are too old
+      past = now - allowed_skew
+
+      # times newer than this are too far in the future
+      future = now + allowed_skew
+
+      return (past <= stamp and stamp <= future)
+    end
+
+    # generate a nonce with the specified timestamp (defaults to now)
+    def Nonce.mk_nonce(time = nil)
+      salt = CryptUtil::random_string(6, @@NONCE_CHRS)
+      if time.nil?
+        t = Time.now.getutc
+      else
+        t = Time.at(time).getutc
+      end
+      time_str = t.strftime(TIME_FMT)
+      return time_str + salt
+    end
+
+  end
+end

data/lib/openid/trustroot.rb

@@ -0,0 +1,349 @@
+require 'uri'
+require 'openid/urinorm'
+
+module OpenID
+
+  class RealmVerificationRedirected < Exception
+    # Attempting to verify this realm resulted in a redirect.
+    def initialize(relying_party_url, rp_url_after_redirects)
+      @relying_party_url = relying_party_url
+      @rp_url_after_redirects = rp_url_after_redirects
+    end
+
+    def to_s
+      return "Attempting to verify #{@relying_party_url} resulted in " +
+        "redirect to #{@rp_url_after_redirects}"
+    end
+  end
+
+  module TrustRoot
+    TOP_LEVEL_DOMAINS = %w'
+      ac ad ae aero af ag ai al am an ao aq ar arpa as asia at
+      au aw ax az ba bb bd be bf bg bh bi biz bj bm bn bo br bs bt
+      bv bw by bz ca cat cc cd cf cg ch ci ck cl cm cn co com coop
+      cr cu cv cx cy cz de dj dk dm do dz ec edu ee eg er es et eu
+      fi fj fk fm fo fr ga gb gd ge gf gg gh gi gl gm gn gov gp gq
+      gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in info int
+      io iq ir is it je jm jo jobs jp ke kg kh ki km kn kp kr kw
+      ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mg mh mil
+      mk ml mm mn mo mobi mp mq mr ms mt mu museum mv mw mx my mz
+      na name nc ne net nf ng ni nl no np nr nu nz om org pa pe pf
+      pg ph pk pl pm pn pr pro ps pt pw py qa re ro rs ru rw sa sb
+      sc sd se sg sh si sj sk sl sm sn so sr st su sv sy sz tc td
+      tel tf tg th tj tk tl tm tn to tp tr travel tt tv tw tz ua
+      ug uk us uy uz va vc ve vg vi vn vu wf ws xn--0zwm56d
+      xn--11b5bs3a9aj6g xn--80akhbyknj4f xn--9t4b11yi5a
+      xn--deba0ad xn--g6w251d xn--hgbk6aj7f53bba
+      xn--hlcj6aya9esc7a xn--jxalpdlp xn--kgbechtv xn--zckzah ye
+      yt yu za zm zw'
+
+    ALLOWED_PROTOCOLS = ['http', 'https']
+
+    # The URI for relying party discovery, used in realm verification.
+    #
+    # XXX: This should probably live somewhere else (like in
+    # OpenID or OpenID::Yadis somewhere)
+    RP_RETURN_TO_URL_TYPE = 'http://specs.openid.net/auth/2.0/return_to'
+
+    # If the endpoint is a relying party OpenID return_to endpoint,
+    # return the endpoint URL. Otherwise, return None.
+    #
+    # This function is intended to be used as a filter for the Yadis
+    # filtering interface.
+    #
+    # endpoint: An XRDS BasicServiceEndpoint, as returned by
+    # performing Yadis dicovery.
+    #
+    # returns the endpoint URL or None if the endpoint is not a
+    # relying party endpoint.
+    def TrustRoot._extract_return_url(endpoint)
+      if endpoint.matchTypes([RP_RETURN_TO_URL_TYPE])
+        return endpoint.uri
+      else
+        return nil
+      end
+    end
+
+    # Is the return_to URL under one of the supplied allowed
+    # return_to URLs?
+    def TrustRoot.return_to_matches(allowed_return_to_urls, return_to)
+      allowed_return_to_urls.each { |allowed_return_to|
+        # A return_to pattern works the same as a realm, except that
+        # it's not allowed to use a wildcard. We'll model this by
+        # parsing it as a realm, and not trying to match it if it has
+        # a wildcard.
+
+        return_realm = TrustRoot.parse(allowed_return_to)
+        if (# Parses as a trust root
+            !return_realm.nil? and
+
+            # Does not have a wildcard
+            !return_realm.wildcard and
+
+            # Matches the return_to that we passed in with it
+            return_realm.validate_url(return_to)
+            )
+          return true
+        end
+      }
+
+      # No URL in the list matched
+      return false
+    end
+
+    # Given a relying party discovery URL return a list of return_to
+    # URLs.
+    def TrustRoot.get_allowed_return_urls(relying_party_url)
+      rp_url_after_redirects, return_to_urls = services.get_service_endpoints(
+        relying_party_url, _extract_return_url)
+
+      if rp_url_after_redirects != relying_party_url
+        # Verification caused a redirect
+        raise RealmVerificationRedirected.new(
+                relying_party_url, rp_url_after_redirects)
+      end
+
+      return return_to_urls
+    end
+
+    # Verify that a return_to URL is valid for the given realm.
+    #
+    # This function builds a discovery URL, performs Yadis discovery
+    # on it, makes sure that the URL does not redirect, parses out
+    # the return_to URLs, and finally checks to see if the current
+    # return_to URL matches the return_to.
+    #
+    # raises DiscoveryFailure when Yadis discovery fails returns
+    # true if the return_to URL is valid for the realm
+    def TrustRoot.verify_return_to(realm_str, return_to, _vrfy=nil)
+      # _vrfy parameter is there to make testing easier
+      if _vrfy.nil?
+        _vrfy = self.method('get_allowed_return_urls')
+      end
+
+      if !(_vrfy.is_a?(Proc) or _vrfy.is_a?(Method))
+        raise ArgumentError, "_vrfy must be a Proc or Method"
+      end
+
+      realm = TrustRoot.parse(realm_str)
+      if realm.nil?
+        # The realm does not parse as a URL pattern
+        return false
+      end
+
+      begin
+        allowable_urls = _vrfy.call(realm.build_discovery_url())
+      rescue RealmVerificationRedirected => err
+        Util.log(err.to_s)
+        return false
+      end
+
+      if return_to_matches(allowable_urls, return_to)
+        return true
+      else
+        Util.log("Failed to validate return_to #{return_to} for " +
+            "realm #{realm_str}, was not in #{allowable_urls}")
+        return false
+      end
+    end
+
+    class TrustRoot
+
+      attr_reader :unparsed, :proto, :wildcard, :host, :port, :path
+
+      @@empty_re = Regexp.new('^http[s]*:\/\/\*\/$')
+
+      def TrustRoot._build_path(path, query=nil, frag=nil)
+        s = path.dup
+
+        frag = nil if frag == ''
+        query = nil if query == ''
+
+        if query
+          s << "?" << query
+        end
+
+        if frag
+          s << "#" << frag
+        end
+
+        return s
+      end
+
+      def TrustRoot._parse_url(url)
+        begin
+          url = URINorm.urinorm(url)
+        rescue URI::InvalidURIError => err
+          nil
+        end
+
+        begin
+          parsed = URI::parse(url)
+        rescue URI::InvalidURIError
+          return nil
+        end
+
+        path = TrustRoot._build_path(parsed.path,
+                                     parsed.query,
+                                     parsed.fragment)
+
+        return [parsed.scheme || '', parsed.host || '',
+                parsed.port || '', path || '']
+      end
+
+      def TrustRoot.parse(trust_root)
+        trust_root = trust_root.dup
+        unparsed = trust_root.dup
+
+        # look for wildcard
+        wildcard = (not trust_root.index('://*.').nil?)
+        trust_root.sub!('*.', '') if wildcard
+
+        # handle http://*/ case
+        if not wildcard and @@empty_re.match(trust_root)
+          proto = trust_root.split(':')[0]
+          port = proto == 'http' ? 80 : 443
+          return new(unparsed, proto, true, '', port, '/')
+        end
+
+        parts = TrustRoot._parse_url(trust_root)
+        return nil if parts.nil?
+
+        proto, host, port, path = parts
+
+        # check for URI fragment
+        if path and !path.index('#').nil?
+          return nil
+        end
+
+        return nil unless ['http', 'https'].member?(proto)
+        return new(unparsed, proto, wildcard, host, port, path)
+      end
+
+      def TrustRoot.check_sanity(trust_root_string)
+        trust_root = TrustRoot.parse(trust_root_string)
+        if trust_root.nil?
+          return false
+        else
+          return trust_root.sane?
+        end
+      end
+
+      # quick func for validating a url against a trust root.  See the
+      # TrustRoot class if you need more control.
+      def self.check_url(trust_root, url)
+        tr = self.parse(trust_root)
+        return (!tr.nil? and tr.validate_url(url))
+      end
+
+      # Return a discovery URL for this realm.
+      #
+      # This function does not check to make sure that the realm is
+      # valid. Its behaviour on invalid inputs is undefined.
+      #
+      # return_to:: The relying party return URL of the OpenID
+      # authentication request
+      #
+      # Returns the URL upon which relying party discovery should be
+      # run in order to verify the return_to URL
+      def build_discovery_url
+        if self.wildcard
+          # Use "www." in place of the star
+          www_domain = 'www.' + @host
+          port = (!@port.nil? and ![80, 443].member?(@port)) ? (":" + @port.to_s) : ''
+          return "#{@proto}://#{www_domain}#{port}#{@path}"
+        else
+          return @unparsed
+        end
+      end
+
+      def initialize(unparsed, proto, wildcard, host, port, path)
+        @unparsed = unparsed
+        @proto = proto
+        @wildcard = wildcard
+        @host = host
+        @port = port
+        @path = path
+      end
+
+      def sane?
+        return true if @host == 'localhost'
+
+        host_parts = @host.split('.')
+
+        # a note: ruby string split does not put an empty string at
+        # the end of the list if the split element is last.  for
+        # example, 'foo.com.'.split('.') => ['foo','com'].  Mentioned
+        # because the python code differs here.
+
+        return false if host_parts.length == 0
+
+        # no adjacent dots
+        return false if host_parts.member?('')
+
+        # last part must be a tld
+        tld = host_parts[-1]
+        return false unless TOP_LEVEL_DOMAINS.member?(tld)
+
+        return false if host_parts.length == 1
+
+        if @wildcard
+          if tld.length == 2 and host_parts[-2].length <= 3
+            # It's a 2-letter tld with a short second to last segment
+            # so there needs to be more than two segments specified
+            # (e.g. *.co.uk is insane)
+            return host_parts.length > 2
+          end
+        end
+
+        return true
+      end
+
+      def validate_url(url)
+        parts = TrustRoot._parse_url(url)
+        return false if parts.nil?
+
+        proto, host, port, path = parts
+
+        return false unless proto == @proto
+        return false unless port == @port
+        return false unless host.index('*').nil?
+
+        if !@wildcard
+          if host != @host
+            return false
+          end
+        elsif ((@host != '') and
+               (!host.ends_with?('.' + @host)) and
+               (host != @host))
+          return false
+        end
+
+        if path != @path
+          path_len = @path.length
+          trust_prefix = @path[0...path_len]
+          url_prefix = path[0...path_len]
+
+          # must be equal up to the length of the path, at least
+          if trust_prefix != url_prefix
+            return false
+          end
+
+          # These characters must be on the boundary between the end
+          # of the trust root's path and the start of the URL's path.
+          if !@path.index('?').nil?
+            allowed = '&'
+          else
+            allowed = '?/'
+          end
+
+          return (!allowed.index(@path[-1]).nil? or
+                  !allowed.index(path[path_len]).nil?)
+        end
+
+        return true
+      end
+    end
+  end
+end
+