ruby-openid2 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +0 -0
- data/CHANGELOG.md +136 -0
- data/CODE_OF_CONDUCT.md +84 -0
- data/CONTRIBUTING.md +54 -0
- data/LICENSE.txt +210 -0
- data/README.md +81 -0
- data/SECURITY.md +15 -0
- data/lib/hmac/hmac.rb +110 -0
- data/lib/hmac/sha1.rb +11 -0
- data/lib/hmac/sha2.rb +25 -0
- data/lib/openid/association.rb +246 -0
- data/lib/openid/consumer/associationmanager.rb +354 -0
- data/lib/openid/consumer/checkid_request.rb +179 -0
- data/lib/openid/consumer/discovery.rb +516 -0
- data/lib/openid/consumer/discovery_manager.rb +144 -0
- data/lib/openid/consumer/html_parse.rb +142 -0
- data/lib/openid/consumer/idres.rb +513 -0
- data/lib/openid/consumer/responses.rb +147 -0
- data/lib/openid/consumer/session.rb +36 -0
- data/lib/openid/consumer.rb +406 -0
- data/lib/openid/cryptutil.rb +112 -0
- data/lib/openid/dh.rb +84 -0
- data/lib/openid/extension.rb +38 -0
- data/lib/openid/extensions/ax.rb +552 -0
- data/lib/openid/extensions/oauth.rb +88 -0
- data/lib/openid/extensions/pape.rb +170 -0
- data/lib/openid/extensions/sreg.rb +268 -0
- data/lib/openid/extensions/ui.rb +49 -0
- data/lib/openid/fetchers.rb +277 -0
- data/lib/openid/kvform.rb +113 -0
- data/lib/openid/kvpost.rb +62 -0
- data/lib/openid/message.rb +555 -0
- data/lib/openid/protocolerror.rb +7 -0
- data/lib/openid/server.rb +1571 -0
- data/lib/openid/store/filesystem.rb +260 -0
- data/lib/openid/store/interface.rb +73 -0
- data/lib/openid/store/memcache.rb +109 -0
- data/lib/openid/store/memory.rb +79 -0
- data/lib/openid/store/nonce.rb +72 -0
- data/lib/openid/trustroot.rb +597 -0
- data/lib/openid/urinorm.rb +72 -0
- data/lib/openid/util.rb +119 -0
- data/lib/openid/version.rb +5 -0
- data/lib/openid/yadis/accept.rb +141 -0
- data/lib/openid/yadis/constants.rb +16 -0
- data/lib/openid/yadis/discovery.rb +151 -0
- data/lib/openid/yadis/filters.rb +192 -0
- data/lib/openid/yadis/htmltokenizer.rb +290 -0
- data/lib/openid/yadis/parsehtml.rb +50 -0
- data/lib/openid/yadis/services.rb +44 -0
- data/lib/openid/yadis/xrds.rb +160 -0
- data/lib/openid/yadis/xri.rb +86 -0
- data/lib/openid/yadis/xrires.rb +87 -0
- data/lib/openid.rb +27 -0
- data/lib/ruby-openid.rb +1 -0
- data.tar.gz.sig +0 -0
- metadata +331 -0
- metadata.gz.sig +0 -0
@@ -0,0 +1,147 @@
|
|
1
|
+
module OpenID
|
2
|
+
class Consumer
|
3
|
+
# Code returned when either the of the
|
4
|
+
# OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth
|
5
|
+
# methods return successfully.
|
6
|
+
SUCCESS = :success
|
7
|
+
|
8
|
+
# Code OpenID::OpenIDConsumer.complete_auth
|
9
|
+
# returns when the value it received indicated an invalid login.
|
10
|
+
FAILURE = :failure
|
11
|
+
|
12
|
+
# Code returned by OpenIDConsumer.complete_auth when the user
|
13
|
+
# cancels the operation from the server.
|
14
|
+
CANCEL = :cancel
|
15
|
+
|
16
|
+
# Code returned by OpenID::OpenIDConsumer.complete_auth when the
|
17
|
+
# OpenIDConsumer instance is in immediate mode and ther server sends back a
|
18
|
+
# URL for the user to login with.
|
19
|
+
SETUP_NEEDED = :setup_needed
|
20
|
+
|
21
|
+
module Response
|
22
|
+
attr_reader :endpoint
|
23
|
+
|
24
|
+
def status
|
25
|
+
self.class::STATUS
|
26
|
+
end
|
27
|
+
|
28
|
+
# The identity URL that has been authenticated; the Claimed Identifier.
|
29
|
+
# See also display_identifier.
|
30
|
+
def identity_url
|
31
|
+
@endpoint ? @endpoint.claimed_id : nil
|
32
|
+
end
|
33
|
+
|
34
|
+
# The display identifier is related to the Claimed Identifier, but the
|
35
|
+
# two are not always identical. The display identifier is something the
|
36
|
+
# user should recognize as what they entered, whereas the response's
|
37
|
+
# claimed identifier (in the identity_url attribute) may have extra
|
38
|
+
# information for better persistence.
|
39
|
+
#
|
40
|
+
# URLs will be stripped of their fragments for display. XRIs will
|
41
|
+
# display the human-readable identifier (i-name) instead of the
|
42
|
+
# persistent identifier (i-number).
|
43
|
+
#
|
44
|
+
# Use the display identifier in your user interface. Use identity_url
|
45
|
+
# for querying your database or authorization server, or other
|
46
|
+
# identifier equality comparisons.
|
47
|
+
def display_identifier
|
48
|
+
@endpoint ? @endpoint.display_identifier : nil
|
49
|
+
end
|
50
|
+
end
|
51
|
+
|
52
|
+
# A successful acknowledgement from the OpenID server that the
|
53
|
+
# supplied URL is, indeed controlled by the requesting agent.
|
54
|
+
class SuccessResponse
|
55
|
+
include Response
|
56
|
+
|
57
|
+
STATUS = SUCCESS
|
58
|
+
|
59
|
+
attr_reader :message, :signed_fields
|
60
|
+
|
61
|
+
def initialize(endpoint, message, signed_fields)
|
62
|
+
# Don't use :endpoint=, because endpoint should never be nil
|
63
|
+
# for a successfull transaction.
|
64
|
+
@endpoint = endpoint
|
65
|
+
@identity_url = endpoint.claimed_id
|
66
|
+
@message = message
|
67
|
+
@signed_fields = signed_fields
|
68
|
+
end
|
69
|
+
|
70
|
+
# Was this authentication response an OpenID 1 authentication
|
71
|
+
# response?
|
72
|
+
def is_openid1
|
73
|
+
@message.is_openid1
|
74
|
+
end
|
75
|
+
|
76
|
+
# Return whether a particular key is signed, regardless of its
|
77
|
+
# namespace alias
|
78
|
+
def signed?(ns_uri, ns_key)
|
79
|
+
@signed_fields.member?(@message.get_key(ns_uri, ns_key))
|
80
|
+
end
|
81
|
+
|
82
|
+
# Return the specified signed field if available, otherwise
|
83
|
+
# return default
|
84
|
+
def get_signed(ns_uri, ns_key, default = nil)
|
85
|
+
return @message.get_arg(ns_uri, ns_key, default) if signed?(ns_uri, ns_key)
|
86
|
+
|
87
|
+
default
|
88
|
+
end
|
89
|
+
|
90
|
+
# Get signed arguments from the response message. Return a dict
|
91
|
+
# of all arguments in the specified namespace. If any of the
|
92
|
+
# arguments are not signed, return nil.
|
93
|
+
def get_signed_ns(ns_uri)
|
94
|
+
msg_args = @message.get_args(ns_uri)
|
95
|
+
msg_args.each_key do |key|
|
96
|
+
return nil unless signed?(ns_uri, key)
|
97
|
+
end
|
98
|
+
msg_args
|
99
|
+
end
|
100
|
+
|
101
|
+
# Return response arguments in the specified namespace.
|
102
|
+
# If require_signed is true and the arguments are not signed,
|
103
|
+
# return nil.
|
104
|
+
def extension_response(namespace_uri, require_signed)
|
105
|
+
if require_signed
|
106
|
+
get_signed_ns(namespace_uri)
|
107
|
+
else
|
108
|
+
@message.get_args(namespace_uri)
|
109
|
+
end
|
110
|
+
end
|
111
|
+
end
|
112
|
+
|
113
|
+
class FailureResponse
|
114
|
+
include Response
|
115
|
+
STATUS = FAILURE
|
116
|
+
|
117
|
+
attr_reader :message, :contact, :reference
|
118
|
+
|
119
|
+
def initialize(endpoint, message, contact = nil, reference = nil)
|
120
|
+
@endpoint = endpoint
|
121
|
+
@message = message
|
122
|
+
@contact = contact
|
123
|
+
@reference = reference
|
124
|
+
end
|
125
|
+
end
|
126
|
+
|
127
|
+
class CancelResponse
|
128
|
+
include Response
|
129
|
+
STATUS = CANCEL
|
130
|
+
def initialize(endpoint)
|
131
|
+
@endpoint = endpoint
|
132
|
+
end
|
133
|
+
end
|
134
|
+
|
135
|
+
class SetupNeededResponse
|
136
|
+
include Response
|
137
|
+
STATUS = SETUP_NEEDED
|
138
|
+
|
139
|
+
attr_reader :setup_url
|
140
|
+
|
141
|
+
def initialize(endpoint, setup_url)
|
142
|
+
@endpoint = endpoint
|
143
|
+
@setup_url = setup_url
|
144
|
+
end
|
145
|
+
end
|
146
|
+
end
|
147
|
+
end
|
@@ -0,0 +1,36 @@
|
|
1
|
+
module OpenID
|
2
|
+
class Consumer
|
3
|
+
class Session
|
4
|
+
def initialize(session, decode_klass = nil)
|
5
|
+
@session = session
|
6
|
+
@decode_klass = decode_klass
|
7
|
+
end
|
8
|
+
|
9
|
+
def [](key)
|
10
|
+
val = @session[key]
|
11
|
+
@decode_klass ? @decode_klass.from_session_value(val) : val
|
12
|
+
end
|
13
|
+
|
14
|
+
def []=(key, val)
|
15
|
+
@session[key] = to_session_value(val)
|
16
|
+
end
|
17
|
+
|
18
|
+
def keys
|
19
|
+
@session.keys
|
20
|
+
end
|
21
|
+
|
22
|
+
private
|
23
|
+
|
24
|
+
def to_session_value(val)
|
25
|
+
case val
|
26
|
+
when Array
|
27
|
+
val.map { |ele| to_session_value(ele) }
|
28
|
+
when Hash
|
29
|
+
Hash[*val.flat_map { |k, v| [k, to_session_value(v)] }]
|
30
|
+
else
|
31
|
+
val.respond_to?(:to_session_value) ? val.to_session_value : val
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
36
|
+
end
|
@@ -0,0 +1,406 @@
|
|
1
|
+
require_relative "consumer/idres"
|
2
|
+
require_relative "consumer/checkid_request"
|
3
|
+
require_relative "consumer/associationmanager"
|
4
|
+
require_relative "consumer/responses"
|
5
|
+
require_relative "consumer/session"
|
6
|
+
require_relative "consumer/discovery_manager"
|
7
|
+
require_relative "consumer/discovery"
|
8
|
+
require_relative "message"
|
9
|
+
require_relative "yadis/discovery"
|
10
|
+
require_relative "store/nonce"
|
11
|
+
|
12
|
+
module OpenID
|
13
|
+
# OpenID support for Relying Parties (aka Consumers).
|
14
|
+
#
|
15
|
+
# This module documents the main interface with the OpenID consumer
|
16
|
+
# library. The only part of the library which has to be used and
|
17
|
+
# isn't documented in full here is the store required to create an
|
18
|
+
# Consumer instance.
|
19
|
+
#
|
20
|
+
# = OVERVIEW
|
21
|
+
#
|
22
|
+
# The OpenID identity verification process most commonly uses the
|
23
|
+
# following steps, as visible to the user of this library:
|
24
|
+
#
|
25
|
+
# 1. The user enters their OpenID into a field on the consumer's
|
26
|
+
# site, and hits a login button.
|
27
|
+
#
|
28
|
+
# 2. The consumer site discovers the user's OpenID provider using
|
29
|
+
# the Yadis protocol.
|
30
|
+
#
|
31
|
+
# 3. The consumer site sends the browser a redirect to the OpenID
|
32
|
+
# provider. This is the authentication request as described in
|
33
|
+
# the OpenID specification.
|
34
|
+
#
|
35
|
+
# 4. The OpenID provider's site sends the browser a redirect back to
|
36
|
+
# the consumer site. This redirect contains the provider's
|
37
|
+
# response to the authentication request.
|
38
|
+
#
|
39
|
+
# The most important part of the flow to note is the consumer's site
|
40
|
+
# must handle two separate HTTP requests in order to perform the
|
41
|
+
# full identity check.
|
42
|
+
#
|
43
|
+
# = LIBRARY DESIGN
|
44
|
+
#
|
45
|
+
# This consumer library is designed with that flow in mind. The
|
46
|
+
# goal is to make it as easy as possible to perform the above steps
|
47
|
+
# securely.
|
48
|
+
#
|
49
|
+
# At a high level, there are two important parts in the consumer
|
50
|
+
# library. The first important part is this module, which contains
|
51
|
+
# the interface to actually use this library. The second is
|
52
|
+
# openid/store/interface.rb, which describes the interface to use if
|
53
|
+
# you need to create a custom method for storing the state this
|
54
|
+
# library needs to maintain between requests.
|
55
|
+
#
|
56
|
+
# In general, the second part is less important for users of the
|
57
|
+
# library to know about, as several implementations are provided
|
58
|
+
# which cover a wide variety of situations in which consumers may
|
59
|
+
# use the library.
|
60
|
+
#
|
61
|
+
# The Consumer class has methods corresponding to the actions
|
62
|
+
# necessary in each of steps 2, 3, and 4 described in the overview.
|
63
|
+
# Use of this library should be as easy as creating an Consumer
|
64
|
+
# instance and calling the methods appropriate for the action the
|
65
|
+
# site wants to take.
|
66
|
+
#
|
67
|
+
# This library automatically detects which version of the OpenID
|
68
|
+
# protocol should be used for a transaction and constructs the
|
69
|
+
# proper requests and responses. Users of this library do not need
|
70
|
+
# to worry about supporting multiple protocol versions; the library
|
71
|
+
# supports them implicitly. Depending on the version of the
|
72
|
+
# protocol in use, the OpenID transaction may be more secure. See
|
73
|
+
# the OpenID specifications for more information.
|
74
|
+
#
|
75
|
+
# = SESSIONS, STORES, AND STATELESS MODE
|
76
|
+
#
|
77
|
+
# The Consumer object keeps track of two types of state:
|
78
|
+
#
|
79
|
+
# 1. State of the user's current authentication attempt. Things
|
80
|
+
# like the identity URL, the list of endpoints discovered for
|
81
|
+
# that URL, and in case where some endpoints are unreachable, the
|
82
|
+
# list of endpoints already tried. This state needs to be held
|
83
|
+
# from Consumer.begin() to Consumer.complete(), but it is only
|
84
|
+
# applicable to a single session with a single user agent, and at
|
85
|
+
# the end of the authentication process (i.e. when an OP replies
|
86
|
+
# with either <tt>id_res</tt>. or <tt>cancel</tt> it may be
|
87
|
+
# discarded.
|
88
|
+
#
|
89
|
+
# 2. State of relationships with servers, i.e. shared secrets
|
90
|
+
# (associations) with servers and nonces seen on signed messages.
|
91
|
+
# This information should persist from one session to the next
|
92
|
+
# and should not be bound to a particular user-agent.
|
93
|
+
#
|
94
|
+
# These two types of storage are reflected in the first two
|
95
|
+
# arguments of Consumer's constructor, <tt>session</tt> and
|
96
|
+
# <tt>store</tt>. <tt>session</tt> is a dict-like object and we
|
97
|
+
# hope your web framework provides you with one of these bound to
|
98
|
+
# the user agent. <tt>store</tt> is an instance of Store.
|
99
|
+
#
|
100
|
+
# Since the store does hold secrets shared between your application
|
101
|
+
# and the OpenID provider, you should be careful about how you use
|
102
|
+
# it in a shared hosting environment. If the filesystem or database
|
103
|
+
# permissions of your web host allow strangers to read from them, do
|
104
|
+
# not store your data there! If you have no safe place to store
|
105
|
+
# your data, construct your consumer with nil for the store, and it
|
106
|
+
# will operate only in stateless mode. Stateless mode may be
|
107
|
+
# slower, put more load on the OpenID provider, and trusts the
|
108
|
+
# provider to keep you safe from replay attacks.
|
109
|
+
#
|
110
|
+
# Several store implementation are provided, and the interface is
|
111
|
+
# fully documented so that custom stores can be used as well. See
|
112
|
+
# the documentation for the Consumer class for more information on
|
113
|
+
# the interface for stores. The implementations that are provided
|
114
|
+
# allow the consumer site to store the necessary data in several
|
115
|
+
# different ways, including several SQL databases and normal files
|
116
|
+
# on disk.
|
117
|
+
#
|
118
|
+
# = IMMEDIATE MODE
|
119
|
+
#
|
120
|
+
# In the flow described above, the user may need to confirm to the
|
121
|
+
# OpenID provider that it's ok to disclose his or her identity. The
|
122
|
+
# provider may draw pages asking for information from the user
|
123
|
+
# before it redirects the browser back to the consumer's site. This
|
124
|
+
# is generally transparent to the consumer site, so it is typically
|
125
|
+
# ignored as an implementation detail.
|
126
|
+
#
|
127
|
+
# There can be times, however, where the consumer site wants to get
|
128
|
+
# a response immediately. When this is the case, the consumer can
|
129
|
+
# put the library in immediate mode. In immediate mode, there is an
|
130
|
+
# extra response possible from the server, which is essentially the
|
131
|
+
# server reporting that it doesn't have enough information to answer
|
132
|
+
# the question yet.
|
133
|
+
#
|
134
|
+
# = USING THIS LIBRARY
|
135
|
+
#
|
136
|
+
# Integrating this library into an application is usually a
|
137
|
+
# relatively straightforward process. The process should basically
|
138
|
+
# follow this plan:
|
139
|
+
#
|
140
|
+
# Add an OpenID login field somewhere on your site. When an OpenID
|
141
|
+
# is entered in that field and the form is submitted, it should make
|
142
|
+
# a request to the site that includes that OpenID URL.
|
143
|
+
#
|
144
|
+
# First, the application should instantiate a Consumer with a
|
145
|
+
# session for per-user state and store for shared state using the
|
146
|
+
# store of choice.
|
147
|
+
#
|
148
|
+
# Next, the application should call the <tt>begin</tt> method of
|
149
|
+
# Consumer instance. This method takes the OpenID URL as entered by
|
150
|
+
# the user. The <tt>begin</tt> method returns a CheckIDRequest
|
151
|
+
# object.
|
152
|
+
#
|
153
|
+
# Next, the application should call the redirect_url method on the
|
154
|
+
# CheckIDRequest object. The parameter <tt>return_to</tt> is the
|
155
|
+
# URL that the OpenID server will send the user back to after
|
156
|
+
# attempting to verify his or her identity. The <tt>realm</tt>
|
157
|
+
# parameter is the URL (or URL pattern) that identifies your web
|
158
|
+
# site to the user when he or she is authorizing it. Send a
|
159
|
+
# redirect to the resulting URL to the user's browser.
|
160
|
+
#
|
161
|
+
# That's the first half of the authentication process. The second
|
162
|
+
# half of the process is done after the user's OpenID Provider sends
|
163
|
+
# the user's browser a redirect back to your site to complete their
|
164
|
+
# login.
|
165
|
+
#
|
166
|
+
# When that happens, the user will contact your site at the URL
|
167
|
+
# given as the <tt>return_to</tt> URL to the redirect_url call made
|
168
|
+
# above. The request will have several query parameters added to
|
169
|
+
# the URL by the OpenID provider as the information necessary to
|
170
|
+
# finish the request.
|
171
|
+
#
|
172
|
+
# Get a Consumer instance with the same session and store as before
|
173
|
+
# and call its complete() method, passing in all the received query
|
174
|
+
# arguments and URL currently being handled.
|
175
|
+
#
|
176
|
+
# There are multiple possible return types possible from that
|
177
|
+
# method. These indicate the whether or not the login was
|
178
|
+
# successful, and include any additional information appropriate for
|
179
|
+
# their type.
|
180
|
+
class Consumer
|
181
|
+
attr_accessor :session_key_prefix
|
182
|
+
|
183
|
+
# Initialize a Consumer instance.
|
184
|
+
#
|
185
|
+
# You should create a new instance of the Consumer object with
|
186
|
+
# every HTTP request that handles OpenID transactions.
|
187
|
+
#
|
188
|
+
# session: the session object to use to store request information.
|
189
|
+
# The session should behave like a hash.
|
190
|
+
#
|
191
|
+
# store: an object that implements the interface in Store.
|
192
|
+
def initialize(session, store)
|
193
|
+
@origin_session = session
|
194
|
+
@session = Session.new(session, OpenID::OpenIDServiceEndpoint)
|
195
|
+
@store = store
|
196
|
+
@session_key_prefix = "OpenID::Consumer::"
|
197
|
+
end
|
198
|
+
|
199
|
+
# Start the OpenID authentication process. See steps 1-2 in the
|
200
|
+
# overview for the Consumer class.
|
201
|
+
#
|
202
|
+
# user_url: Identity URL given by the user. This method performs a
|
203
|
+
# textual transformation of the URL to try and make sure it is
|
204
|
+
# normalized. For example, a user_url of example.com will be
|
205
|
+
# normalized to http://example.com/ normalizing and resolving any
|
206
|
+
# redirects the server might issue.
|
207
|
+
#
|
208
|
+
# anonymous: A boolean value. Whether to make an anonymous
|
209
|
+
# request of the OpenID provider. Such a request does not ask for
|
210
|
+
# an authorization assertion for an OpenID identifier, but may be
|
211
|
+
# used with extensions to pass other data. e.g. "I don't care who
|
212
|
+
# you are, but I'd like to know your time zone."
|
213
|
+
#
|
214
|
+
# Returns a CheckIDRequest object containing the discovered
|
215
|
+
# information, with a method for building a redirect URL to the
|
216
|
+
# server, as described in step 3 of the overview. This object may
|
217
|
+
# also be used to add extension arguments to the request, using
|
218
|
+
# its add_extension_arg method.
|
219
|
+
#
|
220
|
+
# Raises DiscoveryFailure when no OpenID server can be found for
|
221
|
+
# this URL.
|
222
|
+
def begin(openid_identifier, anonymous = false)
|
223
|
+
manager = discovery_manager(openid_identifier)
|
224
|
+
service = manager.get_next_service(&method(:discover))
|
225
|
+
|
226
|
+
if service.nil?
|
227
|
+
raise DiscoveryFailure.new(
|
228
|
+
"No usable OpenID services were found " \
|
229
|
+
"for #{openid_identifier.inspect}",
|
230
|
+
nil,
|
231
|
+
)
|
232
|
+
else
|
233
|
+
begin_without_discovery(service, anonymous)
|
234
|
+
end
|
235
|
+
end
|
236
|
+
|
237
|
+
# Start OpenID verification without doing OpenID server
|
238
|
+
# discovery. This method is used internally by Consumer.begin()
|
239
|
+
# after discovery is performed, and exists to provide an interface
|
240
|
+
# for library users needing to perform their own discovery.
|
241
|
+
#
|
242
|
+
# service: an OpenID service endpoint descriptor. This object and
|
243
|
+
# factories for it are found in the openid/consumer/discovery.rb
|
244
|
+
# module.
|
245
|
+
#
|
246
|
+
# Returns an OpenID authentication request object.
|
247
|
+
def begin_without_discovery(service, anonymous)
|
248
|
+
assoc = association_manager(service).get_association
|
249
|
+
checkid_request = CheckIDRequest.new(assoc, service)
|
250
|
+
checkid_request.anonymous = anonymous
|
251
|
+
|
252
|
+
if service.compatibility_mode
|
253
|
+
rt_args = checkid_request.return_to_args
|
254
|
+
rt_args[Consumer.openid1_return_to_nonce_name] = Nonce.mk_nonce
|
255
|
+
rt_args[Consumer.openid1_return_to_claimed_id_name] =
|
256
|
+
service.claimed_id
|
257
|
+
end
|
258
|
+
|
259
|
+
self.last_requested_endpoint = service
|
260
|
+
checkid_request
|
261
|
+
end
|
262
|
+
|
263
|
+
# Called to interpret the server's response to an OpenID
|
264
|
+
# request. It is called in step 4 of the flow described in the
|
265
|
+
# Consumer overview.
|
266
|
+
#
|
267
|
+
# query: A hash of the query parameters for this HTTP request.
|
268
|
+
# Note that in rails, this is <b>not</b> <tt>params</tt> but
|
269
|
+
# <tt>params.reject{|k,v|request.path_parameters[k]}</tt>
|
270
|
+
# because <tt>controller</tt> and <tt>action</tt> and other
|
271
|
+
# "path parameters" are included in params.
|
272
|
+
#
|
273
|
+
# current_url: Extract the URL of the current request from your
|
274
|
+
# application's web request framework and specify it here to have it
|
275
|
+
# checked against the openid.return_to value in the response. Do not
|
276
|
+
# just pass <tt>args['openid.return_to']</tt> here; that will defeat the
|
277
|
+
# purpose of this check. (See OpenID Authentication 2.0 section 11.1.)
|
278
|
+
#
|
279
|
+
# If the return_to URL check fails, the status of the completion will be
|
280
|
+
# FAILURE.
|
281
|
+
|
282
|
+
#
|
283
|
+
# Returns a subclass of Response. The type of response is
|
284
|
+
# indicated by the status attribute, which will be one of
|
285
|
+
# SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
|
286
|
+
def complete(query, current_url)
|
287
|
+
message = Message.from_post_args(query)
|
288
|
+
mode = message.get_arg(OPENID_NS, "mode", "invalid")
|
289
|
+
begin
|
290
|
+
meth = method("complete_" + mode)
|
291
|
+
rescue NameError
|
292
|
+
meth = method(:complete_invalid)
|
293
|
+
end
|
294
|
+
response = meth.call(message, current_url)
|
295
|
+
cleanup_last_requested_endpoint
|
296
|
+
cleanup_session if [SUCCESS, CANCEL].member?(response.status)
|
297
|
+
response
|
298
|
+
end
|
299
|
+
|
300
|
+
protected
|
301
|
+
|
302
|
+
def session_get(name)
|
303
|
+
@session[session_key(name)]
|
304
|
+
end
|
305
|
+
|
306
|
+
def session_set(name, val)
|
307
|
+
@session[session_key(name)] = val
|
308
|
+
end
|
309
|
+
|
310
|
+
def session_key(suffix)
|
311
|
+
@session_key_prefix + suffix
|
312
|
+
end
|
313
|
+
|
314
|
+
def last_requested_endpoint
|
315
|
+
session_get("last_requested_endpoint")
|
316
|
+
end
|
317
|
+
|
318
|
+
def last_requested_endpoint=(endpoint)
|
319
|
+
session_set("last_requested_endpoint", endpoint)
|
320
|
+
end
|
321
|
+
|
322
|
+
def cleanup_last_requested_endpoint
|
323
|
+
@session[session_key("last_requested_endpoint")] = nil
|
324
|
+
end
|
325
|
+
|
326
|
+
def discovery_manager(openid_identifier)
|
327
|
+
DiscoveryManager.new(@origin_session, openid_identifier, @session_key_prefix)
|
328
|
+
end
|
329
|
+
|
330
|
+
def cleanup_session
|
331
|
+
discovery_manager(nil).cleanup(true)
|
332
|
+
end
|
333
|
+
|
334
|
+
def discover(identifier)
|
335
|
+
OpenID.discover(identifier)
|
336
|
+
end
|
337
|
+
|
338
|
+
def negotiator
|
339
|
+
DefaultNegotiator
|
340
|
+
end
|
341
|
+
|
342
|
+
def association_manager(service)
|
343
|
+
AssociationManager.new(
|
344
|
+
@store,
|
345
|
+
service.server_url,
|
346
|
+
service.compatibility_mode,
|
347
|
+
negotiator,
|
348
|
+
)
|
349
|
+
end
|
350
|
+
|
351
|
+
def handle_idres(message, current_url)
|
352
|
+
IdResHandler.new(message, current_url, @store, last_requested_endpoint)
|
353
|
+
end
|
354
|
+
|
355
|
+
def complete_invalid(message, _unused_return_to)
|
356
|
+
mode = message.get_arg(OPENID_NS, "mode", "<No mode set>")
|
357
|
+
FailureResponse.new(
|
358
|
+
last_requested_endpoint,
|
359
|
+
"Invalid openid.mode: #{mode}",
|
360
|
+
)
|
361
|
+
end
|
362
|
+
|
363
|
+
def complete_cancel(_unused_message, _unused_return_to)
|
364
|
+
CancelResponse.new(last_requested_endpoint)
|
365
|
+
end
|
366
|
+
|
367
|
+
def complete_error(message, _unused_return_to)
|
368
|
+
error = message.get_arg(OPENID_NS, "error")
|
369
|
+
contact = message.get_arg(OPENID_NS, "contact")
|
370
|
+
reference = message.get_arg(OPENID_NS, "reference")
|
371
|
+
|
372
|
+
FailureResponse.new(
|
373
|
+
last_requested_endpoint,
|
374
|
+
error,
|
375
|
+
contact,
|
376
|
+
reference,
|
377
|
+
)
|
378
|
+
end
|
379
|
+
|
380
|
+
def complete_setup_needed(message, _unused_return_to)
|
381
|
+
return complete_invalid(message, nil) if message.is_openid1
|
382
|
+
|
383
|
+
setup_url = message.get_arg(OPENID2_NS, "user_setup_url")
|
384
|
+
SetupNeededResponse.new(last_requested_endpoint, setup_url)
|
385
|
+
end
|
386
|
+
|
387
|
+
def complete_id_res(message, current_url)
|
388
|
+
if message.is_openid1
|
389
|
+
setup_url = message.get_arg(OPENID_NS, "user_setup_url")
|
390
|
+
return SetupNeededResponse.new(last_requested_endpoint, setup_url) unless setup_url.nil?
|
391
|
+
end
|
392
|
+
|
393
|
+
begin
|
394
|
+
idres = handle_idres(message, current_url)
|
395
|
+
rescue OpenIDError => e
|
396
|
+
FailureResponse.new(last_requested_endpoint, e.message)
|
397
|
+
else
|
398
|
+
SuccessResponse.new(
|
399
|
+
idres.endpoint,
|
400
|
+
message,
|
401
|
+
idres.signed_fields,
|
402
|
+
)
|
403
|
+
end
|
404
|
+
end
|
405
|
+
end
|
406
|
+
end
|
@@ -0,0 +1,112 @@
|
|
1
|
+
# stdlib
|
2
|
+
require "digest/sha1"
|
3
|
+
require "digest/sha2"
|
4
|
+
begin
|
5
|
+
require "openssl"
|
6
|
+
rescue LoadError
|
7
|
+
begin
|
8
|
+
# Try loading the ruby-hmac files if they exist
|
9
|
+
require "hmac-sha1"
|
10
|
+
require "hmac-sha2"
|
11
|
+
rescue LoadError
|
12
|
+
# Nothing exists use included hmac files
|
13
|
+
require_relative "../hmac/sha1"
|
14
|
+
require_relative "../hmac/sha2"
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
# This library
|
19
|
+
require_relative "util"
|
20
|
+
|
21
|
+
module OpenID
|
22
|
+
# This module contains everything needed to perform low-level
|
23
|
+
# cryptograph and data manipulation tasks.
|
24
|
+
module CryptUtil
|
25
|
+
# Generate a random number, doing a little extra work to make it
|
26
|
+
# more likely that it's suitable for cryptography. If your system
|
27
|
+
# doesn't have /dev/urandom then this number is not
|
28
|
+
# cryptographically safe. See
|
29
|
+
# <http://www.cosine.org/2007/08/07/security-ruby-kernel-rand/>
|
30
|
+
# for more information. max is the largest possible value of such
|
31
|
+
# a random number, where the result will be less than max.
|
32
|
+
def self.rand(max)
|
33
|
+
Kernel.srand
|
34
|
+
Kernel.rand(max)
|
35
|
+
end
|
36
|
+
|
37
|
+
def self.sha1(text)
|
38
|
+
Digest::SHA1.digest(text)
|
39
|
+
end
|
40
|
+
|
41
|
+
def self.hmac_sha1(key, text)
|
42
|
+
return HMAC::SHA1.digest(key, text) unless defined? OpenSSL
|
43
|
+
|
44
|
+
OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), key, text)
|
45
|
+
end
|
46
|
+
|
47
|
+
def self.sha256(text)
|
48
|
+
Digest::SHA256.digest(text)
|
49
|
+
end
|
50
|
+
|
51
|
+
def self.hmac_sha256(key, text)
|
52
|
+
return HMAC::SHA256.digest(key, text) unless defined? OpenSSL
|
53
|
+
|
54
|
+
OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key, text)
|
55
|
+
end
|
56
|
+
|
57
|
+
# Generate a random string of the given length, composed of the
|
58
|
+
# specified characters. If chars is nil, generate a string
|
59
|
+
# composed of characters in the range 0..255.
|
60
|
+
def self.random_string(length, chars = nil)
|
61
|
+
s = ""
|
62
|
+
|
63
|
+
if chars.nil?
|
64
|
+
length.times { s << rand(256).chr }
|
65
|
+
else
|
66
|
+
length.times { s << chars[rand(chars.length)] }
|
67
|
+
end
|
68
|
+
s
|
69
|
+
end
|
70
|
+
|
71
|
+
# Convert a number to its binary representation; return a string
|
72
|
+
# of bytes.
|
73
|
+
def self.num_to_binary(n)
|
74
|
+
bits = n.to_s(2)
|
75
|
+
prepend = (8 - bits.length % 8)
|
76
|
+
bits = ("0" * prepend) + bits
|
77
|
+
[bits].pack("B*")
|
78
|
+
end
|
79
|
+
|
80
|
+
# Convert a string of bytes into a number.
|
81
|
+
def self.binary_to_num(s)
|
82
|
+
# taken from openid-ruby 0.0.1
|
83
|
+
s = "\000" * (4 - (s.length % 4)) + s
|
84
|
+
num = 0
|
85
|
+
s.unpack("N*").each do |x|
|
86
|
+
num <<= 32
|
87
|
+
num |= x
|
88
|
+
end
|
89
|
+
num
|
90
|
+
end
|
91
|
+
|
92
|
+
# Encode a number as a base64-encoded byte string.
|
93
|
+
def self.num_to_base64(l)
|
94
|
+
OpenID::Util.to_base64(num_to_binary(l))
|
95
|
+
end
|
96
|
+
|
97
|
+
# Decode a base64 byte string to a number.
|
98
|
+
def self.base64_to_num(s)
|
99
|
+
binary_to_num(OpenID::Util.from_base64(s))
|
100
|
+
end
|
101
|
+
|
102
|
+
def self.const_eq(s1, s2)
|
103
|
+
return false if s1.length != s2.length
|
104
|
+
|
105
|
+
result = true
|
106
|
+
s1.length.times do |i|
|
107
|
+
result &= (s1[i] == s2[i])
|
108
|
+
end
|
109
|
+
result
|
110
|
+
end
|
111
|
+
end
|
112
|
+
end
|