ruby-openid-apps-discovery 1.0.2 → 1.01

data/lib/gapps_openid.rb

@@ -29,17 +29,10 @@ require 'base64'
 # Caching of discovery information is enabled when used with rails.  In other environments,
 # a cache can be set via:
 #
-#   OpenID.cache = ...
+#   OpenID::GoogleDiscovery.cache = ...
 #
 # The cache must implement methods read(key) and write(key,value)
 #
-# Similarly, logging will attempt to use the default Rail's logger, but can be overriden
-# by calling
-#
-#   OpenID.logger = ...
-#
-# The logger must respond to warn, debug, and info methods
-#
 # In some cases additional setup is required, particularly to set the location of trusted
 # root certificates for validating XRDS signatures.  If standard locations don't work, additional
 # files and directories can be added via:
@@ -88,13 +81,11 @@ module OpenID
     def perform_discovery(uri)
       OpenID.logger.debug("Performing discovery for #{uri}") unless OpenID.logger.nil?
       begin
-        domain = uri
         parsed_uri = URI::parse(uri)
-        domain = parsed_uri.host unless parsed_uri.host.nil?
-        if site_identifier?(parsed_uri)
-          return discover_site(domain)
+        if parsed_uri.scheme.nil?
+          return discover_site(uri)
         end
-        return discover_user(domain, uri)
+        return discover_user(parsed_uri.host, uri)
       rescue Exception => e
         # If we fail, just return nothing and fallback on default discovery mechanisms
         OpenID.logger.warn("Unexpected exception performing discovery for id #{uri}: #{e}") unless OpenID.logger.nil?
@@ -102,10 +93,6 @@ module OpenID
       end
     end
     
-    def site_identifier?(parsed_uri)
-      return parsed_uri.scheme.nil? || parsed_uri.path.nil? || parsed_uri.path.strip.empty?
-    end
-    
     # Handles discovery for a user's claimed ID.  
     def discover_user(domain, claimed_id)
       OpenID.logger.debug("Discovering user identity #{claimed_id} for domain #{domain}") unless OpenID.logger.nil?
@@ -114,23 +101,13 @@ module OpenID
         OpenID.logger.debug("#{domain} is not a Google Apps domain, aborting") unless OpenID.logger.nil?
         return nil # Not a Google Apps domain
       end
-
-      xrds, signed = fetch_secure_xrds(domain, url)
-
-      unless xrds.nil?
-        # TODO - Need to propogate secure discovery info up through stack
-        user_url, authority = get_user_xrds_url(xrds, claimed_id)
-        user_xrds, signed = fetch_secure_xrds(domain, user_url, false)
-      
-        # No user xrds -- likely that identifier was just OP identifier
-        if user_xrds.nil?
-          endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(domain, xrds)
-          return [claimed_id, OpenID.get_op_or_user_services(endpoints)]
-        end
+      xrds = fetch_xrds(domain, url)
+      user_url, authority = get_user_xrds_url(xrds, claimed_id)
+      user_xrds = fetch_xrds(authority, user_url, false)
+      return if user_xrds.nil?
       
-        endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(claimed_id, user_xrds)
-        return [claimed_id, OpenID.get_op_or_user_services(endpoints)]
-      end
+      endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(claimed_id, user_xrds)
+      return [claimed_id, OpenID.get_op_or_user_services(endpoints)]
     end
     
     # Handles discovery for a domain
@@ -141,12 +118,10 @@ module OpenID
         OpenID.logger.debug("#{domain} is not a Google Apps domain, aborting") unless OpenID.logger.nil?
         return nil # Not a Google Apps domain
       end
-      xrds, secure = fetch_secure_xrds(domain, url)
-      
+      xrds = fetch_xrds(domain, url)
       unless xrds.nil?
-        # TODO - Need to propogate secure discovery info up through stack
-        endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(domain, xrds)
-        return [domain, OpenID.get_op_or_user_services(endpoints)]
+          endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(domain, xrds)
+          return [domain, OpenID.get_op_or_user_services(endpoints)]
       end
       return nil
     end
@@ -158,9 +133,11 @@ module OpenID
       return cached_value unless cached_value.nil?
       
       host_meta_url = "https://www.google.com/accounts/o8/.well-known/host-meta?hd=#{CGI::escape(domain)}"
-      http_resp = fetch_url(host_meta_url)
-      return nil if http_resp.nil?
-
+      http_resp = OpenID.fetch(host_meta_url)
+      if http_resp.code != "200" and http_resp.code != "206"
+        OpenID.logger.debug("Received #{http_resp.code} when fetching #{host_meta_url}") unless OpenID.logger.nil?
+        return nil
+      end
       matches = /Link: <(.*)>/.match( http_resp.body )
       if matches.nil? 
         OpenID.logger.debug("No link tag found at #{host_meta_url}") unless OpenID.logger.nil?
@@ -170,43 +147,34 @@ module OpenID
       return matches[1]
     end
 
-    def fetch_url(url)
-      http_resp = OpenID.fetch(url)
-      if http_resp.code != "200" and http_resp.code != "206"
-        OpenID.logger.debug("Received #{http_resp.code} when fetching #{url}") unless OpenID.logger.nil?
-        return nil
-      end
-      return http_resp
-    end
-    
     # Fetches the XRDS and verifies the signature and authority for the doc
-    def fetch_secure_xrds(authority, url, cache=true) 
+    def fetch_xrds(authority, url, cache=true) 
       return if url.nil?
 
       OpenID.logger.debug("Retrieving XRDS from #{url}") unless OpenID.logger.nil?
  
-      cached_xrds = get_cache("XRDS_#{url}")
+      cached_xrds = get_cache(url)
       return cached_xrds unless cached_xrds.nil?
 
-      http_resp = fetch_url(url)
-      return nil if http_resp.nil?
+      http_resp = OpenID.fetch(url)
+      if http_resp.code != "200" and http_resp.code != "206"
+        OpenID.logger.debug("Received #{http_resp.code} when fetching #{url}") unless OpenID.logger.nil?
+        return nil
+      end
 
       body = http_resp.body
-      put_cache("XRDS_#{url}", body)
-
       signature = http_resp["Signature"]
       signed_by = SimpleSign.verify(body, signature)
-
-      if signed_by.nil?
-        put_cache("XRDS_#{url}", body) if cache
-        return [body, false]      
-      elsif signed_by.casecmp(authority) || signed_by.casecmp('hosted-id.google.com')
-        put_cache("XRDS_#{url}", body) if cache
-        return [body, true]
-      else
+      if !signed_by.casecmp(authority) or !signed_by.casecmp('hosted-id.google.com')
         OpenID.logger.warn("Expected signature from #{authority} but found #{signed_by}") unless OpenID.logger.nil?        
-        return nil # Signed, but not by the right domain.
+        return false # Signed, but not by the right domain.
       end
+      
+      # Everything is OK
+      if cache
+        put_cache(url, body)
+      end
+      return body      
     end    
     
     # Process the URITemplate in the XRDS to derive the location of the claimed id's XRDS
@@ -289,15 +257,12 @@ module OpenID
 
     # Verifies the signature of the doc, returning the CN of the signer if valid
     def self.verify(xml, signature_value) 
-      doc = REXML::Document.new(xml)
-
-      return nil if REXML::XPath.first(doc, "//ds:Signature").nil? and signature_value.nil?    
-
+      raise "Missing signature value" if signature_value.nil?
       decoded_sig = Base64.decode64(signature_value)
+
+      doc = REXML::Document.new(xml)
       certs = self.parse_certificates(doc)
       raise "No signature in document" if certs.nil? or certs.empty?
-      raise "Missing signature value" if signature_value.nil?
-
 
       signing_certificate = certs.first
       raise "Invalid signature" if !signing_certificate.public_key.verify(OpenSSL::Digest::SHA1.new, decoded_sig, xml)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: ruby-openid-apps-discovery
 version: !ruby/object:Gem::Version 
-  version: 1.0.2
+  version: "1.01"
 platform: ruby
 authors: []
 
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-05-13 00:00:00 -07:00
+date: 2010-01-12 00:00:00 -08:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency