ruby-openid 1.1.4 → 2.0.1

data/examples/rails_openid/app/views/consumer/index.rhtml

@@ -0,0 +1,81 @@
+<html>
+<head>
+<title>Rails OpenID Example Consumer</title>
+</head>
+  <style type="text/css">
+      * {
+        font-family: verdana,sans-serif;
+      }
+      body {
+        width: 50em;
+        margin: 1em;
+      }
+      div {
+        padding: .5em;
+      }
+      .alert {
+        border: 1px solid #e7dc2b;
+        background: #fff888;
+      }
+      .error {
+        border: 1px solid #ff0000;
+        background: #ffaaaa;
+      }
+      .success {
+        border: 1px solid #00ff00;
+        background: #aaffaa;
+      }
+      #verify-form {
+        border: 1px solid #777777;
+        background: #dddddd;
+        margin-top: 1em;
+        padding-bottom: 0em;
+      }
+      input.openid {
+        background: url( /images/openid_login_bg.gif ) no-repeat;
+        background-position: 0 50%;
+        background-color: #fff;
+        padding-left: 18px;
+      }
+  </style>
+  <body>
+    <h1>Rails OpenID Example Consumer</h1>
+    <% if flash[:alert] %>
+      <div class='alert'>
+       <%= h(flash[:alert]) %>
+      </div>
+    <% end %>
+    <% if flash[:error] %>
+      <div class='error'>
+       <%= h(flash[:error]) %>
+      </div>
+    <% end %>
+    <% if flash[:success] %>
+      <div class='success'>
+       <%= h(flash[:success]) %>
+      </div>
+    <% end %>
+    <% if flash[:sreg_results] %>
+      <div class='alert'>
+      <%= flash[:sreg_results] %>
+      </div>
+    <% end %>
+    <% if flash[:pape_results] %>
+      <div class='alert'>
+      <%= flash[:pape_results] %>
+      </div>
+    <% end %>
+    <div id="verify-form">
+      <form method="get" accept-charset="UTF-8" 
+            action='<%= url_for :action => 'start' %>'>
+        Identifier:
+        <input type="text" class="openid" name="openid_identifier" />
+        <input type="submit" value="Verify" /><br />
+        <input type="checkbox" name="immediate" id="immediate" /><label for="immediate">Use immediate mode</label><br/>
+        <input type="checkbox" name="use_sreg" id="use_sreg" /><label for="use_sreg">Request registration data</label><br/>
+        <input type="checkbox" name="use_pape" id="use_pape" /><label for="use_pape">Request phishing-resistent auth policy (PAPE)</label><br/>
+        <input type="checkbox" name="force_post" id="force_post" /><label for="force_post">Force the transaction to use POST by adding 2K of extra data</label>
+      </form>
+    </div>
+  </body>
+</html>

data/examples/rails_openid/app/views/consumer/start.rhtml

@@ -0,0 +1,8 @@
+<html>
+<body>
+<%= @form_text %>
+<script type="text/javascript">
+document.getElementById('openid_form').submit();
+</script>
+</body>
+</html>

data/examples/{rails_server → rails_openid}/app/views/login/index.rhtml

@@ -20,7 +20,7 @@ Welcome to the Ruby OpenID server example.  This code is a starting point for de
 <h2>To use the example</h2>
 <p>
   <ol>
-    <li>Enter a username in the form above.  You will be "Logged In" to the server, at which point you may authenticate using an OpenID consumer. Your OpenID URL will be displayed after you log in.<p>The server will automatically create an identity page for you at http://localhost:3000/user/<i>name</i></p></li>
+    <li>Enter a username in the form above.  You will be "Logged In" to the server, at which point you may authenticate using an OpenID consumer. Your OpenID URL will be displayed after you log in.<p>The server will automatically create an identity page for you at <%= @base_url %>user/<i>name</i></p></li>
     <li>Run the example OpenID consumer: <blockquote>ruby examples/consumer.rb</blockquote></li>
     <li>In another browser window visit <a href="http://localhost:2000/">http://localhost:2000/</a>, and type your OpenID URL to verfiy your identity with this server.</li>
   </ol>

data/examples/rails_openid/app/views/server/decide.rhtml

@@ -0,0 +1,26 @@
+<form method="post" action="<%= url_for :controller => 'server', :action => 'decision' %>">
+
+<table>
+  <tr><td>Site:</td><td><%= @oidreq.trust_root %></td></tr>
+
+  <% if @oidreq.id_select %>
+    <tr>
+      <td colspan="2">
+        You entered the server identifier at the relying party.
+        You'll need to send an identifier of your choosing.  Enter a
+        username below.
+      </td>
+    </tr>
+    <tr>
+      <td>Identity to send:</td>
+      <td><input type="text" name="id_to_send" size="25" /></td>
+    </tr>
+  <% else %>
+    <tr><td>Identity:</td><td><%= @oidreq.identity %></td></tr>
+  <% end %>
+</table>
+
+<input type="submit" name="yes" value="yes" />
+<input type="submit" name="no" value="no" />
+
+</form>

data/examples/{rails_server → rails_openid}/config/routes.rb

@@ -11,8 +11,9 @@ ActionController::Routing::Routes.draw do |map|
   # map.connect '', :controller => "welcome"
 
   map.connect '', :controller => 'login'
+  map.connect 'server/xrds', :controller => 'server', :action => 'idp_xrds'
   map.connect 'user/:username', :controller => 'server', :action => 'user_page'
-  map.connect 'user/:username/xrds', :controller => 'server', :action => 'xrds'
+  map.connect 'user/:username/xrds', :controller => 'server', :action => 'user_xrds'
 
   # Allow downloading Web Service WSDL as a file with an extension
   # instead of a file named 'wsdl'

data/lib/{hmac-sha1.rb → hmac/sha1.rb}

@@ -1,4 +1,4 @@
-require 'hmac'
+require 'hmac/hmac'
 require 'digest/sha1'
 
 module HMAC

data/lib/{hmac-sha2.rb → hmac/sha2.rb}

@@ -1,4 +1,4 @@
-require 'hmac'
+require 'hmac/hmac'
 require 'digest/sha2'
 
 module HMAC

data/lib/openid/association.rb

@@ -1,71 +1,57 @@
-require 'openid/util'
+require "openid/kvform"
+require "openid/util"
+require "openid/cryptutil"
+require "openid/message"
 
 module OpenID
 
-  # Represents an "association" between a consumer and server, and
-  # is also used for storage of the information exchanged
-  # during the openid.mode='associate' transaction.
-  # This class is used by the both the server and consumer.
-  class Association
-    @@version = '2'
-    @@assoc_keys = [
-                    'version',
-                    'handle',
-                    'secret',
-                    'issued',
-                    'lifetime',
-                    'assoc_type'
-                   ]
+  def self.get_secret_size(assoc_type)
+    if assoc_type == 'HMAC-SHA1'
+      return 20
+    elsif assoc_type == 'HMAC-SHA256'
+      return 32
+    else
+      raise ArgumentError("Unsupported association type: #{assoc_type}")
+    end
+  end
 
+  # An Association holds the shared secret between a relying party and
+  # an OpenID provider.
+  class Association
     attr_reader :handle, :secret, :issued, :lifetime, :assoc_type
 
-    def Association.from_expires_in(expires_in, handle, secret, assoc_type)
-      issued = Time.now.to_i
-      lifetime = expires_in
-      new(handle, secret, issued, lifetime, assoc_type) 
-    end
-
-    def Association.serialize(assoc)
-      data = [
-              '2',
-              assoc.handle,
-              OpenID::Util.to_base64(assoc.secret),
-              assoc.issued.to_i.to_s,
-              assoc.lifetime.to_i.to_s,
-              assoc.assoc_type              
-             ]
-  
-      lines = ""
-      (0...@@assoc_keys.length).collect do |i| 
-        lines += "#{@@assoc_keys[i]}: #{data[i]}\n"
+    FIELD_ORDER =
+      [:version, :handle, :secret, :issued, :lifetime, :assoc_type,]
+
+    # Load a serialized Association
+    def self.deserialize(serialized)
+      parsed = Util.kv_to_seq(serialized)
+      parsed_fields = parsed.map{|k, v| k.to_sym}
+      if parsed_fields != FIELD_ORDER
+          raise StandardError, 'Unexpected fields in serialized association'\
+          " (Expected #{FIELD_ORDER.inspect}, got #{parsed_fields.inspect})"
+      end
+      version, handle, secret64, issued_s, lifetime_s, assoc_type =
+        parsed.map {|field, value| value}
+      if version != '2'
+        raise StandardError, "Attempted to deserialize unsupported version "\
+                             "(#{parsed[0][1].inspect})"
       end
-    
-      lines
+
+      self.new(handle,
+               Util.from_base64(secret64),
+               Time.at(issued_s.to_i),
+               lifetime_s.to_i,
+               assoc_type)
     end
 
-    def Association.deserialize(assoc_s)
-      keys = []
-      values = []
-      assoc_s.split("\n").each do |line|
-        k, v = line.split(":", 2)
-        keys << k.strip
-        values << v.strip
-      end
-  
-      version, handle, secret, issued, lifetime, assoc_type = values
-      raise 'VersionError' if version != @@version
-  
-      secret = OpenID::Util.from_base64(secret)
-      issued = issued.to_i
-      lifetime = lifetime.to_i
-      Association.new(handle, secret, issued, lifetime, assoc_type)
+    # Create an Association with an issued time of now
+    def self.from_expires_in(expires_in, handle, secret, assoc_type)
+      issued = Time.now
+      self.new(handle, secret, issued, expires_in, assoc_type)
     end
 
     def initialize(handle, secret, issued, lifetime, assoc_type)
-      if assoc_type != 'HMAC-SHA1'
-        raise ArgumentError, "HMAC-SHA1 is the only supported assoc_type, got #{assoc_type}"
-      end
-      
       @handle = handle
       @secret = secret
       @issued = issued
@@ -73,37 +59,191 @@ module OpenID
       @assoc_type = assoc_type
     end
 
-    def expires_in
-      [0, @issued + @lifetime - Time.now.to_i].max
+    # Serialize the association to a form that's consistent across
+    # JanRain OpenID libraries.
+    def serialize
+      data = {
+        :version => '2',
+        :handle => handle,
+        :secret => Util.to_base64(secret),
+        :issued => issued.to_i.to_s,
+        :lifetime => lifetime.to_i.to_s,
+        :assoc_type => assoc_type,
+      }
+
+      Util.assert(data.length == FIELD_ORDER.length)
+
+      pairs = FIELD_ORDER.map{|field| [field.to_s, data[field]]}
+      return Util.seq_to_kv(pairs, strict=true)
     end
 
-    def expired?
-      return expires_in == 0
+    # The number of seconds until this association expires
+    def expires_in(now=nil)
+      if now.nil?
+        now = Time.now.to_i
+      else
+        now = now.to_i
+      end
+      time_diff = (issued.to_i + lifetime) - now
+      if time_diff < 0
+        return 0
+      else
+        return time_diff
+      end
     end
 
+    # Generate a signature for a sequence of [key, value] pairs
     def sign(pairs)
-      kv = ''
-      pairs.each {|k,v| kv << "#{k}:#{v}\n"}
-      return OpenID::Util.hmac_sha1(@secret, kv)
+      kv = Util.seq_to_kv(pairs)
+      case assoc_type
+      when 'HMAC-SHA1'
+        CryptUtil.hmac_sha1(@secret, kv)
+      when 'HMAC-SHA256'
+        CryptUtil.hmac_sha256(@secret, kv)
+      else
+        raise StandardError, "Association has unknown type: "\
+          "#{assoc_type.inspect}"
+      end
     end
 
-    def sign_hash(fields, hash, prefix='openid.')
-      pairs = []
-      fields.each { |f| pairs << [f, hash[prefix+f]] }
-      return OpenID::Util.to_base64(sign(pairs))
+    # Generate the list of pairs that form the signed elements of the
+    # given message
+    def make_pairs(message)
+      signed = message.get_arg(OPENID_NS, 'signed')
+      if signed.nil?
+        raise StandardError, 'Missing signed list'
+      end
+      signed_fields = signed.split(',', -1)
+      data = message.to_post_args
+      signed_fields.map {|field| [field, data.fetch('openid.'+field,'')] }
     end
 
-    def add_signature(fields, hash, prefix='openid.')
-      sig = sign_hash(fields, hash, prefix)
-      signed = fields.join(',')
-      hash[prefix+'sig'] = sig
-      hash[prefix+'signed'] = signed
+    # Return whether the message's signature passes
+    def check_message_signature(message)
+      message_sig = message.get_arg(OPENID_NS, 'sig')
+      if message_sig.nil?
+        raise StandardError, "#{message} has no sig."
+      end
+      calculated_sig = get_message_signature(message)
+      return calculated_sig == message_sig
+    end
+
+    # Get the signature for this message
+    def get_message_signature(message)
+      Util.to_base64(sign(make_pairs(message)))
     end
 
     def ==(other)
-      self.instance_variable_hash == other.instance_variable_hash
+      (other.class == self.class and 
+       other.handle == self.handle and
+       other.secret == self.secret and
+
+       # The internals of the time objects seemed to differ
+       # in an opaque way when serializing/unserializing.
+       # I don't think this will be a problem.
+       other.issued.to_i == self.issued.to_i and
+
+       other.lifetime == self.lifetime and
+       other.assoc_type == self.assoc_type)
+    end
+
+    # Add a signature (and a signed list) to a message.
+    def sign_message(message)
+      if (message.has_key?(OPENID_NS, 'sig') or
+          message.has_key?(OPENID_NS, 'signed'))
+        raise ArgumentError, 'Message already has signed list or signature'
+      end
+
+      extant_handle = message.get_arg(OPENID_NS, 'assoc_handle')
+      if extant_handle and extant_handle != self.handle
+        raise ArgumentError, "Message has a different association handle"
+      end
+
+      signed_message = message.copy()
+      signed_message.set_arg(OPENID_NS, 'assoc_handle', self.handle)
+      message_keys = signed_message.to_post_args.keys()
+
+      signed_list = []
+      message_keys.each { |k|
+        if k.starts_with?('openid.')
+          signed_list << k[7..-1]
+        end
+      }
+
+      signed_list << 'signed'
+      signed_list.sort!
+
+      signed_message.set_arg(OPENID_NS, 'signed', signed_list.join(','))
+      sig = get_message_signature(signed_message)
+      signed_message.set_arg(OPENID_NS, 'sig', sig)
+      return signed_message
+    end
+  end
+
+  class AssociationNegotiator
+    attr_reader :allowed_types
+
+    def self.get_session_types(assoc_type)
+      case assoc_type
+      when 'HMAC-SHA1'
+        ['DH-SHA1', 'no-encryption']
+      when 'HMAC-SHA256'
+        ['DH-SHA256', 'no-encryption']
+      else
+        raise StandardError, "Unknown association type #{assoc_type.inspect}"
+      end
+    end
+
+    def self.check_session_type(assoc_type, session_type)
+      if !get_session_types(assoc_type).include?(session_type)
+        raise StandardError, "Session type #{session_type.inspect} not "\
+                             "valid for association type #{assoc_type.inspect}"
+      end
+    end
+
+    def initialize(allowed_types)
+      self.allowed_types=(allowed_types)
     end
 
+    def copy
+      Marshal.load(Marshal.dump(self))
+    end
+
+    def allowed_types=(allowed_types)
+      allowed_types.each do |assoc_type, session_type|
+        self.class.check_session_type(assoc_type, session_type)
+      end
+      @allowed_types = allowed_types
+    end
+
+    def add_allowed_type(assoc_type, session_type=nil)
+      if session_type.nil?
+        session_types = self.class.get_session_types(assoc_type)
+      else
+        self.class.check_session_type(assoc_type, session_type)
+        session_types = [session_type]
+      end
+      session_types.each do |session_type|
+        @allowed_types << [assoc_type, session_type]
+      end
+    end
+
+    def allowed?(assoc_type, session_type)
+      @allowed_types.include?([assoc_type, session_type])
+    end
+
+    def get_allowed_type
+      @allowed_types.empty? ? nil : @allowed_types[0]
+    end
   end
 
+  DefaultNegotiator =
+    AssociationNegotiator.new([['HMAC-SHA1', 'DH-SHA1'],
+                               ['HMAC-SHA1', 'no-encryption'],
+                               ['HMAC-SHA256', 'DH-SHA256'],
+                               ['HMAC-SHA256', 'no-encryption']])
+
+  EncryptedNegotiator =
+    AssociationNegotiator.new([['HMAC-SHA1', 'DH-SHA1'],
+                               ['HMAC-SHA256', 'DH-SHA256']])
 end