ruby-openid 2.0.4 → 2.1.2

data/lib/openid/server.rb

@@ -26,7 +26,7 @@ module OpenID
     UNUSED = nil
 
     class OpenIDRequest
-      attr_accessor :namespace, :message, :mode
+      attr_accessor :message, :mode
 
       # I represent an incoming OpenID request.
       #
@@ -34,6 +34,15 @@ module OpenID
       # mode:: The "openid.mode" of this request
       def initialize
         @mode = nil
+        @message = nil
+      end
+
+      def namespace
+        if @message.nil?
+          raise RuntimeError, "Request has no message"
+        else
+          return @message.get_openid_namespace
+        end
       end
     end
 
@@ -74,7 +83,6 @@ module OpenID
         @assoc_handle = assoc_handle
         @signed = signed
         @invalidate_handle = invalidate_handle
-        @namespace = OPENID2_NS
       end
 
       # Construct me from an OpenID::Message.
@@ -93,7 +101,6 @@ module OpenID
 
         obj = self.new(assoc_handle, signed, invalidate_handle)
         obj.message = message
-        obj.namespace = message.get_openid_namespace()
         obj.sig = message.get_arg(OPENID_NS, 'sig')
 
         if !obj.assoc_handle or
@@ -297,7 +304,6 @@ module OpenID
         super()
         @session = session
         @assoc_type = assoc_type
-        @namespace = OPENID2_NS
 
         @mode = "associate"
       end
@@ -305,10 +311,10 @@ module OpenID
       # Construct me from an OpenID Message.
       def self.from_message(message, op_endpoint=UNUSED)
         if message.is_openid1()
-          session_type = message.get_arg(OPENID1_NS, 'session_type')
+          session_type = message.get_arg(OPENID_NS, 'session_type')
           if session_type == 'no-encryption'
             Util.log('Received OpenID 1 request with a no-encryption ' +
-                     'assocaition session type. Continuing anyway.')
+                     'association session type. Continuing anyway.')
           elsif !session_type
             session_type = 'no-encryption'
           end
@@ -345,7 +351,6 @@ module OpenID
 
         obj = self.new(session, assoc_type)
         obj.message = message
-        obj.namespace = message.get_openid_namespace()
         return obj
       end
 
@@ -364,7 +369,8 @@ module OpenID
             })
         response.fields.update_args(OPENID_NS,
                                    @session.answer(assoc.secret))
-        if @session.session_type != 'no-encryption'
+        unless (@session.session_type == 'no-encryption' and
+                @message.is_openid1)
           response.fields.set_arg(
               OPENID_NS, 'session_type', @session.session_type)
         end
@@ -440,13 +446,13 @@ module OpenID
       # a URL.
       def initialize(identity, return_to, op_endpoint, trust_root=nil,
                      immediate=false, assoc_handle=nil)
-        @namespace = OPENID2_NS
         @assoc_handle = assoc_handle
         @identity = identity
         @claimed_id = identity
         @return_to = return_to
         @trust_root = trust_root or return_to
         @op_endpoint = op_endpoint
+        @message = nil
 
         if immediate
           @immediate = true
@@ -484,7 +490,6 @@ module OpenID
       def self.from_message(message, op_endpoint)
         obj = self.allocate
         obj.message = message
-        obj.namespace = message.get_openid_namespace()
         obj.op_endpoint = op_endpoint
         mode = message.get_arg(OPENID_NS, 'mode')
         if mode == "checkid_immediate"
@@ -496,44 +501,46 @@ module OpenID
         end
 
         obj.return_to = message.get_arg(OPENID_NS, 'return_to')
-        if obj.namespace == OPENID1_NS and !obj.return_to
+        if message.is_openid1 and !obj.return_to
           msg = sprintf("Missing required field 'return_to' from %s",
                         message)
           raise ProtocolError.new(message, msg)
         end
 
         obj.identity = message.get_arg(OPENID_NS, 'identity')
-        if obj.identity and message.is_openid2()
-          obj.claimed_id = message.get_arg(OPENID_NS, 'claimed_id')
-          if !obj.claimed_id
+        obj.claimed_id = message.get_arg(OPENID_NS, 'claimed_id')
+        if message.is_openid1()
+          if !obj.identity
+            s = "OpenID 1 message did not contain openid.identity"
+            raise ProtocolError.new(message, s)
+          end
+        else
+          if obj.identity and not obj.claimed_id
             s = ("OpenID 2.0 message contained openid.identity but not " +
                  "claimed_id")
             raise ProtocolError.new(message, s)
+          elsif obj.claimed_id and not obj.identity
+            s = ("OpenID 2.0 message contained openid.claimed_id but not " +
+                 "identity")
+            raise ProtocolError.new(message, s)
           end
-        else
-          obj.claimed_id = nil
-        end
-
-        if !obj.identity and obj.namespace == OPENID1_NS
-          s = "OpenID 1 message did not contain openid.identity"
-          raise ProtocolError.new(message, s)
         end
 
         # There's a case for making self.trust_root be a TrustRoot
         # here.  But if TrustRoot isn't currently part of the "public"
         # API, I'm not sure it's worth doing.
-        if obj.namespace == OPENID1_NS
-          obj.trust_root = message.get_arg(
-                OPENID_NS, 'trust_root', obj.return_to)
+        if message.is_openid1
+          trust_root_param = 'trust_root'
         else
-          obj.trust_root = message.get_arg(
-                OPENID_NS, 'realm', obj.return_to)
+          trust_root_param = 'realm'
+        end
+        trust_root = message.get_arg(OPENID_NS, trust_root_param)
+        trust_root = obj.return_to if (trust_root.nil? || trust_root.empty?)
+        obj.trust_root = trust_root
 
-          if !obj.return_to and
-              !obj.trust_root
-            raise ProtocolError.new(message, "openid.realm required when " +
-                                    "openid.return_to absent")
-          end
+        if !message.is_openid1 and !obj.return_to and !obj.trust_root
+          raise ProtocolError.new(message, "openid.realm required when " +
+                                  "openid.return_to absent")
         end
 
         obj.assoc_handle = message.get_arg(OPENID_NS, 'assoc_handle')
@@ -642,15 +649,18 @@ module OpenID
       #
       #              This parameter is new in OpenID 2.0.
       #
+      # Returns an OpenIDResponse object containing a OpenID id_res message.
+      #
+      # Raises NoReturnToError if the return_to is missing.
+      #
       # Version 2.0 deprecates +server_url+ and adds +claimed_id+.
       def answer(allow, server_url=nil, identity=nil, claimed_id=nil)
-        # FIXME: undocumented exceptions
         if !@return_to
           raise NoReturnToError
         end
 
         if !server_url
-          if @namespace != OPENID1_NS and !@op_endpoint
+          if @message.is_openid2 and !@op_endpoint
             # In other words, that warning I raised in
             # Server.__init__?  You should pay attention to it now.
             raise RuntimeError, ("#{self} should be constructed with "\
@@ -663,7 +673,7 @@ module OpenID
 
         if allow
           mode = 'id_res'
-        elsif @namespace == OPENID1_NS
+        elsif @message.is_openid1
           if @immediate
             mode = 'id_res'
           else
@@ -679,9 +689,9 @@ module OpenID
 
         response = OpenIDResponse.new(self)
 
-        if claimed_id and @namespace == OPENID1_NS
+        if claimed_id and @message.is_openid1
           raise VersionError, ("claimed_id is new in OpenID 2.0 and not "\
-                               "available for #{@namespace}")
+                               "available for #{@message.get_openid_namespace}")
         end
 
         if identity and !claimed_id
@@ -715,7 +725,7 @@ module OpenID
             response_identity = nil
           end
 
-          if @namespace == OPENID1_NS and !response_identity
+          if @message.is_openid1 and !response_identity
             raise ArgumentError, ("Request was an OpenID 1 request, so "\
                                   "response must include an identifier.")
           end
@@ -729,7 +739,7 @@ module OpenID
 
           if response_identity
             response.fields.set_arg(OPENID_NS, 'identity', response_identity)
-            if @namespace == OPENID2_NS
+            if @message.is_openid2
               response.fields.set_arg(OPENID_NS,
                                       'claimed_id', response_claimed_id)
             end
@@ -737,7 +747,7 @@ module OpenID
         else
           response.fields.set_arg(OPENID_NS, 'mode', mode)
           if @immediate
-            if @namespace == OPENID1_NS and !server_url
+            if @message.is_openid1 and !server_url
               raise ArgumentError, ("setup_url is required for allow=false "\
                                     "in OpenID 1.x immediate mode.")
             end
@@ -747,6 +757,7 @@ module OpenID
             setup_request = self.class.new(@identity, @return_to,
                                            @op_endpoint, @trust_root, false,
                                            @assoc_handle)
+            setup_request.message = Message.new(@message.get_openid_namespace)
             setup_url = setup_request.encode_to_url(server_url)
             response.fields.set_arg(OPENID_NS, 'user_setup_url', setup_url)
           end
@@ -774,7 +785,7 @@ module OpenID
              'return_to' => @return_to}
 
         if @trust_root
-          if @namespace == OPENID1_NS
+          if @message.is_openid1
             q['trust_root'] = @trust_root
           else
             q['realm'] = @trust_root
@@ -785,8 +796,8 @@ module OpenID
           q['assoc_handle'] = @assoc_handle
         end
 
-        response = Message.new(@namespace)
-        response.update_args(@namespace, q)
+        response = Message.new(@message.get_openid_namespace)
+        response.update_args(@message.get_openid_namespace, q)
         return response.to_url(server_url)
       end
 
@@ -810,7 +821,7 @@ module OpenID
                                   "immediate mode requests.")
         end
 
-        response = Message.new(@namespace)
+        response = Message.new(@message.get_openid_namespace)
         response.set_arg(OPENID_NS, 'mode', 'cancel')
         return response.to_url(@return_to)
       end
@@ -859,10 +870,19 @@ module OpenID
                        @fields)
       end
 
-      def to_form_markup
-        # Returns the form markup for this response.
-        return @fields.to_form_markup(
-                 @fields.get_arg(OPENID_NS, 'return_to'))
+      # form_tag_attrs is a hash of attributes to be added to the form
+      # tag. 'accept-charset' and 'enctype' have defaults that can be
+      # overridden. If a value is supplied for 'action' or 'method',
+      # it will be replaced.       
+      # Returns the form markup for this response.
+      def to_form_markup(form_tag_attrs=nil)
+        return @fields.to_form_markup(@request.return_to, form_tag_attrs)
+      end
+
+      # Wraps the form tag from to_form_markup in a complete HTML document
+      # that uses javascript to autosubmit the form.
+      def to_html(form_tag_attrs=nil)
+        return Util.auto_submit_html(to_form_markup(form_tag_attrs))
       end
 
       def render_as_form
@@ -882,7 +902,7 @@ module OpenID
         # How should I be encoded?
         # returns one of ENCODE_URL or ENCODE_KVFORM.
         if BROWSER_REQUEST_MODES.member?(@request.mode)
-          if @fields.get_openid_namespace == OPENID2_NS and
+          if @fields.is_openid2 and
               encode_to_url.length > OPENID1_URL_LIMIT
             return ENCODE_HTML_FORM
           else
@@ -1044,7 +1064,11 @@ module OpenID
           assoc = create_association(true)
         end
 
-        signed_response.fields = assoc.sign_message(signed_response.fields)
+        begin
+          signed_response.fields = assoc.sign_message(signed_response.fields)
+        rescue KVFormError => err
+          raise EncodingError, err
+        end
         return signed_response
       end
 
@@ -1220,7 +1244,14 @@ module OpenID
           return nil
         end
 
-        message = Message.from_post_args(query)
+        begin
+          message = Message.from_post_args(query)
+        rescue InvalidOpenIDNamespace => e
+          query = query.dup
+          query['openid.ns'] = OPENID2_NS
+          message = Message.from_post_args(query)
+          raise ProtocolError.new(message, e.to_s)
+        end
 
         mode = message.get_arg(OPENID_NS, 'mode')
         if !mode
@@ -1238,7 +1269,7 @@ module OpenID
       # This implementation always raises ProtocolError.
       def default_decoder(message, server)
         mode = message.get_arg(OPENID_NS, 'mode')
-        msg = sprintf("No decoder for mode %s", mode)
+        msg = sprintf("Unrecognized OpenID mode %s", mode)
         raise ProtocolError.new(message, msg)
       end
     end
@@ -1415,6 +1446,10 @@ module OpenID
         return to_message().to_form_markup(get_return_to())
       end
 
+      def to_html
+        return Util.auto_submit_html(to_form_markup)
+      end
+
       # How should I be encoded?
       #
       # Returns one of ENCODE_URL, ENCODE_KVFORM, or None.  If None,
@@ -1422,7 +1457,7 @@ module OpenID
       # displayed to the user.
       def which_encoding
         if has_return_to()
-          if @openid_message.get_openid_namespace() == OPENID2_NS and
+          if @openid_message.is_openid2 and
               encode_to_url().length > OPENID1_URL_LIMIT
             return ENCODE_HTML_FORM
           else

data/lib/openid/trustroot.rb

@@ -18,19 +18,24 @@ module OpenID
 
   module TrustRoot
     TOP_LEVEL_DOMAINS = %w'
-      com edu gov int mil net org biz info name museum coop aero ac ad
-      ae af ag ai al am an ao aq ar as at au aw az ba bb bd be bf bg
-      bh bi bj bm bn bo br bs bt bv bw by bz ca cc cd cf cg ch ci ck
-      cl cm cn co cr cu cv cx cy cz de dj dk dm do dz ec ee eg eh er
-      es et eu fi fj fk fm fo fr ga gd ge gf gg gh gi gl gm gn gp gq
-      gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in io iq ir is
-      it je jm jo jp ke kg kh ki km kn kp kr kw ky kz la lb lc li lk
-      lr ls lt lu lv ly ma mc md mg mh mk ml mm mn mo mp mq mr ms mt
-      mu mv mw mx my mz na nc ne nf ng ni nl no np nr nu nz om pa pe
-      pf pg ph pk pl pm pn pr ps pt pw py qa re ro ru rw sa sb sc sd
-      se sg sh si sj sk sl sm sn so sr st sv sy sz tc td tf tg th tj
-      tk tm tn to tp tr tt tv tw tz ua ug uk um us uy uz va vc ve vg
-      vi vn vu wf ws ye yt yu za zm zw'
+      ac ad ae aero af ag ai al am an ao aq ar arpa as asia at
+      au aw ax az ba bb bd be bf bg bh bi biz bj bm bn bo br bs bt
+      bv bw by bz ca cat cc cd cf cg ch ci ck cl cm cn co com coop
+      cr cu cv cx cy cz de dj dk dm do dz ec edu ee eg er es et eu
+      fi fj fk fm fo fr ga gb gd ge gf gg gh gi gl gm gn gov gp gq
+      gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in info int
+      io iq ir is it je jm jo jobs jp ke kg kh ki km kn kp kr kw
+      ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mg mh mil
+      mk ml mm mn mo mobi mp mq mr ms mt mu museum mv mw mx my mz
+      na name nc ne net nf ng ni nl no np nr nu nz om org pa pe pf
+      pg ph pk pl pm pn pr pro ps pt pw py qa re ro rs ru rw sa sb
+      sc sd se sg sh si sj sk sl sm sn so sr st su sv sy sz tc td
+      tel tf tg th tj tk tl tm tn to tp tr travel tt tv tw tz ua
+      ug uk us uy uz va vc ve vg vi vn vu wf ws xn--0zwm56d
+      xn--11b5bs3a9aj6g xn--80akhbyknj4f xn--9t4b11yi5a
+      xn--deba0ad xn--g6w251d xn--hgbk6aj7f53bba
+      xn--hlcj6aya9esc7a xn--jxalpdlp xn--kgbechtv xn--zckzah ye
+      yt yu za zm zw'
 
     ALLOWED_PROTOCOLS = ['http', 'https']
 
@@ -187,8 +192,6 @@ module OpenID
       end
 
       def TrustRoot.parse(trust_root)
-        return nil unless trust_root.instance_of?(String)
-
         trust_root = trust_root.dup
         unparsed = trust_root.dup
 
@@ -217,8 +220,13 @@ module OpenID
         return new(unparsed, proto, wildcard, host, port, path)
       end
 
-      def TrustRoot.check_sanity(trust_root)
-        return TrustRoot.parse(trust_root).sane?
+      def TrustRoot.check_sanity(trust_root_string)
+        trust_root = TrustRoot.parse(trust_root_string)
+        if trust_root.nil?
+          return false
+        else
+          return trust_root.sane?
+        end
       end
 
       # quick func for validating a url against a trust root.  See the

data/lib/openid/util.rb

@@ -4,15 +4,11 @@ require "logger"
 
 require "openid/extras"
 
-srand(Time.now.to_f)
-
 # See OpenID::Consumer or OpenID::Server modules, as well as the store classes
 module OpenID
   class AssertionError < Exception
   end
 
-  VERSION = "2.0.4"
-
   # Exceptions that are raised by the library are subclasses of this
   # exception type, so if you want to catch all exceptions raised by
   # the library, you can catch OpenIDError
@@ -90,6 +86,25 @@ module OpenID
     def Util.log(message)
       logger.info(message)
     end
+
+    def Util.auto_submit_html(form, title='OpenID transaction in progress')
+      return "
+<html>
+<head>
+  <title>#{title}</title>
+</head>
+<body onload='document.forms[0].submit();'>
+#{form}
+<script>
+var elements = document.forms[0].elements;
+for (var i = 0; i < elements.length; i++) {
+  elements[i].style.display = \"none\";
+}
+</script>
+</body>
+</html>
+"
+    end
   end
 
 end