entp-ruby-openid 2.2

data/examples/rails_openid/public/robots.txt

@@ -0,0 +1 @@
+# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file

data/examples/rails_openid/script/about

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/about'

data/examples/rails_openid/script/breakpointer

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/breakpointer'

data/examples/rails_openid/script/console

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/console'

data/examples/rails_openid/script/destroy

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/destroy'

data/examples/rails_openid/script/generate

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/generate'

data/examples/rails_openid/script/performance/benchmarker

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../../config/boot'
+require 'commands/performance/benchmarker'

data/examples/rails_openid/script/performance/profiler

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../../config/boot'
+require 'commands/performance/profiler'

data/examples/rails_openid/script/plugin

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/plugin'

data/examples/rails_openid/script/process/reaper

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../../config/boot'
+require 'commands/process/reaper'

data/examples/rails_openid/script/process/spawner

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../../config/boot'
+require 'commands/process/spawner'

data/examples/rails_openid/script/process/spinner

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../../config/boot'
+require 'commands/process/spinner'

data/examples/rails_openid/script/runner

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/runner'

data/examples/rails_openid/script/server

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+require File.dirname(__FILE__) + '/../config/boot'
+require 'commands/server'

data/examples/rails_openid/test/functional/login_controller_test.rb

@@ -0,0 +1,18 @@
+require File.dirname(__FILE__) + '/../test_helper'
+require 'login_controller'
+
+# Re-raise errors caught by the controller.
+class LoginController; def rescue_action(e) raise e end; end
+
+class LoginControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = LoginController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+  end
+
+  # Replace this with your real tests.
+  def test_truth
+    assert true
+  end
+end

data/examples/rails_openid/test/functional/server_controller_test.rb

@@ -0,0 +1,18 @@
+require File.dirname(__FILE__) + '/../test_helper'
+require 'server_controller'
+
+# Re-raise errors caught by the controller.
+class ServerController; def rescue_action(e) raise e end; end
+
+class ServerControllerTest < Test::Unit::TestCase
+  def setup
+    @controller = ServerController.new
+    @request    = ActionController::TestRequest.new
+    @response   = ActionController::TestResponse.new
+  end
+
+  # Replace this with your real tests.
+  def test_truth
+    assert true
+  end
+end

data/examples/rails_openid/test/test_helper.rb

@@ -0,0 +1,28 @@
+ENV["RAILS_ENV"] = "test"
+require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
+require 'test_help'
+
+class Test::Unit::TestCase
+  # Transactional fixtures accelerate your tests by wrapping each test method
+  # in a transaction that's rolled back on completion.  This ensures that the
+  # test database remains unchanged so your fixtures don't have to be reloaded
+  # between every test method.  Fewer database queries means faster tests.
+  #
+  # Read Mike Clark's excellent walkthrough at
+  #   http://clarkware.com/cgi/blosxom/2005/10/24#Rails10FastTesting
+  #
+  # Every Active Record database supports transactions except MyISAM tables
+  # in MySQL.  Turn off transactional fixtures in this case; however, if you
+  # don't care one way or the other, switching from MyISAM to InnoDB tables
+  # is recommended.
+  self.use_transactional_fixtures = true
+
+  # Instantiated fixtures are slow, but give you @david where otherwise you
+  # would need people(:david).  If you don't want to migrate your existing
+  # test cases which use the @david style and don't mind the speed hit (each
+  # instantiated fixtures translates to a database query per test method),
+  # then set this back to true.
+  self.use_instantiated_fixtures  = false
+
+  # Add more helper methods to be used by all tests here...
+end

data/lib/hmac/hmac.rb

@@ -0,0 +1,112 @@
+# Copyright (C) 2001  Daiki Ueno <ueno@unixuser.org>
+# This library is distributed under the terms of the Ruby license.
+
+# This module provides common interface to HMAC engines.
+# HMAC standard is documented in RFC 2104:
+#
+#   H. Krawczyk et al., "HMAC: Keyed-Hashing for Message Authentication",
+#   RFC 2104, February 1997
+#
+# These APIs are inspired by JCE 1.2's javax.crypto.Mac interface.
+#
+#   <URL:http://java.sun.com/security/JCE1.2/spec/apidoc/javax/crypto/Mac.html>
+
+module HMAC
+  class Base
+    def initialize(algorithm, block_size, output_length, key)
+      @algorithm = algorithm
+      @block_size = block_size
+      @output_length = output_length
+      @status = STATUS_UNDEFINED
+      @key_xor_ipad = ''
+      @key_xor_opad = ''
+      set_key(key) unless key.nil?
+    end
+
+    private
+    def check_status
+      unless @status == STATUS_INITIALIZED
+	raise RuntimeError,
+	  "The underlying hash algorithm has not yet been initialized."
+      end
+    end
+
+    public
+    def set_key(key)
+      # If key is longer than the block size, apply hash function
+      # to key and use the result as a real key.
+      key = @algorithm.digest(key) if key.size > @block_size
+      key_xor_ipad = "\x36" * @block_size
+      key_xor_opad = "\x5C" * @block_size
+      for i in 0 .. key.size - 1
+	key_xor_ipad[i] ^= key[i]
+	key_xor_opad[i] ^= key[i]
+      end
+      @key_xor_ipad = key_xor_ipad
+      @key_xor_opad = key_xor_opad
+      @md = @algorithm.new
+      @status = STATUS_INITIALIZED
+    end
+
+    def reset_key
+      @key_xor_ipad.gsub!(/./, '?')
+      @key_xor_opad.gsub!(/./, '?')
+      @key_xor_ipad[0..-1] = ''
+      @key_xor_opad[0..-1] = ''
+      @status = STATUS_UNDEFINED
+    end
+
+    def update(text)
+      check_status
+      # perform inner H
+      md = @algorithm.new
+      md.update(@key_xor_ipad)
+      md.update(text)
+      str = md.digest
+      # perform outer H
+      md = @algorithm.new
+      md.update(@key_xor_opad)
+      md.update(str)
+      @md = md
+    end
+    alias << update
+
+    def digest
+      check_status
+      @md.digest
+    end
+
+    def hexdigest
+      check_status
+      @md.hexdigest
+    end
+    alias to_s hexdigest
+
+    # These two class methods below are safer than using above
+    # instance methods combinatorially because an instance will have
+    # held a key even if it's no longer in use.
+    def Base.digest(key, text)
+      begin
+	hmac = self.new(key)
+	hmac.update(text)
+	hmac.digest
+      ensure
+	hmac.reset_key
+      end
+    end
+
+    def Base.hexdigest(key, text)
+      begin
+	hmac = self.new(key)
+	hmac.update(text)
+	hmac.hexdigest
+      ensure
+	hmac.reset_key
+      end
+    end
+
+    private_class_method :new, :digest, :hexdigest
+  end
+
+  STATUS_UNDEFINED, STATUS_INITIALIZED = 0, 1
+end

data/lib/hmac/sha1.rb

@@ -0,0 +1,11 @@
+require 'hmac/hmac'
+require 'digest/sha1'
+
+module HMAC
+  class SHA1 < Base
+    def initialize(key = nil)
+      super(Digest::SHA1, 64, 20, key)
+    end
+    public_class_method :new, :digest, :hexdigest
+  end
+end

data/lib/hmac/sha2.rb

@@ -0,0 +1,25 @@
+require 'hmac/hmac'
+require 'digest/sha2'
+
+module HMAC
+  class SHA256 < Base
+    def initialize(key = nil)
+      super(Digest::SHA256, 64, 32, key)
+    end
+    public_class_method :new, :digest, :hexdigest
+  end
+
+  class SHA384 < Base
+    def initialize(key = nil)
+      super(Digest::SHA384, 128, 48, key)
+    end
+    public_class_method :new, :digest, :hexdigest
+  end
+
+  class SHA512 < Base
+    def initialize(key = nil)
+      super(Digest::SHA512, 128, 64, key)
+    end
+    public_class_method :new, :digest, :hexdigest
+  end
+end

data/lib/openid.rb

@@ -0,0 +1,22 @@
+# Copyright 2006-2007 JanRain, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you
+# may not use this file except in compliance with the License. You may
+# obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+require "openid/version"
+require 'openid/store'
+require 'openid/yadis'
+require "openid/consumer"
+require 'openid/server'
+
+module OpenID
+end

data/lib/openid/association.rb

@@ -0,0 +1,249 @@
+require "openid/kvform"
+require "openid/util"
+require "openid/cryptutil"
+require "openid/message"
+
+module OpenID
+
+  def self.get_secret_size(assoc_type)
+    if assoc_type == 'HMAC-SHA1'
+      return 20
+    elsif assoc_type == 'HMAC-SHA256'
+      return 32
+    else
+      raise ArgumentError("Unsupported association type: #{assoc_type}")
+    end
+  end
+
+  # An Association holds the shared secret between a relying party and
+  # an OpenID provider.
+  class Association
+    attr_reader :handle, :secret, :issued, :lifetime, :assoc_type
+
+    FIELD_ORDER =
+      [:version, :handle, :secret, :issued, :lifetime, :assoc_type,]
+
+    # Load a serialized Association
+    def self.deserialize(serialized)
+      parsed = Util.kv_to_seq(serialized)
+      parsed_fields = parsed.map{|k, v| k.to_sym}
+      if parsed_fields != FIELD_ORDER
+          raise ProtocolError, 'Unexpected fields in serialized association'\
+          " (Expected #{FIELD_ORDER.inspect}, got #{parsed_fields.inspect})"
+      end
+      version, handle, secret64, issued_s, lifetime_s, assoc_type =
+        parsed.map {|field, value| value}
+      if version != '2'
+        raise ProtocolError, "Attempted to deserialize unsupported version "\
+                             "(#{parsed[0][1].inspect})"
+      end
+
+      self.new(handle,
+               Util.from_base64(secret64),
+               Time.at(issued_s.to_i),
+               lifetime_s.to_i,
+               assoc_type)
+    end
+
+    # Create an Association with an issued time of now
+    def self.from_expires_in(expires_in, handle, secret, assoc_type)
+      issued = Time.now
+      self.new(handle, secret, issued, expires_in, assoc_type)
+    end
+
+    def initialize(handle, secret, issued, lifetime, assoc_type)
+      @handle = handle
+      @secret = secret
+      @issued = issued
+      @lifetime = lifetime
+      @assoc_type = assoc_type
+    end
+
+    # Serialize the association to a form that's consistent across
+    # JanRain OpenID libraries.
+    def serialize
+      data = {
+        :version => '2',
+        :handle => handle,
+        :secret => Util.to_base64(secret),
+        :issued => issued.to_i.to_s,
+        :lifetime => lifetime.to_i.to_s,
+        :assoc_type => assoc_type,
+      }
+
+      Util.assert(data.length == FIELD_ORDER.length)
+
+      pairs = FIELD_ORDER.map{|field| [field.to_s, data[field]]}
+      return Util.seq_to_kv(pairs, strict=true)
+    end
+
+    # The number of seconds until this association expires
+    def expires_in(now=nil)
+      if now.nil?
+        now = Time.now.to_i
+      else
+        now = now.to_i
+      end
+      time_diff = (issued.to_i + lifetime) - now
+      if time_diff < 0
+        return 0
+      else
+        return time_diff
+      end
+    end
+
+    # Generate a signature for a sequence of [key, value] pairs
+    def sign(pairs)
+      kv = Util.seq_to_kv(pairs)
+      case assoc_type
+      when 'HMAC-SHA1'
+        CryptUtil.hmac_sha1(@secret, kv)
+      when 'HMAC-SHA256'
+        CryptUtil.hmac_sha256(@secret, kv)
+      else
+        raise ProtocolError, "Association has unknown type: "\
+          "#{assoc_type.inspect}"
+      end
+    end
+
+    # Generate the list of pairs that form the signed elements of the
+    # given message
+    def make_pairs(message)
+      signed = message.get_arg(OPENID_NS, 'signed')
+      if signed.nil?
+        raise ProtocolError, 'Missing signed list'
+      end
+      signed_fields = signed.split(',', -1)
+      data = message.to_post_args
+      signed_fields.map {|field| [field, data.fetch('openid.'+field,'')] }
+    end
+
+    # Return whether the message's signature passes
+    def check_message_signature(message)
+      message_sig = message.get_arg(OPENID_NS, 'sig')
+      if message_sig.nil?
+        raise ProtocolError, "#{message} has no sig."
+      end
+      calculated_sig = get_message_signature(message)
+      return CryptUtil.const_eq(calculated_sig, message_sig)
+    end
+
+    # Get the signature for this message
+    def get_message_signature(message)
+      Util.to_base64(sign(make_pairs(message)))
+    end
+
+    def ==(other)
+      (other.class == self.class and
+       other.handle == self.handle and
+       other.secret == self.secret and
+
+       # The internals of the time objects seemed to differ
+       # in an opaque way when serializing/unserializing.
+       # I don't think this will be a problem.
+       other.issued.to_i == self.issued.to_i and
+
+       other.lifetime == self.lifetime and
+       other.assoc_type == self.assoc_type)
+    end
+
+    # Add a signature (and a signed list) to a message.
+    def sign_message(message)
+      if (message.has_key?(OPENID_NS, 'sig') or
+          message.has_key?(OPENID_NS, 'signed'))
+        raise ArgumentError, 'Message already has signed list or signature'
+      end
+
+      extant_handle = message.get_arg(OPENID_NS, 'assoc_handle')
+      if extant_handle and extant_handle != self.handle
+        raise ArgumentError, "Message has a different association handle"
+      end
+
+      signed_message = message.copy()
+      signed_message.set_arg(OPENID_NS, 'assoc_handle', self.handle)
+      message_keys = signed_message.to_post_args.keys()
+
+      signed_list = []
+      message_keys.each { |k|
+        if k.starts_with?('openid.')
+          signed_list << k[7..-1]
+        end
+      }
+
+      signed_list << 'signed'
+      signed_list.sort!
+
+      signed_message.set_arg(OPENID_NS, 'signed', signed_list.join(','))
+      sig = get_message_signature(signed_message)
+      signed_message.set_arg(OPENID_NS, 'sig', sig)
+      return signed_message
+    end
+  end
+
+  class AssociationNegotiator
+    attr_reader :allowed_types
+
+    def self.get_session_types(assoc_type)
+      case assoc_type
+      when 'HMAC-SHA1'
+        ['DH-SHA1', 'no-encryption']
+      when 'HMAC-SHA256'
+        ['DH-SHA256', 'no-encryption']
+      else
+        raise ProtocolError, "Unknown association type #{assoc_type.inspect}"
+      end
+    end
+
+    def self.check_session_type(assoc_type, session_type)
+      if !get_session_types(assoc_type).include?(session_type)
+        raise ProtocolError, "Session type #{session_type.inspect} not "\
+                             "valid for association type #{assoc_type.inspect}"
+      end
+    end
+
+    def initialize(allowed_types)
+      self.allowed_types=(allowed_types)
+    end
+
+    def copy
+      Marshal.load(Marshal.dump(self))
+    end
+
+    def allowed_types=(allowed_types)
+      allowed_types.each do |assoc_type, session_type|
+        self.class.check_session_type(assoc_type, session_type)
+      end
+      @allowed_types = allowed_types
+    end
+
+    def add_allowed_type(assoc_type, session_type=nil)
+      if session_type.nil?
+        session_types = self.class.get_session_types(assoc_type)
+      else
+        self.class.check_session_type(assoc_type, session_type)
+        session_types = [session_type]
+      end
+      for session_type in session_types do
+        @allowed_types << [assoc_type, session_type]
+      end
+    end
+
+    def allowed?(assoc_type, session_type)
+      @allowed_types.include?([assoc_type, session_type])
+    end
+
+    def get_allowed_type
+      @allowed_types.empty? ? nil : @allowed_types[0]
+    end
+  end
+
+  DefaultNegotiator =
+    AssociationNegotiator.new([['HMAC-SHA1', 'DH-SHA1'],
+                               ['HMAC-SHA1', 'no-encryption'],
+                               ['HMAC-SHA256', 'DH-SHA256'],
+                               ['HMAC-SHA256', 'no-encryption']])
+
+  EncryptedNegotiator =
+    AssociationNegotiator.new([['HMAC-SHA1', 'DH-SHA1'],
+                               ['HMAC-SHA256', 'DH-SHA256']])
+end