nov-ruby-openid 2.1.9

data/lib/openid/consumer/checkid_request.rb

@@ -0,0 +1,186 @@
+require "openid/message"
+require "openid/util"
+
+module OpenID
+  class Consumer
+    # An object that holds the state necessary for generating an
+    # OpenID authentication request. This object holds the association
+    # with the server and the discovered information with which the
+    # request will be made.
+    #
+    # It is separate from the consumer because you may wish to add
+    # things to the request before sending it on its way to the
+    # server. It also has serialization options that let you encode
+    # the authentication request as a URL or as a form POST.
+    class CheckIDRequest
+      attr_accessor :return_to_args, :message
+      attr_reader :endpoint
+
+      # Users of this library should not create instances of this
+      # class.  Instances of this class are created by the library
+      # when needed.
+      def initialize(assoc, endpoint)
+        @assoc = assoc
+        @endpoint = endpoint
+        @return_to_args = {}
+        @message = Message.new(endpoint.preferred_namespace)
+        @anonymous = false
+      end
+
+      attr_reader :anonymous
+
+      # Set whether this request should be made anonymously. If a
+      # request is anonymous, the identifier will not be sent in the
+      # request. This is only useful if you are making another kind of
+      # request with an extension in this request.
+      #
+      # Anonymous requests are not allowed when the request is made
+      # with OpenID 1.
+      def anonymous=(is_anonymous)
+        if is_anonymous && @message.is_openid1
+          raise ArgumentError, ("OpenID1 requests MUST include the "\
+                                "identifier in the request")
+        end
+        @anonymous = is_anonymous
+      end
+
+      # Add an object that implements the extension interface for
+      # adding arguments to an OpenID message to this checkid request.
+      #
+      # extension_request: an OpenID::Extension object.
+      def add_extension(extension_request)
+        extension_request.to_message(@message)
+      end
+
+      # Add an extension argument to this OpenID authentication
+      # request. You probably want to use add_extension and the
+      # OpenID::Extension interface.
+      #
+      # Use caution when adding arguments, because they will be
+      # URL-escaped and appended to the redirect URL, which can easily
+      # get quite long.
+      def add_extension_arg(namespace, key, value)
+        @message.set_arg(namespace, key, value)
+      end
+
+      # Produce a OpenID::Message representing this request.
+      #
+      # Not specifying a return_to URL means that the user will not be
+      # returned to the site issuing the request upon its completion.
+      #
+      # If immediate mode is requested, the OpenID provider is to send
+      # back a response immediately, useful for behind-the-scenes
+      # authentication attempts.  Otherwise the OpenID provider may
+      # engage the user before providing a response.  This is the
+      # default case, as the user may need to provide credentials or
+      # approve the request before a positive response can be sent.
+      def get_message(realm, return_to=nil, immediate=false)
+        if !return_to.nil?
+          return_to = Util.append_args(return_to, @return_to_args)
+        elsif immediate
+          raise ArgumentError, ('"return_to" is mandatory when using '\
+                                '"checkid_immediate"')
+        elsif @message.is_openid1
+          raise ArgumentError, ('"return_to" is mandatory for OpenID 1 '\
+                                'requests')
+        elsif @return_to_args.empty?
+          raise ArgumentError, ('extra "return_to" arguments were specified, '\
+                                'but no return_to was specified')
+        end
+
+
+        message = @message.copy
+
+        mode = immediate ? 'checkid_immediate' : 'checkid_setup'
+        message.set_arg(OPENID_NS, 'mode', mode)
+
+        realm_key = message.is_openid1 ? 'trust_root' : 'realm'
+        message.set_arg(OPENID_NS, realm_key, realm)
+
+        if !return_to.nil?
+          message.set_arg(OPENID_NS, 'return_to', return_to)
+        end
+
+        if not @anonymous
+          if @endpoint.is_op_identifier
+            # This will never happen when we're in OpenID 1
+            # compatibility mode, as long as is_op_identifier()
+            # returns false whenever preferred_namespace returns
+            # OPENID1_NS.
+            claimed_id = request_identity = IDENTIFIER_SELECT
+          else
+            request_identity = @endpoint.get_local_id
+            claimed_id = @endpoint.claimed_id
+          end
+
+          # This is true for both OpenID 1 and 2
+          message.set_arg(OPENID_NS, 'identity', request_identity)
+
+          if message.is_openid2
+            message.set_arg(OPENID2_NS, 'claimed_id', claimed_id)
+          end
+        end
+
+        if @assoc
+          message.set_arg(OPENID_NS, 'assoc_handle', @assoc.handle)
+          assoc_log_msg = "with assocication #{@assoc.handle}"
+        else
+          assoc_log_msg = 'using stateless mode.'
+        end
+
+        Util.log("Generated #{mode} request to #{@endpoint.server_url} "\
+                 "#{assoc_log_msg}")
+        return message
+      end
+
+      # Returns a URL with an encoded OpenID request.
+      #
+      # The resulting URL is the OpenID provider's endpoint URL with
+      # parameters appended as query arguments.  You should redirect
+      # the user agent to this URL.
+      #
+      # OpenID 2.0 endpoints also accept POST requests, see
+      # 'send_redirect?' and 'form_markup'.
+      def redirect_url(realm, return_to=nil, immediate=false)
+        message = get_message(realm, return_to, immediate)
+        return message.to_url(@endpoint.server_url)
+      end
+
+      # Get html for a form to submit this request to the IDP.
+      #
+      # form_tag_attrs is a hash of attributes to be added to the form
+      # tag. 'accept-charset' and 'enctype' have defaults that can be
+      # overridden. If a value is supplied for 'action' or 'method',
+      # it will be replaced.
+      def form_markup(realm, return_to=nil, immediate=false,
+                      form_tag_attrs=nil)
+        message = get_message(realm, return_to, immediate)
+        return message.to_form_markup(@endpoint.server_url, form_tag_attrs)
+      end
+
+      # Get a complete HTML document that autosubmits the request to the IDP
+      # with javascript.  This method wraps form_markup - see that method's
+      # documentation for help with the parameters.
+      def html_markup(realm, return_to=nil, immediate=false,
+                      form_tag_attrs=nil)
+        Util.auto_submit_html(form_markup(realm, 
+                                          return_to, 
+                                          immediate, 
+                                          form_tag_attrs))
+      end
+
+      # Should this OpenID authentication request be sent as a HTTP
+      # redirect or as a POST (form submission)?
+      #
+      # This takes the same parameters as redirect_url or form_markup
+      def send_redirect?(realm, return_to=nil, immediate=false)
+        if @endpoint.compatibility_mode
+          return true
+        else
+          url = redirect_url(realm, return_to, immediate)
+          return url.length <= OPENID1_URL_LIMIT
+        end
+      end
+    end
+  end
+end

data/lib/openid/consumer/discovery.rb

@@ -0,0 +1,497 @@
+# Functions to discover OpenID endpoints from identifiers.
+
+require 'uri'
+require 'openid/util'
+require 'openid/fetchers'
+require 'openid/urinorm'
+require 'openid/message'
+require 'openid/yadis/discovery'
+require 'openid/yadis/xrds'
+require 'openid/yadis/xri'
+require 'openid/yadis/services'
+require 'openid/yadis/filters'
+require 'openid/consumer/html_parse'
+require 'openid/yadis/xrires'
+
+module OpenID
+
+  OPENID_1_0_NS = 'http://openid.net/xmlns/1.0'
+  OPENID_IDP_2_0_TYPE = 'http://specs.openid.net/auth/2.0/server'
+  OPENID_2_0_TYPE = 'http://specs.openid.net/auth/2.0/signon'
+  OPENID_1_1_TYPE = 'http://openid.net/signon/1.1'
+  OPENID_1_0_TYPE = 'http://openid.net/signon/1.0'
+
+  OPENID_1_0_MESSAGE_NS = OPENID1_NS
+  OPENID_2_0_MESSAGE_NS = OPENID2_NS
+
+  # Object representing an OpenID service endpoint.
+  class OpenIDServiceEndpoint
+
+    # OpenID service type URIs, listed in order of preference.  The
+    # ordering of this list affects yadis and XRI service discovery.
+    OPENID_TYPE_URIS = [
+        OPENID_IDP_2_0_TYPE,
+
+        OPENID_2_0_TYPE,
+        OPENID_1_1_TYPE,
+        OPENID_1_0_TYPE,
+        ]
+
+    # the verified identifier.
+    attr_accessor :claimed_id
+
+    # For XRI, the persistent identifier.
+    attr_accessor :canonical_id
+
+    attr_accessor :server_url, :type_uris, :local_id, :used_yadis
+
+    def initialize
+      @claimed_id = nil
+      @server_url = nil
+      @type_uris = []
+      @local_id = nil
+      @canonical_id = nil
+      @used_yadis = false # whether this came from an XRDS
+      @display_identifier = nil
+    end
+
+    def display_identifier
+      return @display_identifier if @display_identifier
+
+      return @claimed_id if @claimed_id.nil? 
+
+      begin
+        parsed_identifier = URI.parse(@claimed_id)
+      rescue URI::InvalidURIError
+        raise ProtocolError, "Claimed identifier #{claimed_id} is not a valid URI"
+      end
+
+      return @claimed_id if not parsed_identifier.fragment
+
+      disp = parsed_identifier
+      disp.fragment = nil
+
+      return disp.to_s
+    end
+
+    def display_identifier=(display_identifier)
+      @display_identifier = display_identifier
+    end
+
+    def uses_extension(extension_uri)
+      return @type_uris.member?(extension_uri)
+    end
+
+    def preferred_namespace
+      if (@type_uris.member?(OPENID_IDP_2_0_TYPE) or
+          @type_uris.member?(OPENID_2_0_TYPE))
+        return OPENID_2_0_MESSAGE_NS
+      else
+        return OPENID_1_0_MESSAGE_NS
+      end
+    end
+
+    def supports_type(type_uri)
+      # Does this endpoint support this type?
+      #
+      # I consider C{/server} endpoints to implicitly support C{/signon}.
+      (
+       @type_uris.member?(type_uri) or
+       (type_uri == OPENID_2_0_TYPE and is_op_identifier())
+       )
+    end
+
+    def compatibility_mode
+      return preferred_namespace() != OPENID_2_0_MESSAGE_NS
+    end
+
+    def is_op_identifier
+      return @type_uris.member?(OPENID_IDP_2_0_TYPE)
+    end
+
+    def parse_service(yadis_url, uri, type_uris, service_element)
+      # Set the state of this object based on the contents of the
+      # service element.
+      @type_uris = type_uris
+      @server_url = uri
+      @used_yadis = true
+
+      if !is_op_identifier()
+        # XXX: This has crappy implications for Service elements that
+        # contain both 'server' and 'signon' Types.  But that's a
+        # pathological configuration anyway, so I don't think I care.
+        @local_id = OpenID.find_op_local_identifier(service_element,
+                                                    @type_uris)
+        @claimed_id = yadis_url
+      end
+    end
+
+    def get_local_id
+      # Return the identifier that should be sent as the
+      # openid.identity parameter to the server.
+      if @local_id.nil? and @canonical_id.nil?
+        return @claimed_id
+      else
+        return (@local_id or @canonical_id)
+      end
+    end
+
+    def self.from_basic_service_endpoint(endpoint)
+      # Create a new instance of this class from the endpoint object
+      # passed in.
+      #
+      # @return: nil or OpenIDServiceEndpoint for this endpoint object"""
+
+      type_uris = endpoint.match_types(OPENID_TYPE_URIS)
+
+      # If any Type URIs match and there is an endpoint URI specified,
+      # then this is an OpenID endpoint
+      if (!type_uris.nil? and !type_uris.empty?) and !endpoint.uri.nil?
+        openid_endpoint = self.new
+        openid_endpoint.parse_service(
+                                      endpoint.yadis_url,
+                                      endpoint.uri,
+                                      endpoint.type_uris,
+                                      endpoint.service_element)
+      else
+        openid_endpoint = nil
+      end
+
+      return openid_endpoint
+    end
+
+    def self.from_html(uri, html)
+      # Parse the given document as HTML looking for an OpenID <link
+      # rel=...>
+      #
+      # @rtype: [OpenIDServiceEndpoint]
+
+      discovery_types = [
+                         [OPENID_2_0_TYPE, 'openid2.provider', 'openid2.local_id'],
+                         [OPENID_1_1_TYPE, 'openid.server', 'openid.delegate'],
+                        ]
+
+      link_attrs = OpenID.parse_link_attrs(html)
+      services = []
+      discovery_types.each { |type_uri, op_endpoint_rel, local_id_rel|
+
+        op_endpoint_url = OpenID.find_first_href(link_attrs, op_endpoint_rel)
+
+        if !op_endpoint_url
+          next
+        end
+
+        service = self.new
+        service.claimed_id = uri
+        service.local_id = OpenID.find_first_href(link_attrs, local_id_rel)
+        service.server_url = op_endpoint_url
+        service.type_uris = [type_uri]
+
+        services << service
+      }
+
+      return services
+    end
+
+    def self.from_xrds(uri, xrds)
+      # Parse the given document as XRDS looking for OpenID services.
+      #
+      # @rtype: [OpenIDServiceEndpoint]
+      #
+      # @raises L{XRDSError}: When the XRDS does not parse.
+      return Yadis::apply_filter(uri, xrds, self)
+    end
+
+    def self.from_discovery_result(discoveryResult)
+      # Create endpoints from a DiscoveryResult.
+      #
+      # @type discoveryResult: L{DiscoveryResult}
+      #
+      # @rtype: list of L{OpenIDServiceEndpoint}
+      #
+      # @raises L{XRDSError}: When the XRDS does not parse.
+      if discoveryResult.is_xrds()
+        meth = self.method('from_xrds')
+      else
+        meth = self.method('from_html')
+      end
+
+      return meth.call(discoveryResult.normalized_uri,
+                       discoveryResult.response_text)
+    end
+
+    def self.from_op_endpoint_url(op_endpoint_url)
+      # Construct an OP-Identifier OpenIDServiceEndpoint object for
+      # a given OP Endpoint URL
+      #
+      # @param op_endpoint_url: The URL of the endpoint
+      # @rtype: OpenIDServiceEndpoint
+      service = self.new
+      service.server_url = op_endpoint_url
+      service.type_uris = [OPENID_IDP_2_0_TYPE]
+      return service
+    end
+
+    def to_s
+      return sprintf("<%s server_url=%s claimed_id=%s " +
+                     "local_id=%s canonical_id=%s used_yadis=%s>",
+                     self.class, @server_url, @claimed_id,
+                     @local_id, @canonical_id, @used_yadis)
+    end
+  end
+
+  def self.find_op_local_identifier(service_element, type_uris)
+    # Find the OP-Local Identifier for this xrd:Service element.
+    #
+    # This considers openid:Delegate to be a synonym for xrd:LocalID
+    # if both OpenID 1.X and OpenID 2.0 types are present. If only
+    # OpenID 1.X is present, it returns the value of
+    # openid:Delegate. If only OpenID 2.0 is present, it returns the
+    # value of xrd:LocalID. If there is more than one LocalID tag and
+    # the values are different, it raises a DiscoveryFailure. This is
+    # also triggered when the xrd:LocalID and openid:Delegate tags are
+    # different.
+
+    # XXX: Test this function on its own!
+
+    # Build the list of tags that could contain the OP-Local
+    # Identifier
+    local_id_tags = []
+    if type_uris.member?(OPENID_1_1_TYPE) or
+        type_uris.member?(OPENID_1_0_TYPE)
+      # local_id_tags << Yadis::nsTag(OPENID_1_0_NS, 'openid', 'Delegate')
+      service_element.add_namespace('openid', OPENID_1_0_NS)
+      local_id_tags << "openid:Delegate"
+    end
+
+    if type_uris.member?(OPENID_2_0_TYPE)
+      # local_id_tags.append(Yadis::nsTag(XRD_NS_2_0, 'xrd', 'LocalID'))
+      service_element.add_namespace('xrd', Yadis::XRD_NS_2_0)
+      local_id_tags << "xrd:LocalID"
+    end
+
+    # Walk through all the matching tags and make sure that they all
+    # have the same value
+    local_id = nil
+    local_id_tags.each { |local_id_tag|
+      service_element.each_element(local_id_tag) { |local_id_element|
+        if local_id.nil?
+          local_id = local_id_element.text
+        elsif local_id != local_id_element.text
+          format = 'More than one %s tag found in one service element'
+          message = sprintf(format, local_id_tag)
+          raise DiscoveryFailure.new(message, nil)
+        end
+      }
+    }
+
+    return local_id
+  end
+
+  def self.normalize_xri(xri)
+    # Normalize an XRI, stripping its scheme if present
+    m = /^xri:\/\/(.*)/.match(xri)
+    xri = m[1] if m
+    return xri
+  end
+
+  def self.normalize_url(url)
+    # Normalize a URL, converting normalization failures to
+    # DiscoveryFailure
+    begin
+      normalized = URINorm.urinorm(url)
+    rescue URI::Error => why
+      raise DiscoveryFailure.new("Error normalizing #{url}: #{why.message}", nil)
+    else
+      defragged = URI::parse(normalized)
+      defragged.fragment = nil
+      return defragged.normalize.to_s
+    end
+  end
+
+  def self.best_matching_service(service, preferred_types)
+    # Return the index of the first matching type, or something higher
+    # if no type matches.
+    #
+    # This provides an ordering in which service elements that contain
+    # a type that comes earlier in the preferred types list come
+    # before service elements that come later. If a service element
+    # has more than one type, the most preferred one wins.
+    preferred_types.each_with_index { |value, index|
+      if service.type_uris.member?(value)
+        return index
+      end
+    }
+
+    return preferred_types.length
+  end
+
+  def self.arrange_by_type(service_list, preferred_types)
+    # Rearrange service_list in a new list so services are ordered by
+    # types listed in preferred_types.  Return the new list.
+
+    # Build a list with the service elements in tuples whose
+    # comparison will prefer the one with the best matching service
+    prio_services = []
+
+    service_list.each_with_index { |s, index|
+      prio_services << [best_matching_service(s, preferred_types), index, s]
+    }
+
+    prio_services.sort!
+
+    # Now that the services are sorted by priority, remove the sort
+    # keys from the list.
+    (0...prio_services.length).each { |i|
+      prio_services[i] = prio_services[i][2]
+    }
+
+    return prio_services
+  end
+
+  def self.get_op_or_user_services(openid_services)
+    # Extract OP Identifier services.  If none found, return the rest,
+    # sorted with most preferred first according to
+    # OpenIDServiceEndpoint.openid_type_uris.
+    #
+    # openid_services is a list of OpenIDServiceEndpoint objects.
+    #
+    # Returns a list of OpenIDServiceEndpoint objects.
+
+    op_services = arrange_by_type(openid_services, [OPENID_IDP_2_0_TYPE])
+
+    openid_services = arrange_by_type(openid_services,
+                                      OpenIDServiceEndpoint::OPENID_TYPE_URIS)
+
+    if !op_services.empty?
+      return op_services
+    else
+      return openid_services
+    end
+  end
+
+  def self.discover_yadis(uri)
+    # Discover OpenID services for a URI. Tries Yadis and falls back
+    # on old-style <link rel='...'> discovery if Yadis fails.
+    #
+    # @param uri: normalized identity URL
+    # @type uri: str
+    # 
+    # @return: (claimed_id, services)
+    # @rtype: (str, list(OpenIDServiceEndpoint))
+    #
+    # @raises DiscoveryFailure: when discovery fails.
+
+    # Might raise a yadis.discover.DiscoveryFailure if no document
+    # came back for that URI at all.  I don't think falling back to
+    # OpenID 1.0 discovery on the same URL will help, so don't bother
+    # to catch it.
+    response = Yadis.discover(uri)
+
+    yadis_url = response.normalized_uri
+    body = response.response_text
+
+    begin
+      openid_services = OpenIDServiceEndpoint.from_xrds(yadis_url, body)
+    rescue Yadis::XRDSError
+      # Does not parse as a Yadis XRDS file
+      openid_services = []
+    end
+
+    if openid_services.empty?
+      # Either not an XRDS or there are no OpenID services.
+
+      if response.is_xrds
+        # if we got the Yadis content-type or followed the Yadis
+        # header, re-fetch the document without following the Yadis
+        # header, with no Accept header.
+        return self.discover_no_yadis(uri)
+      end
+
+      # Try to parse the response as HTML.
+      # <link rel="...">
+      openid_services = OpenIDServiceEndpoint.from_html(yadis_url, body)
+    end
+
+    return [yadis_url, self.get_op_or_user_services(openid_services)]
+  end
+
+  def self.discover_xri(iname)
+    endpoints = []
+    iname = self.normalize_xri(iname)
+
+    begin
+      canonical_id, services = Yadis::XRI::ProxyResolver.new().query( iname )
+
+      if canonical_id.nil?
+        raise Yadis::XRDSError.new(sprintf('No CanonicalID found for XRI %s', iname))
+      end
+
+      flt = Yadis.make_filter(OpenIDServiceEndpoint)
+
+      services.each { |service_element|
+        endpoints += flt.get_service_endpoints(iname, service_element)
+      }
+    rescue Yadis::XRDSError => why
+      Util.log('xrds error on ' + iname + ': ' + why.to_s)
+    end
+
+    endpoints.each { |endpoint|
+      # Is there a way to pass this through the filter to the endpoint
+      # constructor instead of tacking it on after?
+      endpoint.canonical_id = canonical_id
+      endpoint.claimed_id = canonical_id
+      endpoint.display_identifier = iname
+    }
+
+    # FIXME: returned xri should probably be in some normal form
+    return [iname, self.get_op_or_user_services(endpoints)]
+  end
+
+  def self.discover_no_yadis(uri)
+    http_resp = OpenID.fetch(uri)
+    if http_resp.code != "200" and http_resp.code != "206"
+      raise DiscoveryFailure.new(
+        "HTTP Response status from identity URL host is not \"200\". "\
+        "Got status #{http_resp.code.inspect}", http_resp)
+    end
+
+    claimed_id = http_resp.final_url
+    openid_services = OpenIDServiceEndpoint.from_html(
+        claimed_id, http_resp.body)
+    return [claimed_id, openid_services]
+  end
+
+  def self.discover_uri(uri)
+    # Hack to work around URI parsing for URls with *no* scheme.
+    if uri.index("://").nil?
+      uri = 'http://' + uri
+    end
+
+    begin
+      parsed = URI::parse(uri)
+    rescue URI::InvalidURIError => why
+      raise DiscoveryFailure.new("URI is not valid: #{why.message}", nil)
+    end
+
+    if !parsed.scheme.nil? and !parsed.scheme.empty?
+      if !['http', 'https'].member?(parsed.scheme)
+        raise DiscoveryFailure.new(
+                "URI scheme #{parsed.scheme} is not HTTP or HTTPS", nil)
+      end
+    end
+
+    uri = self.normalize_url(uri)
+    claimed_id, openid_services = self.discover_yadis(uri)
+    claimed_id = self.normalize_url(claimed_id)
+    return [claimed_id, openid_services]
+  end
+
+  def self.discover(identifier)
+    if Yadis::XRI::identifier_scheme(identifier) == :xri
+      normalized_identifier, services = discover_xri(identifier)
+    else
+      return discover_uri(identifier)
+    end
+  end
+end