ruby-openid2 3.0.0

data/lib/openid/consumer/responses.rb

@@ -0,0 +1,147 @@
+module OpenID
+  class Consumer
+    # Code returned when either the of the
+    # OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth
+    # methods return successfully.
+    SUCCESS = :success
+
+    # Code OpenID::OpenIDConsumer.complete_auth
+    # returns when the value it received indicated an invalid login.
+    FAILURE = :failure
+
+    # Code returned by OpenIDConsumer.complete_auth when the user
+    # cancels the operation from the server.
+    CANCEL = :cancel
+
+    # Code returned by OpenID::OpenIDConsumer.complete_auth when the
+    # OpenIDConsumer instance is in immediate mode and ther server sends back a
+    # URL for the user to login with.
+    SETUP_NEEDED = :setup_needed
+
+    module Response
+      attr_reader :endpoint
+
+      def status
+        self.class::STATUS
+      end
+
+      # The identity URL that has been authenticated; the Claimed Identifier.
+      # See also display_identifier.
+      def identity_url
+        @endpoint ? @endpoint.claimed_id : nil
+      end
+
+      # The display identifier is related to the Claimed Identifier, but the
+      # two are not always identical.  The display identifier is something the
+      # user should recognize as what they entered, whereas the response's
+      # claimed identifier (in the identity_url attribute) may have extra
+      # information for better persistence.
+      #
+      # URLs will be stripped of their fragments for display.  XRIs will
+      # display the human-readable identifier (i-name) instead of the
+      # persistent identifier (i-number).
+      #
+      # Use the display identifier in your user interface.  Use identity_url
+      # for querying your database or authorization server, or other
+      # identifier equality comparisons.
+      def display_identifier
+        @endpoint ? @endpoint.display_identifier : nil
+      end
+    end
+
+    # A successful acknowledgement from the OpenID server that the
+    # supplied URL is, indeed controlled by the requesting agent.
+    class SuccessResponse
+      include Response
+
+      STATUS = SUCCESS
+
+      attr_reader :message, :signed_fields
+
+      def initialize(endpoint, message, signed_fields)
+        # Don't use :endpoint=, because endpoint should never be nil
+        # for a successfull transaction.
+        @endpoint = endpoint
+        @identity_url = endpoint.claimed_id
+        @message = message
+        @signed_fields = signed_fields
+      end
+
+      # Was this authentication response an OpenID 1 authentication
+      # response?
+      def is_openid1
+        @message.is_openid1
+      end
+
+      # Return whether a particular key is signed, regardless of its
+      # namespace alias
+      def signed?(ns_uri, ns_key)
+        @signed_fields.member?(@message.get_key(ns_uri, ns_key))
+      end
+
+      # Return the specified signed field if available, otherwise
+      # return default
+      def get_signed(ns_uri, ns_key, default = nil)
+        return @message.get_arg(ns_uri, ns_key, default) if signed?(ns_uri, ns_key)
+
+        default
+      end
+
+      # Get signed arguments from the response message.  Return a dict
+      # of all arguments in the specified namespace.  If any of the
+      # arguments are not signed, return nil.
+      def get_signed_ns(ns_uri)
+        msg_args = @message.get_args(ns_uri)
+        msg_args.each_key do |key|
+          return nil unless signed?(ns_uri, key)
+        end
+        msg_args
+      end
+
+      # Return response arguments in the specified namespace.
+      # If require_signed is true and the arguments are not signed,
+      # return nil.
+      def extension_response(namespace_uri, require_signed)
+        if require_signed
+          get_signed_ns(namespace_uri)
+        else
+          @message.get_args(namespace_uri)
+        end
+      end
+    end
+
+    class FailureResponse
+      include Response
+      STATUS = FAILURE
+
+      attr_reader :message, :contact, :reference
+
+      def initialize(endpoint, message, contact = nil, reference = nil)
+        @endpoint = endpoint
+        @message = message
+        @contact = contact
+        @reference = reference
+      end
+    end
+
+    class CancelResponse
+      include Response
+      STATUS = CANCEL
+      def initialize(endpoint)
+        @endpoint = endpoint
+      end
+    end
+
+    class SetupNeededResponse
+      include Response
+      STATUS = SETUP_NEEDED
+
+      attr_reader :setup_url
+
+      def initialize(endpoint, setup_url)
+        @endpoint = endpoint
+        @setup_url = setup_url
+      end
+    end
+  end
+end

data/lib/openid/consumer/session.rb

@@ -0,0 +1,36 @@
+module OpenID
+  class Consumer
+    class Session
+      def initialize(session, decode_klass = nil)
+        @session = session
+        @decode_klass = decode_klass
+      end
+
+      def [](key)
+        val = @session[key]
+        @decode_klass ? @decode_klass.from_session_value(val) : val
+      end
+
+      def []=(key, val)
+        @session[key] = to_session_value(val)
+      end
+
+      def keys
+        @session.keys
+      end
+
+      private
+
+      def to_session_value(val)
+        case val
+        when Array
+          val.map { |ele| to_session_value(ele) }
+        when Hash
+          Hash[*val.flat_map { |k, v| [k, to_session_value(v)] }]
+        else
+          val.respond_to?(:to_session_value) ? val.to_session_value : val
+        end
+      end
+    end
+  end
+end

data/lib/openid/consumer.rb

@@ -0,0 +1,406 @@
+require_relative "consumer/idres"
+require_relative "consumer/checkid_request"
+require_relative "consumer/associationmanager"
+require_relative "consumer/responses"
+require_relative "consumer/session"
+require_relative "consumer/discovery_manager"
+require_relative "consumer/discovery"
+require_relative "message"
+require_relative "yadis/discovery"
+require_relative "store/nonce"
+
+module OpenID
+  # OpenID support for Relying Parties (aka Consumers).
+  #
+  # This module documents the main interface with the OpenID consumer
+  # library.  The only part of the library which has to be used and
+  # isn't documented in full here is the store required to create an
+  # Consumer instance.
+  #
+  # = OVERVIEW
+  #
+  # The OpenID identity verification process most commonly uses the
+  # following steps, as visible to the user of this library:
+  #
+  # 1. The user enters their OpenID into a field on the consumer's
+  #    site, and hits a login button.
+  #
+  # 2. The consumer site discovers the user's OpenID provider using
+  #    the Yadis protocol.
+  #
+  # 3. The consumer site sends the browser a redirect to the OpenID
+  #    provider.  This is the authentication request as described in
+  #    the OpenID specification.
+  #
+  # 4. The OpenID provider's site sends the browser a redirect back to
+  #    the consumer site.  This redirect contains the provider's
+  #    response to the authentication request.
+  #
+  # The most important part of the flow to note is the consumer's site
+  # must handle two separate HTTP requests in order to perform the
+  # full identity check.
+  #
+  # = LIBRARY DESIGN
+  #
+  # This consumer library is designed with that flow in mind.  The
+  # goal is to make it as easy as possible to perform the above steps
+  # securely.
+  #
+  # At a high level, there are two important parts in the consumer
+  # library.  The first important part is this module, which contains
+  # the interface to actually use this library.  The second is
+  # openid/store/interface.rb, which describes the interface to use if
+  # you need to create a custom method for storing the state this
+  # library needs to maintain between requests.
+  #
+  # In general, the second part is less important for users of the
+  # library to know about, as several implementations are provided
+  # which cover a wide variety of situations in which consumers may
+  # use the library.
+  #
+  # The Consumer class has methods corresponding to the actions
+  # necessary in each of steps 2, 3, and 4 described in the overview.
+  # Use of this library should be as easy as creating an Consumer
+  # instance and calling the methods appropriate for the action the
+  # site wants to take.
+  #
+  # This library automatically detects which version of the OpenID
+  # protocol should be used for a transaction and constructs the
+  # proper requests and responses.  Users of this library do not need
+  # to worry about supporting multiple protocol versions; the library
+  # supports them implicitly.  Depending on the version of the
+  # protocol in use, the OpenID transaction may be more secure.  See
+  # the OpenID specifications for more information.
+  #
+  # = SESSIONS, STORES, AND STATELESS MODE
+  #
+  # The Consumer object keeps track of two types of state:
+  #
+  # 1. State of the user's current authentication attempt.  Things
+  #    like the identity URL, the list of endpoints discovered for
+  #    that URL, and in case where some endpoints are unreachable, the
+  #    list of endpoints already tried.  This state needs to be held
+  #    from Consumer.begin() to Consumer.complete(), but it is only
+  #    applicable to a single session with a single user agent, and at
+  #    the end of the authentication process (i.e. when an OP replies
+  #    with either <tt>id_res</tt>. or <tt>cancel</tt> it may be
+  #    discarded.
+  #
+  # 2. State of relationships with servers, i.e. shared secrets
+  #    (associations) with servers and nonces seen on signed messages.
+  #    This information should persist from one session to the next
+  #    and should not be bound to a particular user-agent.
+  #
+  # These two types of storage are reflected in the first two
+  # arguments of Consumer's constructor, <tt>session</tt> and
+  # <tt>store</tt>.  <tt>session</tt> is a dict-like object and we
+  # hope your web framework provides you with one of these bound to
+  # the user agent.  <tt>store</tt> is an instance of Store.
+  #
+  # Since the store does hold secrets shared between your application
+  # and the OpenID provider, you should be careful about how you use
+  # it in a shared hosting environment.  If the filesystem or database
+  # permissions of your web host allow strangers to read from them, do
+  # not store your data there!  If you have no safe place to store
+  # your data, construct your consumer with nil for the store, and it
+  # will operate only in stateless mode.  Stateless mode may be
+  # slower, put more load on the OpenID provider, and trusts the
+  # provider to keep you safe from replay attacks.
+  #
+  # Several store implementation are provided, and the interface is
+  # fully documented so that custom stores can be used as well.  See
+  # the documentation for the Consumer class for more information on
+  # the interface for stores.  The implementations that are provided
+  # allow the consumer site to store the necessary data in several
+  # different ways, including several SQL databases and normal files
+  # on disk.
+  #
+  # = IMMEDIATE MODE
+  #
+  # In the flow described above, the user may need to confirm to the
+  # OpenID provider that it's ok to disclose his or her identity.  The
+  # provider may draw pages asking for information from the user
+  # before it redirects the browser back to the consumer's site.  This
+  # is generally transparent to the consumer site, so it is typically
+  # ignored as an implementation detail.
+  #
+  # There can be times, however, where the consumer site wants to get
+  # a response immediately.  When this is the case, the consumer can
+  # put the library in immediate mode.  In immediate mode, there is an
+  # extra response possible from the server, which is essentially the
+  # server reporting that it doesn't have enough information to answer
+  # the question yet.
+  #
+  # = USING THIS LIBRARY
+  #
+  # Integrating this library into an application is usually a
+  # relatively straightforward process.  The process should basically
+  # follow this plan:
+  #
+  # Add an OpenID login field somewhere on your site.  When an OpenID
+  # is entered in that field and the form is submitted, it should make
+  # a request to the site that includes that OpenID URL.
+  #
+  # First, the application should instantiate a Consumer with a
+  # session for per-user state and store for shared state using the
+  # store of choice.
+  #
+  # Next, the application should call the <tt>begin</tt> method of
+  # Consumer instance.  This method takes the OpenID URL as entered by
+  # the user.  The <tt>begin</tt> method returns a CheckIDRequest
+  # object.
+  #
+  # Next, the application should call the redirect_url method on the
+  # CheckIDRequest object.  The parameter <tt>return_to</tt> is the
+  # URL that the OpenID server will send the user back to after
+  # attempting to verify his or her identity.  The <tt>realm</tt>
+  # parameter is the URL (or URL pattern) that identifies your web
+  # site to the user when he or she is authorizing it.  Send a
+  # redirect to the resulting URL to the user's browser.
+  #
+  # That's the first half of the authentication process.  The second
+  # half of the process is done after the user's OpenID Provider sends
+  # the user's browser a redirect back to your site to complete their
+  # login.
+  #
+  # When that happens, the user will contact your site at the URL
+  # given as the <tt>return_to</tt> URL to the redirect_url call made
+  # above.  The request will have several query parameters added to
+  # the URL by the OpenID provider as the information necessary to
+  # finish the request.
+  #
+  # Get a Consumer instance with the same session and store as before
+  # and call its complete() method, passing in all the received query
+  # arguments and URL currently being handled.
+  #
+  # There are multiple possible return types possible from that
+  # method. These indicate the whether or not the login was
+  # successful, and include any additional information appropriate for
+  # their type.
+  class Consumer
+    attr_accessor :session_key_prefix
+
+    # Initialize a Consumer instance.
+    #
+    # You should create a new instance of the Consumer object with
+    # every HTTP request that handles OpenID transactions.
+    #
+    # session: the session object to use to store request information.
+    # The session should behave like a hash.
+    #
+    # store: an object that implements the interface in Store.
+    def initialize(session, store)
+      @origin_session = session
+      @session = Session.new(session, OpenID::OpenIDServiceEndpoint)
+      @store = store
+      @session_key_prefix = "OpenID::Consumer::"
+    end
+
+    # Start the OpenID authentication process. See steps 1-2 in the
+    # overview for the Consumer class.
+    #
+    # user_url: Identity URL given by the user. This method performs a
+    # textual transformation of the URL to try and make sure it is
+    # normalized. For example, a user_url of example.com will be
+    # normalized to http://example.com/ normalizing and resolving any
+    # redirects the server might issue.
+    #
+    # anonymous: A boolean value.  Whether to make an anonymous
+    # request of the OpenID provider.  Such a request does not ask for
+    # an authorization assertion for an OpenID identifier, but may be
+    # used with extensions to pass other data.  e.g. "I don't care who
+    # you are, but I'd like to know your time zone."
+    #
+    # Returns a CheckIDRequest object containing the discovered
+    # information, with a method for building a redirect URL to the
+    # server, as described in step 3 of the overview. This object may
+    # also be used to add extension arguments to the request, using
+    # its add_extension_arg method.
+    #
+    # Raises DiscoveryFailure when no OpenID server can be found for
+    # this URL.
+    def begin(openid_identifier, anonymous = false)
+      manager = discovery_manager(openid_identifier)
+      service = manager.get_next_service(&method(:discover))
+
+      if service.nil?
+        raise DiscoveryFailure.new(
+          "No usable OpenID services were found " \
+            "for #{openid_identifier.inspect}",
+          nil,
+        )
+      else
+        begin_without_discovery(service, anonymous)
+      end
+    end
+
+    # Start OpenID verification without doing OpenID server
+    # discovery. This method is used internally by Consumer.begin()
+    # after discovery is performed, and exists to provide an interface
+    # for library users needing to perform their own discovery.
+    #
+    # service: an OpenID service endpoint descriptor.  This object and
+    # factories for it are found in the openid/consumer/discovery.rb
+    # module.
+    #
+    # Returns an OpenID authentication request object.
+    def begin_without_discovery(service, anonymous)
+      assoc = association_manager(service).get_association
+      checkid_request = CheckIDRequest.new(assoc, service)
+      checkid_request.anonymous = anonymous
+
+      if service.compatibility_mode
+        rt_args = checkid_request.return_to_args
+        rt_args[Consumer.openid1_return_to_nonce_name] = Nonce.mk_nonce
+        rt_args[Consumer.openid1_return_to_claimed_id_name] =
+          service.claimed_id
+      end
+
+      self.last_requested_endpoint = service
+      checkid_request
+    end
+
+    # Called to interpret the server's response to an OpenID
+    # request. It is called in step 4 of the flow described in the
+    # Consumer overview.
+    #
+    # query: A hash of the query parameters for this HTTP request.
+    # Note that in rails, this is <b>not</b> <tt>params</tt> but
+    # <tt>params.reject{|k,v|request.path_parameters[k]}</tt>
+    # because <tt>controller</tt> and <tt>action</tt> and other
+    # "path parameters" are included in params.
+    #
+    # current_url: Extract the URL of the current request from your
+    # application's web request framework and specify it here to have it
+    # checked against the openid.return_to value in the response.  Do not
+    # just pass <tt>args['openid.return_to']</tt> here; that will defeat the
+    # purpose of this check.  (See OpenID Authentication 2.0 section 11.1.)
+    #
+    # If the return_to URL check fails, the status of the completion will be
+    # FAILURE.
+
+    #
+    # Returns a subclass of Response. The type of response is
+    # indicated by the status attribute, which will be one of
+    # SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
+    def complete(query, current_url)
+      message = Message.from_post_args(query)
+      mode = message.get_arg(OPENID_NS, "mode", "invalid")
+      begin
+        meth = method("complete_" + mode)
+      rescue NameError
+        meth = method(:complete_invalid)
+      end
+      response = meth.call(message, current_url)
+      cleanup_last_requested_endpoint
+      cleanup_session if [SUCCESS, CANCEL].member?(response.status)
+      response
+    end
+
+    protected
+
+    def session_get(name)
+      @session[session_key(name)]
+    end
+
+    def session_set(name, val)
+      @session[session_key(name)] = val
+    end
+
+    def session_key(suffix)
+      @session_key_prefix + suffix
+    end
+
+    def last_requested_endpoint
+      session_get("last_requested_endpoint")
+    end
+
+    def last_requested_endpoint=(endpoint)
+      session_set("last_requested_endpoint", endpoint)
+    end
+
+    def cleanup_last_requested_endpoint
+      @session[session_key("last_requested_endpoint")] = nil
+    end
+
+    def discovery_manager(openid_identifier)
+      DiscoveryManager.new(@origin_session, openid_identifier, @session_key_prefix)
+    end
+
+    def cleanup_session
+      discovery_manager(nil).cleanup(true)
+    end
+
+    def discover(identifier)
+      OpenID.discover(identifier)
+    end
+
+    def negotiator
+      DefaultNegotiator
+    end
+
+    def association_manager(service)
+      AssociationManager.new(
+        @store,
+        service.server_url,
+        service.compatibility_mode,
+        negotiator,
+      )
+    end
+
+    def handle_idres(message, current_url)
+      IdResHandler.new(message, current_url, @store, last_requested_endpoint)
+    end
+
+    def complete_invalid(message, _unused_return_to)
+      mode = message.get_arg(OPENID_NS, "mode", "<No mode set>")
+      FailureResponse.new(
+        last_requested_endpoint,
+        "Invalid openid.mode: #{mode}",
+      )
+    end
+
+    def complete_cancel(_unused_message, _unused_return_to)
+      CancelResponse.new(last_requested_endpoint)
+    end
+
+    def complete_error(message, _unused_return_to)
+      error = message.get_arg(OPENID_NS, "error")
+      contact = message.get_arg(OPENID_NS, "contact")
+      reference = message.get_arg(OPENID_NS, "reference")
+
+      FailureResponse.new(
+        last_requested_endpoint,
+        error,
+        contact,
+        reference,
+      )
+    end
+
+    def complete_setup_needed(message, _unused_return_to)
+      return complete_invalid(message, nil) if message.is_openid1
+
+      setup_url = message.get_arg(OPENID2_NS, "user_setup_url")
+      SetupNeededResponse.new(last_requested_endpoint, setup_url)
+    end
+
+    def complete_id_res(message, current_url)
+      if message.is_openid1
+        setup_url = message.get_arg(OPENID_NS, "user_setup_url")
+        return SetupNeededResponse.new(last_requested_endpoint, setup_url) unless setup_url.nil?
+      end
+
+      begin
+        idres = handle_idres(message, current_url)
+      rescue OpenIDError => e
+        FailureResponse.new(last_requested_endpoint, e.message)
+      else
+        SuccessResponse.new(
+          idres.endpoint,
+          message,
+          idres.signed_fields,
+        )
+      end
+    end
+  end
+end

data/lib/openid/cryptutil.rb

@@ -0,0 +1,112 @@
+# stdlib
+require "digest/sha1"
+require "digest/sha2"
+begin
+  require "openssl"
+rescue LoadError
+  begin
+    # Try loading the ruby-hmac files if they exist
+    require "hmac-sha1"
+    require "hmac-sha2"
+  rescue LoadError
+    # Nothing exists use included hmac files
+    require_relative "../hmac/sha1"
+    require_relative "../hmac/sha2"
+  end
+end
+
+# This library
+require_relative "util"
+
+module OpenID
+  # This module contains everything needed to perform low-level
+  # cryptograph and data manipulation tasks.
+  module CryptUtil
+    # Generate a random number, doing a little extra work to make it
+    # more likely that it's suitable for cryptography. If your system
+    # doesn't have /dev/urandom then this number is not
+    # cryptographically safe. See
+    # <http://www.cosine.org/2007/08/07/security-ruby-kernel-rand/>
+    # for more information.  max is the largest possible value of such
+    # a random number, where the result will be less than max.
+    def self.rand(max)
+      Kernel.srand
+      Kernel.rand(max)
+    end
+
+    def self.sha1(text)
+      Digest::SHA1.digest(text)
+    end
+
+    def self.hmac_sha1(key, text)
+      return HMAC::SHA1.digest(key, text) unless defined? OpenSSL
+
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key, text)
+    end
+
+    def self.sha256(text)
+      Digest::SHA256.digest(text)
+    end
+
+    def self.hmac_sha256(key, text)
+      return HMAC::SHA256.digest(key, text) unless defined? OpenSSL
+
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, text)
+    end
+
+    # Generate a random string of the given length, composed of the
+    # specified characters.  If chars is nil, generate a string
+    # composed of characters in the range 0..255.
+    def self.random_string(length, chars = nil)
+      s = ""
+
+      if chars.nil?
+        length.times { s << rand(256).chr }
+      else
+        length.times { s << chars[rand(chars.length)] }
+      end
+      s
+    end
+
+    # Convert a number to its binary representation; return a string
+    # of bytes.
+    def self.num_to_binary(n)
+      bits = n.to_s(2)
+      prepend = (8 - bits.length % 8)
+      bits = ("0" * prepend) + bits
+      [bits].pack("B*")
+    end
+
+    # Convert a string of bytes into a number.
+    def self.binary_to_num(s)
+      # taken from openid-ruby 0.0.1
+      s = "\000" * (4 - (s.length % 4)) + s
+      num = 0
+      s.unpack("N*").each do |x|
+        num <<= 32
+        num |= x
+      end
+      num
+    end
+
+    # Encode a number as a base64-encoded byte string.
+    def self.num_to_base64(l)
+      OpenID::Util.to_base64(num_to_binary(l))
+    end
+
+    # Decode a base64 byte string to a number.
+    def self.base64_to_num(s)
+      binary_to_num(OpenID::Util.from_base64(s))
+    end
+
+    def self.const_eq(s1, s2)
+      return false if s1.length != s2.length
+
+      result = true
+      s1.length.times do |i|
+        result &= (s1[i] == s2[i])
+      end
+      result
+    end
+  end
+end