ruby-openid 1.0.2 → 1.1.1

data/lib/openid/consumer.rb

@@ -180,7 +180,7 @@ module OpenID
   # of the user though it's +identity_url+ method.
   class Consumer
     
-    @@token_key = '_openid_consumer_token'
+    @@service_key = '_openid_consumer_service'
     @@disco_suffix = 'xopenid_services'
     attr_accessor :consumer, :session, :fetcher
 
@@ -266,19 +266,18 @@ module OpenID
     # +msg+ method which provides more detailed information as to why
     # the request failed.
     def begin(user_url)
-      user_url = OpenID::Util.normalize_url(user_url)
-      unless user_url
-        user_url = user_url.to_s
-        return FailureRequest.new("Invalid URL: #{user_url}")
+      discovery = self.get_discovery(user_url)
+
+      unless discovery
+        return FailureRequest.new("Don't know how to find services for that identifier")
       end
 
-      discovery = self.get_discovery(user_url)
       service = discovery.next_service
 
-      if service.nil?
+      unless service
         return FailureRequest.new('No service endpoints found.')
       end
-
+      
       return self.begin_without_discovery(service)
     end
 
@@ -300,7 +299,7 @@ module OpenID
     # for more information.
     def begin_without_discovery(service)
       request = @consumer.begin(service)
-      @session[@@token_key] = request.token
+      @session[@@service_key] = service
       return request
     end
     
@@ -345,17 +344,12 @@ module OpenID
     # in to the +setup_url+, either in the current window or in a 
     # new browser window.
     def complete(query)
-      begin
-        token = @session.delete(@@token_key)
-      rescue
-        token = @session[@@token_key]
-        @session[@@token_key] = nil
-      end
+      service = @session[@@service_key]
       
-      if token.nil?
+      if service.nil?
         resp = FailureResponse.new(nil, 'No session state found.')
       else
-        resp = @consumer.complete(query, token)
+        resp = @consumer.complete(query, service)
       end
 
       disco = self.get_discovery(resp.identity_url)
@@ -368,6 +362,13 @@ module OpenID
         resp.service = disco.current
       end
 
+      # want to delete service unless status is SETUP_NEEDED,
+      # because we still need the service info when the user returns from
+      # the server
+      unless resp.status == SETUP_NEEDED
+        @session[@@service_key] = nil
+      end
+
       return resp
     end
 
@@ -375,10 +376,18 @@ module OpenID
     
     # Used internally to create an instnace of the OpenIDDiscovery object.
     def get_discovery(url)
-      return OpenIDDiscovery.new(@session, url, @consumer.fetcher,
-                                 @@disco_suffix)
+      if XRI::identifier_scheme(url) == :xri
+        XRIDiscovery.new(@session, url, @@disco_suffix)
+      else
+        url = OpenID::Util.normalize_url(url)
+        if url
+          user_url = user_url.to_s
+          OpenIDDiscovery.new(@session, url, @consumer.fetcher, @@disco_suffix)
+        else
+          nil
+        end
+      end
     end
-
   end
 
   # This class implements the common logic for OpenID consumers.  It
@@ -397,9 +406,6 @@ module OpenID
     
     # Nonce character set
     @@NONCE_CHRS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-    # Number of seconds the tokens generated by this library will be valid for.
-    @@TOKEN_LIFETIME = 60 * 2
-
     @@D_SUFFIX = 'openid_disco'
 
     attr_reader :fetcher
@@ -451,27 +457,22 @@ module OpenID
     # has the same interface.
     def begin(service)
       nonce = self.create_nonce
-      token = self.gen_token(service.consumer_id, service.server_id,
-                             service.server_url)
-
       assoc = self.get_association(service.server_url)
-      return SuccessRequest.new(assoc, token, nonce, service)
+      return SuccessRequest.new(assoc, nonce, service)
     end
 
     # Please see the interface docs for Consumer.complete.  This method accpets
-    # a +token+ paramter which is provided though the SuccessRequest object
-    # generated in the +begin+ call.  The token should be stored somewhere
+    # a +service+ paramter which is provided though the SuccessRequest object
+    # generated in the +begin+ call.  The +service+ should be stored somewhere
     # in the user's session or environment and passed into this method
     # along with the full query string Hash.  Consumer.complete has the
     # full list of return values for this method.
-    def complete(query, token)
-      # get the service data out of the token
-      pieces = self.split_token(token)
-      if pieces
-        consumer_id, server_id, server_url = pieces
-      else
-        return FailureResponse.new(nil, msg='bad token')        
-      end
+    def complete(query, service_endpoint)
+      return FailureResponse.new(nil, msg='no session state found') unless service_endpoint
+
+      consumer_id = service_endpoint.consumer_id
+      server_id = service_endpoint.server_id
+      server_url = service_endpoint.server_url
 
       # get the nonce out of the query
       nonce = query['nonce']
@@ -612,37 +613,6 @@ module OpenID
       return self.associate(server_url)    
     end
     
-    # Generate a token representing the user and their server.  Used
-    # internally for maintaining cross request state.
-    def gen_token(consumer_id, server_id, server_url)
-      timestamp = Time.now.to_i.to_s
-      joined = [timestamp, consumer_id, server_id, server_url].join("\x00")
-      sig = OpenID::Util.hmac_sha1(@store.get_auth_key, joined)
-      OpenID::Util.to_base64(sig+joined)
-    end
-
-    # Extract server and user information from a token string.
-    def split_token(token)
-      return nil if token.nil?
-
-      token = OpenID::Util.from_base64(token)
-      return nil if token.length < 20
-      
-      sig, joined = token[(0...20)], token[(20...token.length)]
-      return nil if OpenID::Util.hmac_sha1(@store.get_auth_key, joined) != sig
-      
-      s = joined.split("\x00")
-      return nil if s.length != 4
-
-      timestamp, consumer_id, server_id, server_url = s
-      
-      timestamp = timestamp.to_i
-      return nil if timestamp == 0
-      return nil if (timestamp + @@TOKEN_LIFETIME) < Time.now.to_i
-      
-      return [consumer_id, server_id, server_url].freeze
-    end
-
     # Make the openid.associate call to the server.
     def associate(server_url)
       dh = OpenID::DiffieHellman.new
@@ -723,7 +693,7 @@ module OpenID
   # Consumer.begin.
   class SuccessRequest < OpenIDStatus
     
-    attr_reader :token, :server_id, :server_url, :nonce, :identity_url, \
+    attr_reader :server_id, :server_url, :nonce, :identity_url, \
                 :service, :return_to_args
     
     # Creates a new SuccessRequest object.  This just stores each
@@ -732,7 +702,7 @@ module OpenID
     # Users of this library should not create instances of this
     # class.  Instances of this class are created by Consumer
     # during begin.
-    def initialize(assoc, token, nonce, service)
+    def initialize(assoc, nonce, service)
       super(SUCCESS)
       @service = service
       @server_id = service.server_id
@@ -742,7 +712,6 @@ module OpenID
       @return_to_args = {'nonce' => nonce}
 
       @assoc = assoc
-      @token = token
       @nonce = nonce
     end
 

data/lib/openid/discovery.rb

@@ -5,13 +5,21 @@ require "openid/parse"
 # try and use the yadis gem, falling back to system yadis
 begin
   require 'rubygems'
-  require_gem 'ruby-yadis', ">=0.3"  
+  require_gem 'ruby-yadis', ">=0.3.3"  
 rescue LoadError
   require "yadis"
 end
 
 module OpenID
 
+  OPENID_IDP_2_0_TYPE = 'http://openid.net/server/2.0'
+  OPENID_2_0_TYPE = 'http://openid.net/signon/2.0'
+  OPENID_1_2_TYPE = 'http://openid.net/signon/1.2'
+  OPENID_1_1_TYPE = 'http://openid.net/signon/1.1'
+  OPENID_1_0_TYPE = 'http://openid.net/signon/1.0'
+  OPENID_TYPE_URIS = [OPENID_2_0_TYPE,OPENID_1_2_TYPE,
+                     OPENID_1_1_TYPE,OPENID_1_0_TYPE]
+
   # OpenID::Discovery encapsulates the logic for doing Yadis and OpenID 1.0
   # style server discovery.  This class uses a session object to manage 
   # a list of tried OpenID servers for implemeting server fallback.  This is
@@ -86,4 +94,29 @@ module OpenID
 
   end
 
+  class XRIDiscovery < Discovery
+    def initialize(session, iname, suffix=nil)
+      super(session, iname, suffix)
+    end
+
+    def discover(filter=nil)
+      begin
+        services = XRI::ProxyResolver.new.query(@url, OPENID_TYPE_URIS)
+      rescue XRI::XRIHTTPError, ArgumentError
+        return [nil, []]
+      end
+      endpoints = []
+      services.each {|s|
+        se = OpenIDServiceEndpoint.from_endpoint(s)
+        if se
+          se.delegate_url = @url
+          se.yadis_url = @url
+          endpoints << se
+        end
+      }
+      return [@url, endpoints]      
+    end
+
+  end
+
 end

data/lib/openid/discovery.rb~

@@ -0,0 +1,122 @@
+require "openid/util"
+require "openid/service"
+require "openid/parse"
+
+# try and use the yadis gem, falling back to system yadis
+begin
+  require 'rubygems'
+  require_gem 'ruby-yadis', ">=0.4"  
+rescue LoadError
+  require "yadis"
+end
+
+module OpenID
+
+  OPENID_IDP_2_0_TYPE = 'http://openid.net/server/2.0'
+  OPENID_2_0_TYPE = 'http://openid.net/signon/2.0'
+  OPENID_1_2_TYPE = 'http://openid.net/signon/1.2'
+  OPENID_1_1_TYPE = 'http://openid.net/signon/1.1'
+  OPENID_1_0_TYPE = 'http://openid.net/signon/1.0'
+  OPENID_TYPE_URIS = [OPENID_2_0_TYPE,OPENID_1_2_TYPE,
+                     OPENID_1_1_TYPE,OPENID_1_0_TYPE]
+
+  # OpenID::Discovery encapsulates the logic for doing Yadis and OpenID 1.0
+  # style server discovery.  This class uses a session object to manage 
+  # a list of tried OpenID servers for implemeting server fallback.  This is
+  # useful the case when a user's primary server(s) is not available, and
+  # will allow then to try again with one of their alternates.
+  class OpenIDDiscovery < Discovery
+
+    def initialize(session, url, fetcher, suffix=nil)
+      super(session, url, suffix)
+      @fetcher = fetcher
+    end
+
+    # Pass in a custom filter here if you like.  Otherwise you'll get all
+    # OpenID sso services. filter should produce objects or subclasses of
+    # OpenIDServiceEndpoint.
+    def discover(filter=nil)
+      unless filter
+        filter = lambda {|s| OpenIDServiceEndpoint.from_endpoint(s)}
+      end
+      
+      begin
+        # do yadis discover, filtering out OpenID services
+        return super(filter)
+      rescue YADISParseError, YADISHTTPError
+
+        # Couldn't do Yadis discovery, fall back on OpenID 1.0 disco
+        status, service = self.openid_discovery(@url)
+        if status == SUCCESS
+          return [service.consumer_id, [service]]
+        end
+      end
+
+      return [nil, []]
+    end
+
+    # Perform OpenID 1.0 style link rel discovery.  No string normalization
+    # will be done on +url+.  See Util.normalize_url for information on
+    # textual URL transformations.
+    def openid_discovery(url)
+      ret = @fetcher.get(url)
+      return [HTTP_FAILURE, nil] if ret.nil?
+      
+      consumer_id, data = ret
+      server = nil
+      delegate = nil
+      parse_link_attrs(data) do |attrs|
+        rel = attrs["rel"]
+        if rel == "openid.server" and server.nil?
+          href = attrs["href"]
+          server = href unless href.nil?
+        end
+        
+        if rel == "openid.delegate" and delegate.nil?
+          href = attrs["href"]
+          delegate = href unless href.nil?
+        end
+      end
+
+      return [PARSE_ERROR, nil] if server.nil?
+    
+      server_id = delegate.nil? ? consumer_id : delegate
+
+      consumer_id = OpenID::Util.normalize_url(consumer_id)
+      server_id = OpenID::Util.normalize_url(server_id)
+      server_url = OpenID::Util.normalize_url(server)
+                  
+      service = OpenID::FakeOpenIDServiceEndpoint.new(consumer_id,
+                                                      server_id,
+                                                      server_url)
+      return [SUCCESS, service]
+    end    
+
+  end
+
+  class XRIDiscovery < Discovery
+    def initialize(session, iname, suffix=nil)
+      super(session, iname, suffix)
+    end
+
+    def discover(filter=nil)
+      begin
+        services = XRI::ProxyResolver.new.query(@url, OPENID_TYPE_URIS)
+      rescue XRI::XRIHTTPError, ArgumentError
+        return [nil, []]
+      end
+      endpoints = []
+      services.each {|s|
+        se = OpenIDServiceEndpoint.from_endpoint(s)
+        if se
+          se.delegate_url = @url
+          se.yadis_url = @url
+          endpoints << se
+        end
+      }
+      return [@url, endpoints]      
+    end
+
+  end
+
+end

data/lib/openid/fetchers.rb

@@ -12,6 +12,40 @@ else
   HAS_OPENSSL = true
 end
 
+# Not all versions of Ruby 1.8.4 have the version of post_connection_check
+# that properly handles wildcard hostnames.  This version of
+# post_connection_check is copied from post April 2006 release of 1.8.4.
+module Net
+  class HTTP
+    def post_connection_check(hostname)
+      check_common_name = true
+      cert = @socket.io.peer_cert
+      cert.extensions.each { |ext|
+        next if ext.oid != "subjectAltName"
+        ext.value.split(/,\s+/).each{ |general_name|
+          if /\ADNS:(.*)/ =~ general_name
+            check_common_name = false
+            reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          elsif /\AIP Address:(.*)/ =~ general_name
+            check_common_name = false
+            return true if $1 == hostname
+          end
+        }
+      }
+      if check_common_name
+        cert.subject.to_a.each{ |oid, value|
+          if oid == "CN"
+            reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+            return true if /\A#{reg}\z/i =~ hostname
+          end
+        }
+      end
+      raise OpenSSL::SSL::SSLError, "hostname does not match"
+    end
+  end
+end
+
 module OpenID
 
   # Base Object used by consumer to send http messages
@@ -101,6 +135,13 @@ module OpenID
       begin
         u = URI.parse(url)
         http = get_http_obj(u)
+        http.start {
+          if HAS_OPENSSL and u.is_a?(URI::HTTPS) and @ca_path
+            # do the post_connection_check, which verifies that
+            # the host matches the cert
+            http.post_connection_check(u.host)
+          end
+        }
         resp = http.get(u.request_uri)
       rescue
         nil