pasaporte 0.0.1 → 0.0.3

data/History.txt

@@ -1,2 +1,2 @@
-=== HEAD
-* Initial rollout
+=== 0.0.3 - 14.02.2009
+* Most glaring bugs fixed

data/Manifest.txt

@@ -3,10 +3,9 @@ Manifest.txt
 README.txt
 Rakefile
 TODO.txt
+bin/pasaporte-emit-app.rb
 bin/pasaporte-fcgi.rb
 lib/pasaporte.rb
-lib/pasaporte/.DS_Store
-lib/pasaporte/assets/.DS_Store
 lib/pasaporte/assets/bgbar.png
 lib/pasaporte/assets/lock.png
 lib/pasaporte/assets/mainbg_green.gif
@@ -20,22 +19,32 @@ lib/pasaporte/auth/remote_web_workplace.rb
 lib/pasaporte/auth/yaml_digest_table.rb
 lib/pasaporte/auth/yaml_table.rb
 lib/pasaporte/faster_openid.rb
+lib/pasaporte/hacks.rb
 lib/pasaporte/iso_countries.yml
 lib/pasaporte/julik_state.rb
+lib/pasaporte/lighttpd/cacert.pem
+lib/pasaporte/lighttpd/cert_localhost_combined.pem
+lib/pasaporte/lighttpd/sample-lighttpd-config.conf
 lib/pasaporte/markaby_ext.rb
+lib/pasaporte/models.rb
 lib/pasaporte/pasaporte_store.rb
 lib/pasaporte/timezones.yml
+lib/pasaporte/token_box.rb
 test/fixtures/pasaporte_approvals.yml
 test/fixtures/pasaporte_profiles.yml
 test/fixtures/pasaporte_throttles.yml
 test/helper.rb
 test/mosquito.rb
-test/test_throttle.rb
-test/testable_openid_fetcher.rb
 test/test_approval.rb
 test/test_auth_backends.rb
+test/test_edit_profile.rb
 test/test_openid.rb
 test/test_pasaporte.rb
 test/test_profile.rb
+test/test_public_signon.rb
 test/test_settings.rb
-test/test_throttle.rb
+test/test_signout.rb
+test/test_throttle.rb
+test/test_token_box.rb
+test/test_with_partial_ssl.rb
+test/testable_openid_fetcher.rb

data/README.txt

@@ -4,7 +4,7 @@ This is Pasaporte, a small identity server with a colored bar on top. It's in th
 of Crowd (but smaller). Will act as a mediator between OpenID and arbitary services where
 users are distinguished by their nickname (login), their password and a domain name.
 
-==The idea
+== The idea
 
 Pasaporte brings OpenID to the traditional simplicity of
 
@@ -15,29 +15,66 @@ that, when called, will return true or false. Yes, it's that simple. All the neg
 smorgasbord, profile editing, encryptodecryption and other electrabombastic niceties are
 going to be taken care of.
 
-Should the password become stale or should the authentication backend say that it no
+Here is an example of a simple auth procedure:
+
+  # Stick your super auth HERE. Should be a proc accepting login, pass and domain
+  Pasaporte::AUTH = lambda do | login, pass, domain |
+    allowd = {"joe" => "secret"}
+    return (allowd[login] && (allowd[login] == pass))
+  end
+
+Obviously you can let your auth procedure look up in ACLs and things like that if you
+really need it to.
+
+If the password becomes stale or should the authentication backend say that it no
 longer has the user in question the authorization tokens are immediately revoked, and any
 authorization requests will be denied.
 
-==Configuration
+== Using SSL
+
+It is recommended that you run pasaporte in full SSL mode. However,
+some OpenID consumers disallow OpenID providers with self-signed (i.e. free)
+SSL certificates. Pasaporte mitigates this by offering the "partial SSL" mode. When turned on,
+only the signon page (where the password is entered) and subsequent pages with which the user
+interacts will be protected with SSL encryption, while the public OpenID endpoint will NOT be
+SSL-enabled. Same is true for the server-server step of OpenID handshake.
+
+This will allow even stricter providers to use Pasaporte servers, but without passing the user login
+over the wire in clear text.
+
+When partial SSL is turned on, the profile page (OpenID identity) will forcibly be made
+unencrypted (will redirect to non-secure port).
+
+Partial SSL is disabled by default - to enable set PARTIAL_SSL to true.
+
+== Current issues
+
+As of now, we are not aware of sites that cannot consume OpenID from Pasaporte.
+There is currently no provision for verifying that the URL you are logging in from is the
+one Pasaporte manages.
+
+== Configuration
 
 The adventurous among us can override the defaults (Pasaporte constants) by placing a
 hash-formatted YAML file called "config.yml" in the pasaporte dir. And don't ask me what
 a "hash-formatted YAML file" is, because if you do you are not adventurous.
 
-==A word of warning
+Here the rundown of the config parameters:
 
-Considering the clear-text passwords issue, we strongly recommend running Pasaporte under
-SSL and under SSL only. But of course this might be prohibitive especially if you cannot
-be self-signed or don't have an extra IP at hand. When you run Pasaporte under HTTPS all
-URLs are going to be rewritten automatically to redirect and link to the HTTPS site.
+MAX_FAILED_LOGIN_ATTEMPTS - after how many login attempts the user will be trottled
+THROTTLE_FOR - Trottle length in seconds
+ALLOW_DELEGATION - if set to true, the user will be able to redirect his OpenID
+SESSION_LIFETIME - in seconds - how long does a session remain valid
+PARTIAL_SSL - see above
+HTTP_PORT - if partial SSL is used, the port on which the standard version runs
+SSL_PORT - if partial SSL is used, the port on which the secure version runs
 
-==Profiles
+== Profiles
 
 Pasaporte allows the user to have a simple passport page, where some info can be placed
-for people who follow the OpenID profile URL. Sharing the information  is entirelly optional.
+for people who follow the OpenID profile URL. Sharing the information is entirelly optional.
 
-==The all-id
+== The all-id
 
 The login that you use is ultimately the nickname that comes in the URL. For that reason
 no other login name can be entered in the form. However the user still can verify that
@@ -52,20 +89,20 @@ It's important to understand that a Profile record is a helper for metadata and
 something authoritative - it's the auth routine that takes the actual decision about the
 user's state.
 
-==Persistence
+== Persistence
 
 We store some data that the user might find useful to store and maybe display on his user
-page. No sites that the user authorizes are stored. No sessions of the exchange are kept
+page. No sessions of the exchange are kept
 except of the standard OpenID shared secrets (there are not linked to user records in any
 way).
 
-==SREG data sharing
+== SREG data sharing
 
 There is currently no provision for fetching SREG data (like email, date of birth and such)
 from the autorizing routine. We might consider this in the future, for now the user has to
 fill it in himself.
 
-==Sharding
+== Sharding
 
 The users in Pasaporte are segregated by the domain name of Pasaporte server. That is, if
 you have two domains pointed at +one+ Pasaporte, you will not have name clashes between

data/Rakefile

@@ -4,18 +4,11 @@ require 'hoe'
 require File.dirname(__FILE__) + '/lib/pasaporte'
 $KCODE = 'u'
 
-class KolkHoe < Hoe
-  def define_tasks
-    extra_deps.reject! {|e| e[0] == 'hoe' }
-    super
-  end
-end
-
 # Disable spurious warnings when running tests, ActiveMagic cannot stand -w
 Hoe::RUBY_FLAGS.replace ENV['RUBY_FLAGS'] || "-I#{%w(lib test).join(File::PATH_SEPARATOR)}" + 
   (Hoe::RUBY_DEBUG ? " #{RUBY_DEBUG}" : '')
 
-KolkHoe.new('Pasaporte', Pasaporte::VERSION) do |p|
+psp = Hoe.new('Pasaporte', Pasaporte::VERSION) do |p|
   p.name = "pasaporte"
   p.author = "Julik Tarkhanov"
   p.description = "An OpenID server with a colored bar on top"
@@ -25,9 +18,11 @@ KolkHoe.new('Pasaporte', Pasaporte::VERSION) do |p|
   p.rdoc_pattern = /README.txt|CHANGELOG.txt|lib/
   p.test_globs = 'test/test_*.rb'
   p.need_zip = true
-  p.extra_deps = ['activerecord', 'camping', ['ruby-openid', '>=2.1.0'], 'flexmock']
+  p.extra_deps = ['activerecord', ['camping' '>=1.5.180'], ['ruby-openid', '>=2.1.0'], 'flexmock']
 end
 
+psp.spec.rdoc_options << "--charset" << "utf-8"
+
 desc "Generate the proper list of country codes from the ISO list"
 task :build_country_list do
   ISO_LIST = 'http://www.iso.org/iso/iso3166_en_code_lists.txt'

data/bin/pasaporte-emit-app.rb

@@ -0,0 +1,5 @@
+#! /usr/bin/env ruby
+require 'rubygems'
+require 'pasaporte'
+require 'fileutils'
+FileUtils.cp_r(Pasaporte::PATH, Dir.getcwd + '/')

data/bin/pasaporte-fcgi.rb

@@ -1,4 +1,4 @@
-#!/usr/bin/env ruby
+#! /usr/bin/env ruby
 require 'rubygems'
 require 'camping'
 require 'camping/fastcgi'
@@ -12,6 +12,10 @@ Camping::Models::Base.establish_connection(
 Pasaporte.create
 Pasaporte::LOGGER = Logger.new(ENV['HOME'] + "/pasaporte.log")
 
+ENV.keys.grep(/^PASAPORTE_/).each do | envar |
+  Pasaporte.const_set(envar.gsub(/^PASAPORTE_/, ''), ENV[envar])
+end
+
 serv = Camping::FastCGI.new
 serv.mount('/', Pasaporte)
 serv.start

data/lib/pasaporte.rb

@@ -1,5 +1,5 @@
 require 'rubygems'
-gem 'ruby-openid', '>=2.1.0'
+gem 'ruby-openid', '>=2.1.0' # Not less!
 
 $: << File.dirname(__FILE__)
 
@@ -8,16 +8,24 @@ $: << File.dirname(__FILE__)
   camping/session
   openid
   openid/extensions/sreg
-  pasaporte/faster_openid
+).each {|r| require r }
+
+Camping.goes :Pasaporte
+
+%w( 
   pasaporte/julik_state
   pasaporte/markaby_ext
+  pasaporte/hacks
+  pasaporte/token_box
 ).each {|r| require r }
 
-Camping.goes :Pasaporte
 
+Markaby::Builder.set(:indent, 2)
 Markaby::Builder.set(:output_xml_instruction, false)
 
 module Pasaporte
+  VERSION = '0.0.3'
+  
   module Auth; end # Acts as a container for auth classes
   
   MAX_FAILED_LOGIN_ATTEMPTS = 3
@@ -25,8 +33,12 @@ module Pasaporte
   DEFAULT_COUNTRY = 'nl'
   DEFAULT_TZ = 'Europe/Amsterdam'
   ALLOW_DELEGATION = true
-  VERSION = '0.0.1'
-  SESSION_LIFETIME = 10.hours
+  
+  
+  SESSION_LIFETIME = 12.hours
+  PARTIAL_SSL = false
+  HTTP_PORT = 80
+  SSL_PORT = 443
   
   LOGGER = Logger.new(STDERR) #:nodoc:
   PATH = File.expand_path(__FILE__) #:nodoc:
@@ -82,18 +94,13 @@ module Pasaporte
     end
   end
   
-  module LoggerHijack
-    #def service(*the_rest)
-    #  _hijacked, OpenID::Util.logger = OpenID::Util.logger, LOGGER
-    #  returning(super(*the_rest)) { OpenID::Util.logger = _hijacked }
-    #end
-  end
-  
   # Or a semblance thereof
   module Secure
     class PleaseLogin < RuntimeError; end
     class Throttled < RuntimeError; end
     class FullStop < RuntimeError; end
+    class RedirectToSSL < RuntimeError; end
+    class RedirectToPlain < RuntimeError; end
     
     module CheckMethods
       def _redir_to_login_page!(persistables)
@@ -105,7 +112,7 @@ module Pasaporte
       end
       
       # Allow the user to log in. Suspend any variables passed in the session.
-      def require_login(persistables = {})
+      def require_login!(persistables = {})
         deny_throttled!
         raise "No nickname" unless @nickname
         _redir_to_login_page!(persistables) unless is_logged_in?
@@ -117,33 +124,66 @@ module Pasaporte
       def deny_throttled!
         raise Throttled if Models::Throttle.throttled?(env)
       end
-    
+      
+      # When partial SSL is enabled we use this method to redirect
+      def require_ssl!
+        raise RedirectToSSL if PARTIAL_SSL && !@env.HTTPS
+      end
+      
+      # When partial SSL is enabled we use this method to force a plain page
+      def require_plain!
+        raise RedirectToPlain if PARTIAL_SSL && @env.HTTPS
+      end
+      
+      def validate_token!
+       #from = URI.parse(@env.HTTP_REFERER).path
+       #LOGGER.debug "Validating form token"
+       #token_box.validate!(from, @input.tok)
+      end
+      
       def profile_by_nickname(n)
         ::Pasaporte::Models::Profile.find_or_create_by_nickname_and_domain_name(n, my_domain)
       end
     end
     
-    def expire_old_sessions!
-      day_zero = (Time.now - SESSION_LIFETIME).to_s(:db)
-      # JulikState.expire_old(SESSION_LIFETIME)
-      # Camping::Models::Session.delete_all("created_at < '%s'" % day_zero)
+    def token_box
+      @state.token_box ||= TokenBox.new
     end
     
     def service(*a)
       begin
-        expire_old_sessions!
         @ctr = self.class.to_s.split('::').pop
         super(*a)
       rescue FullStop
         return self
       rescue PleaseLogin
-        LOGGER.info "#{env['REMOTE_ADDR']} - Redirecting to signon #{@cookies.inspect}"
+        LOGGER.info "#{env['REMOTE_ADDR']} - Redirecting to signon"
         redirect R(Pasaporte::Controllers::Signon, @nickname)
         return self
       rescue Throttled
         LOGGER.info "#{env['REMOTE_ADDR']} - Throttled user tried again"
         redirect R(Pasaporte::Controllers::ThrottledPage)
         return self
+      rescue TokenBox::Invalid => i
+        LOGGER.warn "Form token has been compromised on #{@env.REQUEST_URI} - #{i}"
+        LOGGER.warn @state.token_box.inspect
+        redirect R(Pasaporte::Controllers::FormExpired)
+      rescue RedirectToSSL
+        LOGGER.info "Forcing redirect to SSL page"
+        the_uri = URI.parse(@env.REQUEST_URI)
+        the_uri.host = @env.SERVER_NAME
+        the_uri.scheme = 'https'
+        the_uri.port = SSL_PORT unless SSL_PORT.to_i == 443
+        redirect the_uri.to_s
+        return self
+      rescue RedirectToPlain
+        LOGGER.info "Forcing redirect to plain (non-SSL) page"
+        the_uri = URI.parse(@env.REQUEST_URI)
+        the_uri.host = @env.SERVER_NAME
+        the_uri.scheme = 'http'
+        the_uri.port = HTTP_PORT unless HTTP_PORT.to_i == 80
+        redirect the_uri.to_s
+        return self
       end
       self
     end
@@ -153,272 +193,19 @@ module Pasaporte
   module CookiePreservingRedirect
     def redirect(*args)
       @headers['Set-Cookie'] = @cookies.map { |k,v| "#{k}=#{C.escape(v)}; path=#{self/"/"}" if v != @k[k] } - [nil]
+      force_session_save!
       super(*args)
     end
   end
   
-  # The order here is important. Camping::Session has to come LAST (innermost)
+  # The order here is important. Camping::Session has to come LAST (outermost)
   # otherwise you risk losing the session if one of the services upstream
   # redirects.
-  [CampingFlash, CookiePreservingRedirect, Secure, JulikState, LoggerHijack].map{|m| include m }
-  
-  
-  module Models
-    MAX = :limit # Thank you rails core, it was MAX before
-    class CreatePasaporte < V 1.0
-      def self.up
-        create_table :pasaporte_profiles, :force => true do |t|
-          # http://openid.net/specs/openid-simple-registration-extension-1_0.html
-          t.column :nickname, :string, MAX => 20
-          t.column :email, :string, MAX => 70
-          t.column :fullname, :string, MAX => 50
-          t.column :dob, :date, :null => true
-          t.column :gender, :string, MAX => 1
-          t.column :postcode, :string, MAX => 10
-          t.column :country, :string, MAX => 2
-          t.column :language, :string, MAX => 5
-          t.column :timezone, :string, MAX => 50
-  
-          # And our extensions
-          # is the profile shared (visible to others)
-          t.column :shared, :boolean, :default => false
-  
-          # his bio
-          t.column :info, :text
-  
-          # when he last used Pasaporte
-          t.column :last_login, :datetime
-  
-          # the encryption part that we generate for every user, the other is the pass
-          # the total encryption key for private data will be stored in the session only when
-          # the user is logged in
-          t.column :secret_salt, :integer
-  
-          # Good servers delegate
-          t.column :openid_server, :string
-          t.column :openid_delegate, :string
-  
-          # We shard by domain
-          t.column :domain_name, :string, :null => false, :default => 'localhost'
-  
-          # Keep a close watch on those who
-          t.column :throttle_count, :integer, :default => 0
-          t.column :suspicious, :boolean, :default => false
-        end
-  
-        add_index(:pasaporte_profiles, [:nickname, :domain_name], :unique)
-  
-        create_table :pasaporte_settings do |t|
-          t.column :setting, :string
-          t.column :value, :binary
-        end
-  
-        create_table :pasaporte_associations do |t|
-          # server_url is blob, because URLs could be longer
-          # than db can handle as a string
-          t.column :server_url, :binary
-          t.column :handle,     :string
-          t.column :secret,     :binary
-          t.column :issued,     :integer
-          t.column :lifetime,   :integer
-          t.column :assoc_type, :string
-        end
-  
-        create_table :pasaporte_nonces do |t|
-          t.column :nonce,   :string
-          t.column :created, :integer
-        end
+  [CampingFlash, Secure, JulikState, CookiePreservingRedirect].map{|m| include m }
   
-        create_table :pasaporte_throttles do |t|
-          t.column :created_at, :datetime
-          t.column :client_fingerprint, :string, MAX => 40
-        end
-      end
   
-      def self.down
-        drop_table :pasaporte_profiles
-        drop_table :pasaporte_settings
-        drop_table :pasaporte_associations
-        drop_table :pasaporte_nonces
-        drop_table :pasaporte_throttles
-      end
-    end
-    class AddAprovals < V(1.1)
-      def self.up
-        create_table :pasaporte_approvals do | t |
-          t.column :profile_id, :integer, :null => false
-          t.column :trust_root, :string, :null => false
-        end
-        add_index(:pasaporte_approvals, [:profile_id, :trust_root], :unique)
-      end
-  
-      def self.down
-        drop_table :pasaporte_approvals
-      end
-    end
-    
-    class MigrateOpenidTables < V(1.2)
-      def self.up
-        drop_table :pasaporte_settings
-        drop_table :pasaporte_nonces
-        create_table :pasaporte_nonces, :force => true do |t|
-          t.column :server_url, :string, :null => false
-          t.column :timestamp, :integer, :null => false
-          t.column :salt, :string, :null => false
-        end
-      end
-      
-      def self.down
-        drop_table :pasaporte_nonces
-        create_table :pasaporte_nonces, :force => true do |t|
-          t.column "nonce", :string
-          t.column "created", :integer
-        end
-        
-        create_table :pasaporte_settings, :force => true do |t|
-          t.column "setting", :string
-          t.column "value", :binary
-        end
-      end
-    end
-    
-    class ShardOpenidTables < V(1.3)
-      def self.up
-        add_column :pasaporte_associations, :pasaporte_domain, :string, :null => false, :default => 'localhost'
-        add_column :pasaporte_nonces, :pasaporte_domain, :string, :null => false, :default => 'localhost'
-      end
-      
-      def self.down
-        remove_column :pasaporte_nonces, :pasaporte_domain
-        remove_column :pasaporte_associations, :pasaporte_domain
-      end
-    end
-  
-    # Minimal info we store about people. It's the container for the sreg data
-    # in the first place.
-    class Profile < Base
-      before_create { |p| p.secret_salt = rand(Time.now) }
-      before_save :validate_delegate_uris
-      validates_presence_of :nickname
-      validates_presence_of :domain_name
-      validates_uniqueness_of :nickname, :scope => :domain_name
-      attr_protected :domain_name, :nickname
-      has_many :approvals, :dependent => :delete_all
-  
-      any_url_present = lambda do |r| 
-        !r.openid_server.blank? || !r.openid_server.blank?
-      end
-      %w(openid_server openid_delegate).map do | c |
-        validates_presence_of c, :if => any_url_present
-      end
-      
-      # Convert the profile to sreg according to the spec (YYYY-MM-DD for dob and such)
-      def to_sreg_fields(fields_to_extract = nil)
-        fields_to_extract ||= %w( nickname email fullname dob gender postcode country language timezone )
-        fields_to_extract.inject({}) do | out, field |
-          v = self[field]
-          v.blank? ? out : (out[field.to_s] = v.to_s; out)
-        end
-      end
-      
-      # We have to override that because we want our protected attributes
-      def self.find_or_create_by_nickname_and_domain_name(nick, domain)
-        returning(super(nick, domain)) do | me |
-          ((me.nickname, me.domain_name = nick, domain) && me.save) if me.new_record?
-        end
-      end
-      class << self
-        alias_method :find_or_create_by_domain_name_and_nickname,
-        :find_or_create_by_nickname_and_domain_name
-      end
-      
-      def generate_sess_key
-        self.secret_salt ||= rand(Time.now)
-        s = [nickname, secret_salt, Time.now.year, Time.now.month].join('|')
-        OpenSSL::Digest::SHA1.new(s).hexdigest.to_s
-      end
-      
-      # Check if this profile wants us to delegate his openid to a different identity provider.
-      # If both delegate and server are filled in properly this will return true
-      def delegates_openid?
-        ALLOW_DELEGATION && (!openid_server.blank? && !openid_delegate.blank?)
-      end
-      
-      def delegates_openid=(nv)
-        (self.openid_server, self.openid_delegate = nil, nil) if [false, '0', 0, 'no'].include?(nv) 
-      end
-      alias_method :delegates_openid, :delegates_openid? # for checkboxes
-      
-      def to_s; nickname; end
-      
-      private
-      def validate_delegate_uris
-        if ([self.openid_server, self.openid_delegate].select{|i| i.blank?}).length == 1
-          errors.add(:delegate_server, "If you use delegation you have to specify both addresses")
-          false
-        end
-        
-        %w(openid_server openid_delegate).map do | attr |
-          return if self[attr].blank?
-          begin
-            self[attr] = OpenID::URINorm.urinorm(self[attr])
-          rescue Exception => e
-            errors.add(attr, e.message)
-          end
-        end
-      end
-    end
-    
-    # A token that the user has approved a site (a site's trust root) as legal
-    # recipient of his information
-    class Approval < Base
-      belongs_to :profile
-      validates_presence_of :profile_id, :trust_root
-      validates_uniqueness_of :trust_root, :scope => :profile_id
-      def to_s; trust_root; end
-    end
-    
-    # Openid setting
-    class Setting < Base; end
-    
-    # Openid nonces
-    class Nonce < Base; end
-    
-    # Openid assocs
-    class Association < Base
-      def from_record
-        OpenID::Association.new(handle, secret, issued, lifetime, assoc_type)
-      end
-      
-      def expired?
-        Time.now.to_i > (issued + lifetime)
-      end
-    end
-   
-    # Set throttles
-    class Throttle < Base
-    
-      # Set a throttle with the environment of the request
-      def self.set!(e)
-        create(:client_fingerprint => env_hash(e))
-      end
-    
-      # Check if an environment is throttled
-      def self.throttled?(e)
-        prune!
-        count(:conditions => ["client_fingerprint = ? AND created_at > ?", env_hash(e), cutoff]) > 0
-      end
-    
-      private
-      def self.prune!;  delete_all "created_at < '#{cutoff.to_s(:db)}'"; end
-      def self.cutoff; Time.now - THROTTLE_FOR; end
-      def self.env_hash(e)
-        OpenSSL::Digest::SHA1.new([e['REMOTE_ADDR'], e['HTTP_USER_AGENT']].map(&:to_s).join('|')).to_s
-      end
-    end
-  end
-   
-  require File.dirname(__FILE__) + '/pasaporte/pasaporte_store'
+  require 'pasaporte/models'
+  require 'pasaporte/pasaporte_store'
   
   module Controllers
     
@@ -437,6 +224,12 @@ module Pasaporte
         post_with_nick(*extras)
       end
       
+      def head(*extras)
+        raise "Nickname is required for this action" unless (@nickname = extras.shift)
+        raise "#{self.class} does not respond to head_with_nick" unless respond_to?(:head_with_nick)
+        head_with_nick(*extras)
+      end
+      
       # So that we can define put_with_nick and Camping sees it as #put being available
       def respond_to?(m, *whatever)
         super(m.to_sym) || super("#{m}_with_nick".to_sym)
@@ -457,29 +250,34 @@ module Pasaporte
       include OpenID::Server
       
       class Err < RuntimeError; end #:nodoc
-      class NeedsApproval < RuntimeError; end  #:nodoc
+      class NeedsApproval < Err; end  #:nodoc
       class Denied < Err; end  #:nodoc
-      class NoOpenidRequest < RuntimeError; end  #:nodoc
+      class NoOpenidRequest < Err; end  #:nodoc
+      class SwitchUser < Secure::PleaseLogin; end #:nodoc
       
       def get_with_nick
+        require_plain!
         begin
           @oid_request = openid_request_from_input_or_session
           
-          LOGGER.info "pasaporte: user #{@nickname} must not be throttled"
+          LOGGER.info "OpenID: user #{@nickname} must not be throttled"
           deny_throttled!
           
-          LOGGER.info "pasaporte: nick must match the identity URL"
+          LOGGER.info "OpenID: nick must match the identity URL"
           check_nickname_matches_identity_url
+
+          LOGGER.info "OpenID: identity must reside on our server"
+          check_identity_lives_here
           
-          LOGGER.info "pasaporte: user must be logged in"
+          LOGGER.info "OpenID: user must be logged in"
           check_logged_in
           
           @profile = profile_by_nickname(@nickname)
           
-          LOGGER.info "pasaporte: trust root is on the approvals list"
+          LOGGER.info "OpenID: trust root is on the approvals list"
           check_if_previously_approved
           
-          LOGGER.info "pasaporte: OpenID verified, redirecting"
+          LOGGER.info "OpenID: OpenID verified, redirecting"
           
           succesful_resp = @oid_request.answer(true)
           add_sreg(@oid_request, succesful_resp)
@@ -487,28 +285,36 @@ module Pasaporte
         rescue NoOpenidRequest
           return 'This is an OpenID server endpoint.'
         rescue ProtocolError => e
-          LOGGER.error "pasaporte: Cannot decode the OpenID request - #{e.message}"
+          LOGGER.error "OpenID: Cannot decode the OpenID request - #{e.message}"
           return "Something went wrong processing your request"
+        rescue SwitchUser => e
+          # Force a session save, remove the current user from the session and throw
+          # to the login page for the user to switch  to
+          @state.nickname = nil
+          force_session_save!
+          LOGGER.warn "OpenID: suspend - need to switch user first"
+          @oid_request.immediate ? ask_user_to_approve : (raise e)
         rescue PleaseLogin => e
           # There is a subtlety here. If the user had NO session before entering
           # this, he will get a new SID upon arriving at the signon page and thus
           # will loose his openid request
           force_session_save!
-          LOGGER.warn "pasaporte: suspend - the user needs to login first, saving session"
+          LOGGER.warn "OpenID: suspend - the user needs to login first, saving session"
           @oid_request.immediate ? ask_user_to_approve : (raise e)
         rescue NeedsApproval
-          LOGGER.warn "pasaporte: suspend - the URL needs approval first"
+          LOGGER.warn "OpenID: suspend - the URL needs approval first"
           ask_user_to_approve
         rescue Denied => d
-          LOGGER.warn "pasaporte: deny OpenID to #{@nickname} - #{d.message}"
+          LOGGER.warn "OpenID: deny OpenID to #{@nickname} - #{d.message}"
           send_openid_response(@oid_request.answer(false))
         rescue Secure::Throttled => e
-          LOGGER.warn "pasaporte: deny OpenID to #{@nickname} - user is throttled"
+          LOGGER.warn "OpenID: deny OpenID to #{@nickname} - user is throttled"
           send_openid_response(@oid_request.answer(false))
         end
       end
   
       def post_with_nick
+        require_plain!
         req = openid_server.decode_request(input)
         raise ProtocolError, "The decoded request was nil" if req.nil?
         # Check for dumb mode HIER!
@@ -523,7 +329,7 @@ module Pasaporte
         if input.keys.grep(/openid/).any?
           @state.delete(:pending_openid)
           r = openid_server.decode_request(input)
-          LOGGER.info "Starting a new OpenID session with #{r.trust_root}"
+          LOGGER.info "Starting a session #{r.trust_root} -> #{r.identity}"
           @state.pending_openid = r
         elsif @state.pending_openid
           LOGGER.info "Resuming an OpenID session with #{@state.pending_openid.trust_root}"
@@ -534,19 +340,28 @@ module Pasaporte
       end
       
       def check_nickname_matches_identity_url
-        nick_from_uri = @oid_request.identity.to_s.split(/\//)[-2]
+        nick_from_uri = @oid_request.identity.to_s.split(/\//).pop
         if (nick_from_uri != @nickname)
           raise Denied, "The identity '#{@oid_request.claimed_id}' does not mach the URL realm"
         end
-  
+ 
         if (@state.nickname && (nick_from_uri != @state.nickname))
-          raise Denied, "The identity '#{@oid_request.claimed_id}' is not the one of the current user"
+          raise SwitchUser, "The identity '#{@oid_request.claimed_id}' is not the one of the current user"
         end
       end
-  
+      
+      # TODO: we need to give the user a chance to say "I want these URLs to be legit too"
+      def check_identity_lives_here
+        the_id = URI.parse(@oid_request.identity)
+        # HTTP_HOST check
+        if (the_id.host != @env['HTTP_HOST'])
+          raise Denied, "The identity '#{@oid_request.claimed_id}' is not in this server(#{@env['HTTP_HOST']}"
+        end
+      end
+      
       def check_logged_in
         message = "Before authorizing '%s' you will need to login" % input["openid.trust_root"]
-        require_login(:pending_openid => @oid_request, :msg => message)
+        require_login!(:pending_openid => @oid_request, :msg => message)
       end
       
       def ask_user_to_approve
@@ -576,29 +391,28 @@ module Pasaporte
     
     # Return the yadis autodiscovery XML for the user
     class Yadis < personal(:yadis)
-      YADIS_TPL = %{
-        <xrds:XRDS xmlns:xrds="xri://$xrds" 
-          xmlns="xri://$xrd*($v*2.0)" 
-          xmlns:openid="http://openid.net/xmlns/1.0">
+      YADIS_TPL = %{<?xml version="1.0" encoding="UTF-8"?>
+        <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
         <XRD>
-        <Service priority="1">
+        <Service>
           <Type>http://openid.net/signon/1.0</Type>
           <URI>%s</URI>
-          <openid:Delegate>%s</openid:Delegate>
         </Service>
         </XRD>
         </xrds:XRDS>
       }
       
       def get_with_nick
-        @headers["Content-type"] = "application/xrds+xml"
+        @headers["Content-Type"] = "application/xrds+xml"
+        LOGGER.info "YADIS requested for #{@nickname}"
         @skip_layout = true
-        YADIS_TPL % get_endpoints
+        # We only use the server for now
+        YADIS_TPL % get_endpoints[0]
       end
       
       private
         def get_endpoints
-          defaults = [_our_endpoint_uri, _our_endpoint_uri]
+          defaults = [_our_endpoint_uri, _our_identity_url]
           @profile = Profile.find_by_nickname_and_domain_name(@nickname, my_domain)
           return defaults unless @profile && @profile.delegates_openid?
           [@profile.openid_server, @profile.openid_delegate]
@@ -607,7 +421,7 @@ module Pasaporte
     
     class ApprovalsPage < personal(:approvals)
       def get_with_nick
-        require_login
+        require_login!
         @approvals = @profile.approvals
         if @approvals.empty?
           @msg = 'You currently do not have any associations with other sites through us'
@@ -620,7 +434,7 @@ module Pasaporte
     
     class DeleteApproval < personal('disapprove/(\d+)')
       def get_with_nick(appr_id)
-        require_login
+        require_login!
         ap = @profile.approvals.find(appr_id); ap.destroy
         show_message "The site #{ap} has been removed from your approvals list"
         redirect R(ApprovalsPage, @nickname)
@@ -633,18 +447,27 @@ module Pasaporte
       include Secure::CheckMethods
       
       def get(nick=nil)
-        LOGGER.info "Entered signon with #{@cookies.inspect}"
+        LOGGER.info "Entered signon, #{@env.HTTPS ? :HTTPS : :HTTP_plain }"
         deny_throttled!
         return redirect(DashPage, @state.nickname) if @state.nickname 
         if nick && @state.pending_openid
-          humane = URI.parse(@state.pending_openid.trust_root).host
+          humane = begin
+            URI.parse(@state.pending_openid.trust_root).host
+          rescue URI::InvalidURIError
+            LOGGER.error "Failed to parse #{@state.pending_openid.trust_root}"
+            @state.pending_openid.trust_root
+          end
           show_message "Before authorizing with <b>#{humane}</b> you will need to login"
         end
+        
+        require_ssl!
+        
         @nickname = nick;
         render :signon_form
       end
       
       def post(n=nil)
+        
         begin
           deny_throttled!
         rescue Pasaporte::Secure::Throttled => th
@@ -654,11 +477,19 @@ module Pasaporte
           end
           raise th
         end
+        
+        require_ssl!
+        
         @nickname = @input.login || n || (raise "No nickname to authenticate")
+        
         # The throttling logic must be moved into throttles apparently
+        
         # Start counting
         @state.failed_logins ||= 0
         
+        # Validate token
+        validate_token!
+        
         # If the user reaches the failed login limit we ban him for a while and
         # tell the OpenID requesting party to go away
         if Pasaporte::AUTH.call(@nickname, input.pass, my_domain)
@@ -726,8 +557,7 @@ module Pasaporte
     class Signout < personal(:signout)
       def get_with_nick
         (redirect R(Signon, @nickname); return) unless is_logged_in?
-        # reset the session in our part only
-        @state = Camping::H.new
+        reset_session!
         @state.msg = "Thanks for using the service and goodbye"
         redirect R(Signon, @nickname)
       end
@@ -737,13 +567,16 @@ module Pasaporte
     # when associating for the first time
     class Decide < personal(:decide)
       def get_with_nick
-        require_login
+        require_ssl!
+        require_login!
+        
         @oid_request = @state.pending_openid
         render :decide
       end
       
       def post_with_nick
-        require_login
+        require_ssl!
+        require_login!
         if !@state.pending_openid
           @report = "There is no OpenID request to approve anymore. Looks like it went out already."
           render :bailout
@@ -760,12 +593,16 @@ module Pasaporte
     # Allows the user to modify the settings
     class EditProfile < personal(:edit)
       def get_with_nick
-        require_login
+        require_login!
+        require_ssl!
         render :profile_form
       end
       
       def post_with_nick
-        require_login
+        require_login!
+        require_ssl!
+        validate_token!
+        
         _collapse_checkbox_input(input)
         
         if @profile.update_attributes(input.profile)
@@ -821,13 +658,32 @@ module Pasaporte
         render :bailout
       end
     end
+    
+    class FormExpired < R('/form-expired')
+      def get
+        @report = "The form has expired unfortunately"
+        render :bailout
+      end
+    end
   
     # Just show a public profile page. Before the user logs in for the first time
     # it works like a dummy page. After the user has been succesfully authenticated he can
     # show his personal info on this page (this is his identity URL).
     class ProfilePage < personal
+      
+      def head(nick)
+        get(nick)
+        return
+      end
+      
       def get(nick)
         @nickname = nick
+        
+        # Redirect the OpenID requesting party to the usual HTTP so that
+        # the OpenID procedure takes place without SSL, if partial SSL is turned on
+        require_plain! if PARTIAL_SSL
+        
+        LOGGER.info "Profile page GET for #{nick}, sending YADIS header"
         @headers['X-XRDS-Location'] = _our_identity_url + '/yadis'
         @title = "#{@nickname}'s profile" 
         @profile = Profile.find_by_nickname_and_domain_name(@nickname, my_domain)
@@ -837,7 +693,7 @@ module Pasaporte
     end
     
     class DashPage < personal(:prefs)
-      def get_with_nick; require_login; render :dash; end
+      def get_with_nick; require_login!; render :dash; end
     end
   end
   
@@ -849,7 +705,8 @@ module Pasaporte
     
     # Return a RELATIVELY reliable domain key
     def my_domain
-      env["SERVER_NAME"].gsub(/^www\./i, '').chars.downcase.to_s
+      server = env["SERVER_NAME"].gsub(/^www\./i, '')
+      (server.mb_chars rescue server.chars).downcase.to_s
     end
   
     # Camping processes double values (hidden field with 0 and checkbox with 1) as an array.
@@ -859,15 +716,21 @@ module Pasaporte
         (v == ["0", "1"]) ? (ha[k] = "1") : (v.is_a?(Hash) ? _collapse_checkbox_input(v) : true)
       end
     end
-  
+    
+    def _csrf_token
+     #input :name => :tok, :type => :hidden, :value => token_box.procure!(@env.REQUEST_URI)
+     #LOGGER.warn "After token procurement #{token_box.inspect}"
+    end
+    
     def openid_server
       @store ||= PasaporteStore.new
       
       # Associations etc are sharded per domain on which Pasaporte sits
       @store.pasaporte_domain = @env['SERVER_NAME']
       
-      # we also need to provide endopint URL - this is where Pasaporte is mounted
-      @server ||= OpenID::Server::Server.new(@store, @env['SERVER_NAME'])
+      # we also need to provide endopint URL - this is where Pasaporte is mounted.
+      # Op-endpoint is the endpoint used by the server
+      @server ||= OpenID::Server::Server.new(@store, _our_endpoint_uri)
       @server
     end
     
@@ -960,22 +823,25 @@ module Pasaporte
           self << "Your password:"
           input.pass! :name => "pass", :type => "password"
         end
+        _csrf_token
         input :type => :submit, :value => 'Log me in'
       end
     end
 
     def layout
       @headers['Cache-Control'] = 'no-cache; must-revalidate'
+      @headers['Content-Type'] ||= 'text/html'
+      
       if @skip_layout
         self << yield; return
       end
       
-      @headers['Content-type'] = 'text/html'
       xhtml_transitional do
         head do
-          meta 'http-equiv' => 'X-XRDS-Location', :content => (_our_identity_url + '/yadis')
-          link :rel => "openid.server", :href => _openid_server_uri 
+          self << '<meta http-equiv="X-XRDS-Location" content="%s/yadis" />' % _our_identity_url
+          link :rel => "openid.server", :href => _openid_server_uri
           link :rel => "openid.delegate", :href => _openid_delegate_uri
+          
           link :rel => "stylesheet", :href => _s("pasaporte.css")
           script :type=>'text/javascript', :src => _s("pasaporte.js")
           title(@title || ('%s : pasaporte' % env['SERVER_NAME']))
@@ -1006,14 +872,14 @@ module Pasaporte
       R(Assets, file)
     end
     
-    # Render either our server URL or the URL of the delegate
+    # Render either our endpoint URL or the URL of the delegate
     def _openid_server_uri
       (@profile && @profile.delegates_openid?) ? @profile.openid_server : _our_endpoint_uri
     end
 
-    # Render either our providing URL or the URL of the delegate    
+    # Render either our identity URL or the URL of the delegate    
     def _openid_delegate_uri
-      (@profile && @profile.delegates_openid?) ? @profile.openid_delegate : _our_endpoint_uri
+      (@profile && @profile.delegates_openid?) ? @profile.openid_delegate : _our_identity_url
     end
 
     # Canonicalized URL of our endpoint    
@@ -1050,12 +916,13 @@ module Pasaporte
       end
       
       form :method => :post do
+        _csrf_token
         input :name => :pleasedo, :type => :submit, :value => " Yes, do allow "
         self << '&#160;'
         input :name => :nope, :type => :submit, :value => " No, they are villains! "
       end
     end
-
+    
     def _toolbar
       # my profile button
       # log me out button
@@ -1103,7 +970,7 @@ module Pasaporte
       form(:method => :post) do
         
         h2 "Your profile"
-        
+        _csrf_token
         label.cblabel :for => :share_info do
           _cbox :profile, :shared, :id => :share_info 
           self << '&#160; Share your info on your OpenID page'
@@ -1206,9 +1073,10 @@ module Pasaporte
   def self.create
     JulikState.create_schema
     self::Models.create_schema
-    LOGGER.warn "Deleting stale sessions"
-    JulikState::State.delete_all
-    LOGGER.warn "Deleting set throttles"
-    self::Models::Throttle.delete_all
+    self::LOGGER.warn "Deleting sessions, assocs and nonces"
+    [self::Models::Throttle, self::Models::Nonce, 
+     self::Models::Association, JulikState::State].each do | m |
+      m.delete_all
+    end
   end
 end