pelle-ruby-openid 2.1.8

data/UPGRADE

@@ -0,0 +1,127 @@
+= Upgrading from the OpenID 1.x series library
+
+== Consumer Upgrade
+
+The flow is largely the same, however there are a number of significant 
+changes.  The consumer example is helpful to look at:
+examples/rails_openid/app/controllers/consumer_controller.rb
+
+
+=== Stores
+
+You will need to require the file for the store that you are using.
+For the filesystem store, this is 'openid/stores/filesystem'
+They are also now in modules.  The filesystem store is 
+  OpenID::Store::Filesystem
+The format has changed, and you should remove your old store directory.
+
+The ActiveRecord store ( examples/active_record_openid_store ) still needs
+to be put in a plugin directory for your rails app.  There's a migration
+that needs to be run; examine the README in that directory.
+
+Also, note that the stores now can be garbage collected with the method
+  store.cleanup
+
+
+=== Starting the OpenID transaction
+
+The OpenIDRequest object no longer has status codes.  Instead,
+consumer.begin raises an OpenID::OpenIDError if there is a problem
+initiating the transaction, so you'll want something along the lines of:
+
+  begin
+    openid_request = consumer.begin(params[:openid_identifier])
+  rescue OpenID::OpenIDError => e
+    # display error e
+    return
+  end
+  #success case
+
+Data regarding the OpenID server once lived in
+  openid_request.service
+
+The corresponding object in the 2.0 lib can be retrieved with
+  openid_request.endpoint
+
+Getting the unverified identifier: Where you once had
+  openid_request.identity_url
+you will now want
+  openid_request.endpoint.claimed_id
+which might be different from what you get at the end of the transaction,
+since it is now possible for users to enter their server's url directly.
+
+Arguments on the return_to URL are now verified, so if you want to add
+additional arguments to the return_to url, use
+  openid_request.return_to_args['param'] = value
+
+Generating the redirect is the same as before, but add any extensions
+first.
+
+If you need to set up an SSL certificate authority list for the fetcher,
+use the 'ca_file' attr_accessor on the OpenID::StandardFetcher.  This has
+changed from 'ca_path' in the 1.x.x series library.  That is, set
+OpenID.fetcher.ca_file = '/path/to/ca.list'
+before calling consumer.begin.
+
+=== Requesting Simple Registration Data
+
+You'll need to require the code for the extension
+  require 'openid/extensions/sreg'
+
+The new code for adding an SReg request now looks like:
+
+  sreg_request = OpenID::SReg::Request.new
+  sreg_request.request_fields(['email', 'dob'], true) # required
+  sreg_request.request_fields(['nickname', 'fullname'], false) # optional
+  sreg_request.policy_url = policy_url
+  openid_request.add_extension(sreg_request)
+
+The code for adding other extensions is similar.  Code for the Attribute
+Exchange (AX) and Provider Authentication Policy Extension (PAPE) are
+included with the library, and additional extensions can be implemented
+subclassing OpenID::Extension.
+
+
+=== Completing the transaction
+
+The return_to and its arguments are verified, so you need to pass in
+the base URL and the arguments.  With Rails, the params method mashes
+together parameters from GET, POST, and the path, so you'll need to pull
+off the path "parameters" with something like
+
+  return_to = url_for(:only_path => false, 
+                      :controller => 'openid',
+                      :action => 'complete')
+  parameters = params.reject{|k,v| request.path_parameters[k] }
+  openid_response = consumer.complete(parameters, return_to)
+
+The response still uses the status codes, but they are now namespaced
+slightly differently, for example OpenID::Consumer::SUCCESS
+
+In the case of failure, the error message is now found in
+  openid_response.message
+
+The identifier to display to the user can be found in
+  openid_response.endpoint.display_identifier
+
+The Simple Registration response can be read from the OpenID response
+with
+  sreg_response = OpenID::SReg::Response.from_success_response(openid_response)
+  nickname = sreg_response['nickname']
+  # etc.
+
+
+== Server Upgrade
+
+The server code is mostly the same as before, with the exception of
+extensions.  Also, you must pass in the endpoint URL to the server 
+constructor:
+  @server = OpenID::Server.new(store, server_url)
+
+I recommend looking at 
+examples/rails_openid/app/controllers/server_controller.rb
+for an example of the new way of doing extensions.
+
+--
+Dag Arneson, JanRain Inc.
+Please direct questions to openid@janrain.com

data/VERSION

@@ -0,0 +1 @@
+2.1.8

data/examples/README

@@ -0,0 +1,32 @@
+This directory contains several examples that demonstrate use of the
+OpenID library.  Make sure you have properly installed the library
+before running the examples.  These examples are a great place to
+start in integrating OpenID into your application.
+
+==Rails example
+
+The rails_openid contains a fully functional OpenID server and relying
+party, and acts as a starting point for implementing your own
+production rails server.  You'll need the latest version of Ruby on
+Rails installed, and then:
+
+ cd rails_openid
+ ./script/server
+
+Open a web browser to http://localhost:3000/ and follow the instructions.
+
+The relevant code to work from when writing your Rails OpenID Relying
+Party is: 
+  rails_openid/app/controllers/consumer_controller.rb
+If you are working on an OpenID provider, check out
+  rails_openid/app/controllers/server_controller.rb
+
+Since the library and examples are Apache-licensed, don't be shy about 
+copy-and-paste.
+
+==Rails ActiveRecord OpenIDStore plugin
+
+For various reasons you may want or need to deploy your ruby openid
+consumer/server using an SQL based store.  The active_record_openid_store 
+is a plugin that makes using an SQL based store simple.  Follow the
+README inside the plugin's dir for usage.

data/examples/active_record_openid_store/README

@@ -0,0 +1,58 @@
+=Active Record OpenID Store Plugin
+
+A store is required by an OpenID server and optionally by the consumer
+to store associations, nonces, and auth key information across
+requests and processes.  If rails is distributed across several
+machines, they must must all have access to the same OpenID store
+data, so the FilesystemStore won't do.
+
+This directory contains a plugin for connecting your
+OpenID enabled rails app to an ActiveRecord based OpenID store.
+
+==Install
+
+1) Copy this directory and all it's contents into your
+RAILS_ROOT/vendor/plugins directory.  You structure should look like
+this:
+
+  RAILS_ROOT/vendor/plugins/active_record_openid_store/
+
+2) Copy the migration, XXX_add_open_id_store_to_db.rb to your
+   RAILS_ROOT/db/migrate directory.  Rename the XXX portion of the
+   file to next sequential migration number.
+
+3) Run the migration:
+
+  rake migrate
+
+4) Change your app to use the ActiveRecordOpenIDStore:
+
+  store = ActiveRecordOpenIDStore.new
+  consumer = OpenID::Consumer.new(session, store)
+
+5) That's it! All your OpenID state will now be stored in the database.
+
+==Upgrade
+
+If you are upgrading from the 1.x ActiveRecord store, replace your old
+RAILS_ROOT/vendor/plugins/active_record_openid_store/ directory with
+the new one and run the migration XXX_upgrade_open_id_store.rb.
+
+==What about garbage collection? 
+
+You may garbage collect unused nonces and expired associations using
+the gc instance method of ActiveRecordOpenIDStore.  Hook it up to a
+task in your app's Rakefile like so:
+
+  desc 'GC OpenID store'
+  task :gc_openid_store => :environment do
+    ActiveRecordOpenIDStore.new.cleanup
+  end
+
+Run it by typing:
+
+  rake gc_openid_store
+
+
+==Questions?
+Contact Dag Arneson: dag at janrain dot com

data/examples/active_record_openid_store/XXX_add_open_id_store_to_db.rb

@@ -0,0 +1,24 @@
+# Use this migration to create the tables for the ActiveRecord store
+class AddOpenIdStoreToDb < ActiveRecord::Migration
+  def self.up
+    create_table "open_id_associations", :force => true do |t|
+      t.column "server_url", :binary, :null => false
+      t.column "handle", :string, :null => false
+      t.column "secret", :binary, :null => false
+      t.column "issued", :integer, :null => false
+      t.column "lifetime", :integer, :null => false
+      t.column "assoc_type", :string, :null => false
+    end
+
+    create_table "open_id_nonces", :force => true do |t|
+      t.column :server_url, :string, :null => false
+      t.column :timestamp, :integer, :null => false
+      t.column :salt, :string, :null => false
+    end
+  end
+
+  def self.down
+    drop_table "open_id_associations"
+    drop_table "open_id_nonces"
+  end
+end

data/examples/active_record_openid_store/XXX_upgrade_open_id_store.rb

@@ -0,0 +1,26 @@
+# Use this migration to upgrade the old 1.1 ActiveRecord store schema
+# to the new 2.0 schema.
+class UpgradeOpenIdStore < ActiveRecord::Migration
+  def self.up
+    drop_table "open_id_settings"
+    drop_table "open_id_nonces"
+    create_table "open_id_nonces", :force => true do |t|
+      t.column :server_url, :string, :null => false
+      t.column :timestamp, :integer, :null => false
+      t.column :salt, :string, :null => false
+    end
+  end
+
+  def self.down
+    drop_table "open_id_nonces"
+    create_table "open_id_nonces", :force => true do |t|
+      t.column "nonce", :string
+      t.column "created", :integer
+    end
+
+    create_table "open_id_settings", :force => true do |t|
+      t.column "setting", :string
+      t.column "value", :binary
+    end
+  end
+end

data/examples/active_record_openid_store/init.rb

@@ -0,0 +1,8 @@
+# might using the ruby-openid gem
+begin
+  require 'rubygems'
+rescue LoadError
+  nil
+end
+require 'openid'
+require 'openid_ar_store'

data/examples/active_record_openid_store/lib/association.rb

@@ -0,0 +1,10 @@
+require 'openid/association'
+require 'time'
+
+class Association < ActiveRecord::Base
+  set_table_name 'open_id_associations'
+  def from_record
+    OpenID::Association.new(handle, secret, Time.at(issued), lifetime, assoc_type)
+  end
+end
+

data/examples/active_record_openid_store/lib/nonce.rb

@@ -0,0 +1,3 @@
+class Nonce < ActiveRecord::Base
+  set_table_name 'open_id_nonces'
+end

data/examples/active_record_openid_store/lib/open_id_setting.rb

@@ -0,0 +1,4 @@
+class OpenIdSetting < ActiveRecord::Base
+  
+  validates_uniqueness_of :setting
+end

data/examples/active_record_openid_store/lib/openid_ar_store.rb

@@ -0,0 +1,57 @@
+require 'association'
+require 'nonce'
+require 'openid/store/interface'
+
+# not in OpenID module to avoid namespace conflict
+class ActiveRecordStore < OpenID::Store::Interface
+  def store_association(server_url, assoc)
+    remove_association(server_url, assoc.handle)    
+    Association.create!(:server_url => server_url,
+                       :handle     => assoc.handle,
+                       :secret     => assoc.secret,
+                       :issued     => assoc.issued.to_i,
+                       :lifetime   => assoc.lifetime,
+                       :assoc_type => assoc.assoc_type)
+  end
+
+  def get_association(server_url, handle=nil)
+    assocs = if handle.blank?
+        Association.find_all_by_server_url(server_url)
+      else
+        Association.find_all_by_server_url_and_handle(server_url, handle)
+      end
+
+    assocs.reverse.each do |assoc|
+      a = assoc.from_record    
+      if a.expires_in == 0
+        assoc.destroy
+      else
+        return a
+      end
+    end if assocs.any?
+    
+    return nil
+  end
+  
+  def remove_association(server_url, handle)
+    Association.delete_all(['server_url = ? AND handle = ?', server_url, handle]) > 0
+  end
+  
+  def use_nonce(server_url, timestamp, salt)
+    return false if Nonce.find_by_server_url_and_timestamp_and_salt(server_url, timestamp, salt)
+    return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
+    Nonce.create!(:server_url => server_url, :timestamp => timestamp, :salt => salt)
+    return true
+  end
+  
+  def cleanup_nonces
+    now = Time.now.to_i
+    Nonce.delete_all(["timestamp > ? OR timestamp < ?", now + OpenID::Nonce.skew, now - OpenID::Nonce.skew])
+  end
+
+  def cleanup_associations
+    now = Time.now.to_i
+    Association.delete_all(['issued + lifetime > ?',now])
+  end
+
+end

data/examples/active_record_openid_store/test/store_test.rb

@@ -0,0 +1,212 @@
+$:.unshift(File.dirname(__FILE__) + '/../lib')
+require 'test/unit'
+RAILS_ENV = "test"
+require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb'))
+
+module StoreTestCase
+  @@allowed_handle = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
+  @@allowed_nonce = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  
+  def _gen_nonce
+    OpenID::CryptUtil.random_string(8, @@allowed_nonce)
+  end
+
+  def _gen_handle(n)
+    OpenID::CryptUtil.random_string(n, @@allowed_handle)
+  end
+
+  def _gen_secret(n, chars=nil)
+    OpenID::CryptUtil.random_string(n, chars)
+  end
+
+  def _gen_assoc(issued, lifetime=600)
+    secret = _gen_secret(20)
+    handle = _gen_handle(128)
+    OpenID::Association.new(handle, secret, Time.now + issued, lifetime,
+                            'HMAC-SHA1') 
+  end
+  
+  def _check_retrieve(url, handle=nil, expected=nil)
+    ret_assoc = @store.get_association(url, handle)
+
+    if expected.nil?
+      assert_nil(ret_assoc)
+    else
+      assert_equal(expected, ret_assoc)
+      assert_equal(expected.handle, ret_assoc.handle)
+      assert_equal(expected.secret, ret_assoc.secret)
+    end
+  end
+
+  def _check_remove(url, handle, expected)
+    present = @store.remove_association(url, handle)
+    assert_equal(expected, present)
+  end
+
+  def test_store
+    server_url = "http://www.myopenid.com/openid"
+    assoc = _gen_assoc(issued=0)
+
+    # Make sure that a missing association returns no result
+    _check_retrieve(server_url)
+
+    # Check that after storage, getting returns the same result
+    @store.store_association(server_url, assoc)
+    _check_retrieve(server_url, nil, assoc)
+
+    # more than once
+    _check_retrieve(server_url, nil, assoc)
+
+    # Storing more than once has no ill effect
+    @store.store_association(server_url, assoc)
+    _check_retrieve(server_url, nil, assoc)
+
+    # Removing an association that does not exist returns not present
+    _check_remove(server_url, assoc.handle + 'x', false)
+
+    # Removing an association that does not exist returns not present
+    _check_remove(server_url + 'x', assoc.handle, false)
+
+    # Removing an association that is present returns present
+    _check_remove(server_url, assoc.handle, true)
+
+    # but not present on subsequent calls
+    _check_remove(server_url, assoc.handle, false)
+
+    # Put assoc back in the store
+    @store.store_association(server_url, assoc)
+
+    # More recent and expires after assoc
+    assoc2 = _gen_assoc(issued=1)
+    @store.store_association(server_url, assoc2)
+
+    # After storing an association with a different handle, but the
+    # same server_url, the handle with the later expiration is returned.
+    _check_retrieve(server_url, nil, assoc2)
+
+    # We can still retrieve the older association
+    _check_retrieve(server_url, assoc.handle, assoc)
+
+    # Plus we can retrieve the association with the later expiration
+    # explicitly
+    _check_retrieve(server_url, assoc2.handle, assoc2)
+
+    # More recent, and expires earlier than assoc2 or assoc. Make sure
+    # that we're picking the one with the latest issued date and not
+    # taking into account the expiration.
+    assoc3 = _gen_assoc(issued=2, lifetime=100)
+    @store.store_association(server_url, assoc3)
+
+    _check_retrieve(server_url, nil, assoc3)
+    _check_retrieve(server_url, assoc.handle, assoc)
+    _check_retrieve(server_url, assoc2.handle, assoc2)
+    _check_retrieve(server_url, assoc3.handle, assoc3)
+
+    _check_remove(server_url, assoc2.handle, true)
+
+    _check_retrieve(server_url, nil, assoc3)
+    _check_retrieve(server_url, assoc.handle, assoc)
+    _check_retrieve(server_url, assoc2.handle, nil)
+    _check_retrieve(server_url, assoc3.handle, assoc3)
+
+    _check_remove(server_url, assoc2.handle, false)
+    _check_remove(server_url, assoc3.handle, true)
+
+    _check_retrieve(server_url, nil, assoc)
+    _check_retrieve(server_url, assoc.handle, assoc)
+    _check_retrieve(server_url, assoc2.handle, nil)
+    _check_retrieve(server_url, assoc3.handle, nil)
+
+    _check_remove(server_url, assoc2.handle, false)
+    _check_remove(server_url, assoc.handle, true)
+    _check_remove(server_url, assoc3.handle, false)
+
+    _check_retrieve(server_url, nil, nil)
+    _check_retrieve(server_url, assoc.handle, nil)
+    _check_retrieve(server_url, assoc2.handle, nil)
+    _check_retrieve(server_url, assoc3.handle, nil)
+
+    _check_remove(server_url, assoc2.handle, false)
+    _check_remove(server_url, assoc.handle, false)
+    _check_remove(server_url, assoc3.handle, false)
+
+    assocValid1 = _gen_assoc(-3600, 7200)
+    assocValid2 = _gen_assoc(-5)
+    assocExpired1 = _gen_assoc(-7200, 3600)
+    assocExpired2 = _gen_assoc(-7200, 3600)
+
+    @store.cleanup_associations
+    @store.store_association(server_url + '1', assocValid1)
+    @store.store_association(server_url + '1', assocExpired1)
+    @store.store_association(server_url + '2', assocExpired2)
+    @store.store_association(server_url + '3', assocValid2)
+
+    cleaned = @store.cleanup_associations()
+    assert_equal(2, cleaned, "cleaned up associations")
+  end
+
+  def _check_use_nonce(nonce, expected, server_url, msg='')
+    stamp, salt = OpenID::Nonce::split_nonce(nonce)
+    actual = @store.use_nonce(server_url, stamp, salt)
+    assert_equal(expected, actual, msg)
+  end
+
+  def test_nonce
+    server_url = "http://www.myopenid.com/openid"
+    [server_url, ''].each{|url|
+      nonce1 = OpenID::Nonce::mk_nonce
+
+      _check_use_nonce(nonce1, true, url, "#{url}: nonce allowed by default") 
+      _check_use_nonce(nonce1, false, url, "#{url}: nonce not allowed twice") 
+      _check_use_nonce(nonce1, false, url, "#{url}: nonce not allowed third time")
+      
+      # old nonces shouldn't pass
+      old_nonce = OpenID::Nonce::mk_nonce(3600)
+      _check_use_nonce(old_nonce, false, url, "Old nonce #{old_nonce.inspect} passed")
+
+    }
+
+    now = Time.now.to_i
+    old_nonce1 = OpenID::Nonce::mk_nonce(now - 20000)
+    old_nonce2 = OpenID::Nonce::mk_nonce(now - 10000)
+    recent_nonce = OpenID::Nonce::mk_nonce(now - 600)
+
+    orig_skew = OpenID::Nonce.skew
+    OpenID::Nonce.skew = 0
+    count = @store.cleanup_nonces
+    OpenID::Nonce.skew = 1000000
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce1)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce1")
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce2)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce2")
+    ts, salt = OpenID::Nonce::split_nonce(recent_nonce)
+    assert(@store.use_nonce(server_url, ts, salt), "recent_nonce")
+
+    
+    OpenID::Nonce.skew = 1000
+    cleaned = @store.cleanup_nonces
+    assert_equal(2, cleaned, "Cleaned #{cleaned} nonces")
+
+    OpenID::Nonce.skew = 100000
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce1)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce1 after cleanup")
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce2)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce2 after cleanup")
+    ts, salt = OpenID::Nonce::split_nonce(recent_nonce)
+    assert(!@store.use_nonce(server_url, ts, salt), "recent_nonce after cleanup")
+
+    OpenID::Nonce.skew = orig_skew
+
+  end
+end
+
+
+class TestARStore < Test::Unit::TestCase
+  include StoreTestCase
+  
+  def setup
+    @store = ActiveRecordStore.new
+  end
+
+end
+

data/examples/discover

@@ -0,0 +1,49 @@
+#!/usr/bin/env ruby
+require "openid/consumer/discovery"
+require 'openid/fetchers'
+
+OpenID::fetcher_use_env_http_proxy
+
+$names = [[:server_url,   "Server URL  "],
+          [:local_id,     "Local ID    "],
+          [:canonical_id, "Canonical ID"],
+         ]
+
+def show_services(user_input, normalized, services)
+  puts " Claimed identifier: #{normalized}"
+  if services.empty?
+    puts " No OpenID services found"
+    puts
+  else
+    puts " Discovered services:"
+    n = 0
+    services.each do |service|
+      n += 1
+      puts "  #{n}."
+      $names.each do |meth, name|
+        val = service.send(meth)
+        if val
+          printf("     %s: %s\n", name, val)
+        end
+      end
+      puts "     Type URIs:"
+      for type_uri in service.type_uris
+        puts "       * #{type_uri}"
+      end
+      puts
+    end
+  end
+end
+
+ARGV.each do |openid_identifier|
+  puts "=" * 50
+  puts "Running discovery on #{openid_identifier}"
+  begin
+    normalized_identifier, services = OpenID.discover(openid_identifier)
+  rescue OpenID::DiscoveryFailure => why
+    puts "Discovery failed: #{why.message}"
+    puts
+  else
+    show_services(openid_identifier, normalized_identifier, services)
+  end
+end