ruby-openid 2.0.4 → 2.1.2

data/lib/openid/extension.rb

@@ -19,9 +19,17 @@ module OpenID
     # message, or create a new message containing only those
     # arguments.  Returns the message with added extension args.
     def to_message(message = nil)
+      if message.nil?
+#         warnings.warn('Passing None to Extension.toMessage is deprecated. '
+#                       'Creating a message assuming you want OpenID 2.',
+#                       DeprecationWarning, stacklevel=2)
+        Message.new(OPENID2_NS)
+      end
       message = Message.new if message.nil?
 
-      message.namespaces.add_alias(@ns_uri, @ns_alias)
+      implicit = message.is_openid1()
+
+      message.namespaces.add_alias(@ns_uri, @ns_alias, implicit)
       # XXX python ignores keyerror if m.ns.getAlias(uri) == alias
 
       message.update_args(@ns_uri, get_extension_args)

data/lib/openid/extensions/pape.rb

@@ -14,7 +14,7 @@ module OpenID
       'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
     AUTH_PHISHING_RESISTANT =
       'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'
-
+    TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
     # A Provider Authentication Policy request, sent from a relying
     # party to a provider
     class Request < Extension
@@ -86,12 +86,12 @@ module OpenID
     # A Provider Authentication Policy response, sent from a provider
     # to a relying party
     class Response < Extension
-      attr_accessor :ns_alias, :auth_policies, :auth_age, :nist_auth_level
-      def initialize(auth_policies=[], auth_age=nil, nist_auth_level=nil)
+      attr_accessor :ns_alias, :auth_policies, :auth_time, :nist_auth_level
+      def initialize(auth_policies=[], auth_time=nil, nist_auth_level=nil)
         @ns_alias = 'pape'
         @ns_uri = NS_URI
         @auth_policies = auth_policies
-        @auth_age = auth_age
+        @auth_time = auth_time
         @nist_auth_level = nist_auth_level
       end
 
@@ -104,6 +104,7 @@ module OpenID
       # Create a Response object from an OpenID::Consumer::SuccessResponse
       def self.from_success_response(success_response)
         args = success_response.get_signed_ns(NS_URI)
+        return nil if args.nil?
         pape_resp = new
         pape_resp.parse_extension_args(args)
         return pape_resp
@@ -115,7 +116,7 @@ module OpenID
       # encountered
       def parse_extension_args(args, strict=false)
         policies_str = args['auth_policies']
-        if policies_str
+        if policies_str and policies_str != 'none'
           @auth_policies = policies_str.split(' ')
         end
 
@@ -138,28 +139,24 @@ module OpenID
           end
         end
 
-        auth_age_str = args['auth_age']
-        if auth_age_str
-          # special handling of zero to handle to_i behavior
-          if auth_age_str.strip == '0'
-            auth_age = 0
-          else
-            auth_age = auth_age_str.to_i
-            # if it's zero here we have a bad value
-            if auth_age == 0
-              auth_age = nil
-            end
-          end
-          if auth_age and auth_age >= 0
-            @auth_age = auth_age
+        auth_time_str = args['auth_time']
+        if auth_time_str
+          # validate time string
+          if auth_time_str =~ TIME_VALIDATOR
+            @auth_time = auth_time_str
           elsif strict
-            raise ArgumentError, "auth_age must be a non-negative integer, not #{auth_age_str.inspect}"
+            raise ArgumentError, "auth_time must be in RFC3339 format"
           end
         end
       end
 
       def get_extension_args
-        ns_args = {'auth_policies' => @auth_policies.join(' ')}
+        ns_args = {}
+        if @auth_policies.empty?
+          ns_args['auth_policies'] = 'none'
+        else
+          ns_args['auth_policies'] = @auth_policies.join(' ')
+        end
         if @nist_auth_level
           unless (0..4).member? @nist_auth_level
             raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{@nist_auth_level.inspect}"
@@ -167,11 +164,11 @@ module OpenID
           ns_args['nist_auth_level'] = @nist_auth_level.to_s
         end
 
-        if @auth_age
-          if @auth_age < 0
-            raise ArgumentError, "auth_age must be a non-negative integer, not #{@auth_age.inspect}"
+        if @auth_time
+          unless @auth_time =~ TIME_VALIDATOR
+            raise ArgumentError, "auth_time must be in RFC3339 format"
           end
-          ns_args['auth_age'] = @auth_age.to_s
+          ns_args['auth_time'] = @auth_time
         end
         return ns_args
       end

data/lib/openid/extensions/sreg.rb

@@ -246,6 +246,7 @@ module OpenID
         ns_uri = OpenID::get_sreg_ns(success_response.message)
         if signed_only
           args = success_response.get_signed_ns(ns_uri)
+          return nil if args.nil? # No signed args, so fail
         else
           args = success_response.message.get_args(ns_uri)
         end

data/lib/openid/fetchers.rb

@@ -10,6 +10,8 @@ rescue LoadError
   require 'net/http'
 end
 
+MAX_RESPONSE_KB = 1024
+
 module Net
   class HTTP
     def post_connection_check(hostname)
@@ -115,14 +117,17 @@ module OpenID
     USER_AGENT = "ruby-openid/#{OpenID::VERSION} (#{RUBY_PLATFORM})"
 
     REDIRECT_LIMIT = 5
+    TIMEOUT = 60
 
     attr_accessor :ca_file
+    attr_accessor :timeout
 
     # I can fetch through a HTTP proxy; arguments are as for Net::HTTP::Proxy.
     def initialize(proxy_addr=nil, proxy_port=nil,
                    proxy_user=nil, proxy_pass=nil)
       @ca_file = nil
       @proxy = Net::HTTP::Proxy(proxy_addr, proxy_port, proxy_user, proxy_pass)
+      @timeout = TIMEOUT
     end
 
     def supports_ssl?(conn)
@@ -130,7 +135,10 @@ module OpenID
     end
 
     def make_http(uri)
-      @proxy.new(uri.host, uri.port)
+      http = @proxy.new(uri.host, uri.port)
+      http.read_timeout = @timeout
+      http.open_timeout = @timeout
+      return http
     end
 
     def set_verified(conn, verify)
@@ -173,14 +181,18 @@ module OpenID
     def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
       unparsed_url = url.dup
       url = URI::parse(url)
+      if url.nil?
+        raise FetchingError, "Invalid URL: #{unparsed_url}"
+      end
 
       headers ||= {}
       headers['User-agent'] ||= USER_AGENT
-
-      conn = make_connection(url)
-      response = nil
+      headers['Range'] ||= "0-#{MAX_RESPONSE_KB*1024}"
 
       begin
+        conn = make_connection(url)
+        response = nil
+
         response = conn.start {
           # Check the certificate against the URL's hostname
           if supports_ssl?(conn) and conn.use_ssl?
@@ -194,6 +206,8 @@ module OpenID
             conn.request_post(url.request_uri, body, headers)
           end
         }
+      rescue RuntimeError => why
+        raise why
       rescue OpenSSL::SSL::SSLError => why
         raise SSLFetchingError, "Error connecting to SSL URL #{url}: #{why}"
       rescue FetchingError => why
@@ -210,7 +224,13 @@ module OpenID
           raise HTTPRedirectLimitReached.new(
             "Too many redirects, not fetching #{response['location']}")
         end
-        return fetch(response['location'], body, headers, redirect_limit - 1)
+        begin
+          return fetch(response['location'], body, headers, redirect_limit - 1)
+        rescue HTTPRedirectLimitReached => e
+          raise e
+        rescue FetchingError => why
+          raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
+        end
       else
         return HTTPResponse._from_net_response(response, unparsed_url)
       end

data/lib/openid/kvform.rb

@@ -1,6 +1,9 @@
 
 module OpenID
 
+  class KVFormError < Exception
+  end
+
   module Util
 
     def Util.seq_to_kv(seq, strict=false)
@@ -13,7 +16,7 @@ module OpenID
       err = lambda { |msg|
         msg = "seq_to_kv warning: #{msg}: #{seq.inspect}"
         if strict
-          raise ArgumentError, msg
+          raise KVFormError, msg
         else
           Util.log(msg)
         end
@@ -27,11 +30,11 @@ module OpenID
         end
 
         if !k.index("\n").nil?
-          raise ArgumentError, "Invalid input for seq_to_kv: key contains newline: #{k.inspect}"
+          raise KVFormError, "Invalid input for seq_to_kv: key contains newline: #{k.inspect}"
         end
 
         if !k.index(":").nil?
-          raise ArgumentError, "Invalid input for seq_to_kv: key contains colon: #{k.inspect}"
+          raise KVFormError, "Invalid input for seq_to_kv: key contains colon: #{k.inspect}"
         end
 
         if k.strip() != k
@@ -44,7 +47,7 @@ module OpenID
         end
 
         if !v.index("\n").nil?
-          raise ArgumentError, "Invalid input for seq_to_kv: value contains newline: #{v.inspect}"
+          raise KVFormError, "Invalid input for seq_to_kv: value contains newline: #{v.inspect}"
         end
 
         if v.strip() != v
@@ -66,7 +69,7 @@ module OpenID
       err = lambda { |msg|
         msg = "kv_to_seq warning: #{msg}: #{data.inspect}"
         if strict
-          raise ArgumentError, msg
+          raise KVFormError, msg
         else
           Util.log(msg)
         end

data/lib/openid/kvpost.rb

@@ -7,19 +7,18 @@ module OpenID
   class ServerError < OpenIDError
     attr_reader :error_text, :error_code, :message
 
-    def initialize(error_text, error_code, message, server_url)
+    def initialize(error_text, error_code, message)
       super(error_text)
       @error_text = error_text
       @error_code = error_code
-      @server_url = server_url
       @message = message
     end
 
-    def self.from_message(msg, server_url)
+    def self.from_message(msg)
       error_text = msg.get_arg(OPENID_NS, 'error',
                                '<no error message supplied>')
       error_code = msg.get_arg(OPENID_NS, 'error_code')
-      return self.new(error_text, error_code, msg, server_url)
+      return self.new(error_text, error_code, msg)
     end
   end
 
@@ -34,8 +33,10 @@ module OpenID
       case response.code.to_i
       when 200
         return msg
+      when 206
+        return msg
       when 400
-        raise ServerError.from_message(msg, server_url)
+        raise ServerError.from_message(msg)
       else
         error_message = "bad status code from server #{server_url}: "\
         "#{response.code}"

data/lib/openid/message.rb

@@ -9,8 +9,10 @@ module OpenID
   # OpenID 1.x extension, and so a special case.
   SREG_URI = 'http://openid.net/sreg/1.0'
 
-  # The OpenID 1.x namespace URI
+  # The OpenID 1.x namespace URIs
   OPENID1_NS = 'http://openid.net/signon/1.0'
+  OPENID11_NS = 'http://openid.net/signon/1.1'
+  OPENID1_NAMESPACES = [OPENID1_NS, OPENID11_NS]
 
   # The OpenID 2.0 namespace URI
   OPENID2_NS = 'http://specs.openid.net/auth/2.0'
@@ -54,6 +56,10 @@ module OpenID
   # Raised when an alias or namespace URI has already been registered.
   class NamespaceAliasRegistrationError < Exception; end
 
+  # Raised if openid.ns is not a recognized value.
+  # See Message class variable @@allowed_openid_namespaces
+  class InvalidOpenIDNamespace < Exception; end
+
   class Message
     attr_reader :namespaces
 
@@ -87,19 +93,24 @@ module OpenID
       @@registered_aliases[alias_] = namespace_uri
     end
 
-    @@allowed_openid_namespaces = [OPENID1_NS, OPENID2_NS]
+    @@allowed_openid_namespaces = [OPENID1_NS, OPENID2_NS, OPENID11_NS]
 
-    def initialize(openid_namspace=nil)
+    # Raises InvalidNamespaceError if you try to instantiate a Message
+    # with a namespace not in the above allowed list
+    def initialize(openid_namespace=nil)
       @args = {}
       @namespaces = NamespaceMap.new
-      if openid_namspace
-        self.set_openid_namespace(openid_namspace)
+      if openid_namespace
+        implicit = OPENID1_NAMESPACES.member? openid_namespace
+        self.set_openid_namespace(openid_namespace, implicit)
       else
         @openid_ns_uri = nil
       end
     end
 
     # Construct a Message containing a set of POST arguments.
+    # Raises InvalidNamespaceError if you try to instantiate a Message
+    # with a namespace not in the above allowed list
     def Message.from_post_args(args)
       m = Message.new
       openid_args = {}
@@ -123,12 +134,16 @@ module OpenID
     end
 
     # Construct a Message from a parsed KVForm message.
+    # Raises InvalidNamespaceError if you try to instantiate a Message
+    # with a namespace not in the above allowed list
     def Message.from_openid_args(openid_args)
       m = Message.new
       m._from_openid_args(openid_args)
       return m
     end
 
+    # Raises InvalidNamespaceError if you try to instantiate a Message
+    # with a namespace not in the above allowed list
     def _from_openid_args(openid_args)
       ns_args = []
 
@@ -143,47 +158,46 @@ module OpenID
         if ns_alias == 'ns'
           @namespaces.add_alias(value, ns_key)
         elsif ns_alias == NULL_NAMESPACE and ns_key == 'ns'
-          @namespaces.add_alias(value, NULL_NAMESPACE)
+          set_openid_namespace(value, false)
         else
           ns_args << [ns_alias, ns_key, value]
         end
       }
 
-      # ensure that there is an OpenID namespace definition
-      openid_ns_uri = @namespaces.get_namespace_uri(NULL_NAMESPACE)
-      openid_ns_uri = OPENID1_NS unless openid_ns_uri
-
-      self.set_openid_namespace(openid_ns_uri)
+      # implicitly set an OpenID 1 namespace
+      unless get_openid_namespace
+        set_openid_namespace(OPENID1_NS, true)
+      end
 
       # put the pairs into the appropriate namespaces
       ns_args.each { |ns_alias, ns_key, value|
         ns_uri = @namespaces.get_namespace_uri(ns_alias)
         unless ns_uri
-          # only try to map an alias to a default if it's an
-          # OpenID 1.x namespace
-          @@registered_aliases.each { |_alias, _uri|
-            if _alias == ns_alias
-              ns_uri = _uri
-              break
-            end
-          }
-
+          ns_uri = _get_default_namespace(ns_alias)
           unless ns_uri
-            ns_uri = openid_ns_uri
+            ns_uri = get_openid_namespace
             ns_key = "#{ns_alias}.#{ns_key}"
           else
-            @namespaces.add_alias(ns_uri, ns_alias)
+            @namespaces.add_alias(ns_uri, ns_alias, true)
           end
         end
         self.set_arg(ns_uri, ns_key, value)
       }
     end
 
-    def set_openid_namespace(openid_ns_uri)
+    def _get_default_namespace(mystery_alias)
+      # only try to map an alias to a default if it's an
+      # OpenID 1.x namespace
+      if is_openid1
+        @@registered_aliases[mystery_alias]
+      end
+    end
+
+    def set_openid_namespace(openid_ns_uri, implicit)
       if !@@allowed_openid_namespaces.include?(openid_ns_uri)
-        raise ArgumentError, "Invalid null namespace: #{openid_ns_uri}"
+        raise InvalidOpenIDNamespace, "Invalid null namespace: #{openid_ns_uri}"
       end
-      @namespaces.add_alias(openid_ns_uri, NULL_NAMESPACE)
+      @namespaces.add_alias(openid_ns_uri, NULL_NAMESPACE, implicit)
       @openid_ns_uri = openid_ns_uri
     end
 
@@ -192,7 +206,7 @@ module OpenID
     end
 
     def is_openid1
-      return @openid_ns_uri == OPENID1_NS
+      return OPENID1_NAMESPACES.member?(@openid_ns_uri)
     end
 
     def is_openid2
@@ -214,16 +228,15 @@ module OpenID
 
       # add namespace defs to the output
       @namespaces.each { |ns_uri, ns_alias|
+        if @namespaces.implicit?(ns_uri)
+          next
+        end
         if ns_alias == NULL_NAMESPACE
-          if ns_uri != OPENID1_NS
-            args['openid.ns'] = ns_uri
-          end
+          ns_key = 'openid.ns'
         else
-          if get_openid_namespace != OPENID1_NS
-            ns_key = 'openid.ns.' + ns_alias
-            args[ns_key] = ns_uri
-          end
+          ns_key = 'openid.ns.' + ns_alias
         end
+        args[ns_key] = ns_uri
       }
 
       @args.each { |k, value|
@@ -447,6 +460,7 @@ module OpenID
     def initialize
       @alias_to_namespace = {}
       @namespace_to_alias = {}
+      @implicit_namespaces = []
     end
 
     def get_alias(namespace_uri)
@@ -458,7 +472,7 @@ module OpenID
     end
 
     # Add an alias from this namespace URI to the alias.
-    def add_alias(namespace_uri, desired_alias)
+    def add_alias(namespace_uri, desired_alias, implicit=false)
       # Check that desired_alias is not an openid protocol field as
       # per the spec.
       Util.assert(!OPENID_PROTOCOL_FIELDS.include?(desired_alias),
@@ -487,6 +501,7 @@ module OpenID
 
       @alias_to_namespace[desired_alias] = namespace_uri
       @namespace_to_alias[namespace_uri] = desired_alias
+      @implicit_namespaces << namespace_uri if implicit
       return desired_alias
     end
 
@@ -526,6 +541,10 @@ module OpenID
       return @namespace_to_alias.keys()
     end
 
+    def implicit?(namespace_uri)
+      return @implicit_namespaces.member?(namespace_uri)
+    end
+
     def aliases
       # Return an iterator over the aliases
       return @alias_to_namespace.keys()