rack-openid 1.4.1 → 1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: baa6d79858863be57b086b541ab63c6c972c3af8
-  data.tar.gz: 08e650720bbe74a979a1124a6c92067d9a7aece2
+  metadata.gz: c25038647dc3ed708897688b6336ffa0d4a298a2
+  data.tar.gz: bb5cc2437c6979083f5dedec5dd4c6bb6a37eca5
 SHA512:
-  metadata.gz: 17e508ee39e107a0a789b33dabfe7853f7ac4ade8404b3c8c459ac8c6a6477c05395bc093870184e858299d3ce3a999a171673f9f891956a289e9089482f9e6e
-  data.tar.gz: c9aead4288a53e7f65d2bc1e9a40d2b2e30f8e61879b69c9c3900e83ff78216ad66f31a20815ceac39ac400e6b651263e21858d679731afbe4f693c86f244973
+  metadata.gz: d2c192c7751774d1aa30d16bcd1fcba79524e2dde8e45a1fc0a2fc169718edd8b77cfaec9a9f547c76900ff0b6462a201974eb6e937ceddfe93518171b4b62a9
+  data.tar.gz: f43611ced6314d3f718c1628010ef7bd7dbf6d57fb2be452f6a51e0e3e4ec7fcd9ac6c7f5078be893715534eade01dea44979425366ff8bdc148d9bac0b94f53

data/lib/rack/openid.rb

@@ -8,7 +8,7 @@ require 'openid/extensions/ax'
 require 'openid/extensions/oauth'
 require 'openid/extensions/pape'
 
-module Rack #:nodoc:
+module Rack
   # A Rack middleware that provides a more HTTPish API around the
   # ruby-openid library.
   #
@@ -17,7 +17,7 @@ module Rack #:nodoc:
   # header with the identifier you would like to validate.
   #
   # On competition, the OpenID response is automatically verified and
-  # assigned to <tt>env["rack.openid.response"]</tt>.
+  # assigned to env["rack.openid.response"].
   class OpenID
     # Helper method for building the "WWW-Authenticate" header value.
     #
@@ -53,18 +53,16 @@ module Rack #:nodoc:
       params
     end
 
-    class TimeoutResponse #:nodoc:
+    class TimeoutResponse
       include ::OpenID::Consumer::Response
       STATUS = :failure
     end
 
-    class MissingResponse #:nodoc:
+    class MissingResponse
       include ::OpenID::Consumer::Response
       STATUS = :missing
     end
 
-    # :stopdoc:
-
     HTTP_METHODS = %w(GET HEAD PUT POST DELETE OPTIONS)
 
     RESPONSE = "rack.openid.response"
@@ -73,8 +71,6 @@ module Rack #:nodoc:
 
     URL_FIELD_SELECTOR = lambda { |field| field.to_s =~ %r{^https?://} }
 
-    # :startdoc:
-
     # Initialize middleware with application and optional OpenID::Store.
     # If no store is given, OpenID::Store::Memory is used.
     #
@@ -89,9 +85,12 @@ module Rack #:nodoc:
     end
 
     # Standard Rack +call+ dispatch that accepts an +env+ and
-    # returns a <tt>[status, header, body]</tt> response.
+    # returns a [status, header, body] response.
     def call(env)
       req = Rack::Request.new(env)
+
+      sanitize_params!(req.params)
+
       if req.params["openid.mode"]
         complete_authentication(env)
       end
@@ -107,198 +106,204 @@ module Rack #:nodoc:
     end
 
     private
-      def begin_authentication(env, qs)
-        req = Rack::Request.new(env)
-        params = self.class.parse_header(qs)
-        session = env["rack.session"]
 
-        unless session
-          raise RuntimeError, "Rack::OpenID requires a session"
-        end
-
-        consumer   = ::OpenID::Consumer.new(session, @store)
-        identifier = params['identifier'] || params['identity']
-
-        begin
-          oidreq = consumer.begin(identifier)
-          add_simple_registration_fields(oidreq, params)
-          add_attribute_exchange_fields(oidreq, params)
-          add_oauth_fields(oidreq, params)
-          add_pape_fields(oidreq, params)
-
-          url = open_id_redirect_url(req, oidreq, params)
-          return redirect_to(url)
-        rescue ::OpenID::OpenIDError, Timeout::Error => e
-          env[RESPONSE] = MissingResponse.new
-          return @app.call(env)
-        end
+    def sanitize_params!(params)
+      ['openid.sig', 'openid.response_nonce'].each do |param|
+        (params[param] || '').gsub!(' ', '+')
       end
+    end
 
-      def complete_authentication(env)
-        req = Rack::Request.new(env)
-        session = env["rack.session"]
-
-        unless session
-          raise RuntimeError, "Rack::OpenID requires a session"
-        end
+    def begin_authentication(env, qs)
+      req = Rack::Request.new(env)
+      params = self.class.parse_header(qs)
+      session = env["rack.session"]
 
-        oidresp = timeout_protection_from_identity_server {
-          consumer = ::OpenID::Consumer.new(session, @store)
-          consumer.complete(flatten_params(req.params), req.url)
-        }
+      unless session
+        raise RuntimeError, "Rack::OpenID requires a session"
+      end
 
-        env[RESPONSE] = oidresp
+      consumer   = ::OpenID::Consumer.new(session, @store)
+      identifier = params['identifier'] || params['identity']
+
+      begin
+        oidreq = consumer.begin(identifier)
+        add_simple_registration_fields(oidreq, params)
+        add_attribute_exchange_fields(oidreq, params)
+        add_oauth_fields(oidreq, params)
+        add_pape_fields(oidreq, params)
+
+        url = open_id_redirect_url(req, oidreq, params)
+        return redirect_to(url)
+      rescue ::OpenID::OpenIDError, Timeout::Error => e
+        env[RESPONSE] = MissingResponse.new
+        return @app.call(env)
+      end
+    end
 
-        method = req.GET["_method"]
-        override_request_method(env, method)
+    def complete_authentication(env)
+      req = Rack::Request.new(env)
+      session = env["rack.session"]
 
-        sanitize_query_string(env)
+      unless session
+        raise RuntimeError, "Rack::OpenID requires a session"
       end
 
-      def flatten_params(params)
-        Rack::Utils.parse_query(Rack::Utils.build_nested_query(params))
-      end
+      oidresp = timeout_protection_from_identity_server {
+        consumer = ::OpenID::Consumer.new(session, @store)
+        consumer.complete(flatten_params(req.params), req.url)
+      }
 
-      def override_request_method(env, method)
-        return unless method
-        method = method.upcase
-        if HTTP_METHODS.include?(method)
-          env["REQUEST_METHOD"] = method
-        end
-      end
+      env[RESPONSE] = oidresp
 
-      def sanitize_query_string(env)
-        query_hash = env["rack.request.query_hash"]
-        query_hash.delete("_method")
-        query_hash.delete_if do |key, value|
-          key =~ /^openid\./
-        end
+      method = req.GET["_method"]
+      override_request_method(env, method)
+
+      sanitize_query_string(env)
+    end
 
-        env["QUERY_STRING"] = env["rack.request.query_string"] =
-          Rack::Utils.build_query(env["rack.request.query_hash"])
+    def flatten_params(params)
+      Rack::Utils.parse_query(Rack::Utils.build_nested_query(params))
+    end
 
-        qs = env["QUERY_STRING"]
-        request_uri = (env["PATH_INFO"] || "").dup
-        request_uri << "?" + qs unless qs == ""
-        env["REQUEST_URI"] = request_uri
+    def override_request_method(env, method)
+      return unless method
+      method = method.upcase
+      if HTTP_METHODS.include?(method)
+        env["REQUEST_METHOD"] = method
       end
+    end
 
-      def scheme_with_host_and_port(req, host = nil)
-        url = req.scheme + "://"
-        url << (host || req.host)
+    def sanitize_query_string(env)
+      query_hash = env["rack.request.query_hash"]
+      query_hash.delete("_method")
+      query_hash.delete_if do |key, value|
+        key =~ /^openid\./
+      end
 
-        scheme, port = req.scheme, req.port
-        if scheme == "https" && port != 443 ||
-            scheme == "http" && port != 80
-          url << ":#{port}"
-        end
+      env["QUERY_STRING"] = env["rack.request.query_string"] =
+        Rack::Utils.build_query(env["rack.request.query_hash"])
 
-        url
-      end
+      qs = env["QUERY_STRING"]
+      request_uri = (env["PATH_INFO"] || "").dup
+      request_uri << "?" + qs unless qs == ""
+      env["REQUEST_URI"] = request_uri
+    end
 
-      def realm(req, domain = nil)
-        if domain
-          scheme_with_host_and_port(req, domain)
-        else
-          scheme_with_host_and_port(req)
-        end
+    def scheme_with_host_and_port(req, host = nil)
+      url = req.scheme + "://"
+      url << (host || req.host)
 
+      scheme, port = req.scheme, req.port
+      if scheme == "https" && port != 443 ||
+          scheme == "http" && port != 80
+        url << ":#{port}"
       end
 
-      def request_url(req)
-        url = scheme_with_host_and_port(req)
-        url << req.script_name
-        url << req.path_info
-        url << "?#{req.query_string}" if req.query_string.to_s.length > 0
-        url
-      end
+      url
+    end
 
-      def redirect_to(url)
-        [303, {"Content-Type" => "text/html", "Location" => url}, []]
+    def realm(req, domain = nil)
+      if domain
+        scheme_with_host_and_port(req, domain)
+      else
+        scheme_with_host_and_port(req)
       end
 
-      def open_id_redirect_url(req, oidreq, options)
-        trust_root = options["trust_root"]
-        return_to  = options["return_to"]
-        method     = options["method"]
-        immediate  = options["immediate"] == "true"
+    end
+
+    def request_url(req)
+      url = scheme_with_host_and_port(req)
+      url << req.script_name
+      url << req.path_info
+      url << "?#{req.query_string}" if req.query_string.to_s.length > 0
+      url
+    end
 
-        realm       = realm(req, options["realm_domain"])
-        request_url = request_url(req)
+    def redirect_to(url)
+      [303, {"Content-Type" => "text/html", "Location" => url}, []]
+    end
 
-        if return_to
-          method ||= "get"
-        else
-          return_to = request_url
-          method ||= req.request_method
-        end
+    def open_id_redirect_url(req, oidreq, options)
+      trust_root = options["trust_root"]
+      return_to  = options["return_to"]
+      method     = options["method"]
+      immediate  = options["immediate"] == "true"
 
-        method = method.to_s.downcase
-        oidreq.return_to_args['_method'] = method unless method == "get"
-        oidreq.redirect_url(trust_root || realm, return_to || request_url, immediate)
-      end
+      realm       = realm(req, options["realm_domain"])
+      request_url = request_url(req)
 
-      def add_simple_registration_fields(oidreq, fields)
-        sregreq = ::OpenID::SReg::Request.new
+      if return_to
+        method ||= "get"
+      else
+        return_to = request_url
+        method ||= req.request_method
+      end
 
-        required = Array(fields['required']).reject(&URL_FIELD_SELECTOR)
-        sregreq.request_fields(required, true) if required.any?
+      method = method.to_s.downcase
+      oidreq.return_to_args['_method'] = method unless method == "get"
+      oidreq.redirect_url(trust_root || realm, return_to || request_url, immediate)
+    end
 
-        optional = Array(fields['optional']).reject(&URL_FIELD_SELECTOR)
-        sregreq.request_fields(optional, false) if optional.any?
+    def add_simple_registration_fields(oidreq, fields)
+      sregreq = ::OpenID::SReg::Request.new
 
-        policy_url = fields['policy_url']
-        sregreq.policy_url = policy_url if policy_url
+      required = Array(fields['required']).reject(&URL_FIELD_SELECTOR)
+      sregreq.request_fields(required, true) if required.any?
 
-        oidreq.add_extension(sregreq)
-      end
+      optional = Array(fields['optional']).reject(&URL_FIELD_SELECTOR)
+      sregreq.request_fields(optional, false) if optional.any?
 
-      def add_attribute_exchange_fields(oidreq, fields)
-        axreq = ::OpenID::AX::FetchRequest.new
+      policy_url = fields['policy_url']
+      sregreq.policy_url = policy_url if policy_url
 
-        required = Array(fields['required']).select(&URL_FIELD_SELECTOR)
-        optional = Array(fields['optional']).select(&URL_FIELD_SELECTOR)
+      oidreq.add_extension(sregreq)
+    end
 
-        if required.any? || optional.any?
-          required.each do |field|
-            axreq.add(::OpenID::AX::AttrInfo.new(field, nil, true))
-          end
+    def add_attribute_exchange_fields(oidreq, fields)
+      axreq = ::OpenID::AX::FetchRequest.new
 
-          optional.each do |field|
-            axreq.add(::OpenID::AX::AttrInfo.new(field, nil, false))
-          end
+      required = Array(fields['required']).select(&URL_FIELD_SELECTOR)
+      optional = Array(fields['optional']).select(&URL_FIELD_SELECTOR)
 
-          oidreq.add_extension(axreq)
+      if required.any? || optional.any?
+        required.each do |field|
+          axreq.add(::OpenID::AX::AttrInfo.new(field, nil, true))
         end
-      end
 
-      def add_oauth_fields(oidreq, fields)
-        if (consumer = fields['oauth[consumer]']) &&
-              (scope = fields['oauth[scope]'])
-          oauthreq = ::OpenID::OAuth::Request.new(consumer, Array(scope).join(' '))
-          oidreq.add_extension(oauthreq)
-        end
-      end
-      
-      def add_pape_fields(oidreq, fields)
-        preferred_auth_policies = fields['pape[preferred_auth_policies]']
-        max_auth_age = fields['pape[max_auth_age]']
-        if preferred_auth_policies || max_auth_age
-          preferred_auth_policies = preferred_auth_policies.split if preferred_auth_policies.is_a?(String)
-          pape_request = ::OpenID::PAPE::Request.new(preferred_auth_policies || [], max_auth_age)
-          oidreq.add_extension(pape_request)
+        optional.each do |field|
+          axreq.add(::OpenID::AX::AttrInfo.new(field, nil, false))
         end
+
+        oidreq.add_extension(axreq)
       end
+    end
 
-      def default_store
-        require 'openid/store/memory'
-        ::OpenID::Store::Memory.new
+    def add_oauth_fields(oidreq, fields)
+      if (consumer = fields['oauth[consumer]']) && (scope = fields['oauth[scope]'])
+        oauthreq = ::OpenID::OAuth::Request.new(consumer, Array(scope).join(' '))
+        oidreq.add_extension(oauthreq)
       end
+    end
 
-      def timeout_protection_from_identity_server
-        yield
-      rescue Timeout::Error
-        TimeoutResponse.new
+    def add_pape_fields(oidreq, fields)
+      preferred_auth_policies = fields['pape[preferred_auth_policies]']
+      max_auth_age = fields['pape[max_auth_age]']
+      if preferred_auth_policies || max_auth_age
+        preferred_auth_policies = preferred_auth_policies.split if preferred_auth_policies.is_a?(String)
+        pape_request = ::OpenID::PAPE::Request.new(preferred_auth_policies || [], max_auth_age)
+        oidreq.add_extension(pape_request)
       end
+    end
+
+    def default_store
+      require 'openid/store/memory'
+      ::OpenID::Store::Memory.new
+    end
+
+    def timeout_protection_from_identity_server
+      yield
+    rescue Timeout::Error
+      TimeoutResponse.new
+    end
   end
 end

data/lib/rack/openid/simple_auth.rb

@@ -1,7 +1,7 @@
 require 'rack/openid'
 require 'rack/request'
 
-module Rack #:nodoc:
+module Rack
   class OpenID
     # A simple OpenID middleware that restricts access to
     # a single identifier.
@@ -9,7 +9,7 @@ module Rack #:nodoc:
     #   use Rack::OpenID::SimpleAuth, "http://example.org"
     #
     # SimpleAuth will automatically insert the required Rack::OpenID
-    # middleware, so <tt>use Rack::OpenID</tt> is unnecessary.
+    # middleware, so use Rack::OpenID is unnecessary.
     class SimpleAuth
       def self.new(*args)
         Rack::OpenID.new(super)
@@ -34,44 +34,45 @@ module Rack #:nodoc:
       end
 
       private
-        def session(env)
-          env['rack.session'] || raise_session_error
-        end
 
-        def raise_session_error
-          raise RuntimeError, 'Rack::OpenID::SimpleAuth requires a session'
-        end
+      def session(env)
+        env['rack.session'] || raise_session_error
+      end
 
-        def session_authenticated?(env)
-          session(env)['authenticated'] == true
-        end
+      def raise_session_error
+        raise RuntimeError, 'Rack::OpenID::SimpleAuth requires a session'
+      end
 
-        def authenticate_session(env)
-          session(env)['authenticated'] = true
-        end
+      def session_authenticated?(env)
+        session(env)['authenticated'] == true
+      end
 
-        def successful_response?(env)
-          if resp = env[OpenID::RESPONSE]
-            resp.status == :success && resp.display_identifier == identifier
-          end
-        end
+      def authenticate_session(env)
+        session(env)['authenticated'] = true
+      end
 
-        def requested_url(env)
-          req = Rack::Request.new(env)
-          req.url
+      def successful_response?(env)
+        if resp = env[OpenID::RESPONSE]
+          resp.status == :success && resp.display_identifier == identifier
         end
+      end
 
-        def redirect_to(url)
-          [303, {'Content-Type' => 'text/html', 'Location' => url}, []]
-        end
+      def requested_url(env)
+        req = Rack::Request.new(env)
+        req.url
+      end
 
-        def authentication_request
-          [401, { OpenID::AUTHENTICATE_HEADER => www_authenticate_header }, []]
-        end
+      def redirect_to(url)
+        [303, {'Content-Type' => 'text/html', 'Location' => url}, []]
+      end
 
-        def www_authenticate_header
-          OpenID.build_header(:identifier => identifier)
-        end
+      def authentication_request
+        [401, { OpenID::AUTHENTICATE_HEADER => www_authenticate_header }, []]
+      end
+
+      def www_authenticate_header
+        OpenID.build_header(:identifier => identifier)
+      end
     end
   end
 end

data/lib/rack/openid/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class OpenID
-    VERSION = "1.4.1"
+    VERSION = "1.4.2"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-openid
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.4.2
 platform: ruby
 authors:
 - Michael Grosser
@@ -30,7 +30,7 @@ cert_chain:
   y0kCSWmK6D+x/SbfS6r7Ke07MRqziJdB9GuE1+0cIRuFh8EQ+LN6HXCKM5pon/GU
   ycwMXfl0
   -----END CERTIFICATE-----
-date: 2013-11-11 00:00:00.000000000 Z
+date: 2014-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -89,7 +89,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.6
+rubygems_version: 2.0.14
 signing_key: 
 specification_version: 4
 summary: Provides a more HTTPish API around the ruby-openid library