ruby-openid2 3.0.0

data/lib/openid/consumer/html_parse.rb

@@ -0,0 +1,142 @@
+require_relative "../yadis/htmltokenizer"
+
+module OpenID
+  # Stuff to remove before we start looking for tags
+  REMOVED_RE = %r{
+    # Comments
+    <!--.*?-->
+
+    # CDATA blocks
+  | <!\[CDATA\[.*?\]\]>
+
+    # script blocks
+  | <script\b
+
+    # make sure script is not an XML namespace
+    (?!:)
+
+    [^>]*>.*?</script>
+
+  }mix
+
+  def self.openid_unescape(s)
+    s.gsub("&amp;", "&").gsub("&lt;", "<").gsub("&gt;", ">").gsub("&quot;", '"')
+  end
+
+  def self.unescape_hash(h)
+    newh = {}
+    h.map do |k, v|
+      newh[k] = openid_unescape(v)
+    end
+    newh
+  end
+
+  def self.parse_link_attrs(html)
+    begin
+      stripped = html.gsub(REMOVED_RE, "")
+    rescue ArgumentError
+      begin
+        stripped = html.encode("UTF-8", "binary", invalid: :replace, undef: :replace, replace: "").gsub(
+          REMOVED_RE, ""
+        )
+      rescue Encoding::UndefinedConversionError, Encoding::ConverterNotFoundError
+        # needed for a problem in JRuby where it can't handle the conversion.
+        # see details here: https://github.com/jruby/jruby/issues/829
+        stripped = html.encode("UTF-8", "ASCII", invalid: :replace, undef: :replace, replace: "").gsub(
+          REMOVED_RE, ""
+        )
+      end
+    end
+    parser = HTMLTokenizer.new(stripped)
+
+    links = []
+    # to keep track of whether or not we are in the head element
+    in_head = false
+    in_html = false
+    saw_head = false
+
+    begin
+      while el = parser.getTag(
+        "head",
+        "/head",
+        "link",
+        "body",
+        "/body",
+        "html",
+        "/html",
+      )
+
+        # we are leaving head or have reached body, so we bail
+        return links if ["/head", "body", "/body", "/html"].member?(el.tag_name)
+
+        # enforce html > head > link
+        in_html = true if el.tag_name == "html"
+        next unless in_html
+
+        if el.tag_name == "head"
+          if saw_head
+            return links # only allow one head
+          end
+
+          saw_head = true
+          in_head = true unless el.to_s[-2] == 47 # tag ends with a /: a short tag
+        end
+        next unless in_head
+
+        return links if el.tag_name == "html"
+
+        links << unescape_hash(el.attr_hash) if el.tag_name == "link"
+
+      end
+    rescue Exception # just stop parsing if there's an error
+    end
+    links
+  end
+
+  def self.rel_matches(rel_attr, target_rel)
+    # Does this target_rel appear in the rel_str?
+    # XXX: TESTME
+    rels = rel_attr.strip.split
+    rels.each do |rel|
+      rel = rel.downcase
+      return true if rel == target_rel
+    end
+
+    false
+  end
+
+  def self.link_has_rel(link_attrs, target_rel)
+    # Does this link have target_rel as a relationship?
+
+    # XXX: TESTME
+    rel_attr = link_attrs["rel"]
+    (rel_attr and rel_matches(rel_attr, target_rel))
+  end
+
+  def self.find_links_rel(link_attrs_list, target_rel)
+    # Filter the list of link attributes on whether it has target_rel
+    # as a relationship.
+
+    # XXX: TESTME
+    matches_target = ->(attrs) { link_has_rel(attrs, target_rel) }
+    result = []
+
+    link_attrs_list.each do |item|
+      result << item if matches_target.call(item)
+    end
+
+    result
+  end
+
+  def self.find_first_href(link_attrs_list, target_rel)
+    # Return the value of the href attribute for the first link tag in
+    # the list that has target_rel as a relationship.
+
+    # XXX: TESTME
+    matches = find_links_rel(link_attrs_list, target_rel)
+    return if !matches or matches.empty?
+
+    first = matches[0]
+    first["href"]
+  end
+end

data/lib/openid/consumer/idres.rb

@@ -0,0 +1,513 @@
+require_relative "../message"
+require_relative "../protocolerror"
+require_relative "../kvpost"
+require_relative "../urinorm"
+require_relative "discovery"
+
+module OpenID
+  class TypeURIMismatch < ProtocolError
+    attr_reader :type_uri, :endpoint
+
+    def initialize(type_uri, endpoint)
+      @type_uri = type_uri
+      @endpoint = endpoint
+    end
+  end
+
+  class Consumer
+    @openid1_return_to_nonce_name = "rp_nonce"
+    @openid1_return_to_claimed_id_name = "openid1_claimed_id"
+
+    # Set the name of the query parameter that this library will use
+    # to thread a nonce through an OpenID 1 transaction. It will be
+    # appended to the return_to URL.
+    class << self
+      attr_accessor :openid1_return_to_nonce_name
+    end
+
+    # Set the name of the query parameter that this library will use
+    # to thread the requested URL through an OpenID 1 transaction (for
+    # use when verifying discovered information). It will be appended
+    # to the return_to URL.
+    class << self
+      attr_accessor :openid1_return_to_claimed_id_name
+    end
+
+    # Handles an openid.mode=id_res response. This object is
+    # instantiated and used by the Consumer.
+    class IdResHandler
+      attr_reader :endpoint, :message
+
+      def initialize(message, current_url, store = nil, endpoint = nil)
+        @store = store # Fer the nonce and invalidate_handle
+        @message = message
+        @endpoint = endpoint
+        @current_url = current_url
+        @signed_list = nil
+
+        # Start the verification process
+        id_res
+      end
+
+      def signed_fields
+        signed_list.map { |x| "openid." + x }
+      end
+
+      protected
+
+      # This method will raise ProtocolError unless the request is a
+      # valid id_res response. Once it has been verified, the methods
+      # 'endpoint', 'message', and 'signed_fields' contain the
+      # verified information.
+      def id_res
+        check_for_fields
+        check_signature
+        check_nonce
+        verify_return_to
+        verify_discovery_results
+      end
+
+      def server_url
+        @endpoint.nil? ? nil : @endpoint.server_url
+      end
+
+      def openid_namespace
+        @message.get_openid_namespace
+      end
+
+      def fetch(field, default = NO_DEFAULT)
+        @message.get_arg(OPENID_NS, field, default)
+      end
+
+      def signed_list
+        if @signed_list.nil?
+          signed_list_str = fetch("signed", nil)
+          raise ProtocolError, "Response missing signed list" if signed_list_str.nil?
+
+          @signed_list = signed_list_str.split(",", -1)
+        end
+        @signed_list
+      end
+
+      def check_for_fields
+        # XXX: if a field is missing, we should not have to explicitly
+        # check that it's present, just make sure that the fields are
+        # actually being used by the rest of the code in
+        # tests. Although, which fields are signed does need to be
+        # checked somewhere.
+        basic_fields = %w[return_to assoc_handle sig signed]
+        basic_sig_fields = %w[return_to identity]
+
+        case openid_namespace
+        when OPENID2_NS
+          require_fields = basic_fields + ["op_endpoint"]
+          require_sigs = basic_sig_fields +
+            %w[response_nonce claimed_id assoc_handle op_endpoint]
+        when OPENID1_NS, OPENID11_NS
+          require_fields = basic_fields + ["identity"]
+          require_sigs = basic_sig_fields
+        else
+          raise "check_for_fields doesn't know about " \
+            "namespace #{openid_namespace.inspect}"
+        end
+
+        require_fields.each do |field|
+          raise ProtocolError, "Missing required field #{field}" unless @message.has_key?(OPENID_NS, field)
+        end
+
+        require_sigs.each do |field|
+          # Field is present and not in signed list
+          if @message.has_key?(OPENID_NS, field) && !signed_list.member?(field)
+            raise ProtocolError, "#{field.inspect} not signed"
+          end
+        end
+      end
+
+      def verify_return_to
+        begin
+          msg_return_to = URI.parse(URINorm.urinorm(fetch("return_to")))
+        rescue URI::InvalidURIError
+          raise ProtocolError, ("return_to is not a valid URI")
+        end
+
+        verify_return_to_args(msg_return_to)
+        return if @current_url.nil?
+
+        verify_return_to_base(msg_return_to)
+      end
+
+      def verify_return_to_args(msg_return_to)
+        return_to_parsed_query = {}
+        unless msg_return_to.query.nil?
+          CGI.parse(msg_return_to.query).each_pair do |k, vs|
+            return_to_parsed_query[k] = vs[0]
+          end
+        end
+        query = @message.to_post_args
+        return_to_parsed_query.each_pair do |rt_key, rt_val|
+          msg_val = query[rt_key]
+          if msg_val.nil? && !rt_val.nil?
+            raise ProtocolError, "Message missing return_to argument '#{rt_key}'"
+          elsif msg_val != rt_val
+            raise ProtocolError, "Parameter '#{rt_key}' value " \
+              "#{msg_val.inspect} does not match " \
+              "return_to's value #{rt_val.inspect}"
+          end
+        end
+        @message.get_args(BARE_NS).each_pair do |bare_key, bare_val|
+          rt_val = return_to_parsed_query[bare_key]
+          unless return_to_parsed_query.has_key?(bare_key)
+            # This may be caused by your web framework throwing extra
+            # entries in to your parameters hash that were not GET or
+            # POST parameters.  For example, Rails has been known to
+            # add "controller" and "action" keys; another server adds
+            # at least a "format" key.
+            raise ProtocolError, "Unexpected parameter (not on return_to): " \
+              "'#{bare_key}'=#{rt_val.inspect})"
+          end
+          next unless rt_val != bare_val
+
+          raise ProtocolError, "Parameter '#{bare_key}' value " \
+            "#{bare_val.inspect} does not match " \
+            "return_to's value #{rt_val.inspect}"
+        end
+      end
+
+      def verify_return_to_base(msg_return_to)
+        begin
+          app_parsed = URI.parse(URINorm.urinorm(@current_url))
+        rescue URI::InvalidURIError
+          raise ProtocolError, "current_url is not a valid URI: #{@current_url}"
+        end
+
+        %i[scheme host port path].each do |meth|
+          raise ProtocolError, "return_to #{meth} does not match" if msg_return_to.send(meth) != app_parsed.send(meth)
+        end
+      end
+
+      # Raises ProtocolError if the signature is bad
+      def check_signature
+        # ----------------------------------------------------------------------
+        # The server url must be defined within the endpoint instance for the
+        # OpenID2 namespace in order for the signature check to complete
+        # successfully.
+        #
+        # This fix corrects issue #125 - Unable to complete OpenID login
+        #                                with ruby-openid 2.9.0/2.9.1
+        # ---------------------------------------------------------------------
+        set_endpoint_flag = false
+        if @endpoint.nil? && openid_namespace == OPENID2_NS
+          @endpoint = OpenIDServiceEndpoint.new
+          @endpoint.server_url = fetch("op_endpoint")
+          set_endpoint_flag = true
+        end
+
+        assoc = if @store.nil?
+          nil
+        else
+          @store.get_association(server_url, fetch("assoc_handle"))
+        end
+
+        if assoc.nil?
+          check_auth
+        elsif assoc.expires_in <= 0
+          raise ProtocolError, "Association with #{server_url} expired"
+        # XXX: It might be a good idea sometimes to re-start the
+        # authentication with a new association. Doing it
+        # automatically opens the possibility for
+        # denial-of-service by a server that just returns expired
+        # associations (or really short-lived associations)
+        elsif !assoc.check_message_signature(@message)
+          raise ProtocolError, "Bad signature in response from #{server_url}"
+        end
+        @endpoint = nil if set_endpoint_flag  # Clear endpoint if we defined it.
+      end
+
+      def check_auth
+        Util.log("Using 'check_authentication' with #{server_url}")
+        begin
+          request = create_check_auth_request
+        rescue Message::KeyNotFound => e
+          raise ProtocolError, "Could not generate 'check_authentication' " \
+            "request: #{e.message}"
+        end
+
+        response = OpenID.make_kv_post(request, server_url)
+
+        process_check_auth_response(response)
+      end
+
+      def create_check_auth_request
+        signed_list = @message.get_arg(OPENID_NS, "signed", NO_DEFAULT).split(",")
+
+        # check that we got all the signed arguments
+        signed_list.each do |k|
+          @message.get_aliased_arg(k, NO_DEFAULT)
+        end
+
+        ca_message = @message.copy
+        ca_message.set_arg(OPENID_NS, "mode", "check_authentication")
+
+        ca_message
+      end
+
+      # Process the response message from a check_authentication
+      # request, invalidating associations if requested.
+      def process_check_auth_response(response)
+        is_valid = response.get_arg(OPENID_NS, "is_valid", "false")
+
+        invalidate_handle = response.get_arg(OPENID_NS, "invalidate_handle")
+        unless invalidate_handle.nil?
+          Util.log("Received 'invalidate_handle' from server #{server_url}")
+          if @store.nil?
+            Util.log('Unexpectedly got "invalidate_handle" without a store!')
+          else
+            @store.remove_association(server_url, invalidate_handle)
+          end
+        end
+
+        return unless is_valid != "true"
+
+        raise ProtocolError, "Server #{server_url} responds that the " \
+          "'check_authentication' call is not valid"
+      end
+
+      def check_nonce
+        case openid_namespace
+        when OPENID1_NS, OPENID11_NS
+          nonce =
+            @message.get_arg(BARE_NS, Consumer.openid1_return_to_nonce_name)
+
+          # We generated the nonce, so it uses the empty string as the
+          # server URL
+          server_url = ""
+        when OPENID2_NS
+          nonce = @message.get_arg(OPENID2_NS, "response_nonce")
+          server_url = self.server_url
+        else
+          raise StandardError, "Not reached"
+        end
+
+        raise ProtocolError, "Nonce missing from response" if nonce.nil?
+
+        begin
+          time, extra = Nonce.split_nonce(nonce)
+        rescue ArgumentError
+          raise ProtocolError, "Malformed nonce: #{nonce.inspect}"
+        end
+
+        return unless !@store.nil? && !@store.use_nonce(server_url, time, extra)
+
+        raise ProtocolError, "Nonce already used or out of range: " \
+          "#{nonce.inspect}"
+      end
+
+      def verify_discovery_results
+        case openid_namespace
+        when OPENID1_NS, OPENID11_NS
+          verify_discovery_results_openid1
+        when OPENID2_NS
+          verify_discovery_results_openid2
+        else
+          raise StandardError, "Not reached: #{openid_namespace}"
+        end
+      rescue Message::KeyNotFound => e
+        raise ProtocolError, "Missing required field: #{e.message}"
+      end
+
+      def verify_discovery_results_openid2
+        to_match = OpenIDServiceEndpoint.new
+        to_match.type_uris = [OPENID_2_0_TYPE]
+        to_match.claimed_id = fetch("claimed_id", nil)
+        to_match.local_id = fetch("identity", nil)
+        to_match.server_url = fetch("op_endpoint")
+
+        if to_match.claimed_id.nil? && !to_match.local_id.nil?
+          raise ProtocolError, "openid.identity is present without " \
+            "openid.claimed_id"
+        elsif !to_match.claimed_id.nil? && to_match.local_id.nil?
+          raise ProtocolError, "openid.claimed_id is present without " \
+            "openid.identity"
+
+        # This is a response without identifiers, so there's really no
+        # checking that we can do, so return an endpoint that's for
+        # the specified `openid.op_endpoint'
+        elsif to_match.claimed_id.nil?
+          @endpoint =
+            OpenIDServiceEndpoint.from_op_endpoint_url(to_match.server_url)
+          return
+        end
+
+        if @endpoint.nil?
+          Util.log("No pre-discovered information supplied")
+          discover_and_verify(to_match.claimed_id, [to_match])
+        else
+          begin
+            verify_discovery_single(@endpoint, to_match)
+          rescue ProtocolError => e
+            Util.log("Error attempting to use stored discovery " \
+              "information: #{e.message}")
+            Util.log("Attempting discovery to verify endpoint")
+            discover_and_verify(to_match.claimed_id, [to_match])
+          end
+        end
+
+        return unless @endpoint.claimed_id != to_match.claimed_id
+
+        @endpoint = @endpoint.dup
+        @endpoint.claimed_id = to_match.claimed_id
+      end
+
+      def verify_discovery_results_openid1
+        claimed_id =
+          @message.get_arg(BARE_NS, Consumer.openid1_return_to_claimed_id_name)
+
+        if claimed_id.nil?
+          if @endpoint.nil?
+            raise ProtocolError, "When using OpenID 1, the claimed ID must " \
+              "be supplied, either by passing it through " \
+              "as a return_to parameter or by using a " \
+              "session, and supplied to the IdResHandler " \
+              "when it is constructed."
+          else
+            claimed_id = @endpoint.claimed_id
+          end
+        end
+
+        to_match = OpenIDServiceEndpoint.new
+        to_match.type_uris = [OPENID_1_1_TYPE]
+        to_match.local_id = fetch("identity")
+        # Restore delegate information from the initiation phase
+        to_match.claimed_id = claimed_id
+
+        to_match_1_0 = to_match.dup
+        to_match_1_0.type_uris = [OPENID_1_0_TYPE]
+
+        unless @endpoint.nil?
+          begin
+            begin
+              verify_discovery_single(@endpoint, to_match)
+            rescue TypeURIMismatch
+              verify_discovery_single(@endpoint, to_match_1_0)
+            end
+          rescue ProtocolError => e
+            Util.log("Error attempting to use stored discovery information: " +
+                     e.message)
+            Util.log("Attempting discovery to verify endpoint")
+          else
+            return @endpoint
+          end
+        end
+
+        # Either no endpoint was supplied or OpenID 1.x verification
+        # of the information that's in the message failed on that
+        # endpoint.
+        discover_and_verify(to_match.claimed_id, [to_match, to_match_1_0])
+      end
+
+      # Given an endpoint object created from the information in an
+      # OpenID response, perform discovery and verify the discovery
+      # results, returning the matching endpoint that is the result of
+      # doing that discovery.
+      def discover_and_verify(claimed_id, to_match_endpoints)
+        Util.log("Performing discovery on #{claimed_id}")
+        _, services = OpenID.discover(claimed_id)
+        if services.length == 0
+          # XXX: this might want to be something other than
+          # ProtocolError. In Python, it's DiscoveryFailure
+          raise ProtocolError, "No OpenID information found at " \
+            "#{claimed_id}"
+        end
+        verify_discovered_services(claimed_id, services, to_match_endpoints)
+      end
+
+      def verify_discovered_services(claimed_id, services, to_match_endpoints)
+        # Search the services resulting from discovery to find one
+        # that matches the information from the assertion
+        failure_messages = []
+        for endpoint in services
+          for to_match_endpoint in to_match_endpoints
+            begin
+              verify_discovery_single(endpoint, to_match_endpoint)
+            rescue ProtocolError => e
+              failure_messages << e.message
+            else
+              # It matches, so discover verification has
+              # succeeded. Return this endpoint.
+              @endpoint = endpoint
+              return
+            end
+          end
+        end
+
+        Util.log("Discovery verification failure for #{claimed_id}")
+        failure_messages.each do |failure_message|
+          Util.log(" * Endpoint mismatch: " + failure_message)
+        end
+
+        # XXX: is DiscoveryFailure in Python OpenID
+        raise ProtocolError, "No matching endpoint found after " \
+          "discovering #{claimed_id}"
+      end
+
+      def verify_discovery_single(endpoint, to_match)
+        # Every type URI that's in the to_match endpoint has to be
+        # present in the discovered endpoint.
+        for type_uri in to_match.type_uris
+          raise TypeURIMismatch.new(type_uri, endpoint) unless endpoint.uses_extension(type_uri)
+        end
+
+        # Fragments do not influence discovery, so we can't compare a
+        # claimed identifier with a fragment to discovered information.
+        defragged_claimed_id =
+          case Yadis::XRI.identifier_scheme(to_match.claimed_id)
+          when :xri
+            to_match.claimed_id
+          when :uri
+            begin
+              parsed = URI.parse(to_match.claimed_id)
+            rescue URI::InvalidURIError
+              to_match.claimed_id
+            else
+              parsed.fragment = nil
+              parsed.to_s
+            end
+          else
+            raise StandardError, "Not reached"
+          end
+
+        if defragged_claimed_id != endpoint.claimed_id
+          raise ProtocolError, "Claimed ID does not match (different " \
+            "subjects!), Expected " \
+            "#{defragged_claimed_id}, got " \
+            "#{endpoint.claimed_id}"
+        end
+
+        if to_match.get_local_id != endpoint.get_local_id
+          raise ProtocolError, "local_id mismatch. Expected " \
+            "#{to_match.get_local_id}, got " \
+            "#{endpoint.get_local_id}"
+        end
+
+        # If the server URL is nil, this must be an OpenID 1
+        # response, because op_endpoint is a required parameter in
+        # OpenID 2. In that case, we don't actually care what the
+        # discovered server_url is, because signature checking or
+        # check_auth should take care of that check for us.
+        if to_match.server_url.nil?
+          if to_match.preferred_namespace != OPENID1_NS
+            raise StandardError,
+              "The code calling this must ensure that OpenID 2 " \
+                "responses have a non-none `openid.op_endpoint' and " \
+                "that it is set as the `server_url' attribute of the " \
+                "`to_match' endpoint."
+          end
+        elsif to_match.server_url != endpoint.server_url
+          raise ProtocolError, "OP Endpoint mismatch. Expected" \
+            "#{to_match.server_url}, got " \
+            "#{endpoint.server_url}"
+        end
+      end
+    end
+  end
+end