ruby-openid 1.1.4 → 2.0.1

data/examples/active_record_openid_store/test/store_test.rb

@@ -4,46 +4,43 @@ RAILS_ENV = "test"
 require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb'))
 
 module StoreTestCase
-
   @@allowed_handle = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
   @@allowed_nonce = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
-
+  
   def _gen_nonce
-    OpenID::Util.random_string(8, @@allowed_nonce)
+    OpenID::CryptUtil.random_string(8, @@allowed_nonce)
   end
 
   def _gen_handle(n)
-    OpenID::Util.random_string(n, @@allowed_handle)
+    OpenID::CryptUtil.random_string(n, @@allowed_handle)
   end
 
   def _gen_secret(n, chars=nil)
-    OpenID::Util.random_string(n, chars)
+    OpenID::CryptUtil.random_string(n, chars)
   end
 
   def _gen_assoc(issued, lifetime=600)
     secret = _gen_secret(20)
     handle = _gen_handle(128)
-    OpenID::Association.new(handle, secret, Time.now.to_i + issued, lifetime,
+    OpenID::Association.new(handle, secret, Time.now + issued, lifetime,
                             'HMAC-SHA1') 
   end
-    
+  
   def _check_retrieve(url, handle=nil, expected=nil)
     ret_assoc = @store.get_association(url, handle)
 
-    if expected.nil? or @store.dumb?
+    if expected.nil?
       assert_nil(ret_assoc)
     else
-      assert_equal(ret_assoc, expected)
-      assert_equal(ret_assoc.handle, expected.handle)
-      assert_equal(ret_assoc.secret, expected.secret)
+      assert_equal(expected, ret_assoc)
+      assert_equal(expected.handle, ret_assoc.handle)
+      assert_equal(expected.secret, ret_assoc.secret)
     end
   end
 
   def _check_remove(url, handle, expected)
     present = @store.remove_association(url, handle)
-    expected_present = ((not @store.dumb?) and expected)
-    assert ((not expected_present and not present) or \
-            (expected_present and present))    
+    assert_equal(expected, present)
   end
 
   def test_store
@@ -132,50 +129,83 @@ module StoreTestCase
     _check_remove(server_url, assoc2.handle, false)
     _check_remove(server_url, assoc.handle, false)
     _check_remove(server_url, assoc3.handle, false)
+
+    assocValid1 = _gen_assoc(-3600, 7200)
+    assocValid2 = _gen_assoc(-5)
+    assocExpired1 = _gen_assoc(-7200, 3600)
+    assocExpired2 = _gen_assoc(-7200, 3600)
+
+    @store.cleanup_associations
+    @store.store_association(server_url + '1', assocValid1)
+    @store.store_association(server_url + '1', assocExpired1)
+    @store.store_association(server_url + '2', assocExpired2)
+    @store.store_association(server_url + '3', assocValid2)
+
+    cleaned = @store.cleanup_associations()
+    assert_equal(2, cleaned, "cleaned up associations")
   end
-    
+
+  def _check_use_nonce(nonce, expected, server_url, msg='')
+    stamp, salt = OpenID::Nonce::split_nonce(nonce)
+    actual = @store.use_nonce(server_url, stamp, salt)
+    assert_equal(expected, actual, msg)
+  end
+
   def test_nonce
-    nonce1 = _gen_nonce
-    
-    assert_not_nil(nonce1)
-
-    # a nonce is present by default
-    present = @store.use_nonce(nonce1)
-    assert_equal(present, false)
-
-    # Storing once causes use_nonce to return true the first, and only
-    # the first, time it is called after the store.
-    @store.store_nonce(nonce1)
-    present = @store.use_nonce(nonce1)
-    assert present
-    present = @store.use_nonce(nonce1)
-    assert_equal(present, false)
-    
-    # Storing twice has the same effect as storing once.
-    @store.store_nonce(nonce1)
-    @store.store_nonce(nonce1)
-    present = @store.use_nonce(nonce1)
-    assert present
-    present = @store.use_nonce(nonce1)
-    assert_equal(present, false)
-    
-    ### Auth key stuff
-    
-    # there is no key to start with, so generate a new key and return it
-    key = @store.get_auth_key
+    server_url = "http://www.myopenid.com/openid"
+    [server_url, ''].each{|url|
+      nonce1 = OpenID::Nonce::mk_nonce
+
+      _check_use_nonce(nonce1, true, url, "#{url}: nonce allowed by default") 
+      _check_use_nonce(nonce1, false, url, "#{url}: nonce not allowed twice") 
+      _check_use_nonce(nonce1, false, url, "#{url}: nonce not allowed third time")
+      
+      # old nonces shouldn't pass
+      old_nonce = OpenID::Nonce::mk_nonce(3600)
+      _check_use_nonce(old_nonce, false, url, "Old nonce #{old_nonce.inspect} passed")
+
+    }
+
+    now = Time.now.to_i
+    old_nonce1 = OpenID::Nonce::mk_nonce(now - 20000)
+    old_nonce2 = OpenID::Nonce::mk_nonce(now - 10000)
+    recent_nonce = OpenID::Nonce::mk_nonce(now - 600)
+
+    orig_skew = OpenID::Nonce.skew
+    OpenID::Nonce.skew = 0
+    count = @store.cleanup_nonces
+    OpenID::Nonce.skew = 1000000
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce1)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce1")
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce2)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce2")
+    ts, salt = OpenID::Nonce::split_nonce(recent_nonce)
+    assert(@store.use_nonce(server_url, ts, salt), "recent_nonce")
+
     
-    # the second time we should return the same key as before
-    key2 = @store.get_auth_key
-    assert key == key2
+    OpenID::Nonce.skew = 1000
+    cleaned = @store.cleanup_nonces
+    assert_equal(2, cleaned, "Cleaned #{cleaned} nonces")
+
+    OpenID::Nonce.skew = 100000
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce1)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce1 after cleanup")
+    ts, salt = OpenID::Nonce::split_nonce(old_nonce2)
+    assert(@store.use_nonce(server_url, ts, salt), "oldnonce2 after cleanup")
+    ts, salt = OpenID::Nonce::split_nonce(recent_nonce)
+    assert(!@store.use_nonce(server_url, ts, salt), "recent_nonce after cleanup")
+
+    OpenID::Nonce.skew = orig_skew
+
   end
-  
 end
 
+
 class TestARStore < Test::Unit::TestCase
   include StoreTestCase
   
   def setup
-    @store = ActiveRecordOpenIDStore.new
+    @store = ActiveRecordStore.new
   end
 
 end

data/examples/discover

@@ -0,0 +1,46 @@
+#!/usr/bin/env ruby
+require "openid/consumer/discovery"
+
+$names = [[:server_url,   "Server URL  "],
+          [:local_id,     "Local ID    "],
+          [:canonical_id, "Canonical ID"],
+         ]
+
+def show_services(user_input, normalized, services)
+  puts " Claimed identifier: #{normalized}"
+  if services.empty?
+    puts " No OpenID services found"
+    puts
+  else
+    puts " Discovered services:"
+    n = 0
+    services.each do |service|
+      n += 1
+      puts "  #{n}."
+      $names.each do |meth, name|
+        val = service.send(meth)
+        if val
+          printf("     %s: %s\n", name, val)
+        end
+      end
+      puts "     Type URIs:"
+      for type_uri in service.type_uris
+        puts "       * #{type_uri}"
+      end
+      puts
+    end
+  end
+end
+
+ARGV.each do |openid_identifier|
+  puts "=" * 50
+  puts "Running discovery on #{openid_identifier}"
+  begin
+    normalized_identifier, services = OpenID.discover(openid_identifier)
+  rescue OpenID::Yadis::DiscoveryFailure => why
+    puts "Discovery failed: #{why.message}"
+    puts
+  else
+    show_services(openid_identifier, normalized_identifier, services)
+  end
+end

data/examples/rails_openid/app/controllers/consumer_controller.rb

@@ -0,0 +1,115 @@
+require 'pathname'
+
+require "openid"
+require 'openid/extensions/sreg'
+require 'openid/extensions/pape'
+require 'openid/store/filesystem'
+
+class ConsumerController < ApplicationController
+  layout nil
+
+  def index
+    # render an openid form
+  end
+
+  def start
+    begin
+      oidreq = consumer.begin(params[:openid_identifier])
+    rescue OpenID::OpenIDError => e
+      flash[:error] = "Discovery failed for #{params[:openid_identifier]}: #{e}"
+      redirect_to :action => 'index'
+      return
+    end
+    if params[:use_sreg]
+      sregreq = OpenID::SReg::Request.new
+      # required fields
+      sregreq.request_fields(['email','nickname'], true)
+      # optional fields
+      sregreq.request_fields(['dob', 'fullname'], false)
+      oidreq.add_extension(sregreq)
+      oidreq.return_to_args['did_sreg'] = 'y'
+    end
+    if params[:use_pape]
+      papereq = OpenID::PAPE::Request.new
+      papereq.add_policy_uri(OpenID::PAPE::AUTH_PHISHING_RESISTANT)
+      papereq.max_auth_age = 2*60*60
+      oidreq.add_extension(papereq)
+      oidreq.return_to_args['did_pape'] = 'y'
+    end
+    if params[:force_post]
+      oidreq.return_to_args['force_post']='x'*2048
+    end
+    return_to = url_for :action => 'complete', :only_path => false
+    realm = url_for :action => 'index', :only_path => false
+    
+    if oidreq.send_redirect?(realm, return_to, params[:immediate])
+      redirect_to oidreq.redirect_url(realm, return_to, params[:immediate])
+    else
+      @form_text = oidreq.form_markup(realm, return_to, params[:immediate], {'id' => 'openid_form'})
+    end
+  end
+
+  def complete
+    return_to = url_for(:action => 'complete', :only_path => false)
+    parameters = params.reject{|k,v|request.path_parameters[k]}
+    oidresp = consumer.complete(parameters, return_to)
+    case oidresp.status
+    when OpenID::Consumer::FAILURE
+      if oidresp.display_identifier
+        flash[:error] = ("Verification of #{oidresp.display_identifier}"\
+                         " failed: #{oidresp.message}")
+      else
+        flash[:error] = "Verification failed: #{oidresp.message}"
+      end
+    when OpenID::Consumer::SUCCESS
+      flash[:success] = ("Verification of #{oidresp.display_identifier}"\
+                         " succeeded.")
+      if params[:did_sreg]
+        sreg_resp = OpenID::SReg::Response.from_success_response(oidresp)
+        sreg_message = "Simple Registration data was requested"
+        if sreg_resp.empty?
+          sreg_message << ", but none was returned."
+        else
+          sreg_message << ". The following data were sent:"
+          sreg_resp.data.each {|k,v|
+            sreg_message << "<br/><b>#{k}</b>: #{v}"
+          }
+        end
+        flash[:sreg_results] = sreg_message
+      end
+      if params[:did_pape]
+        pape_resp = OpenID::PAPE::Response.from_success_response(oidresp)
+        pape_message = "A phishing resistant authentication method was requested"
+        if pape_resp.auth_policies.member? OpenID::PAPE::AUTH_PHISHING_RESISTANT
+          pape_message << ", and the server reported one."
+        else
+          pape_message << ", but the server did not report one."
+        end
+        if pape_resp.auth_age
+          pape_message << "<br><b>Authentication age:</b> #{pape_resp.auth_age} seconds"
+        end
+        if pape_resp.nist_auth_level
+          pape_message << "<br><b>NIST Auth Level:</b> #{pape_resp.nist_auth_level}"
+        end
+        flash[:pape_results] = pape_message
+      end
+    when OpenID::Consumer::SETUP_NEEDED
+      flash[:alert] = "Immediate request failed - Setup Needed"
+    when OpenID::Consumer::CANCEL
+      flash[:alert] = "OpenID transaction cancelled."
+    else
+    end
+    redirect_to :action => 'index'
+  end
+
+  private
+
+  def consumer
+    if @consumer.nil?
+      dir = Pathname.new(RAILS_ROOT).join('db').join('cstore')
+      store = OpenID::Store::Filesystem.new(dir)
+      @consumer = OpenID::Consumer.new(session, store)
+    end
+    return @consumer
+  end
+end

data/examples/{rails_server → rails_openid}/app/controllers/login_controller.rb

@@ -5,19 +5,27 @@ class LoginController < ApplicationController
 
   layout 'server'
 
+  def base_url
+    url_for(:controller => 'login', :action => nil, :only_path => false)
+  end
+
   def index
+    response.headers['X-XRDS-Location'] = url_for(:controller => "server",
+                                                  :action => "idp_xrds",
+                                                  :only_path => false)
+    @base_url = base_url
     # just show the login page
   end
 
   def submit
-    user = @params[:username]
+    user = params[:username]
 
     # if we get a user, log them in by putting their username in
     # the session hash.
     unless user.nil?
       session[:username] = user unless user.nil?
       session[:approvals] = []
-      flash[:notice] = "Your OpenID URL is <b>http://localhost:3000/user/#{user}</b><br/><br/>Proceed to step 2 below."
+      flash[:notice] = "Your OpenID URL is <b>#{base_url}user/#{user}</b><br/><br/>Proceed to step 2 below."
     else
       flash[:error] = "Sorry, couldn't log you in. Try again."
     end

data/examples/rails_openid/app/controllers/server_controller.rb

@@ -0,0 +1,265 @@
+require 'pathname'
+
+# load the openid library, first trying rubygems
+#begin
+#  require "rubygems"
+#  require_gem "ruby-openid", ">= 1.0"
+#rescue LoadError
+require "openid"
+require "openid/consumer/discovery"
+require 'openid/extensions/sreg'
+require 'openid/extensions/pape'
+require 'openid/store/filesystem'
+#end
+
+class ServerController < ApplicationController
+
+  include ServerHelper
+  include OpenID::Server
+  layout nil
+
+  def index
+    begin
+      oidreq = server.decode_request(params)
+    rescue ProtocolError => e
+      # invalid openid request, so just display a page with an error message
+      render_text e.to_s
+      return
+    end
+
+    # no openid.mode was given
+    unless oidreq
+      render_text "This is an OpenID server endpoint."
+      return
+    end
+
+    oidresp = nil
+
+    if oidreq.kind_of?(CheckIDRequest)
+
+      identity = oidreq.identity
+
+      if oidreq.id_select
+        if oidreq.immediate
+          oidresp = oidreq.answer(false)
+        elsif session[:username].nil?
+          # The user hasn't logged in.
+          show_decision_page(oidreq)
+          return
+        else
+          # Else, set the identity to the one the user is using.
+          identity = url_for_user
+        end
+      end
+
+      if oidresp
+        nil
+      elsif self.is_authorized(identity, oidreq.trust_root)
+        oidresp = oidreq.answer(true, nil, identity)
+
+        # add the sreg response if requested
+        add_sreg(oidreq, oidresp)
+        # ditto pape
+        add_pape(oidreq, oidresp)
+
+      elsif oidreq.immediate
+        server_url = url_for :action => 'index'
+        oidresp = oidreq.answer(false, server_url)
+
+      else
+        show_decision_page(oidreq)
+        return
+      end
+
+    else
+      oidresp = server.handle_request(oidreq)
+    end
+
+    self.render_response(oidresp)
+  end
+
+  def show_decision_page(oidreq, message="Do you trust this site with your identity?")
+    session[:last_oidreq] = oidreq
+    @oidreq = oidreq
+
+    if message
+      flash[:notice] = message
+    end
+
+    render :template => 'server/decide', :layout => 'server'
+  end
+
+  def user_page
+    # Yadis content-negotiation: we want to return the xrds if asked for.
+    accept = request.env['HTTP_ACCEPT']
+
+    # This is not technically correct, and should eventually be updated
+    # to do real Accept header parsing and logic.  Though I expect it will work
+    # 99% of the time.
+    if accept and accept.include?('application/xrds+xml')
+      user_xrds
+      return
+    end
+
+    # content negotiation failed, so just render the user page
+    xrds_url = url_for(:controller=>'user',:action=>params[:username])+'/xrds'
+    identity_page = <<EOS
+<html><head>
+<meta http-equiv="X-XRDS-Location" content="#{xrds_url}" />
+<link rel="openid.server" href="#{url_for :action => 'index'}" />
+</head><body><p>OpenID identity page for #{params[:username]}</p>
+</body></html>
+EOS
+
+    # Also add the Yadis location header, so that they don't have
+    # to parse the html unless absolutely necessary.
+    response.headers['X-XRDS-Location'] = xrds_url
+    render_text identity_page
+  end
+
+  def user_xrds
+    types = [
+             OpenID::OPENID_2_0_TYPE,
+             OpenID::OPENID_1_0_TYPE,
+             OpenID::SREG_URI,
+            ]
+
+    render_xrds(types)
+  end
+
+  def idp_xrds
+    types = [
+             OpenID::OPENID_IDP_2_0_TYPE,
+            ]
+
+    render_xrds(types)
+  end
+
+  def decision
+    oidreq = session[:last_oidreq]
+    session[:last_oidreq] = nil
+
+    if params[:yes].nil?
+      redirect_to oidreq.cancel_url
+      return
+    else
+      id_to_send = params[:id_to_send]
+
+      identity = oidreq.identity
+      if oidreq.id_select
+        if id_to_send and id_to_send != ""
+          session[:username] = id_to_send
+          session[:approvals] = []
+          identity = url_for_user
+        else
+          msg = "You must enter a username to in order to send " +
+            "an identifier to the Relying Party."
+          show_decision_page(oidreq, msg)
+          return
+        end
+      end
+
+      if session[:approvals]
+        session[:approvals] << oidreq.trust_root
+      else
+        session[:approvals] = [oidreq.trust_root]
+      end
+      oidresp = oidreq.answer(true, nil, identity)
+      add_sreg(oidreq, oidresp)
+      add_pape(oidreq, oidresp)
+      return self.render_response(oidresp)
+    end
+  end
+
+  protected
+
+  def server
+    if @server.nil?
+      server_url = url_for :action => 'index', :only_path => false
+      dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
+      store = OpenID::Store::Filesystem.new(dir)
+      @server = Server.new(store, server_url)
+    end
+    return @server
+  end
+
+  def approved(trust_root)
+    return false if session[:approvals].nil?
+    return session[:approvals].member?(trust_root)
+  end
+
+  def is_authorized(identity_url, trust_root)
+    return (session[:username] and (identity_url == url_for_user) and self.approved(trust_root))
+  end
+
+  def render_xrds(types)
+    type_str = ""
+
+    types.each { |uri|
+      type_str += "<Type>#{uri}</Type>\n      "
+    }
+
+    yadis = <<EOS
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS
+    xmlns:xrds="xri://$xrds"
+    xmlns="xri://$xrd*($v*2.0)">
+  <XRD>
+    <Service priority="0">
+      #{type_str}
+      <URI>#{url_for(:controller => 'server', :only_path => false)}</URI>
+    </Service>
+  </XRD>
+</xrds:XRDS>
+EOS
+
+    response.headers['content-type'] = 'application/xrds+xml'
+    render_text yadis
+  end
+
+  def add_sreg(oidreq, oidresp)
+    # check for Simple Registration arguments and respond
+    sregreq = OpenID::SReg::Request.from_openid_request(oidreq)
+
+    return if sregreq.nil?
+    # In a real application, this data would be user-specific,
+    # and the user should be asked for permission to release
+    # it.
+    sreg_data = {
+      'nickname' => session[:username],
+      'fullname' => 'Mayor McCheese',
+      'email' => 'mayor@example.com'
+    }
+
+    sregresp = OpenID::SReg::Response.extract_response(sregreq, sreg_data)
+    oidresp.add_extension(sregresp)
+  end
+
+  def add_pape(oidreq, oidresp)
+    papereq = OpenID::PAPE::Request.from_openid_request(oidreq)
+    return if papereq.nil?
+    paperesp = OpenID::PAPE::Response.new
+    paperesp.nist_auth_level = 0 # we don't even do auth at all!
+    oidresp.add_extension(paperesp)
+  end
+
+  def render_response(oidresp)
+    if oidresp.needs_signing
+      signed_response = server.signatory.sign(oidresp)
+    end
+    web_response = server.encode_response(oidresp)
+
+    case web_response.code
+    when HTTP_OK
+      render :text => web_response.body, :status => 200
+
+    when HTTP_REDIRECT
+      redirect_to web_response.headers['location']
+
+    else
+      render :text => web_response.body, :status => 400
+    end
+  end
+
+
+end