ruby-openid 1.1.4 → 2.0.1

data/lib/openid/consumer/associationmanager.rb

@@ -0,0 +1,338 @@
+require "openid/dh"
+require "openid/util"
+require "openid/kvpost"
+require "openid/cryptutil"
+require "openid/protocolerror"
+require "openid/association"
+
+module OpenID
+  class Consumer
+
+    # A superclass for implementing Diffie-Hellman association sessions.
+    class DiffieHellmanSession
+      class << self
+        attr_reader :session_type, :secret_size, :allowed_assoc_types,
+          :hashfunc
+      end
+
+      def initialize(dh=nil)
+        if dh.nil?
+          dh = DiffieHellman.from_defaults
+        end
+        @dh = dh
+      end
+
+      # Return the query parameters for requesting an association
+      # using this Diffie-Hellman association session
+      def get_request
+        args = {'dh_consumer_public' => CryptUtil.num_to_base64(@dh.public)}
+        if (!@dh.using_default_values?)
+          args['dh_modulus'] = CryptUtil.num_to_base64(@dh.modulus)
+          args['dh_gen'] = CryptUtil.num_to_base64(@dh.generator)
+        end
+
+        return args
+      end
+
+      # Process the response from a successful association request and
+      # return the shared secret for this association
+      def extract_secret(response)
+        dh_server_public64 = response.get_arg(OPENID_NS, 'dh_server_public',
+                                              NO_DEFAULT)
+        enc_mac_key64 = response.get_arg(OPENID_NS, 'enc_mac_key', NO_DEFAULT)
+        dh_server_public = CryptUtil.base64_to_num(dh_server_public64)
+        enc_mac_key = Util.from_base64(enc_mac_key64)
+        return @dh.xor_secret(self.class.hashfunc,
+                              dh_server_public, enc_mac_key)
+      end
+    end
+
+    # A Diffie-Hellman association session that uses SHA1 as its hash
+    # function
+    class DiffieHellmanSHA1Session < DiffieHellmanSession
+      @session_type = 'DH-SHA1'
+      @secret_size = 20
+      @allowed_assoc_types = ['HMAC-SHA1']
+      @hashfunc = CryptUtil.method(:sha1)
+    end
+
+    # A Diffie-Hellman association session that uses SHA256 as its hash
+    # function
+    class DiffieHellmanSHA256Session < DiffieHellmanSession
+      @session_type = 'DH-SHA256'
+      @secret_size = 32
+      @allowed_assoc_types = ['HMAC-SHA256']
+      @hashfunc = CryptUtil.method(:sha256)
+    end
+
+    # An association session that does not use encryption
+    class NoEncryptionSession
+      class << self
+        attr_reader :session_type, :allowed_assoc_types
+      end
+      @session_type = 'no-encryption'
+      @allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256']
+
+      def get_request
+        return {}
+      end
+
+      def extract_secret(response)
+        mac_key64 = response.get_arg(OPENID_NS, 'mac_key', NO_DEFAULT)
+        return Util.from_base64(mac_key64)
+      end
+    end
+
+    # An object that manages creating and storing associations for an
+    # OpenID provider endpoint
+    class AssociationManager
+      def self.create_session(session_type)
+        case session_type
+        when 'no-encryption'
+          NoEncryptionSession.new
+        when 'DH-SHA1'
+          DiffieHellmanSHA1Session.new
+        when 'DH-SHA256'
+          DiffieHellmanSHA256Session.new
+        else
+          raise ArgumentError, "Unknown association session type: "\
+                               "#{session_type.inspect}"
+        end
+      end
+
+      def initialize(store, server_url, compatibility_mode=false,
+                     negotiator=nil)
+        @store = store
+        @server_url = server_url
+        @compatibility_mode = compatibility_mode
+        @negotiator = negotiator || DefaultNegotiator
+      end
+
+      def get_association
+        if @store.nil?
+          return nil
+        end
+
+        assoc = @store.get_association(@server_url)
+        if assoc.nil? || assoc.expires_in <= 0
+          assoc = negotiate_association
+          if !assoc.nil?
+            @store.store_association(@server_url, assoc)
+          end
+        end
+
+        return assoc
+      end
+
+      def negotiate_association
+        assoc_type, session_type = @negotiator.get_allowed_type
+        begin
+          return request_association(assoc_type, session_type)
+        rescue ServerError => why
+          supported_types = extract_supported_association_type(why, assoc_type)
+          if !supported_types.nil?
+            # Attempt to create an association from the assoc_type and
+            # session_type that the server told us it supported.
+            assoc_type, session_type = supported_types
+            begin
+              return request_association(assoc_type, session_type)
+            rescue ServerError => why
+              Util.log("Server #{@server_url} refused its suggested " \
+                       "association type: session_type=#{session_type}, " \
+                       "assoc_type=#{assoc_type}")
+              return nil
+            end
+          end
+        end
+      end
+
+      protected
+      def extract_supported_association_type(server_error, assoc_type)
+        # Any error message whose code is not 'unsupported-type' should
+        # be considered a total failure.
+        if (server_error.error_code != 'unsupported-type' or
+            server_error.message.is_openid1)
+          Util.log("Server error when requesting an association from "\
+                   "#{@server_url}: #{server_error.error_text}")
+          return nil
+        end
+
+        # The server didn't like the association/session type that we
+        # sent, and it sent us back a message that might tell us how to
+        # handle it.
+        Util.log("Unsupported association type #{assoc_type}: "\
+                 "#{server_error.error_text}")
+
+        # Extract the session_type and assoc_type from the error message
+        assoc_type = server_error.message.get_arg(OPENID_NS, 'assoc_type')
+        session_type = server_error.message.get_arg(OPENID_NS, 'session_type')
+
+        if assoc_type.nil? or session_type.nil?
+          Util.log("Server #{@server_url} responded with unsupported "\
+                   "association session but did not supply a fallback.")
+          return nil
+        elsif !@negotiator.allowed?(assoc_type, session_type)
+          Util.log("Server sent unsupported session/association type: "\
+                   "session_type=#{session_type}, assoc_type=#{assoc_type}")
+          return nil
+        else
+          return [assoc_type, session_type]
+        end
+      end
+
+      # Make and process one association request to this endpoint's OP
+      # endpoint URL. Returns an association object or nil if the
+      # association processing failed. Raises ServerError when the
+      # remote OpenID server returns an error.
+      def request_association(assoc_type, session_type)
+        assoc_session, args = create_associate_request(assoc_type, session_type)
+
+        response = OpenID.make_kv_post(args, @server_url)
+
+        begin
+          return extract_association(response, assoc_session)
+        rescue Message::KeyNotFound => why
+          Util.log("Missing required parameter in response from "\
+                   "#{@server_url}: #{why}")
+          return nil
+
+        rescue ProtocolError => why
+          Util.log("Protocol error processing response from #{@server_url}: "\
+                   "#{why}")
+          return nil
+        end
+      end
+
+      # Create an association request for the given assoc_type and
+      # session_type. Returns a pair of the association session object
+      # and the request message that will be sent to the server.
+      def create_associate_request(assoc_type, session_type)
+        assoc_session = self.class.create_session(session_type)
+        args = {
+          'mode' => 'associate',
+          'assoc_type' => assoc_type,
+        }
+
+        if !@compatibility_mode
+          args['ns'] = OPENID2_NS
+        end
+
+        # Leave out the session type if we're in compatibility mode
+        # *and* it's no-encryption.
+        if !@compatibility_mode ||
+            assoc_session.class.session_type != 'no-encryption'
+          args['session_type'] = assoc_session.class.session_type
+        end
+
+        args.merge!(assoc_session.get_request)
+        message = Message.from_openid_args(args)
+        return assoc_session, message
+      end
+
+      # Given an association response message, extract the OpenID 1.X
+      # session type. Returns the association type for this message
+      #
+      # This function mostly takes care of the 'no-encryption' default
+      # behavior in OpenID 1.
+      #
+      # If the association type is plain-text, this function will
+      # return 'no-encryption'
+      def get_openid1_session_type(assoc_response)
+        # If it's an OpenID 1 message, allow session_type to default
+        # to nil (which signifies "no-encryption")
+        session_type = assoc_response.get_arg(OPENID1_NS, 'session_type')
+
+        # Handle the differences between no-encryption association
+        # respones in OpenID 1 and 2:
+
+        # no-encryption is not really a valid session type for
+        # OpenID 1, but we'll accept it anyway, while issuing a
+        # warning.
+        if session_type == 'no-encryption'
+          Util.log("WARNING: #{@server_url} sent 'no-encryption'"\
+                   "for OpenID 1.X")
+
+        # Missing or empty session type is the way to flag a
+        # 'no-encryption' response. Change the session type to
+        # 'no-encryption' so that it can be handled in the same
+        # way as OpenID 2 'no-encryption' respones.
+        elsif session_type == '' || session_type.nil?
+          session_type = 'no-encryption'
+        end
+
+        return session_type
+      end
+
+      def self.extract_expires_in(message)
+        # expires_in should be a base-10 string.
+        expires_in_str = message.get_arg(OPENID_NS, 'expires_in', NO_DEFAULT)
+        if !(/\A\d+\Z/ =~ expires_in_str)
+          raise ProtocolError, "Invalid expires_in field: #{expires_in_str}"
+        end
+        expires_in_str.to_i
+      end
+
+      # Attempt to extract an association from the response, given the
+      # association response message and the established association
+      # session.
+      def extract_association(assoc_response, assoc_session)
+        # Extract the common fields from the response, raising an
+        # exception if they are not found
+        assoc_type = assoc_response.get_arg(OPENID_NS, 'assoc_type',
+                                            NO_DEFAULT)
+        assoc_handle = assoc_response.get_arg(OPENID_NS, 'assoc_handle',
+                                              NO_DEFAULT)
+        expires_in = self.class.extract_expires_in(assoc_response)
+
+        # OpenID 1 has funny association session behaviour.
+        if assoc_response.is_openid1:
+            session_type = get_openid1_session_type(assoc_response)
+        else
+          session_type = assoc_response.get_arg(OPENID2_NS, 'session_type',
+                                                NO_DEFAULT)
+        end
+
+        # Session type mismatch
+        if assoc_session.class.session_type != session_type
+          if (assoc_response.is_openid1 and session_type == 'no-encryption')
+            # In OpenID 1, any association request can result in a
+            # 'no-encryption' association response. Setting
+            # assoc_session to a new no-encryption session should
+            # make the rest of this function work properly for
+            # that case.
+            assoc_session = NoEncryptionSession.new
+          else
+            # Any other mismatch, regardless of protocol version
+            # results in the failure of the association session
+            # altogether.
+            raise ProtocolError, "Session type mismatch. Expected "\
+                                 "#{assoc_session.class.session_type}, got "\
+                                 "#{session_type}"
+          end
+        end
+
+        # Make sure assoc_type is valid for session_type
+        if !assoc_session.class.allowed_assoc_types.member?(assoc_type)
+          raise ProtocolError, "Unsupported assoc_type for session "\
+                               "#{assoc_session.class.session_type} "\
+                               "returned: #{assoc_type}"
+        end
+
+        # Delegate to the association session to extract the secret
+        # from the response, however is appropriate for that session
+        # type.
+        begin
+          secret = assoc_session.extract_secret(assoc_response)
+        rescue Message::KeyNotFound, ArgumentError => why
+          raise ProtocolError, "Malformed response for "\
+                               "#{assoc_session.class.session_type} "\
+                               "session: #{why.message}"
+        end
+
+
+        return Association.from_expires_in(expires_in, assoc_handle, secret,
+                                           assoc_type)
+      end
+    end
+  end
+end

data/lib/openid/consumer/checkid_request.rb

@@ -0,0 +1,175 @@
+require "openid/message"
+require "openid/util"
+
+module OpenID
+  class Consumer
+    # An object that holds the state necessary for generating an
+    # OpenID authentication request. This object holds the association
+    # with the server and the discovered information with which the
+    # request will be made.
+    #
+    # It is separate from the consumer because you may wish to add
+    # things to the request before sending it on its way to the
+    # server. It also has serialization options that let you encode
+    # the authentication request as a URL or as a form POST.
+    class CheckIDRequest
+      attr_accessor :return_to_args
+      attr_reader :endpoint
+
+      # Users of this library should not create instances of this
+      # class.  Instances of this class are created by the library
+      # when needed.
+      def initialize(assoc, endpoint)
+        @assoc = assoc
+        @endpoint = endpoint
+        @return_to_args = {}
+        @message = Message.new(endpoint.preferred_namespace)
+        @anonymous = false
+      end
+
+      attr_reader :anonymous
+
+      # Set whether this request should be made anonymously. If a
+      # request is anonymous, the identifier will not be sent in the
+      # request. This is only useful if you are making another kind of
+      # request with an extension in this request.
+      #
+      # Anonymous requests are not allowed when the request is made
+      # with OpenID 1.
+      def anonymous=(is_anonymous)
+        if is_anonymous && @message.is_openid1
+          raise ArgumentError, ("OpenID1 requests MUST include the "\
+                                "identifier in the request")
+        end
+        @anonymous = is_anonymous
+      end
+
+      # Add an object that implements the extension interface for
+      # adding arguments to an OpenID message to this checkid request.
+      #
+      # extension_request: an OpenID::Extension object.
+      def add_extension(extension_request)
+        extension_request.to_message(@message)
+      end
+
+      # Add an extension argument to this OpenID authentication
+      # request. You probably want to use add_extension and the
+      # OpenID::Extension interface.
+      #
+      # Use caution when adding arguments, because they will be
+      # URL-escaped and appended to the redirect URL, which can easily
+      # get quite long.
+      def add_extension_arg(namespace, key, value)
+        @message.set_arg(namespace, key, value)
+      end
+
+      # Produce a OpenID::Message representing this request.
+      #
+      # Not specifying a return_to URL means that the user will not be
+      # returned to the site issuing the request upon its completion.
+      #
+      # If immediate mode is requested, the OpenID provider is to send
+      # back a response immediately, useful for behind-the-scenes
+      # authentication attempts.  Otherwise the OpenID provider may
+      # engage the user before providing a response.  This is the
+      # default case, as the user may need to provide credentials or
+      # approve the request before a positive response can be sent.
+      def get_message(realm, return_to=nil, immediate=false)
+        if !return_to.nil?
+          return_to = Util.append_args(return_to, @return_to_args)
+        elsif immediate
+          raise ArgumentError, ('"return_to" is mandatory when using '\
+                                '"checkid_immediate"')
+        elsif @message.is_openid1
+          raise ArgumentError, ('"return_to" is mandatory for OpenID 1 '\
+                                'requests')
+        elsif @return_to_args.empty?
+          raise ArgumentError, ('extra "return_to" arguments were specified, '\
+                                'but no return_to was specified')
+        end
+
+
+        message = @message.copy
+
+        mode = immediate ? 'checkid_immediate' : 'checkid_setup'
+        message.set_arg(OPENID_NS, 'mode', mode)
+
+        realm_key = message.is_openid1 ? 'trust_root' : 'realm'
+        message.set_arg(OPENID_NS, realm_key, realm)
+
+        if !return_to.nil?
+          message.set_arg(OPENID_NS, 'return_to', return_to)
+        end
+
+        if not @anonymous
+          if @endpoint.is_op_identifier
+            # This will never happen when we're in OpenID 1
+            # compatibility mode, as long as is_op_identifier()
+            # returns false whenever preferred_namespace returns
+            # OPENID1_NS.
+            claimed_id = request_identity = IDENTIFIER_SELECT
+          else
+            request_identity = @endpoint.get_local_id
+            claimed_id = @endpoint.claimed_id
+          end
+
+          # This is true for both OpenID 1 and 2
+          message.set_arg(OPENID_NS, 'identity', request_identity)
+
+          if message.is_openid2
+            message.set_arg(OPENID2_NS, 'claimed_id', claimed_id)
+          end
+        end
+
+        if @assoc
+          message.set_arg(OPENID_NS, 'assoc_handle', @assoc.handle)
+          assoc_log_msg = "with assocication #{@assoc.handle}"
+        else
+          assoc_log_msg = 'using stateless mode.'
+        end
+
+        Util.log("Generated #{mode} request to #{@endpoint.server_url} "\
+                 "#{assoc_log_msg}")
+        return message
+      end
+
+      # Returns a URL with an encoded OpenID request.
+      #
+      # The resulting URL is the OpenID provider's endpoint URL with
+      # parameters appended as query arguments.  You should redirect
+      # the user agent to this URL.
+      #
+      # OpenID 2.0 endpoints also accept POST requests, see
+      # 'send_redirect?' and 'form_markup'.
+      def redirect_url(realm, return_to=nil, immediate=false)
+        message = get_message(realm, return_to, immediate)
+        return message.to_url(@endpoint.server_url)
+      end
+
+      # Get html for a form to submit this request to the IDP.
+      #
+      # form_tag_attrs is a hash of attributes to be added to the form
+      # tag. 'accept-charset' and 'enctype' have defaults that can be
+      # overridden. If a value is supplied for 'action' or 'method',
+      # it will be replaced.
+      def form_markup(realm, return_to=nil, immediate=false,
+                      form_tag_attrs=nil)
+        message = get_message(realm, return_to, immediate)
+        return message.to_form_markup(@endpoint.server_url, form_tag_attrs)
+      end
+
+      # Should this OpenID authentication request be sent as a HTTP
+      # redirect or as a POST (form submission)?
+      #
+      # This takes the same parameters as redirect_url or form_markup
+      def send_redirect?(realm, return_to=nil, immediate=false)
+        if @endpoint.compatibility_mode
+          return true
+        else
+          url = redirect_url(realm, return_to, immediate)
+          return url.length <= OPENID1_URL_LIMIT
+        end
+      end
+    end
+  end
+end