nov-rack-openid 1.2.1

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Joshua Peek
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,70 @@
+= Rack::OpenID
+
+Provides a more HTTPish API around the ruby-openid library.
+
+=== Usage
+
+You trigger an OpenID request similar to HTTP authentication. From your app, return a "401 Unauthorized" and a "WWW-Authenticate" header with the identifier you would like to validate.
+
+On competition, the OpenID response is automatically verified and assigned to
+<tt>env["rack.openid.response"]</tt>.
+
+=== Rack Example
+
+  MyApp = lambda { |env|
+    if resp = env["rack.openid.response"]
+      case resp.status
+      when :success
+        ...
+      when :failure
+        ...
+    else
+      [401, {"WWW-Authenticate" => 'OpenID identifier="http://example.com/"'}, []]
+    end
+  }
+
+  use Rack::OpenID
+  run MyApp
+
+=== Sinatra Example
+
+  # Session needs to be before Rack::OpenID
+  use Rack::Session::Cookie
+
+  require 'rack/openid'
+  use Rack::OpenID
+
+  get '/login' do
+    erb :login
+  end
+
+  post '/login' do
+    if resp = request.env["rack.openid.response"]
+      if resp.status == :success
+        "Welcome: #{resp.display_identifier}"
+      else
+        "Error: #{resp.status}"
+      end
+    else
+      headers 'WWW-Authenticate' => Rack::OpenID.build_header(
+        :identifier => params["openid_identifier"]
+      )
+      throw :halt, [401, 'got openid?']
+    end
+  end
+
+  use_in_file_templates!
+
+  __END__
+
+  @@ login
+  <form action="/login" method="post">
+    <p>
+      <label for="openid_identifier">OpenID:</label>
+      <input id="openid_identifier" name="openid_identifier" type="text" />
+    </p>
+
+    <p>
+      <input name="commit" type="submit" value="Sign in" />
+    </p>
+  </form>

data/Rakefile

@@ -0,0 +1,65 @@
+require 'rake/testtask'
+
+task :default => :test
+
+Rake::TestTask.new do |t|
+  t.warning = true
+end
+
+begin
+  require 'jeweler'
+
+  class Jeweler
+    module Commands
+      class ReleaseGemspec
+        def run
+          unless clean_staging_area?
+            system "git status"
+            raise "Unclean staging area! Be sure to commit or .gitignore everything first. See `git status` above."
+          end
+          repo.checkout('releasable')
+          regenerate_gemspec!
+          commit_gemspec! if gemspec_changed?
+          output.puts "Pushing releasable to origin"
+          repo.push
+        end
+      end
+    end
+  end
+
+  class Jeweler
+    module Commands
+      class ReleaseToGit
+        def run
+          unless clean_staging_area?
+            system "git status"
+            raise "Unclean staging area! Be sure to commit or .gitignore everything first. See `git status` above."
+          end
+          repo.checkout('releasable')
+          repo.push
+          if release_not_tagged?
+            output.puts "Tagging #{release_tag}"
+            repo.add_tag(release_tag)
+            output.puts "Pushing #{release_tag} to origin"
+            repo.push('origin', release_tag)
+          end
+        end
+      end
+    end
+  end
+
+  Jeweler::Tasks.new do |gem|
+    gem.name = 'nov-rack-openid'
+    gem.summary = %Q{Provides a more HTTPish API around the ruby-openid library}
+    gem.description = %Q{Provides a more HTTPish API around the ruby-openid library}
+    gem.email = 'nov@matake.jp'
+    gem.homepage = 'http://github.com/nov/rack-openid'
+    gem.authors = ['nov matake']
+    gem.add_dependency 'rack', '>= 1.1'
+    gem.add_dependency 'nov-ruby-openid', '>= 2.1.9'
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts 'Jeweler not available. Install it with: gem install jeweler'
+end

data/VERSION

@@ -0,0 +1 @@
+1.2.1

data/deps.rip

@@ -0,0 +1,2 @@
+rack >=1.1.0
+ruby-openid >=2.1.8

data/dev-deps.rip

@@ -0,0 +1 @@
+git://github.com/roman/rots.git

data/lib/rack/openid.rb

@@ -0,0 +1,283 @@
+require 'rack/request'
+require 'rack/utils'
+
+require 'openid'
+require 'openid/consumer'
+require 'openid/extensions/sreg'
+require 'openid/extensions/ax'
+require 'openid/extensions/oauth'
+require 'openid/extensions/ui'
+
+module Rack #:nodoc:
+  # A Rack middleware that provides a more HTTPish API around the
+  # ruby-openid library.
+  #
+  # You trigger an OpenID request similar to HTTP authentication.
+  # From your app, return a "401 Unauthorized" and a "WWW-Authenticate"
+  # header with the identifier you would like to validate.
+  #
+  # On competition, the OpenID response is automatically verified and
+  # assigned to <tt>env["rack.openid.response"]</tt>.
+  class OpenID
+    # Helper method for building the "WWW-Authenticate" header value.
+    #
+    #   Rack::OpenID.build_header(:identifier => "http://josh.openid.com/")
+    #     #=> OpenID identifier="http://josh.openid.com/"
+    def self.build_header(params = {})
+      'OpenID ' + params.map { |key, value|
+        if value.is_a?(Array)
+          "#{key}=\"#{value.join(',')}\""
+        else
+          "#{key}=\"#{value}\""
+        end
+      }.join(', ')
+    end
+
+    # Helper method for parsing "WWW-Authenticate" header values into
+    # a hash.
+    #
+    #   Rack::OpenID.parse_header("OpenID identifier='http://josh.openid.com/'")
+    #     #=> {:identifier => "http://josh.openid.com/"}
+    def self.parse_header(str)
+      params = {}
+      if str =~ AUTHENTICATE_REGEXP
+        str = str.gsub(/#{AUTHENTICATE_REGEXP}\s+/, '')
+        str.split(', ').each { |pair|
+          key, *value = pair.split('=')
+          value = value.join('=')
+          value.gsub!(/^\"/, '').gsub!(/\"$/, "")
+          value = value.split(',')
+          params[key] = value.length > 1 ? value : value.first
+        }
+      end
+      params
+    end
+
+    class TimeoutResponse #:nodoc:
+      include ::OpenID::Consumer::Response
+      STATUS = :failure
+    end
+
+    class MissingResponse #:nodoc:
+      include ::OpenID::Consumer::Response
+      STATUS = :missing
+    end
+
+    # :stopdoc:
+
+    HTTP_METHODS = %w(GET HEAD PUT POST DELETE OPTIONS)
+
+    RESPONSE = "rack.openid.response"
+    AUTHENTICATE_HEADER = "WWW-Authenticate"
+    AUTHENTICATE_REGEXP = /^OpenID/
+
+    URL_FIELD_SELECTOR = lambda { |field| field.to_s =~ %r{^https?://} }
+
+    # :startdoc:
+
+    # Initialize middleware with application and optional OpenID::Store.
+    # If no store is given, OpenID::Store::Memory is used.
+    #
+    #   use Rack::OpenID
+    #
+    # or
+    #
+    #   use Rack::OpenID, OpenID::Store::Memcache.new
+    def initialize(app, store = nil)
+      @app = app
+      @store = store || default_store
+    end
+
+    # Standard Rack +call+ dispatch that accepts an +env+ and
+    # returns a <tt>[status, header, body]</tt> response.
+    def call(env)
+      req = Rack::Request.new(env)
+      if req.params["openid.mode"]
+        complete_authentication(env)
+      end
+
+      status, headers, body = @app.call(env)
+
+      qs = headers[AUTHENTICATE_HEADER]
+      if status.to_i == 401 && qs && qs.match(AUTHENTICATE_REGEXP)
+        begin_authentication(env, qs)
+      else
+        [status, headers, body]
+      end
+    end
+
+    private
+      def begin_authentication(env, qs)
+        req = Rack::Request.new(env)
+        params = self.class.parse_header(qs)
+        session = env["rack.session"]
+
+        unless session
+          raise RuntimeError, "Rack::OpenID requires a session"
+        end
+
+        consumer = ::OpenID::Consumer.new(session, @store)
+        identifier = params['identifier'] || params['identity']
+
+        begin
+          oidreq = consumer.begin(identifier)
+          add_simple_registration_fields(oidreq, params)
+          add_attribute_exchange_fields(oidreq, params)
+          add_oauth_fields(oidreq, params)
+          add_ui_fields(oidreq, params)
+          url = open_id_redirect_url(req, oidreq, params["trust_root"], params["return_to"], params["method"])
+          return redirect_to(url)
+        rescue ::OpenID::OpenIDError, Timeout::Error => e
+          env[RESPONSE] = MissingResponse.new
+          return @app.call(env)
+        end
+      end
+
+      def complete_authentication(env)
+        req = Rack::Request.new(env)
+        session = env["rack.session"]
+
+        unless session
+          raise RuntimeError, "Rack::OpenID requires a session"
+        end
+
+        oidresp = timeout_protection_from_identity_server {
+          consumer = ::OpenID::Consumer.new(session, @store)
+          consumer.complete(flatten_params(req.params), req.url)
+        }
+
+        env[RESPONSE] = oidresp
+
+        method = req.GET["_method"]
+        override_request_method(env, method)
+
+        sanitize_query_string(env)
+      end
+
+      def flatten_params(params)
+        Rack::Utils.parse_query(Rack::Utils.build_nested_query(params))
+      end
+
+      def override_request_method(env, method)
+        return unless method
+        method = method.upcase
+        if HTTP_METHODS.include?(method)
+          env["REQUEST_METHOD"] = method
+        end
+      end
+
+      def sanitize_query_string(env)
+        query_hash = env["rack.request.query_hash"]
+        query_hash.delete("_method")
+        query_hash.delete_if do |key, value|
+          key =~ /^openid\./
+        end
+
+        env["QUERY_STRING"] = env["rack.request.query_string"] =
+          Rack::Utils.build_query(env["rack.request.query_hash"])
+
+        qs = env["QUERY_STRING"]
+        request_uri = (env["PATH_INFO"] || "").dup
+        request_uri << "?" + qs unless qs == ""
+        env["REQUEST_URI"] = request_uri
+      end
+
+      def realm_url(req)
+        url = req.scheme + "://"
+        url << req.host
+
+        scheme, port = req.scheme, req.port
+        if scheme == "https" && port != 443 ||
+            scheme == "http" && port != 80
+          url << ":#{port}"
+        end
+
+        url
+      end
+
+      def request_url(req)
+        url = realm_url(req)
+        url << req.script_name
+        url << req.path_info
+        url
+      end
+
+      def redirect_to(url)
+        [303, {"Content-Type" => "text/html", "Location" => url}, []]
+      end
+
+      def open_id_redirect_url(req, oidreq, trust_root = nil, return_to = nil, method = nil)
+        request_url = request_url(req)
+
+        if return_to
+          method ||= "get"
+        else
+          return_to = request_url
+          method ||= req.request_method
+        end
+
+        method = method.to_s.downcase
+        oidreq.return_to_args['_method'] = method unless method == "get"
+        oidreq.redirect_url(trust_root || realm_url(req), return_to || request_url)
+      end
+
+      def add_simple_registration_fields(oidreq, fields)
+        sregreq = ::OpenID::SReg::Request.new
+
+        required = Array(fields['required']).reject(&URL_FIELD_SELECTOR)
+        sregreq.request_fields(required, true) if required.any?
+
+        optional = Array(fields['optional']).reject(&URL_FIELD_SELECTOR)
+        sregreq.request_fields(optional, false) if optional.any?
+
+        policy_url = fields['policy_url']
+        sregreq.policy_url = policy_url if policy_url
+
+        oidreq.add_extension(sregreq)
+      end
+
+      def add_attribute_exchange_fields(oidreq, fields)
+        axreq = ::OpenID::AX::FetchRequest.new
+
+        required = Array(fields['required']).select(&URL_FIELD_SELECTOR)
+        optional = Array(fields['optional']).select(&URL_FIELD_SELECTOR)
+
+        if required.any? || optional.any?
+          required.each do |field|
+            axreq.add(::OpenID::AX::AttrInfo.new(field, nil, true))
+          end
+
+          optional.each do |field|
+            axreq.add(::OpenID::AX::AttrInfo.new(field, nil, false))
+          end
+
+          oidreq.add_extension(axreq)
+        end
+      end
+
+      def add_oauth_fields(oidreq, fields)
+        if fields['oauth[consumer]']
+          oauthreq = ::OpenID::OAuth::Request.new(fields['oauth[consumer]'], Array(fields['oauth[scope]']).join(' '))
+          oidreq.add_extension(oauthreq)
+        end
+      end
+
+      def add_ui_fields(oidreq, fields)
+        if fields['ui[mode]'] || fields['ui[icon]'] || fields['ui[lang]']
+          uireq = ::OpenID::UI::Request.new(fields['ui[mode]'], fields['ui[icon]'], fields['ui[lang]'])
+          oidreq.add_extension(uireq)
+        end
+      end
+
+      def default_store
+        require 'openid/store/memory'
+        ::OpenID::Store::Memory.new
+      end
+
+      def timeout_protection_from_identity_server
+        yield
+      rescue Timeout::Error
+        TimeoutResponse.new
+      end
+  end
+end

data/lib/rack/openid/simple_auth.rb

@@ -0,0 +1,77 @@
+require 'rack/openid'
+require 'rack/request'
+
+module Rack #:nodoc:
+  class OpenID
+    # A simple OpenID middleware that restricts access to
+    # a single identifier.
+    #
+    #   use Rack::OpenID::SimpleAuth, "http://example.org"
+    #
+    # SimpleAuth will automatically insert the required Rack::OpenID
+    # middleware, so <tt>use Rack::OpenID</tt> is unnecessary.
+    class SimpleAuth
+      def self.new(*args)
+        Rack::OpenID.new(super)
+      end
+
+      attr_reader :app, :identifier
+
+      def initialize(app, identifier)
+        @app        = app
+        @identifier = identifier
+      end
+
+      def call(env)
+        if session_authenticated?(env)
+          app.call(env)
+        elsif successful_response?(env)
+          authenticate_session(env)
+          redirect_to requested_url(env)
+        else
+          authentication_request
+        end
+      end
+
+      private
+        def session(env)
+          env['rack.session'] || raise_session_error
+        end
+
+        def raise_session_error
+          raise RuntimeError, 'Rack::OpenID::SimpleAuth requires a session'
+        end
+
+        def session_authenticated?(env)
+          session(env)['authenticated'] == true
+        end
+
+        def authenticate_session(env)
+          session(env)['authenticated'] = true
+        end
+
+        def successful_response?(env)
+          if resp = env[OpenID::RESPONSE]
+            resp.status == :success && resp.display_identifier == identifier
+          end
+        end
+
+        def requested_url(env)
+          req = Rack::Request.new(env)
+          req.url
+        end
+
+        def redirect_to(url)
+          [303, {'Content-Type' => 'text/html', 'Location' => url}, []]
+        end
+
+        def authentication_request
+          [401, { OpenID::AUTHENTICATE_HEADER => www_authenticate_header }, []]
+        end
+
+        def www_authenticate_header
+          OpenID.build_header(:identifier => identifier)
+        end
+    end
+  end
+end

data/nov-rack-openid.gemspec

@@ -0,0 +1,54 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{nov-rack-openid}
+  s.version = "1.2.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["nov matake"]
+  s.date = %q{2011-01-18}
+  s.description = %q{Provides a more HTTPish API around the ruby-openid library}
+  s.email = %q{nov@matake.jp}
+  s.extra_rdoc_files = [
+    "LICENSE",
+    "README.rdoc"
+  ]
+  s.files = [
+    "LICENSE",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "deps.rip",
+    "dev-deps.rip",
+    "lib/rack/openid.rb",
+    "lib/rack/openid/simple_auth.rb",
+    "nov-rack-openid.gemspec",
+    "test/test_openid.rb"
+  ]
+  s.homepage = %q{http://github.com/nov/rack-openid}
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.4.1}
+  s.summary = %q{Provides a more HTTPish API around the ruby-openid library}
+  s.test_files = [
+    "test/test_openid.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<rack>, [">= 1.1"])
+      s.add_runtime_dependency(%q<nov-ruby-openid>, [">= 2.1.9"])
+    else
+      s.add_dependency(%q<rack>, [">= 1.1"])
+      s.add_dependency(%q<nov-ruby-openid>, [">= 2.1.9"])
+    end
+  else
+    s.add_dependency(%q<rack>, [">= 1.1"])
+    s.add_dependency(%q<nov-ruby-openid>, [">= 2.1.9"])
+  end
+end
+

data/test/test_openid.rb

@@ -0,0 +1,393 @@
+require 'test/unit'
+require 'net/http'
+
+require 'rack'
+require 'rack/openid'
+require 'rack/openid/simple_auth'
+
+log = Logger.new(STDOUT)
+log.level = Logger::WARN
+OpenID::Util.logger = log
+
+class MockFetcher
+  def initialize(app)
+    @app = app
+  end
+
+  def fetch(url, body = nil, headers = nil, limit = nil)
+    opts = (headers || {}).dup
+    opts[:input]  = body
+    opts[:method] = "POST" if body
+    env = Rack::MockRequest.env_for(url, opts)
+
+    status, headers, body = @app.call(env)
+
+    buf = []
+    buf << "HTTP/1.1 #{status} #{Rack::Utils::HTTP_STATUS_CODES[status]}"
+    headers.each { |header, value| buf << "#{header}: #{value}" }
+    buf << ""
+    body.each { |part| buf << part }
+
+    io = Net::BufferedIO.new(StringIO.new(buf.join("\n")))
+    res = Net::HTTPResponse.read_new(io)
+    res.reading_body(io, true) {}
+    OpenID::HTTPResponse._from_net_response(res, url)
+  end
+end
+
+RotsServerUrl = 'http://localhost:9292'
+
+RotsApp = Rack::Builder.new do
+  require 'rots'
+
+  config = {
+    'identity' => 'john.doe',
+    'sreg' => {
+      'nickname' => 'jdoe',
+      'fullname' => 'John Doe',
+      'email' => 'jhon@doe.com',
+      'dob' => Date.parse('1985-09-21'),
+      'gender' => 'M'
+    }
+  }
+
+  map("/%s" % config['identity']) do
+    run Rots::IdentityPageApp.new(config, {})
+  end
+
+  map '/server' do
+    run Rots::ServerApp.new(config, :storage => Dir.tmpdir)
+  end
+end
+
+OpenID.fetcher = MockFetcher.new(RotsApp)
+
+
+class TestHeader < Test::Unit::TestCase
+  def test_build_header
+    assert_equal 'OpenID identity="http://example.com/"',
+      Rack::OpenID.build_header(:identity => "http://example.com/")
+    assert_equal 'OpenID identity="http://example.com/?foo=bar"',
+      Rack::OpenID.build_header(:identity => "http://example.com/?foo=bar")
+
+    header = Rack::OpenID.build_header(:identity => "http://example.com/", :return_to => "http://example.org/")
+    assert_match(/OpenID /, header)
+    assert_match(/identity="http:\/\/example\.com\/"/, header)
+    assert_match(/return_to="http:\/\/example\.org\/"/, header)
+
+    header = Rack::OpenID.build_header(:identity => "http://example.com/", :required => ["nickname", "email"])
+    assert_match(/OpenID /, header)
+    assert_match(/identity="http:\/\/example\.com\/"/, header)
+    assert_match(/required="nickname,email"/, header)
+  end
+
+  def test_parse_header
+    assert_equal({"identity" => "http://example.com/"},
+      Rack::OpenID.parse_header('OpenID identity="http://example.com/"'))
+    assert_equal({"identity" => "http://example.com/?foo=bar"},
+      Rack::OpenID.parse_header('OpenID identity="http://example.com/?foo=bar"'))
+    assert_equal({"identity" => "http://example.com/", "return_to" => "http://example.org/"},
+      Rack::OpenID.parse_header('OpenID identity="http://example.com/", return_to="http://example.org/"'))
+    assert_equal({"identity" => "http://example.com/", "required" => ["nickname", "email"]},
+      Rack::OpenID.parse_header('OpenID identity="http://example.com/", required="nickname,email"'))
+
+    # ensure we don't break standard HTTP basic auth
+    assert_equal({},
+      Rack::OpenID.parse_header('Realm="Example"'))
+  end
+end
+
+module RackTestHelpers
+  private
+    def process(*args)
+      env = Rack::MockRequest.env_for(*args)
+      @response = Rack::MockResponse.new(*@app.call(env))
+    end
+
+    def follow_redirect!
+      assert @response
+      assert_equal 303, @response.status
+
+      env = Rack::MockRequest.env_for(@response.headers['Location'])
+      status, headers, body = RotsApp.call(env)
+
+      uri = URI(headers['Location'])
+      process("#{uri.path}?#{uri.query}")
+    end
+end
+
+class TestOpenID < Test::Unit::TestCase
+  include RackTestHelpers
+
+  def test_with_get
+    @app = app
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_deprecated_identity
+    @app = app
+    process('/', :method => 'GET', :identity => "#{RotsServerUrl}/john.doe?openid.success=true")
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_post_method
+    @app = app
+    process('/', :method => 'POST')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'POST', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_custom_return_to
+    @app = app(:return_to => 'http://example.org/complete')
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/complete', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_get_nested_params_custom_return_to
+    url = 'http://example.org/complete?user[remember_me]=true'
+    @app = app(:return_to => url)
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/complete', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+    assert_match(/remember_me/, @response.headers['X-Query-String'])
+  end
+
+  def test_with_post_nested_params_custom_return_to
+    url = 'http://example.org/complete?user[remember_me]=true'
+    @app = app(:return_to => url)
+    process('/', :method => 'POST')
+
+    assert_equal 303, @response.status
+    env = Rack::MockRequest.env_for(@response.headers['Location'])
+    status, headers, body = RotsApp.call(env)
+
+    uri, input = headers['Location'].split('?', 2)
+    process("http://example.org/complete?user[remember_me]=true", :method => 'POST', :input => input)
+
+    assert_equal 200, @response.status
+    assert_equal 'POST', @response.headers['X-Method']
+    assert_equal '/complete', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+    assert_match(/remember_me/, @response.headers['X-Query-String'])
+  end
+
+  def test_with_post_method_custom_return_to
+    @app = app(:return_to => 'http://example.org/complete')
+    process('/', :method => 'POST')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/complete', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_custom_return_method
+    @app = app(:method => 'put')
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'PUT', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_simple_registration_fields
+    @app = app(:required => ['nickname', 'email'], :optional => 'fullname')
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_attribute_exchange
+    @app = app(
+      :required => ['http://axschema.org/namePerson/friendly', 'http://axschema.org/contact/email'],
+      :optional => 'http://axschema.org/namePerson')
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_oauth
+    @app = app(
+      :'oauth[consumer]' => 'www.example.com',
+      :'oauth[scope]' => ['http://docs.google.com/feeds/', 'http://spreadsheets.google.com/feeds/']
+    )
+    process('/', :method => 'GET')
+
+    location = @response.headers['Location']
+    assert_match(/openid.oauth.consumer/, location)
+    assert_match(/openid.oauth.scope/, location)
+
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_ui_mode
+    @app = app(
+      :'ui[mode]' => 'popup'
+    )
+    process('/', :method => 'GET')
+
+    location = @response.headers['Location']
+    assert_match(/openid.ui.mode/, location)
+
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_ui_icon
+    @app = app(
+      :'ui[icon]' => true
+    )
+    process('/', :method => 'GET')
+
+    location = @response.headers['Location']
+    assert_match(/openid.ui.icon/, location)
+
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_ui_lang
+    @app = app(
+      :'ui[lang]' => 'ja-JP'
+    )
+    process('/', :method => 'GET')
+
+    location = @response.headers['Location']
+    assert_match(/openid.ui.lang/, location)
+
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'success', @response.body
+  end
+
+  def test_with_missing_id
+    @app = app(:identifier => "#{RotsServerUrl}/john.doe")
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 400, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'cancel', @response.body
+  end
+
+  def test_with_timeout
+    @app = app(:identifier => RotsServerUrl)
+    process('/', :method => "GET")
+    assert_equal 400, @response.status
+    assert_equal 'GET', @response.headers['X-Method']
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal 'missing', @response.body
+  end
+
+  def test_sanitize_query_string
+    @app = app
+    process('/', :method => 'GET')
+    follow_redirect!
+    assert_equal 200, @response.status
+    assert_equal '/', @response.headers['X-Path']
+    assert_equal '', @response.headers['X-Query-String']
+  end
+
+  def test_passthrough_standard_http_basic_auth
+    @app = app
+    process('/', :method => 'GET', "MOCK_HTTP_BASIC_AUTH" => '1')
+    assert_equal 401, @response.status
+  end
+
+  private
+    def app(options = {})
+      options[:identifier] ||= "#{RotsServerUrl}/john.doe?openid.success=true"
+
+      app = lambda { |env|
+        if resp = env[Rack::OpenID::RESPONSE]
+          headers = {
+            'X-Path' => env['PATH_INFO'],
+            'X-Method' => env['REQUEST_METHOD'],
+            'X-Query-String' => env['QUERY_STRING']
+          }
+          if resp.status == :success
+            [200, headers, [resp.status.to_s]]
+          else
+            [400, headers, [resp.status.to_s]]
+          end
+        elsif env["MOCK_HTTP_BASIC_AUTH"]
+          [401, {Rack::OpenID::AUTHENTICATE_HEADER => 'Realm="Example"'}, []]
+        else
+          [401, {Rack::OpenID::AUTHENTICATE_HEADER => Rack::OpenID.build_header(options)}, []]
+        end
+      }
+      Rack::Session::Pool.new(Rack::OpenID.new(app))
+    end
+end
+
+class TestSimpleAuth < Test::Unit::TestCase
+  include RackTestHelpers
+
+  def test_successful_login
+    @app = app "#{RotsServerUrl}/john.doe?openid.success=true"
+
+    process '/dashboard'
+    follow_redirect!
+
+    assert_equal 303, @response.status
+    assert_equal 'http://example.org/dashboard', @response.headers['Location']
+
+    cookie = @response.headers['Set-Cookie'].split(';').first
+    process '/dashboard', 'HTTP_COOKIE' => cookie
+    assert_equal 200, @response.status
+    assert_equal 'Hello', @response.body
+  end
+
+  def test_failed_login
+    @app = app "#{RotsServerUrl}/john.doe"
+
+    process '/dashboard'
+    follow_redirect!
+    assert_match RotsServerUrl, @response.headers['Location']
+  end
+
+  private
+    def app(identifier)
+      app = lambda { |env| [200, {'Content-Type' => 'text/html'}, ['Hello']] }
+      app = Rack::OpenID::SimpleAuth.new(app, identifier)
+      Rack::Session::Pool.new(app)
+    end
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification 
+name: nov-rack-openid
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 1
+  - 2
+  - 1
+  version: 1.2.1
+platform: ruby
+authors: 
+- nov matake
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-01-18 00:00:00 +09:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rack
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 13
+        segments: 
+        - 1
+        - 1
+        version: "1.1"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: nov-ruby-openid
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 2
+        - 1
+        - 9
+        version: 2.1.9
+  type: :runtime
+  version_requirements: *id002
+description: Provides a more HTTPish API around the ruby-openid library
+email: nov@matake.jp
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- deps.rip
+- dev-deps.rip
+- lib/rack/openid.rb
+- lib/rack/openid/simple_auth.rb
+- nov-rack-openid.gemspec
+- test/test_openid.rb
+has_rdoc: true
+homepage: http://github.com/nov/rack-openid
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.4.1
+signing_key: 
+specification_version: 3
+summary: Provides a more HTTPish API around the ruby-openid library
+test_files: 
+- test/test_openid.rb