local-openid 0.1.1 → 0.2.0

data/.document

@@ -1,4 +1,5 @@
-History.txt
-LICENSE.txt
-README.txt
-bin/local-openid
+NEWS
+LICENSE
+ChangeLog
+README
+lib/

data/.gitignore

@@ -1,2 +1,14 @@
 pkg
 doc
+*.rbc
+/.config
+/InstalledFiles
+/doc
+pkg/
+/NEWS
+/ChangeLog
+/.manifest
+/GIT-VERSION-FILE
+/man
+tags
+TAGS

data/GIT-VERSION-GEN

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+GVF=GIT-VERSION-FILE
+DEF_VER=v0.2.0.GIT
+
+LF='
+'
+
+# First see if there is a version file (included in release tarballs),
+# then try git-describe, then default.
+if test -f version
+then
+	VN=$(cat version) || VN="$DEF_VER"
+elif test -d .git -o -f .git &&
+	VN=$(git describe --abbrev=4 HEAD 2>/dev/null) &&
+	case "$VN" in
+	*$LF*) (exit 1) ;;
+	v[0-9]*)
+		git update-index -q --refresh
+		test -z "$(git diff-index --name-only HEAD --)" ||
+		VN="$VN-dirty" ;;
+	esac
+then
+	VN=$(echo "$VN" | sed -e 's/-/./g');
+else
+	VN="$DEF_VER"
+fi
+
+VN=$(expr "$VN" : v*'\(.*\)')
+
+if test -r $GVF
+then
+	VC=$(sed -e 's/^GIT_VERSION = //' <$GVF)
+else
+	VC=unset
+fi
+test "$VN" = "$VC" || {
+	echo >&2 "GIT_VERSION = $VN"
+	echo "GIT_VERSION = $VN" >$GVF
+}

data/GNUmakefile

@@ -1,19 +1,145 @@
-all:
+all::
+RUBY = ruby
+RAKE = rake
+RSYNC = rsync
+GIT_URL = git://git.bogomips.org/local-openid.git
+
+GIT-VERSION-FILE: .FORCE-GIT-VERSION-FILE
+	@./GIT-VERSION-GEN
+-include GIT-VERSION-FILE
+
+pkg_extra := GIT-VERSION-FILE NEWS ChangeLog
+manifest: $(pkg_extra)
+	$(RM) .manifest
+	$(MAKE) .manifest
+
+.manifest:
+	(git ls-files && \
+         for i in $@ $(pkg_extra) $(man1_paths); \
+	 do echo $$i; done) | LC_ALL=C sort > $@+
+	cmp $@+ $@ || mv $@+ $@
+	$(RM) $@+
+
+NEWS: GIT-VERSION-FILE
+	$(RAKE) -s news_rdoc > $@+
+	mv $@+ $@
+
+SINCE = 0.1.0
+ChangeLog: LOG_VERSION = \
+  $(shell git rev-parse -q "$(GIT_VERSION)" >/dev/null 2>&1 && \
+          echo $(GIT_VERSION) || git describe)
+ifneq ($(SINCE),)
+ChangeLog: log_range = v$(SINCE)..$(LOG_VERSION)
+endif
+ChangeLog: GIT-VERSION-FILE
+	@echo "ChangeLog from $(GIT_URL) ($(log_range))" > $@+
+	@echo >> $@+
+	git log $(log_range) | sed -e 's/^/    /' >> $@+
+	mv $@+ $@
+
+news_atom := http://bogomips.org/local-openid/NEWS.atom.xml
+cgit_atom := http://git.bogomips.org/cgit/local-openid.git/atom/?h=master
+atom = <link rel="alternate" title="Atom feed" href="$(1)" \
+             type="application/atom+xml"/>
+
+doc: .document NEWS ChangeLog
+	find bin lib -type f -name '*.rbc' -exec rm -f '{}' ';'
+	rdoc -a -t "$(shell sed -ne '1s/^= //p' README)"
+	install -m644 COPYING doc/COPYING
+	install -m644 $(shell grep '^[A-Z]' .document)  doc/
+	$(RUBY) -i -p -e \
+	  '$$_.gsub!("</title>",%q{\&$(call atom,$(cgit_atom))})' \
+	  doc/ChangeLog.html
+	$(RUBY) -i -p -e \
+	  '$$_.gsub!("</title>",%q{\&$(call atom,$(news_atom))})' \
+	  doc/NEWS.html doc/README.html
+	$(RAKE) -s news_atom > doc/NEWS.atom.xml
+	cd doc && ln README.html tmp && mv tmp index.html
 
 publish_doc:
 	-git set-file-times
-	$(MAKE) doc
+	$(RM) -r doc ChangeLog NEWS
+	$(MAKE) doc LOG_VERSION=$(shell git tag -l | tail -1)
+	@awk 'BEGIN{RS="=== ";ORS=""}NR==2{sub(/\n$$/,"");print RS""$$0 }' \
+	 < NEWS > doc/LATEST
+	find doc/images doc/js -type f | \
+		TZ=UTC xargs touch -d '1970-01-01 00:00:00' doc/rdoc.css
 	$(MAKE) doc_gz
-	rsync -av --delete doc/ dcvr:/srv/bogomips/local-openid/
+	chmod 644 $$(find doc -type f)
+	$(RSYNC) -av --delete doc/ bogomips.org:/srv/bogomips/local-openid/
 	git ls-files | xargs touch
 
-doc: .document
-	rdoc -Na -m README.txt -t "$(shell sed -ne '1s/^= //p' README.txt)"
+ifneq ($(VERSION),)
+rfproject := qrp
+rfpackage := local-openid
+pkggem := pkg/$(rfpackage)-$(VERSION).gem
+pkgtgz := pkg/$(rfpackage)-$(VERSION).tgz
+release_notes := release_notes-$(VERSION)
+release_changes := release_changes-$(VERSION)
+
+release-notes: $(release_notes)
+release-changes: $(release_changes)
+$(release_changes):
+	$(RAKE) -s release_changes > $@+
+	$(VISUAL) $@+ && test -s $@+ && mv $@+ $@
+$(release_notes):
+	GIT_URL=$(GIT_URL) $(RAKE) -s release_notes > $@+
+	$(VISUAL) $@+ && test -s $@+ && mv $@+ $@
+
+# ensures we're actually on the tagged $(VERSION), only used for release
+verify:
+	test x"$(shell umask)" = x0022
+	git rev-parse --verify refs/tags/v$(VERSION)^{}
+	git diff-index --quiet HEAD^0
+	test `git rev-parse --verify HEAD^0` = \
+	     `git rev-parse --verify refs/tags/v$(VERSION)^{}`
+
+fix-perms:
+	-git ls-tree -r HEAD | awk '/^100644 / {print $$NF}' | xargs chmod 644
+	-git ls-tree -r HEAD | awk '/^100755 / {print $$NF}' | xargs chmod 755
+
+gem: $(pkggem)
+
+install-gem: $(pkggem)
+	gem install $(CURDIR)/$<
+
+$(pkggem): manifest fix-perms
+	gem build $(rfpackage).gemspec
+	mkdir -p pkg
+	mv $(@F) $@
+
+$(pkgtgz): distdir = $(basename $@)
+$(pkgtgz): HEAD = v$(VERSION)
+$(pkgtgz): manifest fix-perms
+	@test -n "$(distdir)"
+	$(RM) -r $(distdir)
+	mkdir -p $(distdir)
+	tar cf - `cat .manifest` | (cd $(distdir) && tar xf -)
+	cd pkg && tar c $(basename $(@F)) | gzip -9 > $(@F)+
+	mv $@+ $@
+
+package: $(pkgtgz) $(pkggem)
+
+test-release: verify package $(release_notes) $(release_changes)
+release: verify package $(release_notes) $(release_changes)
+	# make tgz release on RubyForge
+	rubyforge add_release -f -n $(release_notes) -a $(release_changes) \
+	  $(rfproject) $(rfpackage) $(VERSION) $(pkgtgz)
+	# push gem to Gemcutter
+	gem push $(pkggem)
+	# in case of gem downloads from RubyForge releases page
+	-rubyforge add_file \
+	  $(rfproject) $(rfpackage) $(VERSION) $(pkggem)
+else
+gem install-gem: GIT-VERSION-FILE
+	$(MAKE) $@ VERSION=$(GIT_VERSION)
+endif
 
 # Create gzip variants of the same timestamp as the original so nginx
 # "gzip_static on" can serve the gzipped versions directly.
-doc_gz: suf := html js css
-doc_gz: globs := $(addprefix doc/*.,$(suf)) $(addprefix doc/*/*.,$(suf))
-doc_gz: docs := $(wildcard $(globs))
+doc_gz: docs = $(shell find doc -type f ! -regex '^.*\.\(gif\|jpg\|png\|gz\)$$')
 doc_gz:
-	for i in $(docs); do gzip < $$i > $$i.gz; touch -r $$i $$i.gz; done
+	touch doc/NEWS.atom.xml -d "$$(awk 'NR==1{print $$4,$$5,$$6}' NEWS)"
+	for i in $(docs); do \
+	  gzip --rsyncable -9 < $$i > $$i.gz; touch -r $$i $$i.gz; done
+.PHONY: .FORCE-GIT-VERSION-FILE doc manifest

data/LICENSE

@@ -0,0 +1,5 @@
+local-openid is copyrighted free software by all contributors, see logs
+in revision control for names and email addresses of all of them.  You
+can redistribute it and/or modify it under either the terms of the GNU
+Affero General Public License, version 3.  See the link:COPYING file
+for details.

data/{README.txt → README}

@@ -1,9 +1,5 @@
 = local-openid: Single User, Ephemeral OpenID Provider
 
-* http://bogomips.org/local-openid
-
-== Description
-
 local-openid allows users with shell accounts on servers to authenticate
 with OpenID consumers by editing a YAML file in their home directory
 instead of authenticating through HTTP/HTTPS.
@@ -43,17 +39,35 @@ setup.rb is also provided for non-Rubygems users.
 == Requirements
 
 local-openid is a small Sinatra application.  It requires the Ruby
-OpenID library (2.x), Sinatra (0.9+), Rack (0.9+), and any Rack-enabled
+OpenID library (2.x), Sinatra (1.0), Rack and any Rack-enabled
 server.  To be useful, it also depends on having a user account on a
 machine with a publically-accessible IP and DNS name to use as your
 OpenID identity.
 
+== Running
+
+"local-openid" should be installed in your $PATH by RubyGems or
+setup.rb.  It is a Sinatra application and takes the usual
+command-line arguments.  It binds on all addresses (0.0.0.0) and port
+4567 by default, using the standard WEBrick web server.
+
+You may specify a different port with the *-p* switch and address with
+the *-o* switch.  The following command will start local-openid on port
+3000 bound to localhost (useful if behind a reverse proxy like nginx).
+
+  local-openid -o 127.0.0.1 -p 3000
+
 == Hacking
 
 I don't have any plans for more development with local-openid.  It was
 after all, just a weekend hack.  It does what I want it to and nothing
 more.
 
+You can use the {mailing list}[mailto:local.openid@librelist.com] to
+share ideas, patches, pull requests with other users.  Remember, I
+wrote local-openid because I find the web difficult to use.  So I'll
+only accept communication about local-openid via email :)
+
 Feel free to fork it and customize it to your needs.  Of course, drop me
 a line if you fix any bugs or notice any security holes in it.
 
@@ -69,11 +83,6 @@ You may browse the code from the web and download the latest tarballs here:
 * http://git.bogomips.org/cgit/local-openid.git
 * http://repo.or.cz/w/local-openid.git (gitweb mirror)
 
-== License
-
-Copyright 2009 Eric Wong.  It is licensed under the GNU Affero General
-Public License, version 3.  See the LICENSE file for details.
-
 == Disclaimer
 
 There is NO WARRANTY whatsoever, implied or otherwise.  OpenID may not
@@ -84,5 +93,6 @@ credentials when your provider implementation has 99.999% downtime :)
 
 == Contact
 
-Eric Wong, normalperson@yhbt.net
-OpenID: http://e.yhbt.net/
+* Original author: Eric Wong, normalperson@yhbt.net
+* OpenID: http://e.yhbt.net/
+* mailing list: local.openid@librelist.com

data/Rakefile

@@ -1,12 +1,183 @@
-require 'rubygems'
-require 'hoe'
+# -*- encoding: binary -*-
+autoload :Gem, 'rubygems'
 
-readme = File.readlines('README.txt')
+def tags
+  timefmt = '%Y-%m-%dT%H:%M:%SZ'
+  @tags ||= `git tag -l`.split(/\n/).map do |tag|
+    if %r{\Av[\d\.]+\z} =~ tag
+      header, subject, body = `git cat-file tag #{tag}`.split(/\n\n/, 3)
+      header = header.split(/\n/)
+      tagger = header.grep(/\Atagger /).first
+      body ||= "initial"
+      {
+        :time => Time.at(tagger.split(/ /)[-2].to_i).utc.strftime(timefmt),
+        :tagger_name => %r{^tagger ([^<]+)}.match(tagger)[1].strip,
+        :tagger_email => %r{<([^>]+)>}.match(tagger)[1].strip,
+        :id => `git rev-parse refs/tags/#{tag}`.chomp!,
+        :tag => tag,
+        :subject => subject,
+        :body => body,
+      }
+    end
+  end.compact.sort { |a,b| b[:time] <=> a[:time] }
+end
+
+cgit_url = "http://git.bogomips.org/cgit/local-openid.git"
+git_url = ENV['GIT_URL'] || 'git://git.bogomips.org/local-openid.git'
+
+desc 'prints news as an Atom feed'
+task :news_atom do
+  require 'nokogiri'
+  new_tags = tags[0,10]
+  puts(Nokogiri::XML::Builder.new do
+    feed :xmlns => "http://www.w3.org/2005/Atom" do
+      id! "http://bogomips.org/local-openid/NEWS.atom.xml"
+      title "local-openid news"
+      subtitle %q{Single User, Ephemeral OpenID Provider}
+      link! :rel => 'alternate', :type => 'text/html',
+            :href => 'http://bogomips.org/local-openid/NEWS.html'
+      updated(new_tags.empty? ? "1970-01-01T00:00:00Z" : new_tags.first[:time])
+      new_tags.each do |tag|
+        entry do
+          title tag[:subject]
+          updated tag[:time]
+          published tag[:time]
+          author {
+            name tag[:tagger_name]
+            email tag[:tagger_email]
+          }
+          url = "#{cgit_url}/tag/?id=#{tag[:tag]}"
+          link! :rel => "alternate", :type => "text/html", :href =>url
+          id! url
+          message_only = tag[:body].split(/\n.+\(\d+\):\n {6}/s).first.strip
+          content({:type =>:text}, message_only)
+          content(:type =>:xhtml) { pre tag[:body] }
+        end
+      end
+    end
+  end.to_xml)
+end
+
+desc 'prints RDoc-formatted news'
+task :news_rdoc do
+  tags.each do |tag|
+    time = tag[:time].tr!('T', ' ').gsub!(/:\d\dZ/, ' UTC')
+    puts "=== #{tag[:tag].sub(/^v/, '')} / #{time}"
+    puts ""
+
+    body = tag[:body]
+    puts tag[:body].gsub(/^/sm, "  ").gsub(/[ \t]+$/sm, "")
+    puts ""
+  end
+end
+
+desc "print release changelog for Rubyforge"
+task :release_changes do
+  version = ENV['VERSION'] or abort "VERSION= needed"
+  version = "v#{version}"
+  vtags = tags.map { |tag| tag[:tag] =~ /\Av/ and tag[:tag] }.sort
+  prev = vtags[vtags.index(version) - 1]
+  if prev
+    system('git', 'diff', '--stat', prev, version) or abort $?
+    puts ""
+    system('git', 'log', "#{prev}..#{version}") or abort $?
+  else
+    system('git', 'log', version) or abort $?
+  end
+end
+
+desc "print release notes for Rubyforge"
+task :release_notes do
+  spec = Gem::Specification.load('local-openid.gemspec')
+  puts spec.description.strip
+  puts ""
+  puts "* #{spec.homepage}"
+  puts "* #{spec.email}"
+  puts "* #{git_url}"
+
+  _, _, body = `git cat-file tag v#{spec.version}`.split(/\n\n/, 3)
+  print "\nChanges:\n\n"
+  puts body
+end
+
+desc "read news article from STDIN and post to rubyforge"
+task :publish_news do
+  require 'rubyforge'
+  IO.select([STDIN], nil, nil, 1) or abort "E: news must be read from stdin"
+  msg = STDIN.readlines
+  subject = msg.shift
+  blank = msg.shift
+  blank == "\n" or abort "no newline after subject!"
+  subject.strip!
+  body = msg.join("").strip!
+
+  rf = RubyForge.new.configure
+  rf.login
+  rf.post_news('qrp', subject, body)
+end
+
+desc "post to RAA"
+task :raa_update do
+  require 'net/http'
+  require 'net/netrc'
+  rc = Net::Netrc.locate('local-openid-raa') or abort "~/.netrc not found"
+  password = rc.password
+
+  s = Gem::Specification.load('local-openid.gemspec')
+  desc = [ s.description.strip ]
+  desc << ""
+  desc << "* #{s.email}"
+  desc << "* #{git_url}"
+  desc << "* #{cgit_url}"
+  desc = desc.join("\n")
+  uri = URI.parse('http://raa.ruby-lang.org/regist.rhtml')
+  form = {
+    :name => s.name,
+    :short_description => s.summary,
+    :version => s.version.to_s,
+    :status => 'stable',
+    :owner => s.authors.first,
+    :email => s.email,
+    :category_major => 'Application',
+    :category_minor => 'WWW',
+    :url => s.homepage,
+    :download => 'http://rubyforge.org/frs/?group_id=5626',
+    :license => "OpenSource", # AGPLv3, specifically
+    :description_style => 'Plain',
+    :description => desc,
+    :pass => password,
+    :submit => "Update",
+  }
+  res = Net::HTTP.post_form(uri, form)
+  p res
+  puts res.body
+end
+
+desc "post to FM"
+task :fm_update do
+  require 'tempfile'
+  require 'net/http'
+  require 'net/netrc'
+  require 'json'
+  version = ENV['VERSION'] or abort "VERSION= needed"
+  uri = URI.parse('http://freshmeat.net/projects/local-openid/releases.json')
+  rc = Net::Netrc.locate('local-openid-fm') or abort "~/.netrc not found"
+  api_token = rc.password
+  changelog = tags.find { |t| t[:tag] == "v#{version}" }[:body]
+  tmp = Tempfile.new('fm-changelog')
+  tmp.syswrite(changelog)
+  system(ENV["VISUAL"], tmp.path) or abort "#{ENV["VISUAL"]} failed: #$?"
+  changelog = File.read(tmp.path).strip
 
-Hoe.new('local-openid', '0.1.1') do |p|
-   p.rubyforge_name = 'qrp'
-   p.developer('Eric Wong', 'normalperson@yhbt.net')
-   p.summary = readme[0].split(/\s*:\s*/)[1]
-   p.url = 'http://bogomips.org/local-openid'
-   p.extra_deps << [ 'sinatra', '>= 0.9' ]
+  req = {
+    "auth_code" => api_token,
+    "release" => {
+      "tag_list" => "Stable",
+      "version" => version,
+      "changelog" => changelog,
+    },
+  }.to_json
+  Net::HTTP.start(uri.host, uri.port) do |http|
+    p http.post(uri.path, req, {'Content-Type'=>'application/json'})
+  end
 end

data/bin/local-openid

@@ -1,300 +1,19 @@
-#!/home/ew/bin/ruby
-# A personal OpenID identity provider, authentication is done by editing
-# a YAML file on the server where this application runs
-# (~/.local-openid/config.yml by default) instead of via HTTP/HTTPS
-# form authentication in the browser.
-
-require 'tempfile'
-require 'time'
-require 'yaml'
-
-require 'sinatra'
-require 'openid'
-require 'openid/extensions/sreg'
-require 'openid/extensions/pape'
-require 'openid/store/filesystem'
-set :static, false
-set :sessions, true
-set :environment, :production
-set :logging, false # load Rack::CommonLogger in config.ru instead
-
-BEGIN {
-  $local_openid ||=
-              File.expand_path(ENV['LOCAL_OPENID_DIR'] || '~/.local-openid')
-  Dir.mkdir($local_openid) unless File.directory?($local_openid)
+#!/usr/bin/env ruby
+require 'local_openid'
+require 'optparse'
+require 'socket'
+BasicSocket.do_not_reverse_lookup = true
+opts = {
+  :server => 'webrick', # webrick is standard, and plenty fast enough
 }
-
-# all the sinatra endpoints:
-get('/xrds') { big_lock { render_xrds(true) } }
-get('/') { big_lock { get_or_post } }
-post('/') { big_lock { get_or_post } }
-
-private
-
-# yes, I use gsub for templating because I find it easier than erb :P
-PROMPT = %q!<html>
-<head><title>OpenID login: %s</title></head>
-<body><h1>reload this page when approved: %s</h1></body>
-</html>!
-
-XRDS_HTML = %q!<html><head>
-<link rel="openid.server" href="%s" />
-<link rel="openid2.provider" href="%s" />
-<meta http-equiv="X-XRDS-Location" content="%sxrds" />
-<title>OpenID server endpoint</title>
-</head><body>OpenID server endpoint</body></html>!
-
-XRDS_XML = %q!<?xml version="1.0" encoding="UTF-8"?>
-<xrds:XRDS
-  xmlns:xrds="xri://$xrds"
-  xmlns="xri://$xrd*($v*2.0)">
-<XRD>
-  <Service priority="0">
-    %types
-    <URI>%s</URI>
-  </Service>
-</XRD>
-</xrds:XRDS>!
-
-CONFIG_HEADER = %!
-This file may be changed by #{__FILE__} or your favorite $EDITOR
-comments will be deleted when modified by #{__FILE__}.  See the
-comments end of this file for help on the format.
-!.lstrip!
-
-CONFIG_TRAILER = %!
-Configuration file description.
-
-* allowed_ips     An array of strings representing IPs that may
-                  authenticate through local-openid.  Only put
-                  IP addresses that you trust in here.
-
-Each OpenID consumer trust root will have its own hash keyed by
-the trust root URL.  Keys in this hash are:
-
-  - expires       The time at which this login will expire.
-                  This is generally the only entry you need to edit
-                  to approve a site.  You may also delete this line
-                  and rename the "expires1m" to this.
-  - expires1m     The time 1 minute from when this entry was updated.
-                  This is provided as a convenience for replacing
-                  the default "expires" entry.  This key may be safely
-                  removed by a user editing it.
-  - updated       Time this entry was updated, strictly informational.
-  - session_id    Unique identifier in your session cookie to prevent
-                  other users from hijacking your session.  You may
-                  delete this if you've changed browsers or computers.
-  - assoc_handle  See the OpenID specs, may be empty.  Do not edit this.
-
-SReg keys supported by the Ruby OpenID implementation should be
-supported, they include (but are not limited to):
-! << OpenID::SReg::DATA_FIELDS.map do |key, value|
-  "   - #{key}: #{value}"
-end.join("\n") << %!
-SReg keys may be global at the top-level or private to each trust root.
-Per-trust root SReg entries override the global settings.
-!
-
-include OpenID::Server
-
-# this is the heart of our provider logic, adapted from the
-# Ruby OpenID gem Rails example
-def get_or_post
-  oidreq = begin
-    server.decode_request(params)
-  rescue ProtocolError => err
-    halt(500, err.to_s)
-  end
-
-  oidreq or return render_xrds
-
-  oidresp = case oidreq
-  when CheckIDRequest
-    if oidreq.id_select && oidreq.immediate
-      oidreq.answer(false)
-    elsif is_authorized?(oidreq)
-      resp = oidreq.answer(true, nil, server_root)
-      add_sreg(oidreq, resp)
-      add_pape(oidreq, resp)
-      resp
-    elsif oidreq.immediate
-      oidreq.answer(false, server_root)
-    else
-      session[:id] ||= "#{Time.now.to_i}.#$$.#{rand}"
-      session[:ip] = request.ip
-      merge_config(oidreq)
-      write_config
-
-      # here we allow our user to open $EDITOR and edit the appropriate
-      # 'expires' field in config.yml corresponding to oidreq.trust_root
-      return PROMPT.gsub(/%s/, oidreq.trust_root)
-    end
-  else
-    server.handle_request(oidreq)
-  end
-
-  finalize_response(oidresp)
-end
-
-# we're the provider for exactly one identity.  However, we do rely on
-# being proxied and being hit with an appropriate HTTP Host: header.
-# Don't expect OpenID consumers to handle port != 80.
-def server_root
-  "http://#{request.host}/"
-end
-
-def server
-  @server ||= Server.new(
-      OpenID::Store::Filesystem.new("#$local_openid/store"),
-      server_root)
-end
-
-# support the simple registration extension if possible,
-# allow per-site overrides of various data points
-def add_sreg(oidreq, oidresp)
-  sregreq = OpenID::SReg::Request.from_openid_request(oidreq) or return
-  per_site = config[oidreq.trust_root] || {}
-
-  sreg_data = {}
-  sregreq.all_requested_fields.each do |field|
-    sreg_data[field] = per_site[field] || config[field]
-  end
-
-  sregresp = OpenID::SReg::Response.extract_response(sregreq, sreg_data)
-  oidresp.add_extension(sregresp)
-end
-
-def add_pape(oidreq, oidresp)
-  papereq = OpenID::PAPE::Request.from_openid_request(oidreq) or return
-  paperesp = OpenID::PAPE::Response.new(papereq.preferred_auth_policies,
-                                        papereq.max_auth_age)
-  # since this implementation requires shell/filesystem access to the
-  # OpenID server to authenticate, we can say we're at the highest
-  # auth level possible...
-  paperesp.add_policy_uri(OpenID::PAPE::AUTH_MULTI_FACTOR_PHYSICAL)
-  paperesp.auth_time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
-  paperesp.nist_auth_level = 4
-  oidresp.add_extension(paperesp)
-end
-
-def err(msg)
-  env['rack.errors'].write("#{msg}\n")
-  false
-end
-
-def finalize_response(oidresp)
-  server.signatory.sign(oidresp) if oidresp.needs_signing
-  web_response = server.encode_response(oidresp)
-
-  case web_response.code
-  when HTTP_OK
-    web_response.body
-  when HTTP_REDIRECT
-    location = web_response.headers['location']
-    err("redirecting to: #{location} ...")
-    redirect(location)
-  else
-    halt(500, web_response.body)
+OptionParser.new { |op|
+  op.on('-s <mongrel|thin|webrick>') { |v| opts[:server] = v }
+  op.on('-p port')   { |val| opts[:port] = val.to_i }
+  op.on('-o addr')   { |val| opts[:bind] = val }
+  op.on('-h', '--help', 'Show this message') do
+    puts op.to_s
+    exit
   end
-end
-
-# the heart of our custom authentication logic
-def is_authorized?(oidreq)
-  (config['allowed_ips'] ||= []).include?(request.ip) or
-    return err("Not allowed: #{request.ip}\n" \
-               "You need to put this IP in the 'allowed_ips' array "\
-               "in:\n #$local_openid/config.yml")
-
-  request.ip == session[:ip] or
-    return err("session IP mismatch: " \
-               "#{request.ip.inspect} != #{session[:ip].inspect}")
-
-  trust_root = oidreq.trust_root
-  per_site = config[trust_root] or
-    return err("trust_root unknown: #{trust_root}")
-
-  session_id = session[:id] or return err("no session ID")
-
-  assoc_handle = per_site['assoc_handle'] # this may be nil
-  expires = per_site['expires'] or
-    return err("no expires (trust_root=#{trust_root})")
-
-  assoc_handle == oidreq.assoc_handle or
-    return err("assoc_handle mismatch: " \
-               "#{assoc_handle.inspect} != #{oidreq.assoc_handle.inspect}" \
-               " (trust_root=#{trust_root})")
+}.parse!(ARGV)
 
-  per_site['session_id'] == session_id or
-    return err("session ID mismatch: " \
-               "#{per_site['session_id'].inspect} != #{session_id.inspect}" \
-               " (trust_root=#{trust_root})")
-
-  expires > Time.now or
-    return err("Expired: #{expires.inspect} (trust_root=#{trust_root})")
-
-  true
-end
-
-def config
-  @config ||= begin
-    YAML.load(File.read("#$local_openid/config.yml"))
-  rescue Errno::ENOENT
-    {}
-  end
-end
-
-def merge_config(oidreq)
-  per_site = config[oidreq.trust_root] ||= {}
-  per_site.merge!({
-      'assoc_handle' => oidreq.assoc_handle,
-      'expires' => Time.at(0).utc,
-      'updated' => Time.now.utc,
-      'expires1m' => Time.now.utc + 60, # easy edit to "expires" in $EDITOR
-      'session_id' => session[:id],
-    })
-end
-
-def write_config
-  path = "#$local_openid/config.yml"
-  tmp = Tempfile.new('config.yml', File.dirname(path))
-  tmp.syswrite(CONFIG_HEADER.gsub(/^/m, "# "))
-  tmp.syswrite(config.to_yaml)
-  tmp.syswrite(CONFIG_TRAILER.gsub(/^/m, "# "))
-  tmp.fsync
-  File.rename(tmp.path, path)
-  tmp.close!
-end
-
-# this output is designed to be parsed by OpenID consumers
-def render_xrds(force = false)
-  if force || request.accept.include?('application/xrds+xml')
-
-    # this seems to work...
-    types = request.accept.include?('application/xrds+xml') ?
-       [ OpenID::OPENID_2_0_TYPE, OpenID::OPENID_1_0_TYPE, OpenID::SREG_URI ] :
-       [ OpenID::OPENID_IDP_2_0_TYPE ]
-
-    headers['Content-Type'] = 'application/xrds+xml'
-    types = types.map { |uri| "<Type>#{uri}</Type>" }.join("\n")
-    XRDS_XML.gsub(/%s/, server_root).gsub!(/%types/, types)
-  else # render a browser-friendly page with an XRDS pointer
-    headers['X-XRDS-Location'] = "#{server_root}xrds"
-    XRDS_HTML.gsub(/%s/, server_root)
-  end
-end
-
-# if a single-user OpenID provider like us is being hit by multiple
-# clients at once, then something is seriously wrong.  Can't use
-# Mutexes here since somebody could be running this as a CGI script
-def big_lock(&block)
-  lock = "#$local_openid/lock"
-  File.open(lock, File::WRONLY|File::CREAT|File::EXCL, 0600) do |fp|
-    begin
-      yield
-    ensure
-      File.unlink(lock)
-    end
-  end
-  rescue Errno::EEXIST
-    err("Lock: #{lock} exists! Possible hijacking attempt") rescue nil
-end
+LocalOpenID.run!(opts)

data/lib/local_openid.rb

@@ -0,0 +1,302 @@
+# A personal OpenID identity provider, authentication is done by editing
+# a YAML file on the server where this application runs
+# (~/.local-openid/config.yml by default) instead of via HTTP/HTTPS
+# form authentication in the browser.
+#:stopdoc:
+require 'tempfile'
+require 'time'
+require 'yaml'
+
+require 'sinatra/base'
+require 'openid'
+require 'openid/extensions/sreg'
+require 'openid/extensions/pape'
+require 'openid/store/filesystem'
+
+class LocalOpenID < Sinatra::Base
+  set :static, false
+  set :sessions, true
+  set :environment, :production
+  set :logging, false # load Rack::CommonLogger in config.ru instead
+
+  @@dir ||= File.expand_path(ENV['LOCAL_OPENID_DIR'] || '~/.local-openid')
+  Dir.mkdir(@@dir) unless File.directory?(@@dir)
+
+  # all the sinatra endpoints:
+  get('/xrds') { big_lock { render_xrds(true) } }
+  get('/') { big_lock { get_or_post } }
+  post('/') { big_lock { get_or_post } }
+
+  private
+
+  # yes, I use gsub for templating because I find it easier than erb :P
+  PROMPT = %q!<html>
+  <head><title>OpenID login: %s</title></head>
+  <body><h1>reload this page when approved: %s</h1></body>
+  </html>!
+
+  XRDS_HTML = %q!<html><head>
+  <link rel="openid.server" href="%s" />
+  <link rel="openid2.provider" href="%s" />
+  <meta http-equiv="X-XRDS-Location" content="%sxrds" />
+  <title>OpenID server endpoint</title>
+  </head><body>OpenID server endpoint</body></html>!
+
+  XRDS_XML = %q!<?xml version="1.0" encoding="UTF-8"?>
+  <xrds:XRDS
+    xmlns:xrds="xri://$xrds"
+    xmlns="xri://$xrd*($v*2.0)">
+  <XRD>
+    <Service priority="0">
+      %types
+      <URI>%s</URI>
+    </Service>
+  </XRD>
+  </xrds:XRDS>!
+
+  CONFIG_HEADER = %!
+  This file may be changed by #{__FILE__} or your favorite $EDITOR
+  comments will be deleted when modified by #{__FILE__}.  See the
+  comments end of this file for help on the format.
+  !.lstrip!
+
+  CONFIG_TRAILER = %!
+  Configuration file description.
+
+  * allowed_ips     An array of strings representing IPs that may
+                    authenticate through local-openid.  Only put
+                    IP addresses that you trust in here.
+
+  Each OpenID consumer trust root will have its own hash keyed by
+  the trust root URL.  Keys in this hash are:
+
+    - expires       The time at which this login will expire.
+                    This is generally the only entry you need to edit
+                    to approve a site.  You may also delete this line
+                    and rename the "expires1m" to this.
+    - expires1m     The time 1 minute from when this entry was updated.
+                    This is provided as a convenience for replacing
+                    the default "expires" entry.  This key may be safely
+                    removed by a user editing it.
+    - updated       Time this entry was updated, strictly informational.
+    - session_id    Unique identifier in your session cookie to prevent
+                    other users from hijacking your session.  You may
+                    delete this if you've changed browsers or computers.
+    - assoc_handle  See the OpenID specs, may be empty.  Do not edit this.
+
+  SReg keys supported by the Ruby OpenID implementation should be
+  supported, they include (but are not limited to):
+  ! << OpenID::SReg::DATA_FIELDS.map do |key, value|
+    "   - #{key}: #{value}"
+  end.join("\n") << %!
+  SReg keys may be global at the top-level or private to each trust root.
+  Per-trust root SReg entries override the global settings.
+  !
+
+  include OpenID::Server
+
+  # this is the heart of our provider logic, adapted from the
+  # Ruby OpenID gem Rails example
+  def get_or_post
+    oidreq = begin
+      server.decode_request(params)
+    rescue ProtocolError => err
+      halt(500, err.to_s)
+    end
+
+    oidreq or return render_xrds
+
+    oidresp = case oidreq
+    when CheckIDRequest
+      if oidreq.id_select && oidreq.immediate
+        oidreq.answer(false)
+      elsif is_authorized?(oidreq)
+        resp = oidreq.answer(true, nil, server_root)
+        add_sreg(oidreq, resp)
+        add_pape(oidreq, resp)
+        resp
+      elsif oidreq.immediate
+        oidreq.answer(false, server_root)
+      else
+        session[:id] ||= "#{Time.now.to_i}.#$$.#{rand}"
+        session[:ip] = request.ip
+        merge_config(oidreq)
+        write_config
+
+        # here we allow our user to open $EDITOR and edit the appropriate
+        # 'expires' field in config.yml corresponding to oidreq.trust_root
+        return PROMPT.gsub(/%s/, oidreq.trust_root)
+      end
+    else
+      server.handle_request(oidreq)
+    end
+
+    finalize_response(oidresp)
+  end
+
+  # we're the provider for exactly one identity.  However, we do rely on
+  # being proxied and being hit with an appropriate HTTP Host: header.
+  # Don't expect OpenID consumers to handle port != 80.
+  def server_root
+    "http://#{request.host}/"
+  end
+
+  def server
+    @server ||= Server.new(
+        OpenID::Store::Filesystem.new("#@@dir/store"),
+        server_root)
+  end
+
+  # support the simple registration extension if possible,
+  # allow per-site overrides of various data points
+  def add_sreg(oidreq, oidresp)
+    sregreq = OpenID::SReg::Request.from_openid_request(oidreq) or return
+    per_site = config[oidreq.trust_root] || {}
+
+    sreg_data = {}
+    sregreq.all_requested_fields.each do |field|
+      sreg_data[field] = per_site[field] || config[field]
+    end
+
+    sregresp = OpenID::SReg::Response.extract_response(sregreq, sreg_data)
+    oidresp.add_extension(sregresp)
+  end
+
+  def add_pape(oidreq, oidresp)
+    papereq = OpenID::PAPE::Request.from_openid_request(oidreq) or return
+    paperesp = OpenID::PAPE::Response.new(papereq.preferred_auth_policies,
+                                          papereq.max_auth_age)
+    # since this implementation requires shell/filesystem access to the
+    # OpenID server to authenticate, we can say we're at the highest
+    # auth level possible...
+    paperesp.add_policy_uri(OpenID::PAPE::AUTH_MULTI_FACTOR_PHYSICAL)
+    paperesp.auth_time = Time.now.utc.strftime('%Y-%m-%dT%H:%M:%SZ')
+    paperesp.nist_auth_level = 4
+    oidresp.add_extension(paperesp)
+  end
+
+  def err(msg)
+    env['rack.errors'].write("#{msg}\n")
+    false
+  end
+
+  def finalize_response(oidresp)
+    server.signatory.sign(oidresp) if oidresp.needs_signing
+    web_response = server.encode_response(oidresp)
+
+    case web_response.code
+    when HTTP_OK
+      web_response.body
+    when HTTP_REDIRECT
+      location = web_response.headers['location']
+      err("redirecting to: #{location} ...")
+      redirect(location)
+    else
+      halt(500, web_response.body)
+    end
+  end
+
+  # the heart of our custom authentication logic
+  def is_authorized?(oidreq)
+    (config['allowed_ips'] ||= []).include?(request.ip) or
+      return err("Not allowed: #{request.ip}\n" \
+                 "You need to put this IP in the 'allowed_ips' array "\
+                 "in:\n #@@dir/config.yml")
+
+    request.ip == session[:ip] or
+      return err("session IP mismatch: " \
+                 "#{request.ip.inspect} != #{session[:ip].inspect}")
+
+    trust_root = oidreq.trust_root
+    per_site = config[trust_root] or
+      return err("trust_root unknown: #{trust_root}")
+
+    session_id = session[:id] or return err("no session ID")
+
+    assoc_handle = per_site['assoc_handle'] # this may be nil
+    expires = per_site['expires'] or
+      return err("no expires (trust_root=#{trust_root})")
+
+    assoc_handle == oidreq.assoc_handle or
+      return err("assoc_handle mismatch: " \
+                 "#{assoc_handle.inspect} != #{oidreq.assoc_handle.inspect}" \
+                 " (trust_root=#{trust_root})")
+
+    per_site['session_id'] == session_id or
+      return err("session ID mismatch: " \
+                 "#{per_site['session_id'].inspect} != #{session_id.inspect}" \
+                 " (trust_root=#{trust_root})")
+
+    expires > Time.now or
+      return err("Expired: #{expires.inspect} (trust_root=#{trust_root})")
+
+    true
+  end
+
+  def config
+    @config ||= begin
+      YAML.load(File.read("#@@dir/config.yml"))
+    rescue Errno::ENOENT
+      {}
+    end
+  end
+
+  def merge_config(oidreq)
+    per_site = config[oidreq.trust_root] ||= {}
+    per_site.merge!({
+        'assoc_handle' => oidreq.assoc_handle,
+        'expires' => Time.at(0).utc,
+        'updated' => Time.now.utc,
+        'expires1m' => Time.now.utc + 60, # easy edit to "expires" in $EDITOR
+        'session_id' => session[:id],
+      })
+  end
+
+  def write_config
+    path = "#@@dir/config.yml"
+    tmp = Tempfile.new('config.yml', File.dirname(path))
+    tmp.syswrite(CONFIG_HEADER.gsub(/^/m, "# "))
+    tmp.syswrite(config.to_yaml)
+    tmp.syswrite(CONFIG_TRAILER.gsub(/^/m, "# "))
+    tmp.fsync
+    File.rename(tmp.path, path)
+    tmp.close!
+  end
+
+  # this output is designed to be parsed by OpenID consumers
+  def render_xrds(force = false)
+    if force || request.accept.include?('application/xrds+xml')
+
+      # this seems to work...
+      types = request.accept.include?('application/xrds+xml') ?
+         [ OpenID::OPENID_2_0_TYPE,
+           OpenID::OPENID_1_0_TYPE,
+           OpenID::SREG_URI ] :
+         [ OpenID::OPENID_IDP_2_0_TYPE ]
+
+      headers['Content-Type'] = 'application/xrds+xml'
+      types = types.map { |uri| "<Type>#{uri}</Type>" }.join("\n")
+      XRDS_XML.gsub(/%s/, server_root).gsub!(/%types/, types)
+    else # render a browser-friendly page with an XRDS pointer
+      headers['X-XRDS-Location'] = "#{server_root}xrds"
+      XRDS_HTML.gsub(/%s/, server_root)
+    end
+  end
+
+  # if a single-user OpenID provider like us is being hit by multiple
+  # clients at once, then something is seriously wrong.  Can't use
+  # Mutexes here since somebody could be running this as a CGI script
+  def big_lock(&block)
+    lock = "#@@dir/lock"
+    File.open(lock, File::WRONLY|File::CREAT|File::EXCL, 0600) do |fp|
+      begin
+        yield
+      ensure
+        File.unlink(lock)
+      end
+    end
+    rescue Errno::EEXIST
+      err("Lock: #{lock} exists! Possible hijacking attempt") rescue nil
+  end
+end
+#:startdoc:

data/local-openid.gemspec

@@ -0,0 +1,34 @@
+ENV["VERSION"] or abort "VERSION= must be specified"
+manifest = File.readlines('.manifest').map! { |x| x.chomp! }
+
+Gem::Specification.new do |s|
+  s.name = %q{local-openid}
+  s.version = ENV["VERSION"]
+
+  s.authors = ["Eric Wong"]
+  s.date = Time.now.utc.strftime('%Y-%m-%d')
+  s.description = File.read("README").split(/\n\n/)[1]
+  s.email = %q{local-openid@librelist.com}
+  s.executables = %w(local-openid)
+
+  s.extra_rdoc_files = File.readlines('.document').map! do |x|
+    x.chomp!
+    if File.directory?(x)
+      manifest.grep(%r{\A#{x}/})
+    elsif File.file?(x)
+      x
+    else
+      nil
+    end
+  end.flatten.compact
+
+  s.files = manifest
+  s.homepage = %q{http://bogomips.org/local-openid/}
+  s.summary = %q{Single User, Ephemeral OpenID Provider}
+  s.rdoc_options = [ "-a", "-t", "local-openid - #{s.summary}" ]
+  s.require_paths = %w(lib)
+  s.rubyforge_project = %q{qrp}
+  s.add_dependency(%q<sinatra>, ["~> 1.0.0"])
+  s.add_dependency(%q<ruby-openid>, ["~> 2.1.7"])
+  # s.licenses = %w(AGPLv3) # accessor not compatible with older RubyGems
+end

metadata

@@ -1,7 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: local-openid
 version: !ruby/object:Gem::Version 
-  version: 0.1.1
+  hash: 23
+  prerelease: false
+  segments: 
+  - 0
+  - 2
+  - 0
+  version: 0.2.0
 platform: ruby
 authors: 
 - Eric Wong
@@ -9,78 +15,107 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-04-06 00:00:00 -07:00
+date: 2010-06-26 00:00:00 +00:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: sinatra
-  type: :runtime
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version 
-        version: "0.9"
-    version: 
+        hash: 23
+        segments: 
+        - 1
+        - 0
+        - 0
+        version: 1.0.0
+  type: :runtime
+  version_requirements: *id001
 - !ruby/object:Gem::Dependency 
-  name: hoe
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  name: ruby-openid
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version 
-        version: 1.11.0
-    version: 
-description: local-openid allows users with shell accounts on servers to authenticate with OpenID consumers by editing a YAML file in their home directory instead of authenticating through HTTP/HTTPS.  1. Encounter a login page that accepts OpenID (the consumer) 2. Login into your own server (if you're not already logged in) 3. Start the local-openid app on your server 4. Login using your OpenID (on the consumer) - you should be redirected to your local-openid application 5. edit ~/.local-openid/config.yml on your server to approve the consumer 6. Reload the local-openid page your browser was on. - you should be logged in to the OpenID consumer site - If not, check the error log (usually stderr) of local-openid 8. Shut down the local-openid application.
-email: 
-- normalperson@yhbt.net
+        hash: 5
+        segments: 
+        - 2
+        - 1
+        - 7
+        version: 2.1.7
+  type: :runtime
+  version_requirements: *id002
+description: |-
+  local-openid allows users with shell accounts on servers to authenticate
+  with OpenID consumers by editing a YAML file in their home directory
+  instead of authenticating through HTTP/HTTPS.
+email: local-openid@librelist.com
 executables: 
 - local-openid
 extensions: []
 
 extra_rdoc_files: 
-- History.txt
-- LICENSE.txt
-- Manifest.txt
-- README.txt
+- NEWS
+- LICENSE
+- ChangeLog
+- README
 files: 
 - .document
 - .gitignore
+- .manifest
+- COPYING
+- ChangeLog
+- GIT-VERSION-FILE
+- GIT-VERSION-GEN
 - GNUmakefile
-- History.txt
-- LICENSE.txt
-- Manifest.txt
-- README.txt
+- LICENSE
+- NEWS
+- README
 - Rakefile
 - bin/local-openid
+- lib/local_openid.rb
+- local-openid.gemspec
 - setup.rb
 has_rdoc: true
-homepage: http://bogomips.org/local-openid
+homepage: http://bogomips.org/local-openid/
+licenses: []
+
 post_install_message: 
 rdoc_options: 
-- --main
-- README.txt
+- -a
+- -t
+- local-openid - Single User, Ephemeral OpenID Provider
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 requirements: []
 
 rubyforge_project: qrp
-rubygems_version: 1.3.1
+rubygems_version: 1.3.7
 signing_key: 
-specification_version: 2
+specification_version: 3
 summary: Single User, Ephemeral OpenID Provider
 test_files: []
 

data/History.txt

@@ -1,7 +0,0 @@
-=== 0.1.1 / 2009-04-06
-
-* add Sinatra dependency
-
-=== 0.1.0 / 2009-04-04
-
-* initial

data/Manifest.txt

@@ -1,10 +0,0 @@
-.document
-.gitignore
-GNUmakefile
-History.txt
-LICENSE.txt
-Manifest.txt
-README.txt
-Rakefile
-bin/local-openid
-setup.rb