rack_my_openid 0.0.1

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/.rvmrc

@@ -0,0 +1 @@
+rvm use 1.9.3@rails_openid_server

data/Gemfile

@@ -0,0 +1,8 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in rack_my_openid.gemspec
+gemspec
+
+group :development do
+  gem 'rack-test', :git => 'git://github.com/brynary/rack-test.git'
+end

data/README.md

@@ -0,0 +1,68 @@
+# rack_my_openid - a one-user OpenID provider solution for rack
+
+So you have a Rack/Sinatra/Rails-powered blog and you want to make it an OpenID?
+
+Now you can do it in under 5 minutes.
+
+## Operation details
+
+Rack_my_openid is a simple, single-user OpenID provider inspired by (now deprecated) [phpMyId](http://siege.org/phpmyid.php). It uses 
+
+* [ruby-openid](https://github.com/openid/ruby-openid) for the protocol implementation;
+* simple Yaml files for storing configuration;
+* in-memory storage for authentication data;
+* HTTP Digest authentication for security;
+* Sinatra and Rack as the server backend.
+
+It's designed to be drop-in compatible with any Rails application, since implementing OpenID is a confusing exercise even with ruby-openid. I extracted it from my own site/blog and am continuing to use it there.
+
+It's fully covered by RSpec tests.
+
+See the [OpenID specs](http://openid.net/specs/openid-authentication-2_0.html) if you really want to understand how the whole thing works.
+
+## Installation - Rails 3
+
+* Add the `rack_my_openid` gem to your Gemfile
+* Add this to your routes:
+
+        openid_provider = RackMyOpenid::Provider.new(YAML.load_file('config/rack_my_openid.yml'))
+        match '/openid' => openid_provider 
+        match '/openid/*whatever' => openid_provider 
+
+    The `/openid` path can't be changed, as of this release.
+
+* Create a `config/rack_my_openid.yml` file (see below)
+* Restart your Rails app and you're good to go.
+* If you make any changes to the config you'll have to restart the app to pick them up.
+
+## Installation - Standalone
+
+This assumes that the OpenID is the root path.
+
+* Install the `rack_my_openid` gem.
+* Create a `config.ru` in your desired path with these contents:
+
+        require 'rack_my_openid'
+        run RackMyOpenid::Provider.new(YAML.load_file('rack_my_openid.yml'))
+
+* Create a `rack_my_openid.yml` file (see below) in the same path
+* Create empty `/public` and `/tmp` directories in the same path
+* Deploy with [Passenger](http://www.modrails.com/documentation/Users%20guide%20Nginx.html#deploying_a_rack_app), [Rackup](https://github.com/rack/rack/wiki/(tutorial)-rackup-howto) or whatever Rack handler you fancy. 
+
+## `rack_my_openid.yml`
+
+This is a simple flat Yaml file. The keys are symbols (as of this release).
+
+* `:credentials` - run `md5 -s 'yourusername:rack_my_openid:yourpassword'` (or replace rack_my_openid with your realm name if you changed it);
+* `:openid` - the actual OpenID identifier that you want to provide;
+* `:realm` - the realm for HTTP Digest auth. The default is `"rack_my_openid"`, why would you change it?
+* `:endpoint_url` - the URL of the OpenID endpoint (the one that's '/openid'). You shouldn't explicitly declare it
+
+## TODO
+
+* Support stores other than memory store
+* Support SReg data provision
+
+~ ~ ~
+
+(c) Leonid Shevtsov http://leonid.shevtsov.me

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/rack_my_openid/handler.rb

@@ -0,0 +1,89 @@
+require 'openid/server'
+require 'openid/store/memory'
+
+module RackMyOpenid
+  class Handler
+    class BadRequest < RuntimeError; end
+    class UntrustedRealm < RuntimeError
+      attr_reader :realm
+      def initialize(realm); @realm = realm; end
+      def message; "OpenID realm #{@realm} not trusted by user."; end
+    end
+
+    def initialize(options)
+      @options = options
+    end
+
+    def handle(params, session)
+      if request = openid_server.decode_request(params)
+        return openid_server.encode_response handle_openid_request(request, session)
+      else
+        raise BadRequest
+      end
+    end
+
+    def cancel(params)
+      if request = openid_server.decode_request(params)
+        return openid_server.encode_response cancel_check_id_request(request) 
+      else
+        raise BadRequest
+      end
+    end
+
+  private
+    
+    def openid_server
+      @openid_server ||= OpenID::Server::Server.new(@options[:endpoint_url], openid_store)
+    end
+
+    def openid_store
+      @openid_store ||= OpenID::Store::Memory 
+    end
+    
+    # Handle a valid OpenID request
+    #
+    # Requests are handled by the standard openid server,
+    # except the main one - which validates your OpenID.
+    # So we only have to handle a check_id request
+    def handle_openid_request(request, session)
+      case request
+      when OpenID::Server::CheckIDRequest
+        return handle_check_id_request(request, session)
+      else
+        return openid_server.handle_request(request)
+      end
+    end
+
+    def handle_check_id_request(request, session)
+      if request_provided_invalid_openid?(request)
+        return request.answer(false)
+      elsif trusted_realm?(request.realm, session)
+        return request.answer(true, nil, @options[:openid])
+      else
+        raise UntrustedRealm.new(request.realm)
+      end
+    end
+    
+    def cancel_check_id_request(request)
+      request.answer(false)
+    end
+
+    # Returns true if the request's claimed id is different from ours
+    # 
+    # OK, this is an 'inverted truth' method, but it
+    # seems appropriate since the opposite assertion isn't
+    # 'inverted' (request can either not pass an id or
+    # pass a valid id)
+    def request_provided_invalid_openid?(request)
+      !request.id_select && (request.claimed_id != @options[:openid])
+    end
+
+    def trusted_realm?(realm, session)
+      trusted_realms(session).include? realm
+    end
+    
+    def trusted_realms(session={})
+      @options.fetch(:trusted_realms, []) + session.fetch(:trusted_realms, [])
+    end
+  end
+end

data/lib/rack_my_openid/provider.rb

@@ -0,0 +1,91 @@
+require 'cgi'
+require 'sinatra/base'
+require 'rack_my_openid/handler'
+
+module RackMyOpenid
+  class Provider < Sinatra::Base
+    set :root, File.dirname(__FILE__)
+
+    use Rack::Session::Pool
+
+    # authorization
+    def authorize!
+      response = @auth.call(request.env)
+      unless response===true
+        throw(:halt, response)
+      end
+    end
+
+    # Options can contain
+    #
+    # * :credentials (required) - `md5 -s 'username:realm:password'`
+    # * :openid (required) - the OpenID you want to authorize
+    # * :realm (optional, the default is "rack_my_openid") - an arbitrary resource name for HTTP Authentication
+    def initialize(options = {})
+      super()
+      @options = default_options.merge options
+      @auth = Rack::Auth::Digest::MD5.new(lambda{|e| true}, @options[:realm]) do
+        @options[:credentials]
+      end
+      @auth.opaque = $$.to_s
+      @auth.passwords_hashed = true
+    end
+
+    get '/openid' do
+      if params.empty?
+        erb :endpoint
+      else
+        authorize!
+        @options[:endpoint_url] ||= "#{request.scheme}://#{request.host_with_port}#{request.fullpath}"
+        begin
+          render_openid_response RackMyOpenid::Handler.new(@options).handle(params, session)
+        rescue RackMyOpenid::Handler::BadRequest
+          status 400
+          body 'Bad Request'
+        rescue RackMyOpenid::Handler::UntrustedRealm => e
+          session[:openid_request_params] = params
+          session[:realm] = e.realm
+          redirect to('/openid/decide'), 302 
+        end
+      end
+    end
+
+    get '/openid/decide' do
+      authorize!
+      if @realm = session[:realm]
+        erb :decide
+      else
+        redirect to('/openid'), 302
+      end
+    end
+
+    post '/openid/decide' do
+      authorize!
+      @realm = session.delete(:realm)
+      begin
+        if params[:yes]
+          session[:trusted_realms] ||= []
+          session[:trusted_realms] << @realm
+          response = RackMyOpenid::Handler.new(@options).handle(session[:openid_request_params], session)
+        else
+          response RackMyOpenid::Handler.new(@options).cancel(session[:openid_request_params])
+        end
+        render_openid_response response
+      rescue RackMyOpenid::Handler::BadRequest
+        erb :expired
+      end
+    end
+
+    def render_openid_response(response)
+      status response.code
+      headers response.headers
+      body response.body
+    end
+
+    def default_options
+      {
+        :realm => 'rack_my_openid'
+      }
+    end
+  end
+end

data/lib/rack_my_openid/version.rb

@@ -0,0 +1,3 @@
+module RackMyOpenid
+  VERSION = "0.0.1"
+end

data/lib/rack_my_openid/views/decide.erb

@@ -0,0 +1,7 @@
+<form method="POST" action="<%=request.path_info%>">
+  <p>
+    Do you wish to trust <strong><%=@realm %></strong> with your identity?
+  </p>
+  <input type="submit" value="Yes" name="yes">
+  <input type="submit" value="No" name="no">
+</form>

data/lib/rack_my_openid/views/endpoint.erb

@@ -0,0 +1,3 @@
+<p>
+  This is an OpenID endpoint.
+</p>

data/lib/rack_my_openid/views/expired.erb

@@ -0,0 +1,3 @@
+<p>
+  Your session has expired. Please try authenticating again.
+</p>

data/lib/rack_my_openid/views/layout.erb

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>rack_my_openid OpenID endpoint</title>
+  </head>
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/lib/rack_my_openid.rb

@@ -0,0 +1,6 @@
+require 'rack_my_openid/version'
+require 'rack_my_openid/provider'
+
+module RackMyOpenid
+
+end

data/rack_my_openid.gemspec

@@ -0,0 +1,26 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "rack_my_openid/version"
+
+Gem::Specification.new do |s|
+  s.name        = "rack_my_openid"
+  s.version     = RackMyOpenid::VERSION
+  s.authors     = ["Leonid Shevtsov"]
+  s.email       = ["leonid@shevtsov.me"]
+  s.homepage    = "https://github.com/leonid-shevtsov/rack_my_openid"
+  s.summary     = %q{Single-user OpenID provider implemented as a Rack (Sinatra) application.}
+  s.description = %q{Would be useful to enable OpenID authorisation with your Ruby/Rails-based blog, personal website or whatever.}
+
+  s.rubyforge_project = "rack_my_openid"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  s.add_runtime_dependency 'sinatra'
+  s.add_runtime_dependency 'ruby-openid'
+
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'capybara'
+end

data/spec/handler_spec.rb

@@ -0,0 +1,106 @@
+require 'spec_helper'
+
+shared_examples_for 'a valid request' do
+  context 'when realm is trusted via options' do
+    let(:options_with_realm) { options.merge({:trusted_realms => [request.realm]}) }
+    it 'should answer true' do
+      described_class.new(options_with_realm).handle(params, session).should == 'answered true'
+    end
+  end
+
+  context 'when realm is trusted via session' do
+    let(:session) { {:trusted_realms => [request.realm] } }
+    it 'should answer true' do
+      described_class.new(options).handle(params, session).should == 'answered true'
+    end
+  end
+  
+  context 'when realm is not trusted' do
+    it 'should raise an error' do
+      expect {
+        described_class.new(options).handle(params, session)
+      }.to raise_error(RackMyOpenid::Handler::UntrustedRealm)
+    end
+  end
+end
+
+describe RackMyOpenid::Handler do
+  let(:options) { {:openid => 'http://myopenid.myopenid/' } }
+  let(:params) { {} }
+  let(:session) { {} }
+  let(:server) { 
+    server = double('OpenID::Server::Server') 
+    server.should_receive(:decode_request).with(params) { request }
+    server
+  }
+  before(:each) do
+    OpenID::Server::Server.stub(:new) { server }
+  end
+
+  context 'with bad params' do
+    let(:params) { {:bad => :params} }
+    let(:request) { false }
+  
+    it 'should raise error' do
+      expect {
+        described_class.new(options).handle(params, session)
+      }.to raise_error(RackMyOpenid::Handler::BadRequest)
+    end
+  end
+
+  context 'with a non-check_id request' do
+    let(:params) { {:mode => 'some_mode' } }
+    let(:request) { Object.new } 
+    let(:response) { double('Response') }
+
+    it 'should pass the request to the server' do
+      server.should_receive(:handle_request).with(request) { response }
+      server.should_receive(:encode_response).with(response)
+      described_class.new(options).handle(params, session)
+    end
+  end
+
+  context 'with a check_id request' do
+    let(:params) { {:mode => 'check_id'} }
+    let(:request) {
+      request = OpenID::Server::CheckIDRequest.new(nil, nil, nil)
+      request.stub(:realm) { 'http://my.realm' }
+      request.stub(:answer).with(true, nil, options[:openid]) { 'answered true' }
+      request.stub(:answer).with(false) { 'answered false' }
+      request
+    }
+    before do
+      server.stub(:encode_response) {|params| params }
+    end
+
+    context 'and a valid openid' do
+      before do
+        request.stub(:id_select) { false }
+        request.stub(:claimed_id) { options[:openid] }
+      end
+
+      it_should_behave_like 'a valid request'
+    end
+
+    context 'and an invalid openid' do
+      before do
+        request.stub(:id_select) { false }
+        request.stub(:claimed_id) { 'bad id' }
+      end
+
+      it 'should answer false' do
+        described_class.new(options).handle(params, session).should == 'answered false'
+      end
+    end
+
+    context 'and no openid' do
+      before do
+        request.stub(:id_select) { true }
+        request.stub(:claimed_id) { nil }
+      end
+
+      it_should_behave_like 'a valid request'
+    end
+  end
+end
+

data/spec/provider/authentication_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+feature 'Authentication' do
+  setup_app
+  assume_authorization
+
+  scenario 'Bad request' do
+    handler.stub(:handle) { raise RackMyOpenid::Handler::BadRequest }
+    visit '/openid?foo=bar'
+    page.status_code.should == 400
+  end
+
+  scenario 'Untrusted realm' do
+    handler.stub(:handle) { raise RackMyOpenid::Handler::UntrustedRealm.new('http://my.realm') }
+    visit '/openid?foo=bar'
+    page.current_path.should == '/openid/decide'
+    page.should have_selector('form')
+    page.should have_content('http://my.realm')
+  end
+
+  scenario 'Happy case' do
+    handler.stub(:handle) { OpenID::Server::WebResponse.new(123, {'X-Test' => 'bar'}, 'testbody') } 
+    visit '/openid?foo=bar'
+    page.status_code.should == 123
+    page.response_headers['X-Test'].should == 'bar'
+    page.source.should == 'testbody'
+  end
+end

data/spec/provider/decision_spec.rb

@@ -0,0 +1,38 @@
+feature 'Decision whether to trust a realm or not' do
+  setup_app
+  assume_authorization
+
+  context 'when accessing decision page directly' do
+    scenario 'should redirect to the endpoint' do
+      visit '/openid/decide'
+      page.current_path.should == '/openid'
+    end
+  end
+
+  context 'when redirected to the decision page' do
+    before do
+      handler.stub(:handle) { raise RackMyOpenid::Handler::UntrustedRealm.new('http://my.realm') }
+      visit '/openid?foo=bar'
+      handler.stub(:handle) { OpenID::Server::WebResponse.new(200, {}, 'ok') }
+    end
+
+    scenario 'Trusting the realm - should allow authentication' do
+      handler.should_receive(:handle)
+      page.click_button('Yes')
+    end
+
+    scenario 'Not trusting the realm - should cancel authentication' do
+      handler.should_receive(:cancel)
+      page.click_button('No')
+    end
+
+    scenario 'Preserving realm trust' do
+      page.click_button('Yes')
+      handler.should_receive(:handle) { |params,session|
+        session[:trusted_realms].should == ['http://my.realm']
+      }
+      visit('/openid?foo=bar')
+    end
+  end
+
+end

data/spec/provider/endpoint_spec.rb

@@ -0,0 +1,10 @@
+require 'spec_helper'
+
+feature 'Human-readable endpoint' do
+  setup_app
+
+  scenario 'Visiting the endpoint' do
+    visit '/openid'
+    page.should have_content 'This is an OpenID endpoint.'
+  end
+end

data/spec/provider/http_auth_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+feature 'HTTP authorisation' do
+  setup_app
+
+  before do
+    handler.stub(:handle) { OpenID::Server::WebResponse.new(200, {}, 'ok') }
+    visit '/openid?foo=bar'
+  end
+
+  scenario 'Without authorisation it should propose to authorise' do
+    page.status_code.should == 401
+  end
+
+  scenario 'With improper authorisation it should reject the request' do
+    page.driver.browser.digest_authorize('vasya', 'pupkin')
+    visit '/openid?foo=bar'
+    page.status_code.should == 401
+  end
+
+  scenario 'With proper authorisation we should handle the request' do
+    page.driver.browser.digest_authorize('correct_login', 'correct_password')
+    visit '/openid?foo=bar'
+    page.status_code.should == 200
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,25 @@
+require 'rack_my_openid'
+require 'rspec'
+require 'capybara/rspec'
+
+module AcceptanceHelper
+  def setup_app
+    before { Capybara.app = RackMyOpenid::Provider.new({:realm => 'myrealm', :credentials => 'bd1baa373b11c42826d3b15ef77a26d8'}) }
+
+    let(:handler) { double('RackMyOpenid::Handler') }
+    before { RackMyOpenid::Handler.stub(:new).and_return(handler) }
+  end
+
+  def assume_authorization
+    before {
+      visit '/openid?foo=bar'
+      page.driver.browser.digest_authorize('correct_login', 'correct_password')
+      visit '/openid?foo=bar'
+    }
+  end
+end
+
+RSpec.configure do |config|
+  config.extend AcceptanceHelper, :type => :request
+end
+

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: rack_my_openid
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Leonid Shevtsov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-01-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: &70135767507380 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70135767507380
+- !ruby/object:Gem::Dependency
+  name: ruby-openid
+  requirement: &70135767506760 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70135767506760
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70135767506180 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70135767506180
+- !ruby/object:Gem::Dependency
+  name: capybara
+  requirement: &70135767503520 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70135767503520
+description: Would be useful to enable OpenID authorisation with your Ruby/Rails-based
+  blog, personal website or whatever.
+email:
+- leonid@shevtsov.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rvmrc
+- Gemfile
+- README.md
+- Rakefile
+- lib/rack_my_openid.rb
+- lib/rack_my_openid/handler.rb
+- lib/rack_my_openid/provider.rb
+- lib/rack_my_openid/version.rb
+- lib/rack_my_openid/views/decide.erb
+- lib/rack_my_openid/views/endpoint.erb
+- lib/rack_my_openid/views/expired.erb
+- lib/rack_my_openid/views/layout.erb
+- rack_my_openid.gemspec
+- spec/handler_spec.rb
+- spec/provider/authentication_spec.rb
+- spec/provider/decision_spec.rb
+- spec/provider/endpoint_spec.rb
+- spec/provider/http_auth_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/leonid-shevtsov/rack_my_openid
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: rack_my_openid
+rubygems_version: 1.8.11
+signing_key: 
+specification_version: 3
+summary: Single-user OpenID provider implemented as a Rack (Sinatra) application.
+test_files:
+- spec/handler_spec.rb
+- spec/provider/authentication_spec.rb
+- spec/provider/decision_spec.rb
+- spec/provider/endpoint_spec.rb
+- spec/provider/http_auth_spec.rb
+- spec/spec_helper.rb