ruby-openid 1.1.4 → 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of ruby-openid might be problematic. Click here for more details.
- data/INSTALL +0 -9
- data/README +21 -22
- data/UPGRADE +117 -0
- data/admin/runtests.rb +36 -0
- data/examples/README +13 -21
- data/examples/active_record_openid_store/README +8 -3
- data/examples/active_record_openid_store/XXX_add_open_id_store_to_db.rb +4 -8
- data/examples/active_record_openid_store/XXX_upgrade_open_id_store.rb +26 -0
- data/examples/active_record_openid_store/lib/association.rb +2 -0
- data/examples/active_record_openid_store/lib/openid_ar_store.rb +22 -47
- data/examples/active_record_openid_store/test/store_test.rb +78 -48
- data/examples/discover +46 -0
- data/examples/{rails_server → rails_openid}/README +0 -0
- data/examples/{rails_server → rails_openid}/Rakefile +0 -0
- data/examples/{rails_server → rails_openid}/app/controllers/application.rb +0 -0
- data/examples/rails_openid/app/controllers/consumer_controller.rb +115 -0
- data/examples/{rails_server → rails_openid}/app/controllers/login_controller.rb +10 -2
- data/examples/rails_openid/app/controllers/server_controller.rb +265 -0
- data/examples/{rails_server → rails_openid}/app/helpers/application_helper.rb +0 -0
- data/examples/{rails_server → rails_openid}/app/helpers/login_helper.rb +0 -0
- data/examples/{rails_server → rails_openid}/app/helpers/server_helper.rb +0 -0
- data/examples/rails_openid/app/views/consumer/index.rhtml +81 -0
- data/examples/rails_openid/app/views/consumer/start.rhtml +8 -0
- data/examples/{rails_server → rails_openid}/app/views/layouts/server.rhtml +0 -0
- data/examples/{rails_server → rails_openid}/app/views/login/index.rhtml +1 -1
- data/examples/rails_openid/app/views/server/decide.rhtml +26 -0
- data/examples/{rails_server → rails_openid}/config/boot.rb +0 -0
- data/examples/{rails_server → rails_openid}/config/database.yml +0 -0
- data/examples/{rails_server → rails_openid}/config/environment.rb +0 -0
- data/examples/{rails_server → rails_openid}/config/environments/development.rb +0 -0
- data/examples/{rails_server → rails_openid}/config/environments/production.rb +0 -0
- data/examples/{rails_server → rails_openid}/config/environments/test.rb +0 -0
- data/examples/{rails_server → rails_openid}/config/routes.rb +2 -1
- data/examples/{rails_server → rails_openid}/doc/README_FOR_APP +0 -0
- data/examples/{rails_server → rails_openid}/public/404.html +0 -0
- data/examples/{rails_server → rails_openid}/public/500.html +0 -0
- data/examples/{rails_server → rails_openid}/public/dispatch.cgi +0 -0
- data/examples/{rails_server → rails_openid}/public/dispatch.fcgi +0 -0
- data/examples/{rails_server → rails_openid}/public/dispatch.rb +0 -0
- data/examples/{rails_server → rails_openid}/public/favicon.ico +0 -0
- data/examples/rails_openid/public/images/openid_login_bg.gif +0 -0
- data/examples/{rails_server → rails_openid}/public/javascripts/controls.js +0 -0
- data/examples/{rails_server → rails_openid}/public/javascripts/dragdrop.js +0 -0
- data/examples/{rails_server → rails_openid}/public/javascripts/effects.js +0 -0
- data/examples/{rails_server → rails_openid}/public/javascripts/prototype.js +0 -0
- data/examples/{rails_server → rails_openid}/public/robots.txt +0 -0
- data/examples/{rails_server → rails_openid}/script/about +0 -0
- data/examples/{rails_server → rails_openid}/script/breakpointer +0 -0
- data/examples/{rails_server → rails_openid}/script/console +0 -0
- data/examples/{rails_server → rails_openid}/script/destroy +0 -0
- data/examples/{rails_server → rails_openid}/script/generate +0 -0
- data/examples/{rails_server → rails_openid}/script/performance/benchmarker +0 -0
- data/examples/{rails_server → rails_openid}/script/performance/profiler +0 -0
- data/examples/{rails_server → rails_openid}/script/plugin +0 -0
- data/examples/{rails_server → rails_openid}/script/process/reaper +0 -0
- data/examples/{rails_server → rails_openid}/script/process/spawner +0 -0
- data/examples/{rails_server → rails_openid}/script/process/spinner +0 -0
- data/examples/{rails_server → rails_openid}/script/runner +0 -0
- data/examples/{rails_server → rails_openid}/script/server +0 -0
- data/examples/{rails_server → rails_openid}/test/functional/login_controller_test.rb +0 -0
- data/examples/{rails_server → rails_openid}/test/functional/server_controller_test.rb +0 -0
- data/examples/{rails_server → rails_openid}/test/test_helper.rb +0 -0
- data/lib/{hmac.rb → hmac/hmac.rb} +0 -0
- data/lib/{hmac-sha1.rb → hmac/sha1.rb} +1 -1
- data/lib/{hmac-sha2.rb → hmac/sha2.rb} +1 -1
- data/lib/openid/association.rb +213 -73
- data/lib/openid/consumer/associationmanager.rb +338 -0
- data/lib/openid/consumer/checkid_request.rb +175 -0
- data/lib/openid/consumer/discovery.rb +480 -0
- data/lib/openid/consumer/discovery_manager.rb +123 -0
- data/lib/openid/consumer/html_parse.rb +136 -0
- data/lib/openid/consumer/idres.rb +525 -0
- data/lib/openid/consumer/responses.rb +133 -0
- data/lib/openid/consumer.rb +280 -807
- data/lib/openid/cryptutil.rb +85 -0
- data/lib/openid/dh.rb +60 -23
- data/lib/openid/extension.rb +31 -0
- data/lib/openid/extensions/ax.rb +506 -0
- data/lib/openid/extensions/pape.rb +182 -0
- data/lib/openid/extensions/sreg.rb +275 -0
- data/lib/openid/extras.rb +11 -0
- data/lib/openid/fetchers.rb +132 -93
- data/lib/openid/kvform.rb +133 -0
- data/lib/openid/kvpost.rb +56 -0
- data/lib/openid/message.rb +534 -0
- data/lib/openid/protocolerror.rb +6 -0
- data/lib/openid/server.rb +1215 -666
- data/lib/openid/store/filesystem.rb +271 -0
- data/lib/openid/store/interface.rb +75 -0
- data/lib/openid/store/memory.rb +84 -0
- data/lib/openid/store/nonce.rb +68 -0
- data/lib/openid/trustroot.rb +314 -87
- data/lib/openid/urinorm.rb +37 -34
- data/lib/openid/util.rb +42 -220
- data/lib/openid/yadis/accept.rb +148 -0
- data/lib/openid/yadis/constants.rb +21 -0
- data/lib/openid/yadis/discovery.rb +153 -0
- data/lib/openid/yadis/filters.rb +205 -0
- data/lib/openid/{htmltokenizer.rb → yadis/htmltokenizer.rb} +1 -54
- data/lib/openid/yadis/parsehtml.rb +36 -0
- data/lib/openid/yadis/services.rb +42 -0
- data/lib/openid/yadis/xrds.rb +171 -0
- data/lib/openid/yadis/xri.rb +90 -0
- data/lib/openid/yadis/xrires.rb +106 -0
- data/lib/openid.rb +1 -4
- data/test/data/accept.txt +124 -0
- data/test/data/dh.txt +29 -0
- data/test/data/example-xrds.xml +14 -0
- data/test/data/linkparse.txt +587 -0
- data/test/data/n2b64 +650 -0
- data/test/data/test1-discover.txt +137 -0
- data/test/data/test1-parsehtml.txt +128 -0
- data/test/data/test_discover/openid.html +11 -0
- data/test/data/test_discover/openid2.html +11 -0
- data/test/data/test_discover/openid2_xrds.xml +12 -0
- data/test/data/test_discover/openid2_xrds_no_local_id.xml +11 -0
- data/test/data/test_discover/openid_1_and_2.html +11 -0
- data/test/data/test_discover/openid_1_and_2_xrds.xml +16 -0
- data/test/data/test_discover/openid_1_and_2_xrds_bad_delegate.xml +17 -0
- data/test/data/test_discover/openid_and_yadis.html +12 -0
- data/test/data/test_discover/openid_no_delegate.html +10 -0
- data/test/data/test_discover/yadis_0entries.xml +12 -0
- data/test/data/test_discover/yadis_2_bad_local_id.xml +15 -0
- data/test/data/test_discover/yadis_2entries_delegate.xml +22 -0
- data/test/data/test_discover/yadis_2entries_idp.xml +21 -0
- data/test/data/test_discover/yadis_another_delegate.xml +14 -0
- data/test/data/test_discover/yadis_idp.xml +12 -0
- data/test/data/test_discover/yadis_idp_delegate.xml +13 -0
- data/test/data/test_discover/yadis_no_delegate.xml +11 -0
- data/test/data/test_xrds/=j3h.2007.11.14.xrds +25 -0
- data/test/data/test_xrds/README +12 -0
- data/test/data/test_xrds/delegated-20060809-r1.xrds +34 -0
- data/test/data/test_xrds/delegated-20060809-r2.xrds +34 -0
- data/test/data/test_xrds/delegated-20060809.xrds +34 -0
- data/test/data/test_xrds/no-xrd.xml +7 -0
- data/test/data/test_xrds/not-xrds.xml +2 -0
- data/test/data/test_xrds/prefixsometimes.xrds +34 -0
- data/test/data/test_xrds/ref.xrds +109 -0
- data/test/data/test_xrds/sometimesprefix.xrds +34 -0
- data/test/data/test_xrds/spoof1.xrds +25 -0
- data/test/data/test_xrds/spoof2.xrds +25 -0
- data/test/data/test_xrds/spoof3.xrds +37 -0
- data/test/data/test_xrds/status222.xrds +9 -0
- data/test/data/test_xrds/valid-populated-xrds.xml +39 -0
- data/test/data/trustroot.txt +147 -0
- data/test/discoverdata.rb +131 -0
- data/test/test_accept.rb +170 -0
- data/test/test_association.rb +266 -0
- data/test/test_associationmanager.rb +899 -0
- data/test/test_ax.rb +587 -0
- data/test/test_checkid_request.rb +297 -0
- data/test/test_consumer.rb +257 -0
- data/test/test_cryptutil.rb +117 -0
- data/test/test_dh.rb +86 -0
- data/test/test_discover.rb +772 -0
- data/test/test_discovery_manager.rb +262 -0
- data/test/test_extras.rb +35 -0
- data/test/test_fetchers.rb +472 -0
- data/test/test_filters.rb +270 -0
- data/test/test_idres.rb +816 -0
- data/test/test_kvform.rb +165 -0
- data/test/test_kvpost.rb +65 -0
- data/test/test_linkparse.rb +101 -0
- data/test/test_message.rb +1058 -0
- data/test/test_nonce.rb +89 -0
- data/test/test_openid_yadis.rb +178 -0
- data/test/test_pape.rb +233 -0
- data/test/test_parsehtml.rb +80 -0
- data/test/test_responses.rb +63 -0
- data/test/test_server.rb +2270 -0
- data/test/test_sreg.rb +479 -0
- data/test/test_stores.rb +269 -0
- data/test/test_trustroot.rb +112 -0
- data/test/{urinorm.rb → test_urinorm.rb} +6 -3
- data/test/test_util.rb +144 -0
- data/test/test_xrds.rb +160 -0
- data/test/test_xri.rb +48 -0
- data/test/test_xrires.rb +63 -0
- data/test/test_yadis_discovery.rb +207 -0
- data/test/testutil.rb +116 -0
- data/test/util.rb +47 -50
- metadata +233 -143
- data/examples/consumer.rb +0 -290
- data/examples/rails_openid_login_generator/openid_login_generator-0.1.gem +0 -0
- data/examples/rails_server/app/controllers/server_controller.rb +0 -190
- data/examples/rails_server/app/views/server/decide.rhtml +0 -11
- data/examples/rails_server/public/images/rails.png +0 -0
- data/lib/hmac-md5.rb +0 -11
- data/lib/hmac-rmd160.rb +0 -11
- data/lib/openid/discovery.rb +0 -122
- data/lib/openid/filestore.rb +0 -315
- data/lib/openid/parse.rb +0 -23
- data/lib/openid/service.rb +0 -147
- data/lib/openid/stores.rb +0 -178
- data/test/assoc.rb +0 -38
- data/test/consumer.rb +0 -376
- data/test/data/brian.xrds +0 -16
- data/test/data/brianellin.mylid.xrds +0 -42
- data/test/dh.rb +0 -20
- data/test/extensions.rb +0 -30
- data/test/linkparse.rb +0 -305
- data/test/runtests.rb +0 -22
- data/test/server2.rb +0 -1053
- data/test/service.rb +0 -47
- data/test/storetestcase.rb +0 -172
- data/test/teststore.rb +0 -47
- data/test/trustroot.rb +0 -117
@@ -0,0 +1,338 @@
|
|
1
|
+
require "openid/dh"
|
2
|
+
require "openid/util"
|
3
|
+
require "openid/kvpost"
|
4
|
+
require "openid/cryptutil"
|
5
|
+
require "openid/protocolerror"
|
6
|
+
require "openid/association"
|
7
|
+
|
8
|
+
module OpenID
|
9
|
+
class Consumer
|
10
|
+
|
11
|
+
# A superclass for implementing Diffie-Hellman association sessions.
|
12
|
+
class DiffieHellmanSession
|
13
|
+
class << self
|
14
|
+
attr_reader :session_type, :secret_size, :allowed_assoc_types,
|
15
|
+
:hashfunc
|
16
|
+
end
|
17
|
+
|
18
|
+
def initialize(dh=nil)
|
19
|
+
if dh.nil?
|
20
|
+
dh = DiffieHellman.from_defaults
|
21
|
+
end
|
22
|
+
@dh = dh
|
23
|
+
end
|
24
|
+
|
25
|
+
# Return the query parameters for requesting an association
|
26
|
+
# using this Diffie-Hellman association session
|
27
|
+
def get_request
|
28
|
+
args = {'dh_consumer_public' => CryptUtil.num_to_base64(@dh.public)}
|
29
|
+
if (!@dh.using_default_values?)
|
30
|
+
args['dh_modulus'] = CryptUtil.num_to_base64(@dh.modulus)
|
31
|
+
args['dh_gen'] = CryptUtil.num_to_base64(@dh.generator)
|
32
|
+
end
|
33
|
+
|
34
|
+
return args
|
35
|
+
end
|
36
|
+
|
37
|
+
# Process the response from a successful association request and
|
38
|
+
# return the shared secret for this association
|
39
|
+
def extract_secret(response)
|
40
|
+
dh_server_public64 = response.get_arg(OPENID_NS, 'dh_server_public',
|
41
|
+
NO_DEFAULT)
|
42
|
+
enc_mac_key64 = response.get_arg(OPENID_NS, 'enc_mac_key', NO_DEFAULT)
|
43
|
+
dh_server_public = CryptUtil.base64_to_num(dh_server_public64)
|
44
|
+
enc_mac_key = Util.from_base64(enc_mac_key64)
|
45
|
+
return @dh.xor_secret(self.class.hashfunc,
|
46
|
+
dh_server_public, enc_mac_key)
|
47
|
+
end
|
48
|
+
end
|
49
|
+
|
50
|
+
# A Diffie-Hellman association session that uses SHA1 as its hash
|
51
|
+
# function
|
52
|
+
class DiffieHellmanSHA1Session < DiffieHellmanSession
|
53
|
+
@session_type = 'DH-SHA1'
|
54
|
+
@secret_size = 20
|
55
|
+
@allowed_assoc_types = ['HMAC-SHA1']
|
56
|
+
@hashfunc = CryptUtil.method(:sha1)
|
57
|
+
end
|
58
|
+
|
59
|
+
# A Diffie-Hellman association session that uses SHA256 as its hash
|
60
|
+
# function
|
61
|
+
class DiffieHellmanSHA256Session < DiffieHellmanSession
|
62
|
+
@session_type = 'DH-SHA256'
|
63
|
+
@secret_size = 32
|
64
|
+
@allowed_assoc_types = ['HMAC-SHA256']
|
65
|
+
@hashfunc = CryptUtil.method(:sha256)
|
66
|
+
end
|
67
|
+
|
68
|
+
# An association session that does not use encryption
|
69
|
+
class NoEncryptionSession
|
70
|
+
class << self
|
71
|
+
attr_reader :session_type, :allowed_assoc_types
|
72
|
+
end
|
73
|
+
@session_type = 'no-encryption'
|
74
|
+
@allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256']
|
75
|
+
|
76
|
+
def get_request
|
77
|
+
return {}
|
78
|
+
end
|
79
|
+
|
80
|
+
def extract_secret(response)
|
81
|
+
mac_key64 = response.get_arg(OPENID_NS, 'mac_key', NO_DEFAULT)
|
82
|
+
return Util.from_base64(mac_key64)
|
83
|
+
end
|
84
|
+
end
|
85
|
+
|
86
|
+
# An object that manages creating and storing associations for an
|
87
|
+
# OpenID provider endpoint
|
88
|
+
class AssociationManager
|
89
|
+
def self.create_session(session_type)
|
90
|
+
case session_type
|
91
|
+
when 'no-encryption'
|
92
|
+
NoEncryptionSession.new
|
93
|
+
when 'DH-SHA1'
|
94
|
+
DiffieHellmanSHA1Session.new
|
95
|
+
when 'DH-SHA256'
|
96
|
+
DiffieHellmanSHA256Session.new
|
97
|
+
else
|
98
|
+
raise ArgumentError, "Unknown association session type: "\
|
99
|
+
"#{session_type.inspect}"
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
def initialize(store, server_url, compatibility_mode=false,
|
104
|
+
negotiator=nil)
|
105
|
+
@store = store
|
106
|
+
@server_url = server_url
|
107
|
+
@compatibility_mode = compatibility_mode
|
108
|
+
@negotiator = negotiator || DefaultNegotiator
|
109
|
+
end
|
110
|
+
|
111
|
+
def get_association
|
112
|
+
if @store.nil?
|
113
|
+
return nil
|
114
|
+
end
|
115
|
+
|
116
|
+
assoc = @store.get_association(@server_url)
|
117
|
+
if assoc.nil? || assoc.expires_in <= 0
|
118
|
+
assoc = negotiate_association
|
119
|
+
if !assoc.nil?
|
120
|
+
@store.store_association(@server_url, assoc)
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
return assoc
|
125
|
+
end
|
126
|
+
|
127
|
+
def negotiate_association
|
128
|
+
assoc_type, session_type = @negotiator.get_allowed_type
|
129
|
+
begin
|
130
|
+
return request_association(assoc_type, session_type)
|
131
|
+
rescue ServerError => why
|
132
|
+
supported_types = extract_supported_association_type(why, assoc_type)
|
133
|
+
if !supported_types.nil?
|
134
|
+
# Attempt to create an association from the assoc_type and
|
135
|
+
# session_type that the server told us it supported.
|
136
|
+
assoc_type, session_type = supported_types
|
137
|
+
begin
|
138
|
+
return request_association(assoc_type, session_type)
|
139
|
+
rescue ServerError => why
|
140
|
+
Util.log("Server #{@server_url} refused its suggested " \
|
141
|
+
"association type: session_type=#{session_type}, " \
|
142
|
+
"assoc_type=#{assoc_type}")
|
143
|
+
return nil
|
144
|
+
end
|
145
|
+
end
|
146
|
+
end
|
147
|
+
end
|
148
|
+
|
149
|
+
protected
|
150
|
+
def extract_supported_association_type(server_error, assoc_type)
|
151
|
+
# Any error message whose code is not 'unsupported-type' should
|
152
|
+
# be considered a total failure.
|
153
|
+
if (server_error.error_code != 'unsupported-type' or
|
154
|
+
server_error.message.is_openid1)
|
155
|
+
Util.log("Server error when requesting an association from "\
|
156
|
+
"#{@server_url}: #{server_error.error_text}")
|
157
|
+
return nil
|
158
|
+
end
|
159
|
+
|
160
|
+
# The server didn't like the association/session type that we
|
161
|
+
# sent, and it sent us back a message that might tell us how to
|
162
|
+
# handle it.
|
163
|
+
Util.log("Unsupported association type #{assoc_type}: "\
|
164
|
+
"#{server_error.error_text}")
|
165
|
+
|
166
|
+
# Extract the session_type and assoc_type from the error message
|
167
|
+
assoc_type = server_error.message.get_arg(OPENID_NS, 'assoc_type')
|
168
|
+
session_type = server_error.message.get_arg(OPENID_NS, 'session_type')
|
169
|
+
|
170
|
+
if assoc_type.nil? or session_type.nil?
|
171
|
+
Util.log("Server #{@server_url} responded with unsupported "\
|
172
|
+
"association session but did not supply a fallback.")
|
173
|
+
return nil
|
174
|
+
elsif !@negotiator.allowed?(assoc_type, session_type)
|
175
|
+
Util.log("Server sent unsupported session/association type: "\
|
176
|
+
"session_type=#{session_type}, assoc_type=#{assoc_type}")
|
177
|
+
return nil
|
178
|
+
else
|
179
|
+
return [assoc_type, session_type]
|
180
|
+
end
|
181
|
+
end
|
182
|
+
|
183
|
+
# Make and process one association request to this endpoint's OP
|
184
|
+
# endpoint URL. Returns an association object or nil if the
|
185
|
+
# association processing failed. Raises ServerError when the
|
186
|
+
# remote OpenID server returns an error.
|
187
|
+
def request_association(assoc_type, session_type)
|
188
|
+
assoc_session, args = create_associate_request(assoc_type, session_type)
|
189
|
+
|
190
|
+
response = OpenID.make_kv_post(args, @server_url)
|
191
|
+
|
192
|
+
begin
|
193
|
+
return extract_association(response, assoc_session)
|
194
|
+
rescue Message::KeyNotFound => why
|
195
|
+
Util.log("Missing required parameter in response from "\
|
196
|
+
"#{@server_url}: #{why}")
|
197
|
+
return nil
|
198
|
+
|
199
|
+
rescue ProtocolError => why
|
200
|
+
Util.log("Protocol error processing response from #{@server_url}: "\
|
201
|
+
"#{why}")
|
202
|
+
return nil
|
203
|
+
end
|
204
|
+
end
|
205
|
+
|
206
|
+
# Create an association request for the given assoc_type and
|
207
|
+
# session_type. Returns a pair of the association session object
|
208
|
+
# and the request message that will be sent to the server.
|
209
|
+
def create_associate_request(assoc_type, session_type)
|
210
|
+
assoc_session = self.class.create_session(session_type)
|
211
|
+
args = {
|
212
|
+
'mode' => 'associate',
|
213
|
+
'assoc_type' => assoc_type,
|
214
|
+
}
|
215
|
+
|
216
|
+
if !@compatibility_mode
|
217
|
+
args['ns'] = OPENID2_NS
|
218
|
+
end
|
219
|
+
|
220
|
+
# Leave out the session type if we're in compatibility mode
|
221
|
+
# *and* it's no-encryption.
|
222
|
+
if !@compatibility_mode ||
|
223
|
+
assoc_session.class.session_type != 'no-encryption'
|
224
|
+
args['session_type'] = assoc_session.class.session_type
|
225
|
+
end
|
226
|
+
|
227
|
+
args.merge!(assoc_session.get_request)
|
228
|
+
message = Message.from_openid_args(args)
|
229
|
+
return assoc_session, message
|
230
|
+
end
|
231
|
+
|
232
|
+
# Given an association response message, extract the OpenID 1.X
|
233
|
+
# session type. Returns the association type for this message
|
234
|
+
#
|
235
|
+
# This function mostly takes care of the 'no-encryption' default
|
236
|
+
# behavior in OpenID 1.
|
237
|
+
#
|
238
|
+
# If the association type is plain-text, this function will
|
239
|
+
# return 'no-encryption'
|
240
|
+
def get_openid1_session_type(assoc_response)
|
241
|
+
# If it's an OpenID 1 message, allow session_type to default
|
242
|
+
# to nil (which signifies "no-encryption")
|
243
|
+
session_type = assoc_response.get_arg(OPENID1_NS, 'session_type')
|
244
|
+
|
245
|
+
# Handle the differences between no-encryption association
|
246
|
+
# respones in OpenID 1 and 2:
|
247
|
+
|
248
|
+
# no-encryption is not really a valid session type for
|
249
|
+
# OpenID 1, but we'll accept it anyway, while issuing a
|
250
|
+
# warning.
|
251
|
+
if session_type == 'no-encryption'
|
252
|
+
Util.log("WARNING: #{@server_url} sent 'no-encryption'"\
|
253
|
+
"for OpenID 1.X")
|
254
|
+
|
255
|
+
# Missing or empty session type is the way to flag a
|
256
|
+
# 'no-encryption' response. Change the session type to
|
257
|
+
# 'no-encryption' so that it can be handled in the same
|
258
|
+
# way as OpenID 2 'no-encryption' respones.
|
259
|
+
elsif session_type == '' || session_type.nil?
|
260
|
+
session_type = 'no-encryption'
|
261
|
+
end
|
262
|
+
|
263
|
+
return session_type
|
264
|
+
end
|
265
|
+
|
266
|
+
def self.extract_expires_in(message)
|
267
|
+
# expires_in should be a base-10 string.
|
268
|
+
expires_in_str = message.get_arg(OPENID_NS, 'expires_in', NO_DEFAULT)
|
269
|
+
if !(/\A\d+\Z/ =~ expires_in_str)
|
270
|
+
raise ProtocolError, "Invalid expires_in field: #{expires_in_str}"
|
271
|
+
end
|
272
|
+
expires_in_str.to_i
|
273
|
+
end
|
274
|
+
|
275
|
+
# Attempt to extract an association from the response, given the
|
276
|
+
# association response message and the established association
|
277
|
+
# session.
|
278
|
+
def extract_association(assoc_response, assoc_session)
|
279
|
+
# Extract the common fields from the response, raising an
|
280
|
+
# exception if they are not found
|
281
|
+
assoc_type = assoc_response.get_arg(OPENID_NS, 'assoc_type',
|
282
|
+
NO_DEFAULT)
|
283
|
+
assoc_handle = assoc_response.get_arg(OPENID_NS, 'assoc_handle',
|
284
|
+
NO_DEFAULT)
|
285
|
+
expires_in = self.class.extract_expires_in(assoc_response)
|
286
|
+
|
287
|
+
# OpenID 1 has funny association session behaviour.
|
288
|
+
if assoc_response.is_openid1:
|
289
|
+
session_type = get_openid1_session_type(assoc_response)
|
290
|
+
else
|
291
|
+
session_type = assoc_response.get_arg(OPENID2_NS, 'session_type',
|
292
|
+
NO_DEFAULT)
|
293
|
+
end
|
294
|
+
|
295
|
+
# Session type mismatch
|
296
|
+
if assoc_session.class.session_type != session_type
|
297
|
+
if (assoc_response.is_openid1 and session_type == 'no-encryption')
|
298
|
+
# In OpenID 1, any association request can result in a
|
299
|
+
# 'no-encryption' association response. Setting
|
300
|
+
# assoc_session to a new no-encryption session should
|
301
|
+
# make the rest of this function work properly for
|
302
|
+
# that case.
|
303
|
+
assoc_session = NoEncryptionSession.new
|
304
|
+
else
|
305
|
+
# Any other mismatch, regardless of protocol version
|
306
|
+
# results in the failure of the association session
|
307
|
+
# altogether.
|
308
|
+
raise ProtocolError, "Session type mismatch. Expected "\
|
309
|
+
"#{assoc_session.class.session_type}, got "\
|
310
|
+
"#{session_type}"
|
311
|
+
end
|
312
|
+
end
|
313
|
+
|
314
|
+
# Make sure assoc_type is valid for session_type
|
315
|
+
if !assoc_session.class.allowed_assoc_types.member?(assoc_type)
|
316
|
+
raise ProtocolError, "Unsupported assoc_type for session "\
|
317
|
+
"#{assoc_session.class.session_type} "\
|
318
|
+
"returned: #{assoc_type}"
|
319
|
+
end
|
320
|
+
|
321
|
+
# Delegate to the association session to extract the secret
|
322
|
+
# from the response, however is appropriate for that session
|
323
|
+
# type.
|
324
|
+
begin
|
325
|
+
secret = assoc_session.extract_secret(assoc_response)
|
326
|
+
rescue Message::KeyNotFound, ArgumentError => why
|
327
|
+
raise ProtocolError, "Malformed response for "\
|
328
|
+
"#{assoc_session.class.session_type} "\
|
329
|
+
"session: #{why.message}"
|
330
|
+
end
|
331
|
+
|
332
|
+
|
333
|
+
return Association.from_expires_in(expires_in, assoc_handle, secret,
|
334
|
+
assoc_type)
|
335
|
+
end
|
336
|
+
end
|
337
|
+
end
|
338
|
+
end
|
@@ -0,0 +1,175 @@
|
|
1
|
+
require "openid/message"
|
2
|
+
require "openid/util"
|
3
|
+
|
4
|
+
module OpenID
|
5
|
+
class Consumer
|
6
|
+
# An object that holds the state necessary for generating an
|
7
|
+
# OpenID authentication request. This object holds the association
|
8
|
+
# with the server and the discovered information with which the
|
9
|
+
# request will be made.
|
10
|
+
#
|
11
|
+
# It is separate from the consumer because you may wish to add
|
12
|
+
# things to the request before sending it on its way to the
|
13
|
+
# server. It also has serialization options that let you encode
|
14
|
+
# the authentication request as a URL or as a form POST.
|
15
|
+
class CheckIDRequest
|
16
|
+
attr_accessor :return_to_args
|
17
|
+
attr_reader :endpoint
|
18
|
+
|
19
|
+
# Users of this library should not create instances of this
|
20
|
+
# class. Instances of this class are created by the library
|
21
|
+
# when needed.
|
22
|
+
def initialize(assoc, endpoint)
|
23
|
+
@assoc = assoc
|
24
|
+
@endpoint = endpoint
|
25
|
+
@return_to_args = {}
|
26
|
+
@message = Message.new(endpoint.preferred_namespace)
|
27
|
+
@anonymous = false
|
28
|
+
end
|
29
|
+
|
30
|
+
attr_reader :anonymous
|
31
|
+
|
32
|
+
# Set whether this request should be made anonymously. If a
|
33
|
+
# request is anonymous, the identifier will not be sent in the
|
34
|
+
# request. This is only useful if you are making another kind of
|
35
|
+
# request with an extension in this request.
|
36
|
+
#
|
37
|
+
# Anonymous requests are not allowed when the request is made
|
38
|
+
# with OpenID 1.
|
39
|
+
def anonymous=(is_anonymous)
|
40
|
+
if is_anonymous && @message.is_openid1
|
41
|
+
raise ArgumentError, ("OpenID1 requests MUST include the "\
|
42
|
+
"identifier in the request")
|
43
|
+
end
|
44
|
+
@anonymous = is_anonymous
|
45
|
+
end
|
46
|
+
|
47
|
+
# Add an object that implements the extension interface for
|
48
|
+
# adding arguments to an OpenID message to this checkid request.
|
49
|
+
#
|
50
|
+
# extension_request: an OpenID::Extension object.
|
51
|
+
def add_extension(extension_request)
|
52
|
+
extension_request.to_message(@message)
|
53
|
+
end
|
54
|
+
|
55
|
+
# Add an extension argument to this OpenID authentication
|
56
|
+
# request. You probably want to use add_extension and the
|
57
|
+
# OpenID::Extension interface.
|
58
|
+
#
|
59
|
+
# Use caution when adding arguments, because they will be
|
60
|
+
# URL-escaped and appended to the redirect URL, which can easily
|
61
|
+
# get quite long.
|
62
|
+
def add_extension_arg(namespace, key, value)
|
63
|
+
@message.set_arg(namespace, key, value)
|
64
|
+
end
|
65
|
+
|
66
|
+
# Produce a OpenID::Message representing this request.
|
67
|
+
#
|
68
|
+
# Not specifying a return_to URL means that the user will not be
|
69
|
+
# returned to the site issuing the request upon its completion.
|
70
|
+
#
|
71
|
+
# If immediate mode is requested, the OpenID provider is to send
|
72
|
+
# back a response immediately, useful for behind-the-scenes
|
73
|
+
# authentication attempts. Otherwise the OpenID provider may
|
74
|
+
# engage the user before providing a response. This is the
|
75
|
+
# default case, as the user may need to provide credentials or
|
76
|
+
# approve the request before a positive response can be sent.
|
77
|
+
def get_message(realm, return_to=nil, immediate=false)
|
78
|
+
if !return_to.nil?
|
79
|
+
return_to = Util.append_args(return_to, @return_to_args)
|
80
|
+
elsif immediate
|
81
|
+
raise ArgumentError, ('"return_to" is mandatory when using '\
|
82
|
+
'"checkid_immediate"')
|
83
|
+
elsif @message.is_openid1
|
84
|
+
raise ArgumentError, ('"return_to" is mandatory for OpenID 1 '\
|
85
|
+
'requests')
|
86
|
+
elsif @return_to_args.empty?
|
87
|
+
raise ArgumentError, ('extra "return_to" arguments were specified, '\
|
88
|
+
'but no return_to was specified')
|
89
|
+
end
|
90
|
+
|
91
|
+
|
92
|
+
message = @message.copy
|
93
|
+
|
94
|
+
mode = immediate ? 'checkid_immediate' : 'checkid_setup'
|
95
|
+
message.set_arg(OPENID_NS, 'mode', mode)
|
96
|
+
|
97
|
+
realm_key = message.is_openid1 ? 'trust_root' : 'realm'
|
98
|
+
message.set_arg(OPENID_NS, realm_key, realm)
|
99
|
+
|
100
|
+
if !return_to.nil?
|
101
|
+
message.set_arg(OPENID_NS, 'return_to', return_to)
|
102
|
+
end
|
103
|
+
|
104
|
+
if not @anonymous
|
105
|
+
if @endpoint.is_op_identifier
|
106
|
+
# This will never happen when we're in OpenID 1
|
107
|
+
# compatibility mode, as long as is_op_identifier()
|
108
|
+
# returns false whenever preferred_namespace returns
|
109
|
+
# OPENID1_NS.
|
110
|
+
claimed_id = request_identity = IDENTIFIER_SELECT
|
111
|
+
else
|
112
|
+
request_identity = @endpoint.get_local_id
|
113
|
+
claimed_id = @endpoint.claimed_id
|
114
|
+
end
|
115
|
+
|
116
|
+
# This is true for both OpenID 1 and 2
|
117
|
+
message.set_arg(OPENID_NS, 'identity', request_identity)
|
118
|
+
|
119
|
+
if message.is_openid2
|
120
|
+
message.set_arg(OPENID2_NS, 'claimed_id', claimed_id)
|
121
|
+
end
|
122
|
+
end
|
123
|
+
|
124
|
+
if @assoc
|
125
|
+
message.set_arg(OPENID_NS, 'assoc_handle', @assoc.handle)
|
126
|
+
assoc_log_msg = "with assocication #{@assoc.handle}"
|
127
|
+
else
|
128
|
+
assoc_log_msg = 'using stateless mode.'
|
129
|
+
end
|
130
|
+
|
131
|
+
Util.log("Generated #{mode} request to #{@endpoint.server_url} "\
|
132
|
+
"#{assoc_log_msg}")
|
133
|
+
return message
|
134
|
+
end
|
135
|
+
|
136
|
+
# Returns a URL with an encoded OpenID request.
|
137
|
+
#
|
138
|
+
# The resulting URL is the OpenID provider's endpoint URL with
|
139
|
+
# parameters appended as query arguments. You should redirect
|
140
|
+
# the user agent to this URL.
|
141
|
+
#
|
142
|
+
# OpenID 2.0 endpoints also accept POST requests, see
|
143
|
+
# 'send_redirect?' and 'form_markup'.
|
144
|
+
def redirect_url(realm, return_to=nil, immediate=false)
|
145
|
+
message = get_message(realm, return_to, immediate)
|
146
|
+
return message.to_url(@endpoint.server_url)
|
147
|
+
end
|
148
|
+
|
149
|
+
# Get html for a form to submit this request to the IDP.
|
150
|
+
#
|
151
|
+
# form_tag_attrs is a hash of attributes to be added to the form
|
152
|
+
# tag. 'accept-charset' and 'enctype' have defaults that can be
|
153
|
+
# overridden. If a value is supplied for 'action' or 'method',
|
154
|
+
# it will be replaced.
|
155
|
+
def form_markup(realm, return_to=nil, immediate=false,
|
156
|
+
form_tag_attrs=nil)
|
157
|
+
message = get_message(realm, return_to, immediate)
|
158
|
+
return message.to_form_markup(@endpoint.server_url, form_tag_attrs)
|
159
|
+
end
|
160
|
+
|
161
|
+
# Should this OpenID authentication request be sent as a HTTP
|
162
|
+
# redirect or as a POST (form submission)?
|
163
|
+
#
|
164
|
+
# This takes the same parameters as redirect_url or form_markup
|
165
|
+
def send_redirect?(realm, return_to=nil, immediate=false)
|
166
|
+
if @endpoint.compatibility_mode
|
167
|
+
return true
|
168
|
+
else
|
169
|
+
url = redirect_url(realm, return_to, immediate)
|
170
|
+
return url.length <= OPENID1_URL_LIMIT
|
171
|
+
end
|
172
|
+
end
|
173
|
+
end
|
174
|
+
end
|
175
|
+
end
|