ruby-openid 1.0

data/lib/openid/service.rb

@@ -0,0 +1,135 @@
+require 'rexml/document'
+
+begin
+  require 'rubygems'
+  require_gem 'ruby-yadis', '>=0.2.3'
+rescue LoadError
+  require 'yadis/service'
+end
+
+module OpenID
+
+  # OpenIDService is an object representation of an OpenID server,
+  # and the services it provides.  It contains a useful information such
+  # as the server URL, and information about the OpenID identity bound
+  # to the server.  OpenIDService object should be produced using the
+  # OpenIDService.from_service class method with a Yadis Service object.
+  # See the ruby Yadis library for more information:
+  #
+  # http://www.openidenabled.com/yadis/libraries/ruby
+  #
+  # Unless you choose to do your own discovery and interface with
+  # OpenIDConsumer through the OpenIDConsumer.begin_without_discovery
+  # method, you won't need to ever use this object directly.  It is used
+  # internally by the OpenIDConsumer object.
+  class OpenIDServiceEndpoint < ServiceEndpoint
+    
+    @@namespace = {'openid' => 'http://openid.net/xmlns/1.0'}
+    attr_accessor :service_types, :uri, :yadis_url, :delegate_url
+
+    # Class method to produce OpenIDService objects. Call with a Yadis Service
+    # object.  Will return nil if the Service object does not represent an
+    # an OpenID server.
+    def OpenIDServiceEndpoint.from_endpoint(service, versions=nil)
+      return nil unless OpenIDServiceEndpoint.is_type?(service, versions)
+
+      s = new
+      s.service_types = service.service_types
+      s.uri = service.uri
+      s.yadis_url = service.yadis.uri
+
+      s.delegate_url = nil
+      REXML::XPath.each(service.element, 'openid:Delegate', @@namespace) do |e|
+        s.delegate_url = e.text.strip
+      end
+
+      return s
+    end
+
+    # Class method to determine if a Yadis service object is an OpenID server.
+    # +versions+ is a list of Strings representing the versions of the OpenID
+    # protocol you support.  Only service that match one of the versions will
+    # return a value that evaluates to true.  If no +versions+ list is
+    # specified, all versions will be accepted.
+    def OpenIDServiceEndpoint.is_type?(service, versions=nil)
+      # escape the period in the version numbers
+      versions.collect! {|v| v.gsub('.', '\.')} if versions
+      
+      base_url = 'http://openid\.net/signon/'
+      base_url += '(' + versions.join('|') + '){1}' if versions
+      
+      service.service_types.each do |st|
+        return true if st.match(base_url)
+      end
+
+      return false
+    end
+
+    # Alias for +supports?+
+    def uses_extension?(extension_url)
+      return self.supports?(extension_url)
+    end
+    
+    # Same as uses_extension? Checks to see if the provided URL is
+    # in the list of service types. Example that checks for support
+    # of the simple registratino protocol:
+    #
+    #   service.supports?('http://openid.net/sreg/1.0')
+    #
+    def supports?(url)
+      return @service_types.member?(extension_url)
+    end
+
+    # Returns the OpenID delegate URL.  This is the URL on the OpenID server,
+    # For example if example.com delegates to example-server.com/user, then
+    # this will return example-server.com/user
+    def delegate
+      @delegate_url or self.consumer_id
+    end
+
+    # Returns the OpenID server endpoint URL.
+    def server_url
+      @uri
+    end
+    
+    # Returns user's URL which resides on the OpenID server.  For
+    # example if http://example.com/ delegates to http://example.myopenid.com/,
+    # then http://example.myopenid.com/ will be returned by this method.
+    def server_id
+      self.delegate
+    end
+
+    # The URL the user entered to authenticate.  For example, if
+    # http://example.com/ delegates to http://example.myopenid.com/, this
+    # method will return http://example.com/
+    def consumer_id
+      @yadis_url
+    end
+  end
+
+
+  # Used for providing an OpenIDService like object
+  # to the OpenID library for 1.X link rel discovery.
+  # See the documentation for OpenID::OpenIDService for more information
+  # on what this object does.
+  class FakeOpenIDServiceEndpoint < OpenIDServiceEndpoint
+    
+    def initialize(consumer_id, server_id, server_url)
+      @uri = server_url
+      @delegate = server_id
+      @yadis_url = consumer_id     
+      @service_types = ['http://openid.net/signon/1.0']
+      @yadis = nil
+    end
+
+    def delegate
+      @delegate
+    end
+
+    def supports?(url)
+      false
+    end
+
+  end
+
+end

data/lib/openid/stores.rb

@@ -0,0 +1,178 @@
+require "openid/util"
+
+module OpenID
+
+  # Interface for the abstract Store
+  class Store
+
+    @@AUTH_KEY_LEN = 20
+
+    # Put a Association object into storace
+    def store_association(association)
+      raise NotImplementedError
+    end
+
+    # Returns a Association object from storage that matches
+    # the server_url.  Returns nil if no such association is found or if
+    # the one matching association is expired. (Is allowed to GC expired
+    # associations when found.)
+    def get_association(server_url)
+      raise NotImplementedError
+    end
+
+    # If there is a matching association, remove it from the store and
+    # return true, otherwise return false.
+    def removeAssociation(server_url, handle)
+      raise NotImplementedError
+    end
+
+    # Stores a nonce (which is passed in as a string).
+    def store_nonce(nonce)
+      raise NotImplementedError
+    end
+
+    # If the nonce is in the store, remove it and return true. Otherwise
+    # return false.
+    def use_nonce(nonce)
+      raise NotImplementedError
+    end
+
+    # Returns a 20-byte auth key used to sign the tokens, to ensure
+    # that they haven't been tampered with in transit. It must return
+    # the same key every time it is called.   
+    def get_auth_key
+      raise NotImplementedError
+    end
+
+    # Method return true if the store is dumb-mode-style store.
+    def dumb?
+      false
+    end
+
+  end
+
+
+  class DumbStore < Store
+    
+    def initialize(secret_phrase)
+      require "digest/sha1"
+      @auth_key = Digest::SHA1.hexdigest(secret_phrase)
+    end
+
+    def store_association(assoc)
+      nil
+    end
+
+    def get_association(server_url)
+      nil
+    end
+  
+    def remove_association(server_url, handle)
+      false
+    end
+
+    def store_nonce(nonce)
+      nil
+    end
+
+    def use_nonce(nonce)
+      true
+    end
+
+    def get_auth_key
+      @auth_key
+    end
+
+    def dumb?
+      true
+    end
+
+  end
+
+  class ServerAssocs
+    def initialize
+      @assocs = {}
+    end
+
+    def set(assoc)
+      @assocs[assoc.handle] = assoc
+    end
+
+    def get(handle)
+      @assocs[handle]
+    end
+
+    def remove(handle)
+      return @assocs.delete(handle)
+    end
+
+    def best
+      best = nil
+      @assocs.each do |k, assoc|
+        if best.nil? or best.issued < assoc.issued
+          best = assoc
+        end
+      end
+      return best
+    end
+  end
+
+  # An in-memory implementation of Store.  This class is mainly used
+  # for testing, though it may be useful for long-running single process apps.
+  #
+  # You should probably be looking at OpenID::FilesystemStore
+  class MemoryStore < Store
+
+    def initialize
+      @server_assocs = {}
+      @nonces = {}
+      @auth_key = OpenID::Util.random_string(@@AUTH_KEY_LEN)
+    end
+
+    def dumb?
+      false
+    end
+
+    def store_association(server_url, assoc)
+      assocs = _get_server_assocs(server_url)
+      assocs.set(self.deepcopy(assoc))
+    end
+    
+    def get_association(server_url, handle=nil)
+      assocs = _get_server_assocs(server_url)
+      return assocs.best if handle.nil?
+      return assocs.get(handle)
+    end
+    
+    def remove_association(server_url, handle)
+      assocs = _get_server_assocs(server_url)
+      return assocs.remove(handle)
+    end
+
+    def use_nonce(nonce)
+      return true if @nonces.delete(nonce)
+      return false
+    end
+
+    def store_nonce(nonce)
+      @nonces[nonce] = true
+    end
+
+    def get_auth_key
+      @auth_key
+    end
+
+    def _get_server_assocs(server_url)
+      unless @server_assocs.has_key?(server_url)
+        @server_assocs[server_url] = ServerAssocs.new
+      end
+      return @server_assocs[server_url]
+    end
+
+    def deepcopy(o)
+      Marshal.load(Marshal.dump(o))
+    end
+
+  end
+
+end

data/lib/openid/trustroot.rb

@@ -0,0 +1,100 @@
+require 'uri'
+
+TOP_LEVEL_DOMAINS = 'com|edu|gov|int|mil|net|org|biz|info|name|museum|coop|aero|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|eh|er|es|et|fi|fj|fk|fm|fo|fr|ga|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kp|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw'.split('|')
+
+module OpenID
+
+  class TrustRoot
+
+    @@empty_re = Regexp.new('^http[s]*:\/\/\*\/$')
+
+    def TrustRoot._parse_url(url)
+      begin
+        parsed = URI::parse(url)
+      rescue
+        return nil
+      end
+      
+      return [parsed.scheme, parsed.host, parsed.port, parsed.path]
+    end
+
+    def TrustRoot.parse(trust_root)
+      return nil unless trust_root.instance_of?(String)
+
+      unparsed = trust_root.dup
+
+      # look for wildcard
+      wildcard = (not trust_root.index('://*.').nil?)
+      trust_root.sub!('*.', '') if wildcard
+
+      # handle http://*/ case
+      if not wildcard and @@empty_re.match(trust_root)
+        proto = trust_root.split(':')[0]
+        port = proto == 'http' ? 80 : 443
+        return new(unparsed, proto, true, '', port, '/')
+      end
+
+      parts = TrustRoot._parse_url(trust_root)
+      return nil if parts.nil?
+
+      proto, host, port, path = parts
+      
+      return nil unless ['http', 'https'].member?(proto)
+      return new(unparsed, proto, wildcard, host, port, path)
+    end
+
+    def TrustRoot.check_sanity(trust_root)
+      tr = TrustRoot.parse(trust_root)
+      return false if tr.nil?
+      return tr.sane?
+    end
+      
+
+    def initialize(unparsed, proto, wildcard, host, port, path)
+      @unparsed = unparsed
+      @proto = proto
+      @wildcard = wildcard
+      @host = host
+      @port = port
+      @path = path
+    end
+
+    def sane?
+      return true if @host == 'localhost'
+      
+      host_parts = @host.split('.')
+      return false unless TOP_LEVEL_DOMAINS.member?(host_parts[-1])
+      
+      # wacky heurestic for extracting a sane tld
+      host = []
+      if host_parts[-1].length == 2 and host_parts.length > 1
+        if host_parts[-2].length <= 3
+          host = host_parts[0...-2]
+        end
+      elsif host_parts[-1].length == 3
+        host = host_parts[0...-1]
+      end
+      
+      return (host.length > 0)
+    end
+    
+    def validate_url(url)
+      parts = TrustRoot._parse_url(url)
+      return false if parts.nil?
+
+      proto, host, port, path = parts
+      
+      return false unless proto == @proto
+      return false unless port == @port
+      return false unless path.index(@path) == 0
+
+      if @wildcard
+        return (not host.rindex(@host).nil?)
+      else
+        return (host == @host)
+      end
+    end
+
+  end
+end
+

data/lib/openid/util.rb

@@ -0,0 +1,273 @@
+require "base64"
+require "cgi"
+require "digest/sha1"
+require "hmac-sha1"
+require "uri"
+
+srand(Time.now.to_f)
+
+class Object
+
+  def instance_variable_hash
+    h = {}
+    self.instance_variables.each { |k| h[k] = self.instance_variable_get(k) }
+    return h
+  end
+
+end
+
+class String
+
+  def starts_with?(other)
+    other = other.to_str
+    head = self[0, other.length]
+    head == other
+  end
+
+end
+
+
+module OpenID
+
+  # Code returned when either the of the
+  # OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth
+  # methods return successfully.
+  SUCCESS = 'success'
+
+  # Code OpenID::OpenIDConsumer.complete_auth
+  # returns when the value it received indicated an invalid login.
+  FAILURE = 'failure'
+
+  # Code returned by OpenIDConsumer.complete_auth when the user
+  # cancels the operation from the server.
+  CANCEL = 'cancel'
+
+  # Code returned by OpenID::OpenIDConsumer.complete_auth when the
+  # OpenIDConsumer instance is in immediate mode and ther server sends back a
+  # URL for the user to login with.
+  SETUP_NEEDED = 'setup needed'  
+
+  # Code returned by OpenID::OpenIDConsumer.begin_auth when it is unable
+  # to fetch the URL given by the user.
+  HTTP_FAILURE = 'http failure'
+
+  # Code returned by OpenID::OpenIDConsumer.begin_auth when the page fetched
+  # from the OpenID URL doesn't contain the necessary link tags to function
+  # as an identity page.
+  PARSE_ERROR = 'parse error'
+
+  module Util
+
+    HAS_URANDOM = File.chardev? '/dev/urandom'
+
+    def Util.get_openid_params(query)
+      params = {}
+      query.each do |k,v|
+        params[k] = v if k.index("openid.") == 0
+      end
+      params
+    end
+
+    def Util.hmac_sha1(key, text)
+      HMAC::SHA1.digest(key, text)
+    end
+
+    def Util.sha1(s)
+      Digest::SHA1.digest(s)
+    end
+   
+    def Util.to_base64(s)
+      Base64.encode64(s).gsub("\n", "")
+    end
+
+    def Util.from_base64(s)
+      Base64.decode64(s)
+    end
+ 
+    def Util.kvform(hash)
+      form = ""
+      hash.each do |k,v|
+        form << "#{k}:#{v}\n"
+      end
+      form
+    end
+
+    def Util.parsekv(s)
+      s.strip!
+      form = {}
+      s.split("\n").each do |line|
+        pair = line.split(":", 2)
+        if pair.length == 2
+          k, v = pair
+          form[k.strip] = v.strip
+        end
+      end
+      form
+    end
+
+    def Util.num_to_str(n)
+      bits = n.to_s(2)
+      prepend = (8 - bits.length % 8)
+      bits = ('0' * prepend) + bits
+      [bits].pack('B*')
+    end
+
+    def Util.str_to_num(s)
+      # taken from openid-ruby 0.0.1
+      s = "\000" * (4 - (s.length % 4)) + s
+      num = 0
+      s.unpack('N*').each do |x|
+        num <<= 32
+        num |= x
+      end
+      num    
+    end
+
+    def Util.num_to_base64(l)
+      return to_base64(num_to_str(l))
+    end
+
+    def Util.base64_to_num(s)
+      return str_to_num(from_base64(s))
+    end
+
+    def Util.random_string(length, chars=nil)
+      s = ""
+
+      unless chars.nil?
+        length.times { s << chars[Util.rand(chars.length)] }
+      else
+        length.times { s << Util.rand(256).chr }
+      end
+      s
+    end
+
+    def Util.urlencode(args)
+      a = []
+      args.each do |key, val|
+        a << (CGI::escape(key) + "=" + CGI::escape(val))
+      end
+      a.join("&")
+    end
+    
+    def Util.parse_query(qs)
+      query = {}
+      CGI::parse(qs).each {|k,v| query[k] = v[0]}
+      return query
+    end
+    
+    def Util.append_args(url, args)
+      url = url.dup
+      url if args.length == 0
+      url << (url.include?("?") ? "&" : "?")
+      url << Util.urlencode(args)
+    end
+    
+    def Util.strxor(s1, s2)
+      raise ArgumentError if s1.length != s2.length
+      length = [s1.length, s2.length].min - 1
+      a = (0..length).collect {|i| (s1[i]^s2[i]).chr}
+      a.join("")
+    end
+    
+    # Sign the given fields from the reply with the specified key.
+    # Return [signed, sig]
+    def Util.sign_reply(reply, key, signed_fields, prefix="openid.")
+      token = []
+      signed_fields.each do |sf|
+        token << [sf+":"+reply[prefix+sf].to_s+"\n"]
+      end
+      text = token.join("")
+      signed = Util.to_base64(Util.hmac_sha1(key, text))
+      return [signed_fields.join(","), signed]
+    end
+
+    # This code is taken from this post[http://blade.nagaokaut.ac.jp/cgi-bin/scat.\rb/ruby/ruby-talk/19098]
+    # by Eric Lee Green.
+    # This implementation is much faster than x ** n % q
+    def Util.powermod(x, n, q)
+      counter=0
+      n_p=n
+      y_p=1
+      z_p=x
+      while n_p != 0
+        if n_p[0]==1
+          y_p=(y_p*z_p) % q
+        end
+        n_p = n_p >> 1
+        z_p = (z_p * z_p) % q
+        counter += 1
+      end
+      return y_p
+    end
+
+    # Generate a random number less than max.  Uses urandom if available.
+    def Util.rand(max)
+      unless Util::HAS_URANDOM
+        return Kernel::rand(max)
+      end
+
+      start = 0
+      stop = max
+      step = 1
+      r = ((stop-start)/step).to_i
+
+      # figure out how many bytes we need
+      rbytes = Util::num_to_str(r)
+      nbytes = rbytes.length
+      nbytes -= 1 if rbytes[0].chr == "\000"
+            
+      bytes = "\000" + Util::get_random_bytes(nbytes)
+      n = Util::str_to_num(bytes)
+      
+      return start + (n % r) * step
+    end
+
+    # change the message below to do whatever you like for logging
+    def Util.log(message)
+      STDERR.puts('OpenID Log: ' + message)
+    end
+
+
+    def Util.get_random_bytes(n)
+      bytes = ""
+
+      if Util::HAS_URANDOM
+        f = File.open("/dev/urandom")
+        while n != 0
+          _bytes = f.read(n)
+          n -= _bytes.length
+          bytes << _bytes
+        end
+      else
+        bytes = Util.random_string(n)
+      end
+
+      return bytes
+    end
+
+    def Util.normalize_url(url)
+      url = url.strip
+
+      unless url.starts_with?('http://') or url.starts_with?('https://')
+        url = 'http://' + url
+      end
+
+      begin
+        parsed = URI.parse(url)
+      rescue URI::InvalidURIError
+        return nil
+      else
+        return parsed.normalize.to_s
+      end
+    end
+
+    def Util.urls_equal?(url1, url2)
+      url1 = Util.normalize_url(url1)
+      return false if url1.nil?
+      return url1 == Util.normalize_url(url2)
+    end
+
+  end
+
+end