pelle-ruby-openid 2.1.8

Sign up to get free protection for your applications and to get access to all the features.
Files changed (197) hide show
  1. data/CHANGELOG +215 -0
  2. data/CHANGES-2.1.0 +36 -0
  3. data/INSTALL +47 -0
  4. data/LICENSE +210 -0
  5. data/NOTICE +2 -0
  6. data/README +82 -0
  7. data/UPGRADE +127 -0
  8. data/VERSION +1 -0
  9. data/examples/README +32 -0
  10. data/examples/active_record_openid_store/README +58 -0
  11. data/examples/active_record_openid_store/XXX_add_open_id_store_to_db.rb +24 -0
  12. data/examples/active_record_openid_store/XXX_upgrade_open_id_store.rb +26 -0
  13. data/examples/active_record_openid_store/init.rb +8 -0
  14. data/examples/active_record_openid_store/lib/association.rb +10 -0
  15. data/examples/active_record_openid_store/lib/nonce.rb +3 -0
  16. data/examples/active_record_openid_store/lib/open_id_setting.rb +4 -0
  17. data/examples/active_record_openid_store/lib/openid_ar_store.rb +57 -0
  18. data/examples/active_record_openid_store/test/store_test.rb +212 -0
  19. data/examples/discover +49 -0
  20. data/examples/rails_openid/README +153 -0
  21. data/examples/rails_openid/Rakefile +10 -0
  22. data/examples/rails_openid/app/controllers/application.rb +4 -0
  23. data/examples/rails_openid/app/controllers/consumer_controller.rb +122 -0
  24. data/examples/rails_openid/app/controllers/login_controller.rb +45 -0
  25. data/examples/rails_openid/app/controllers/server_controller.rb +265 -0
  26. data/examples/rails_openid/app/helpers/application_helper.rb +3 -0
  27. data/examples/rails_openid/app/helpers/login_helper.rb +2 -0
  28. data/examples/rails_openid/app/helpers/server_helper.rb +9 -0
  29. data/examples/rails_openid/app/views/consumer/index.rhtml +81 -0
  30. data/examples/rails_openid/app/views/layouts/server.rhtml +68 -0
  31. data/examples/rails_openid/app/views/login/index.rhtml +56 -0
  32. data/examples/rails_openid/app/views/server/decide.rhtml +26 -0
  33. data/examples/rails_openid/config/boot.rb +19 -0
  34. data/examples/rails_openid/config/database.yml +74 -0
  35. data/examples/rails_openid/config/environment.rb +54 -0
  36. data/examples/rails_openid/config/environments/development.rb +19 -0
  37. data/examples/rails_openid/config/environments/production.rb +19 -0
  38. data/examples/rails_openid/config/environments/test.rb +19 -0
  39. data/examples/rails_openid/config/routes.rb +24 -0
  40. data/examples/rails_openid/doc/README_FOR_APP +2 -0
  41. data/examples/rails_openid/public/.htaccess +40 -0
  42. data/examples/rails_openid/public/404.html +8 -0
  43. data/examples/rails_openid/public/500.html +8 -0
  44. data/examples/rails_openid/public/dispatch.cgi +12 -0
  45. data/examples/rails_openid/public/dispatch.fcgi +26 -0
  46. data/examples/rails_openid/public/dispatch.rb +12 -0
  47. data/examples/rails_openid/public/favicon.ico +0 -0
  48. data/examples/rails_openid/public/images/openid_login_bg.gif +0 -0
  49. data/examples/rails_openid/public/javascripts/controls.js +750 -0
  50. data/examples/rails_openid/public/javascripts/dragdrop.js +584 -0
  51. data/examples/rails_openid/public/javascripts/effects.js +854 -0
  52. data/examples/rails_openid/public/javascripts/prototype.js +1785 -0
  53. data/examples/rails_openid/public/robots.txt +1 -0
  54. data/examples/rails_openid/script/about +3 -0
  55. data/examples/rails_openid/script/breakpointer +3 -0
  56. data/examples/rails_openid/script/console +3 -0
  57. data/examples/rails_openid/script/destroy +3 -0
  58. data/examples/rails_openid/script/generate +3 -0
  59. data/examples/rails_openid/script/performance/benchmarker +3 -0
  60. data/examples/rails_openid/script/performance/profiler +3 -0
  61. data/examples/rails_openid/script/plugin +3 -0
  62. data/examples/rails_openid/script/process/reaper +3 -0
  63. data/examples/rails_openid/script/process/spawner +3 -0
  64. data/examples/rails_openid/script/process/spinner +3 -0
  65. data/examples/rails_openid/script/runner +3 -0
  66. data/examples/rails_openid/script/server +3 -0
  67. data/examples/rails_openid/test/functional/login_controller_test.rb +18 -0
  68. data/examples/rails_openid/test/functional/server_controller_test.rb +18 -0
  69. data/examples/rails_openid/test/test_helper.rb +28 -0
  70. data/lib/hmac/hmac.rb +112 -0
  71. data/lib/hmac/sha1.rb +11 -0
  72. data/lib/hmac/sha2.rb +25 -0
  73. data/lib/openid/association.rb +249 -0
  74. data/lib/openid/consumer/associationmanager.rb +344 -0
  75. data/lib/openid/consumer/checkid_request.rb +186 -0
  76. data/lib/openid/consumer/discovery.rb +498 -0
  77. data/lib/openid/consumer/discovery_manager.rb +123 -0
  78. data/lib/openid/consumer/html_parse.rb +134 -0
  79. data/lib/openid/consumer/idres.rb +523 -0
  80. data/lib/openid/consumer/responses.rb +148 -0
  81. data/lib/openid/consumer.rb +395 -0
  82. data/lib/openid/cryptutil.rb +97 -0
  83. data/lib/openid/dh.rb +89 -0
  84. data/lib/openid/extension.rb +39 -0
  85. data/lib/openid/extensions/ax.rb +516 -0
  86. data/lib/openid/extensions/oauth.rb +91 -0
  87. data/lib/openid/extensions/pape.rb +179 -0
  88. data/lib/openid/extensions/sreg.rb +277 -0
  89. data/lib/openid/extras.rb +11 -0
  90. data/lib/openid/fetchers.rb +238 -0
  91. data/lib/openid/kvform.rb +136 -0
  92. data/lib/openid/kvpost.rb +58 -0
  93. data/lib/openid/message.rb +553 -0
  94. data/lib/openid/protocolerror.rb +8 -0
  95. data/lib/openid/server.rb +1544 -0
  96. data/lib/openid/store/filesystem.rb +271 -0
  97. data/lib/openid/store/interface.rb +75 -0
  98. data/lib/openid/store/memcache.rb +107 -0
  99. data/lib/openid/store/memory.rb +84 -0
  100. data/lib/openid/store/nonce.rb +68 -0
  101. data/lib/openid/trustroot.rb +349 -0
  102. data/lib/openid/urinorm.rb +75 -0
  103. data/lib/openid/util.rb +110 -0
  104. data/lib/openid/yadis/accept.rb +148 -0
  105. data/lib/openid/yadis/constants.rb +21 -0
  106. data/lib/openid/yadis/discovery.rb +153 -0
  107. data/lib/openid/yadis/filters.rb +205 -0
  108. data/lib/openid/yadis/htmltokenizer.rb +305 -0
  109. data/lib/openid/yadis/parsehtml.rb +45 -0
  110. data/lib/openid/yadis/services.rb +42 -0
  111. data/lib/openid/yadis/xrds.rb +155 -0
  112. data/lib/openid/yadis/xri.rb +90 -0
  113. data/lib/openid/yadis/xrires.rb +106 -0
  114. data/lib/openid.rb +20 -0
  115. data/setup.rb +1551 -0
  116. data/test/data/accept.txt +124 -0
  117. data/test/data/dh.txt +29 -0
  118. data/test/data/example-xrds.xml +14 -0
  119. data/test/data/linkparse.txt +587 -0
  120. data/test/data/n2b64 +650 -0
  121. data/test/data/test1-discover.txt +137 -0
  122. data/test/data/test1-parsehtml.txt +152 -0
  123. data/test/data/test_discover/malformed_meta_tag.html +19 -0
  124. data/test/data/test_discover/openid.html +11 -0
  125. data/test/data/test_discover/openid2.html +11 -0
  126. data/test/data/test_discover/openid2_xrds.xml +12 -0
  127. data/test/data/test_discover/openid2_xrds_no_local_id.xml +11 -0
  128. data/test/data/test_discover/openid_1_and_2.html +11 -0
  129. data/test/data/test_discover/openid_1_and_2_xrds.xml +16 -0
  130. data/test/data/test_discover/openid_1_and_2_xrds_bad_delegate.xml +17 -0
  131. data/test/data/test_discover/openid_and_yadis.html +12 -0
  132. data/test/data/test_discover/openid_no_delegate.html +10 -0
  133. data/test/data/test_discover/yadis_0entries.xml +12 -0
  134. data/test/data/test_discover/yadis_2_bad_local_id.xml +15 -0
  135. data/test/data/test_discover/yadis_2entries_delegate.xml +22 -0
  136. data/test/data/test_discover/yadis_2entries_idp.xml +21 -0
  137. data/test/data/test_discover/yadis_another_delegate.xml +14 -0
  138. data/test/data/test_discover/yadis_idp.xml +12 -0
  139. data/test/data/test_discover/yadis_idp_delegate.xml +13 -0
  140. data/test/data/test_discover/yadis_no_delegate.xml +11 -0
  141. data/test/data/test_xrds/=j3h.2007.11.14.xrds +25 -0
  142. data/test/data/test_xrds/README +12 -0
  143. data/test/data/test_xrds/delegated-20060809-r1.xrds +34 -0
  144. data/test/data/test_xrds/delegated-20060809-r2.xrds +34 -0
  145. data/test/data/test_xrds/delegated-20060809.xrds +34 -0
  146. data/test/data/test_xrds/no-xrd.xml +7 -0
  147. data/test/data/test_xrds/not-xrds.xml +2 -0
  148. data/test/data/test_xrds/prefixsometimes.xrds +34 -0
  149. data/test/data/test_xrds/ref.xrds +109 -0
  150. data/test/data/test_xrds/sometimesprefix.xrds +34 -0
  151. data/test/data/test_xrds/spoof1.xrds +25 -0
  152. data/test/data/test_xrds/spoof2.xrds +25 -0
  153. data/test/data/test_xrds/spoof3.xrds +37 -0
  154. data/test/data/test_xrds/status222.xrds +9 -0
  155. data/test/data/test_xrds/subsegments.xrds +58 -0
  156. data/test/data/test_xrds/valid-populated-xrds.xml +39 -0
  157. data/test/data/trustroot.txt +153 -0
  158. data/test/data/urinorm.txt +79 -0
  159. data/test/discoverdata.rb +131 -0
  160. data/test/test_accept.rb +170 -0
  161. data/test/test_association.rb +266 -0
  162. data/test/test_associationmanager.rb +917 -0
  163. data/test/test_ax.rb +648 -0
  164. data/test/test_checkid_request.rb +294 -0
  165. data/test/test_consumer.rb +257 -0
  166. data/test/test_cryptutil.rb +119 -0
  167. data/test/test_dh.rb +86 -0
  168. data/test/test_discover.rb +838 -0
  169. data/test/test_discovery_manager.rb +262 -0
  170. data/test/test_extension.rb +46 -0
  171. data/test/test_extras.rb +35 -0
  172. data/test/test_fetchers.rb +538 -0
  173. data/test/test_filters.rb +270 -0
  174. data/test/test_idres.rb +963 -0
  175. data/test/test_kvform.rb +165 -0
  176. data/test/test_kvpost.rb +65 -0
  177. data/test/test_linkparse.rb +101 -0
  178. data/test/test_message.rb +1116 -0
  179. data/test/test_nonce.rb +89 -0
  180. data/test/test_oauth.rb +175 -0
  181. data/test/test_openid_yadis.rb +178 -0
  182. data/test/test_pape.rb +247 -0
  183. data/test/test_parsehtml.rb +80 -0
  184. data/test/test_responses.rb +63 -0
  185. data/test/test_server.rb +2457 -0
  186. data/test/test_sreg.rb +479 -0
  187. data/test/test_stores.rb +298 -0
  188. data/test/test_trustroot.rb +113 -0
  189. data/test/test_urinorm.rb +35 -0
  190. data/test/test_util.rb +145 -0
  191. data/test/test_xrds.rb +169 -0
  192. data/test/test_xri.rb +48 -0
  193. data/test/test_xrires.rb +63 -0
  194. data/test/test_yadis_discovery.rb +220 -0
  195. data/test/testutil.rb +127 -0
  196. data/test/util.rb +53 -0
  197. metadata +316 -0
@@ -0,0 +1,148 @@
1
+ module OpenID
2
+ class Consumer
3
+ # Code returned when either the of the
4
+ # OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth
5
+ # methods return successfully.
6
+ SUCCESS = :success
7
+
8
+ # Code OpenID::OpenIDConsumer.complete_auth
9
+ # returns when the value it received indicated an invalid login.
10
+ FAILURE = :failure
11
+
12
+ # Code returned by OpenIDConsumer.complete_auth when the user
13
+ # cancels the operation from the server.
14
+ CANCEL = :cancel
15
+
16
+ # Code returned by OpenID::OpenIDConsumer.complete_auth when the
17
+ # OpenIDConsumer instance is in immediate mode and ther server sends back a
18
+ # URL for the user to login with.
19
+ SETUP_NEEDED = :setup_needed
20
+
21
+
22
+ module Response
23
+ attr_reader :endpoint
24
+
25
+ def status
26
+ self.class::STATUS
27
+ end
28
+
29
+ # The identity URL that has been authenticated; the Claimed Identifier.
30
+ # See also display_identifier.
31
+ def identity_url
32
+ @endpoint ? @endpoint.claimed_id : nil
33
+ end
34
+
35
+ # The display identifier is related to the Claimed Identifier, but the
36
+ # two are not always identical. The display identifier is something the
37
+ # user should recognize as what they entered, whereas the response's
38
+ # claimed identifier (in the identity_url attribute) may have extra
39
+ # information for better persistence.
40
+ #
41
+ # URLs will be stripped of their fragments for display. XRIs will
42
+ # display the human-readable identifier (i-name) instead of the
43
+ # persistent identifier (i-number).
44
+ #
45
+ # Use the display identifier in your user interface. Use identity_url
46
+ # for querying your database or authorization server, or other
47
+ # identifier equality comparisons.
48
+ def display_identifier
49
+ @endpoint ? @endpoint.display_identifier : nil
50
+ end
51
+ end
52
+
53
+ # A successful acknowledgement from the OpenID server that the
54
+ # supplied URL is, indeed controlled by the requesting agent.
55
+ class SuccessResponse
56
+ include Response
57
+
58
+ STATUS = SUCCESS
59
+
60
+ attr_reader :message, :signed_fields
61
+
62
+ def initialize(endpoint, message, signed_fields)
63
+ # Don't use :endpoint=, because endpoint should never be nil
64
+ # for a successfull transaction.
65
+ @endpoint = endpoint
66
+ @identity_url = endpoint.claimed_id
67
+ @message = message
68
+ @signed_fields = signed_fields
69
+ end
70
+
71
+ # Was this authentication response an OpenID 1 authentication
72
+ # response?
73
+ def is_openid1
74
+ @message.is_openid1
75
+ end
76
+
77
+ # Return whether a particular key is signed, regardless of its
78
+ # namespace alias
79
+ def signed?(ns_uri, ns_key)
80
+ @signed_fields.member?(@message.get_key(ns_uri, ns_key))
81
+ end
82
+
83
+ # Return the specified signed field if available, otherwise
84
+ # return default
85
+ def get_signed(ns_uri, ns_key, default=nil)
86
+ if singed?(ns_uri, ns_key)
87
+ return @message.get_arg(ns_uri, ns_key, default)
88
+ else
89
+ return default
90
+ end
91
+ end
92
+
93
+ # Get signed arguments from the response message. Return a dict
94
+ # of all arguments in the specified namespace. If any of the
95
+ # arguments are not signed, return nil.
96
+ def get_signed_ns(ns_uri)
97
+ msg_args = @message.get_args(ns_uri)
98
+ msg_args.each_key do |key|
99
+ if !signed?(ns_uri, key)
100
+ return nil
101
+ end
102
+ end
103
+ return msg_args
104
+ end
105
+
106
+ # Return response arguments in the specified namespace.
107
+ # If require_signed is true and the arguments are not signed,
108
+ # return nil.
109
+ def extension_response(namespace_uri, require_signed)
110
+ if require_signed
111
+ get_signed_ns(namespace_uri)
112
+ else
113
+ @message.get_args(namespace_uri)
114
+ end
115
+ end
116
+ end
117
+
118
+ class FailureResponse
119
+ include Response
120
+ STATUS = FAILURE
121
+
122
+ attr_reader :message, :contact, :reference
123
+ def initialize(endpoint, message, contact=nil, reference=nil)
124
+ @endpoint = endpoint
125
+ @message = message
126
+ @contact = contact
127
+ @reference = reference
128
+ end
129
+ end
130
+
131
+ class CancelResponse
132
+ include Response
133
+ STATUS = CANCEL
134
+ def initialize(endpoint)
135
+ @endpoint = endpoint
136
+ end
137
+ end
138
+
139
+ class SetupNeededResponse
140
+ include Response
141
+ STATUS = SETUP_NEEDED
142
+ def initialize(endpoint, setup_url)
143
+ @endpoint = endpoint
144
+ @setup_url = setup_url
145
+ end
146
+ end
147
+ end
148
+ end
@@ -0,0 +1,395 @@
1
+ require "openid/consumer/idres.rb"
2
+ require "openid/consumer/checkid_request.rb"
3
+ require "openid/consumer/associationmanager.rb"
4
+ require "openid/consumer/responses.rb"
5
+ require "openid/consumer/discovery_manager"
6
+ require "openid/consumer/discovery"
7
+ require "openid/message"
8
+ require "openid/yadis/discovery"
9
+ require "openid/store/nonce"
10
+
11
+ module OpenID
12
+ # OpenID support for Relying Parties (aka Consumers).
13
+ #
14
+ # This module documents the main interface with the OpenID consumer
15
+ # library. The only part of the library which has to be used and
16
+ # isn't documented in full here is the store required to create an
17
+ # Consumer instance.
18
+ #
19
+ # = OVERVIEW
20
+ #
21
+ # The OpenID identity verification process most commonly uses the
22
+ # following steps, as visible to the user of this library:
23
+ #
24
+ # 1. The user enters their OpenID into a field on the consumer's
25
+ # site, and hits a login button.
26
+ #
27
+ # 2. The consumer site discovers the user's OpenID provider using
28
+ # the Yadis protocol.
29
+ #
30
+ # 3. The consumer site sends the browser a redirect to the OpenID
31
+ # provider. This is the authentication request as described in
32
+ # the OpenID specification.
33
+ #
34
+ # 4. The OpenID provider's site sends the browser a redirect back to
35
+ # the consumer site. This redirect contains the provider's
36
+ # response to the authentication request.
37
+ #
38
+ # The most important part of the flow to note is the consumer's site
39
+ # must handle two separate HTTP requests in order to perform the
40
+ # full identity check.
41
+ #
42
+ # = LIBRARY DESIGN
43
+ #
44
+ # This consumer library is designed with that flow in mind. The
45
+ # goal is to make it as easy as possible to perform the above steps
46
+ # securely.
47
+ #
48
+ # At a high level, there are two important parts in the consumer
49
+ # library. The first important part is this module, which contains
50
+ # the interface to actually use this library. The second is
51
+ # openid/store/interface.rb, which describes the interface to use if
52
+ # you need to create a custom method for storing the state this
53
+ # library needs to maintain between requests.
54
+ #
55
+ # In general, the second part is less important for users of the
56
+ # library to know about, as several implementations are provided
57
+ # which cover a wide variety of situations in which consumers may
58
+ # use the library.
59
+ #
60
+ # The Consumer class has methods corresponding to the actions
61
+ # necessary in each of steps 2, 3, and 4 described in the overview.
62
+ # Use of this library should be as easy as creating an Consumer
63
+ # instance and calling the methods appropriate for the action the
64
+ # site wants to take.
65
+ #
66
+ # This library automatically detects which version of the OpenID
67
+ # protocol should be used for a transaction and constructs the
68
+ # proper requests and responses. Users of this library do not need
69
+ # to worry about supporting multiple protocol versions; the library
70
+ # supports them implicitly. Depending on the version of the
71
+ # protocol in use, the OpenID transaction may be more secure. See
72
+ # the OpenID specifications for more information.
73
+ #
74
+ # = SESSIONS, STORES, AND STATELESS MODE
75
+ #
76
+ # The Consumer object keeps track of two types of state:
77
+ #
78
+ # 1. State of the user's current authentication attempt. Things
79
+ # like the identity URL, the list of endpoints discovered for
80
+ # that URL, and in case where some endpoints are unreachable, the
81
+ # list of endpoints already tried. This state needs to be held
82
+ # from Consumer.begin() to Consumer.complete(), but it is only
83
+ # applicable to a single session with a single user agent, and at
84
+ # the end of the authentication process (i.e. when an OP replies
85
+ # with either <tt>id_res</tt>. or <tt>cancel</tt> it may be
86
+ # discarded.
87
+ #
88
+ # 2. State of relationships with servers, i.e. shared secrets
89
+ # (associations) with servers and nonces seen on signed messages.
90
+ # This information should persist from one session to the next
91
+ # and should not be bound to a particular user-agent.
92
+ #
93
+ # These two types of storage are reflected in the first two
94
+ # arguments of Consumer's constructor, <tt>session</tt> and
95
+ # <tt>store</tt>. <tt>session</tt> is a dict-like object and we
96
+ # hope your web framework provides you with one of these bound to
97
+ # the user agent. <tt>store</tt> is an instance of Store.
98
+ #
99
+ # Since the store does hold secrets shared between your application
100
+ # and the OpenID provider, you should be careful about how you use
101
+ # it in a shared hosting environment. If the filesystem or database
102
+ # permissions of your web host allow strangers to read from them, do
103
+ # not store your data there! If you have no safe place to store
104
+ # your data, construct your consumer with nil for the store, and it
105
+ # will operate only in stateless mode. Stateless mode may be
106
+ # slower, put more load on the OpenID provider, and trusts the
107
+ # provider to keep you safe from replay attacks.
108
+ #
109
+ # Several store implementation are provided, and the interface is
110
+ # fully documented so that custom stores can be used as well. See
111
+ # the documentation for the Consumer class for more information on
112
+ # the interface for stores. The implementations that are provided
113
+ # allow the consumer site to store the necessary data in several
114
+ # different ways, including several SQL databases and normal files
115
+ # on disk.
116
+ #
117
+ # = IMMEDIATE MODE
118
+ #
119
+ # In the flow described above, the user may need to confirm to the
120
+ # OpenID provider that it's ok to disclose his or her identity. The
121
+ # provider may draw pages asking for information from the user
122
+ # before it redirects the browser back to the consumer's site. This
123
+ # is generally transparent to the consumer site, so it is typically
124
+ # ignored as an implementation detail.
125
+ #
126
+ # There can be times, however, where the consumer site wants to get
127
+ # a response immediately. When this is the case, the consumer can
128
+ # put the library in immediate mode. In immediate mode, there is an
129
+ # extra response possible from the server, which is essentially the
130
+ # server reporting that it doesn't have enough information to answer
131
+ # the question yet.
132
+ #
133
+ # = USING THIS LIBRARY
134
+ #
135
+ # Integrating this library into an application is usually a
136
+ # relatively straightforward process. The process should basically
137
+ # follow this plan:
138
+ #
139
+ # Add an OpenID login field somewhere on your site. When an OpenID
140
+ # is entered in that field and the form is submitted, it should make
141
+ # a request to the your site which includes that OpenID URL.
142
+ #
143
+ # First, the application should instantiate a Consumer with a
144
+ # session for per-user state and store for shared state using the
145
+ # store of choice.
146
+ #
147
+ # Next, the application should call the <tt>begin</tt> method of
148
+ # Consumer instance. This method takes the OpenID URL as entered by
149
+ # the user. The <tt>begin</tt> method returns a CheckIDRequest
150
+ # object.
151
+ #
152
+ # Next, the application should call the redirect_url method on the
153
+ # CheckIDRequest object. The parameter <tt>return_to</tt> is the
154
+ # URL that the OpenID server will send the user back to after
155
+ # attempting to verify his or her identity. The <tt>realm</tt>
156
+ # parameter is the URL (or URL pattern) that identifies your web
157
+ # site to the user when he or she is authorizing it. Send a
158
+ # redirect to the resulting URL to the user's browser.
159
+ #
160
+ # That's the first half of the authentication process. The second
161
+ # half of the process is done after the user's OpenID Provider sends
162
+ # the user's browser a redirect back to your site to complete their
163
+ # login.
164
+ #
165
+ # When that happens, the user will contact your site at the URL
166
+ # given as the <tt>return_to</tt> URL to the redirect_url call made
167
+ # above. The request will have several query parameters added to
168
+ # the URL by the OpenID provider as the information necessary to
169
+ # finish the request.
170
+ #
171
+ # Get a Consumer instance with the same session and store as before
172
+ # and call its complete() method, passing in all the received query
173
+ # arguments and URL currently being handled.
174
+ #
175
+ # There are multiple possible return types possible from that
176
+ # method. These indicate the whether or not the login was
177
+ # successful, and include any additional information appropriate for
178
+ # their type.
179
+ class Consumer
180
+ attr_accessor :session_key_prefix
181
+
182
+ # Initialize a Consumer instance.
183
+ #
184
+ # You should create a new instance of the Consumer object with
185
+ # every HTTP request that handles OpenID transactions.
186
+ #
187
+ # session: the session object to use to store request information.
188
+ # The session should behave like a hash.
189
+ #
190
+ # store: an object that implements the interface in Store.
191
+ def initialize(session, store)
192
+ @session = session
193
+ @store = store
194
+ @session_key_prefix = 'OpenID::Consumer::'
195
+ end
196
+
197
+ # Start the OpenID authentication process. See steps 1-2 in the
198
+ # overview for the Consumer class.
199
+ #
200
+ # user_url: Identity URL given by the user. This method performs a
201
+ # textual transformation of the URL to try and make sure it is
202
+ # normalized. For example, a user_url of example.com will be
203
+ # normalized to http://example.com/ normalizing and resolving any
204
+ # redirects the server might issue.
205
+ #
206
+ # anonymous: A boolean value. Whether to make an anonymous
207
+ # request of the OpenID provider. Such a request does not ask for
208
+ # an authorization assertion for an OpenID identifier, but may be
209
+ # used with extensions to pass other data. e.g. "I don't care who
210
+ # you are, but I'd like to know your time zone."
211
+ #
212
+ # Returns a CheckIDRequest object containing the discovered
213
+ # information, with a method for building a redirect URL to the
214
+ # server, as described in step 3 of the overview. This object may
215
+ # also be used to add extension arguments to the request, using
216
+ # its add_extension_arg method.
217
+ #
218
+ # Raises DiscoveryFailure when no OpenID server can be found for
219
+ # this URL.
220
+ def begin(openid_identifier, anonymous=false)
221
+ manager = discovery_manager(openid_identifier)
222
+ service = manager.get_next_service(&method(:discover))
223
+
224
+ if service.nil?
225
+ raise DiscoveryFailure.new("No usable OpenID services were found "\
226
+ "for #{openid_identifier.inspect}", nil)
227
+ else
228
+ begin_without_discovery(service, anonymous)
229
+ end
230
+ end
231
+
232
+ # Start OpenID verification without doing OpenID server
233
+ # discovery. This method is used internally by Consumer.begin()
234
+ # after discovery is performed, and exists to provide an interface
235
+ # for library users needing to perform their own discovery.
236
+ #
237
+ # service: an OpenID service endpoint descriptor. This object and
238
+ # factories for it are found in the openid/consumer/discovery.rb
239
+ # module.
240
+ #
241
+ # Returns an OpenID authentication request object.
242
+ def begin_without_discovery(service, anonymous)
243
+ assoc = association_manager(service).get_association
244
+ checkid_request = CheckIDRequest.new(assoc, service)
245
+ checkid_request.anonymous = anonymous
246
+
247
+ if service.compatibility_mode
248
+ rt_args = checkid_request.return_to_args
249
+ rt_args[Consumer.openid1_return_to_nonce_name] = Nonce.mk_nonce
250
+ rt_args[Consumer.openid1_return_to_claimed_id_name] =
251
+ service.claimed_id
252
+ end
253
+
254
+ self.last_requested_endpoint = service
255
+ return checkid_request
256
+ end
257
+
258
+ # Called to interpret the server's response to an OpenID
259
+ # request. It is called in step 4 of the flow described in the
260
+ # Consumer overview.
261
+ #
262
+ # query: A hash of the query parameters for this HTTP request.
263
+ # Note that in rails, this is <b>not</b> <tt>params</tt> but
264
+ # <tt>params.reject{|k,v|request.path_parameters[k]}</tt>
265
+ # because <tt>controller</tt> and <tt>action</tt> and other
266
+ # "path parameters" are included in params.
267
+ #
268
+ # current_url: Extract the URL of the current request from your
269
+ # application's web request framework and specify it here to have it
270
+ # checked against the openid.return_to value in the response. Do not
271
+ # just pass <tt>args['openid.return_to']</tt> here; that will defeat the
272
+ # purpose of this check. (See OpenID Authentication 2.0 section 11.1.)
273
+ #
274
+ # If the return_to URL check fails, the status of the completion will be
275
+ # FAILURE.
276
+
277
+ #
278
+ # Returns a subclass of Response. The type of response is
279
+ # indicated by the status attribute, which will be one of
280
+ # SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
281
+ def complete(query, current_url)
282
+ message = Message.from_post_args(query)
283
+ mode = message.get_arg(OPENID_NS, 'mode', 'invalid')
284
+ begin
285
+ meth = method('complete_' + mode)
286
+ rescue NameError
287
+ meth = method(:complete_invalid)
288
+ end
289
+ response = meth.call(message, current_url)
290
+ cleanup_last_requested_endpoint
291
+ if [SUCCESS, CANCEL].member?(response.status)
292
+ cleanup_session
293
+ end
294
+ return response
295
+ end
296
+
297
+ protected
298
+
299
+ def session_get(name)
300
+ @session[session_key(name)]
301
+ end
302
+
303
+ def session_set(name, val)
304
+ @session[session_key(name)] = val
305
+ end
306
+
307
+ def session_key(suffix)
308
+ @session_key_prefix + suffix
309
+ end
310
+
311
+ def last_requested_endpoint
312
+ session_get('last_requested_endpoint')
313
+ end
314
+
315
+ def last_requested_endpoint=(endpoint)
316
+ session_set('last_requested_endpoint', endpoint)
317
+ end
318
+
319
+ def cleanup_last_requested_endpoint
320
+ @session[session_key('last_requested_endpoint')] = nil
321
+ end
322
+
323
+ def discovery_manager(openid_identifier)
324
+ DiscoveryManager.new(@session, openid_identifier, @session_key_prefix)
325
+ end
326
+
327
+ def cleanup_session
328
+ discovery_manager(nil).cleanup(true)
329
+ end
330
+
331
+
332
+ def discover(identifier)
333
+ OpenID.discover(identifier)
334
+ end
335
+
336
+ def negotiator
337
+ DefaultNegotiator
338
+ end
339
+
340
+ def association_manager(service)
341
+ AssociationManager.new(@store, service.server_url,
342
+ service.compatibility_mode, negotiator)
343
+ end
344
+
345
+ def handle_idres(message, current_url)
346
+ IdResHandler.new(message, current_url, @store, last_requested_endpoint)
347
+ end
348
+
349
+ def complete_invalid(message, unused_return_to)
350
+ mode = message.get_arg(OPENID_NS, 'mode', '<No mode set>')
351
+ return FailureResponse.new(last_requested_endpoint,
352
+ "Invalid openid.mode: #{mode}")
353
+ end
354
+
355
+ def complete_cancel(unused_message, unused_return_to)
356
+ return CancelResponse.new(last_requested_endpoint)
357
+ end
358
+
359
+ def complete_error(message, unused_return_to)
360
+ error = message.get_arg(OPENID_NS, 'error')
361
+ contact = message.get_arg(OPENID_NS, 'contact')
362
+ reference = message.get_arg(OPENID_NS, 'reference')
363
+
364
+ return FailureResponse.new(last_requested_endpoint,
365
+ error, contact, reference)
366
+ end
367
+
368
+ def complete_setup_needed(message, unused_return_to)
369
+ if message.is_openid1
370
+ return complete_invalid(message, nil)
371
+ else
372
+ setup_url = message.get_arg(OPENID2_NS, 'user_setup_url')
373
+ return SetupNeededResponse.new(last_requested_endpoint, setup_url)
374
+ end
375
+ end
376
+
377
+ def complete_id_res(message, current_url)
378
+ if message.is_openid1
379
+ setup_url = message.get_arg(OPENID_NS, 'user_setup_url')
380
+ if !setup_url.nil?
381
+ return SetupNeededResponse.new(last_requested_endpoint, setup_url)
382
+ end
383
+ end
384
+
385
+ begin
386
+ idres = handle_idres(message, current_url)
387
+ rescue OpenIDError => why
388
+ return FailureResponse.new(last_requested_endpoint, why.message)
389
+ else
390
+ return SuccessResponse.new(idres.endpoint, message,
391
+ idres.signed_fields)
392
+ end
393
+ end
394
+ end
395
+ end
@@ -0,0 +1,97 @@
1
+ require "openid/util"
2
+ require "digest/sha1"
3
+ require "digest/sha2"
4
+ begin
5
+ require "digest/hmac"
6
+ rescue LoadError
7
+ require "hmac/sha1"
8
+ require "hmac/sha2"
9
+ end
10
+
11
+ module OpenID
12
+ # This module contains everything needed to perform low-level
13
+ # cryptograph and data manipulation tasks.
14
+ module CryptUtil
15
+
16
+ # Generate a random number, doing a little extra work to make it
17
+ # more likely that it's suitable for cryptography. If your system
18
+ # doesn't have /dev/urandom then this number is not
19
+ # cryptographically safe. See
20
+ # <http://www.cosine.org/2007/08/07/security-ruby-kernel-rand/>
21
+ # for more information. max is the largest possible value of such
22
+ # a random number, where the result will be less than max.
23
+ def CryptUtil.rand(max)
24
+ Kernel.srand()
25
+ return Kernel.rand(max)
26
+ end
27
+
28
+ def CryptUtil.sha1(text)
29
+ return Digest::SHA1.digest(text)
30
+ end
31
+
32
+ def CryptUtil.hmac_sha1(key, text)
33
+ if Digest.const_defined? :HMAC
34
+ Digest::HMAC.new(key,Digest::SHA1).update(text).digest
35
+ else
36
+ return HMAC::SHA1.digest(key, text)
37
+ end
38
+ end
39
+
40
+ def CryptUtil.sha256(text)
41
+ return Digest::SHA256.digest(text)
42
+ end
43
+
44
+ def CryptUtil.hmac_sha256(key, text)
45
+ if Digest.const_defined? :HMAC
46
+ Digest::HMAC.new(key,Digest::SHA256).update(text).digest
47
+ else
48
+ return HMAC::SHA256.digest(key, text)
49
+ end
50
+ end
51
+
52
+ # Generate a random string of the given length, composed of the
53
+ # specified characters. If chars is nil, generate a string
54
+ # composed of characters in the range 0..255.
55
+ def CryptUtil.random_string(length, chars=nil)
56
+ s = ""
57
+
58
+ unless chars.nil?
59
+ length.times { s << chars[rand(chars.length)] }
60
+ else
61
+ length.times { s << rand(256).chr }
62
+ end
63
+ return s
64
+ end
65
+
66
+ # Convert a number to its binary representation; return a string
67
+ # of bytes.
68
+ def CryptUtil.num_to_binary(n)
69
+ bits = n.to_s(2)
70
+ prepend = (8 - bits.length % 8)
71
+ bits = ('0' * prepend) + bits
72
+ return [bits].pack('B*')
73
+ end
74
+
75
+ # Convert a string of bytes into a number.
76
+ def CryptUtil.binary_to_num(s)
77
+ # taken from openid-ruby 0.0.1
78
+ s = "\000" * (4 - (s.length % 4)) + s
79
+ num = 0
80
+ s.unpack('N*').each do |x|
81
+ num <<= 32
82
+ num |= x
83
+ end
84
+ return num
85
+ end
86
+
87
+ # Encode a number as a base64-encoded byte string.
88
+ def CryptUtil.num_to_base64(l)
89
+ return OpenID::Util.to_base64(num_to_binary(l))
90
+ end
91
+
92
+ # Decode a base64 byte string to a number.
93
+ def CryptUtil.base64_to_num(s)
94
+ return binary_to_num(OpenID::Util.from_base64(s))
95
+ end
96
+ end
97
+ end