ruby-openid2 3.0.0

data/lib/openid/extensions/oauth.rb

@@ -0,0 +1,88 @@
+# An implementation of the OpenID OAuth Extension
+# Extension 1.0
+# see: http://openid.net/specs/
+
+require_relative "../extension"
+
+module OpenID
+  module OAuth
+    NS_URI = "http://specs.openid.net/extensions/oauth/1.0"
+    # An OAuth token request, sent from a relying
+    # party to a provider
+    class Request < Extension
+      attr_accessor :consumer, :scope, :ns_alias, :ns_uri
+
+      def initialize(consumer = nil, scope = nil)
+        @ns_alias = "oauth"
+        @ns_uri = NS_URI
+        @consumer = consumer
+        @scope = scope
+      end
+
+      def get_extension_args
+        ns_args = {}
+        ns_args["consumer"] = @consumer if @consumer
+        ns_args["scope"] = @scope if @scope
+        ns_args
+      end
+
+      # Instantiate a Request object from the arguments in a
+      # checkid_* OpenID message
+      # return nil if the extension was not requested.
+      def self.from_openid_request(oid_req)
+        oauth_req = new
+        args = oid_req.message.get_args(NS_URI)
+        return if args == {}
+
+        oauth_req.parse_extension_args(args)
+        oauth_req
+      end
+
+      # Set the state of this request to be that expressed in these
+      # OAuth arguments
+      def parse_extension_args(args)
+        @consumer = args["consumer"]
+        @scope = args["scope"]
+      end
+    end
+
+    # A OAuth request token response, sent from a provider
+    # to a relying party
+    class Response < Extension
+      attr_accessor :request_token, :scope
+
+      def initialize(request_token = nil, scope = nil)
+        @ns_alias = "oauth"
+        @ns_uri = NS_URI
+        @request_token = request_token
+        @scope = scope
+      end
+
+      # Create a Response object from an OpenID::Consumer::SuccessResponse
+      def self.from_success_response(success_response)
+        args = success_response.get_signed_ns(NS_URI)
+        return if args.nil?
+
+        oauth_resp = new
+        oauth_resp.parse_extension_args(args)
+        oauth_resp
+      end
+
+      # parse the oauth request arguments into the
+      # internal state of this object
+      # if strict is specified, raise an exception when bad data is
+      # encountered
+      def parse_extension_args(args, _strict = false)
+        @request_token = args["request_token"]
+        @scope = args["scope"]
+      end
+
+      def get_extension_args
+        ns_args = {}
+        ns_args["request_token"] = @request_token if @request_token
+        ns_args["scope"] = @scope if @scope
+        ns_args
+      end
+    end
+  end
+end

data/lib/openid/extensions/pape.rb

@@ -0,0 +1,170 @@
+# An implementation of the OpenID Provider Authentication Policy
+# Extension 1.0
+# see: http://openid.net/specs/
+
+require_relative "../extension"
+
+module OpenID
+  module PAPE
+    NS_URI = "http://specs.openid.net/extensions/pape/1.0"
+    AUTH_MULTI_FACTOR_PHYSICAL =
+      "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical"
+    AUTH_MULTI_FACTOR =
+      "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
+    AUTH_PHISHING_RESISTANT =
+      "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant"
+    TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
+    # A Provider Authentication Policy request, sent from a relying
+    # party to a provider
+    class Request < Extension
+      attr_accessor :preferred_auth_policies, :max_auth_age, :ns_alias, :ns_uri
+
+      def initialize(preferred_auth_policies = [], max_auth_age = nil)
+        @ns_alias = "pape"
+        @ns_uri = NS_URI
+        @preferred_auth_policies = preferred_auth_policies
+        @max_auth_age = max_auth_age
+      end
+
+      # Add an acceptable authentication policy URI to this request
+      # This method is intended to be used by the relying party to add
+      # acceptable authentication types to the request.
+      def add_policy_uri(policy_uri)
+        return if @preferred_auth_policies.member?(policy_uri)
+
+        @preferred_auth_policies << policy_uri
+      end
+
+      def get_extension_args
+        ns_args = {
+          "preferred_auth_policies" => @preferred_auth_policies.join(" "),
+        }
+        ns_args["max_auth_age"] = @max_auth_age.to_s if @max_auth_age
+        ns_args
+      end
+
+      # Instantiate a Request object from the arguments in a
+      # checkid_* OpenID message
+      # return nil if the extension was not requested.
+      def self.from_openid_request(oid_req)
+        pape_req = new
+        args = oid_req.message.get_args(NS_URI)
+        return if args == {}
+
+        pape_req.parse_extension_args(args)
+        pape_req
+      end
+
+      # Set the state of this request to be that expressed in these
+      # PAPE arguments
+      def parse_extension_args(args)
+        @preferred_auth_policies = []
+        policies_str = args["preferred_auth_policies"]
+        if policies_str
+          policies_str.split(" ").each do |uri|
+            add_policy_uri(uri)
+          end
+        end
+
+        max_auth_age_str = args["max_auth_age"]
+        @max_auth_age = (max_auth_age_str.to_i if max_auth_age_str)
+      end
+
+      # Given a list of authentication policy URIs that a provider
+      # supports, this method returns the subset of those types
+      # that are preferred by the relying party.
+      def preferred_types(supported_types)
+        @preferred_auth_policies.select { |uri| supported_types.member?(uri) }
+      end
+    end
+
+    # A Provider Authentication Policy response, sent from a provider
+    # to a relying party
+    class Response < Extension
+      attr_accessor :ns_alias, :auth_policies, :auth_time, :nist_auth_level
+
+      def initialize(auth_policies = [], auth_time = nil, nist_auth_level = nil)
+        @ns_alias = "pape"
+        @ns_uri = NS_URI
+        @auth_policies = auth_policies
+        @auth_time = auth_time
+        @nist_auth_level = nist_auth_level
+      end
+
+      # Add a policy URI to the response
+      # see http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies
+      def add_policy_uri(policy_uri)
+        @auth_policies << policy_uri unless @auth_policies.member?(policy_uri)
+      end
+
+      # Create a Response object from an OpenID::Consumer::SuccessResponse
+      def self.from_success_response(success_response)
+        args = success_response.get_signed_ns(NS_URI)
+        return if args.nil?
+
+        pape_resp = new
+        pape_resp.parse_extension_args(args)
+        pape_resp
+      end
+
+      # parse the provider authentication policy arguments into the
+      # internal state of this object
+      # if strict is specified, raise an exception when bad data is
+      # encountered
+      def parse_extension_args(args, strict = false)
+        policies_str = args["auth_policies"]
+        @auth_policies = policies_str.split(" ") if policies_str and policies_str != "none"
+
+        nist_level_str = args["nist_auth_level"]
+        if nist_level_str
+          # special handling of zero to handle to_i behavior
+          if nist_level_str.strip == "0"
+            nist_level = 0
+          else
+            nist_level = nist_level_str.to_i
+            # if it's zero here we have a bad value
+            nist_level = nil if nist_level == 0
+          end
+          if nist_level and nist_level >= 0 and nist_level < 5
+            @nist_auth_level = nist_level
+          elsif strict
+            raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{nist_level_str.inspect}"
+          end
+        end
+
+        auth_time_str = args["auth_time"]
+        return unless auth_time_str
+
+        # validate time string
+        if TIME_VALIDATOR.match?(auth_time_str)
+          @auth_time = auth_time_str
+        elsif strict
+          raise ArgumentError, "auth_time must be in RFC3339 format"
+        end
+      end
+
+      def get_extension_args
+        ns_args = {}
+        ns_args["auth_policies"] = if @auth_policies.empty?
+          "none"
+        else
+          @auth_policies.join(" ")
+        end
+        if @nist_auth_level
+          unless (0..4).member?(@nist_auth_level)
+            raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{@nist_auth_level.inspect}"
+          end
+
+          ns_args["nist_auth_level"] = @nist_auth_level.to_s
+        end
+
+        if @auth_time
+          raise ArgumentError, "auth_time must be in RFC3339 format" unless TIME_VALIDATOR.match?(@auth_time)
+
+          ns_args["auth_time"] = @auth_time
+        end
+        ns_args
+      end
+    end
+  end
+end

data/lib/openid/extensions/sreg.rb

@@ -0,0 +1,268 @@
+require_relative "../extension"
+require_relative "../util"
+require_relative "../message"
+
+module OpenID
+  module SReg
+    DATA_FIELDS = {
+      "fullname" => "Full Name",
+      "nickname" => "Nickname",
+      "dob" => "Date of Birth",
+      "email" => "E-mail Address",
+      "gender" => "Gender",
+      "postcode" => "Postal Code",
+      "country" => "Country",
+      "language" => "Language",
+      "timezone" => "Time Zone",
+    }
+
+    NS_URI_1_0 = "http://openid.net/sreg/1.0"
+    NS_URI_1_1 = "http://openid.net/extensions/sreg/1.1"
+    NS_URI = NS_URI_1_1
+
+    begin
+      Message.register_namespace_alias(NS_URI_1_1, "sreg")
+    rescue NamespaceAliasRegistrationError => e
+      Util.log(e)
+    end
+
+    # raise ArgumentError if fieldname is not in the defined sreg fields
+    def OpenID.check_sreg_field_name(fieldname)
+      return if DATA_FIELDS.member?(fieldname)
+
+      raise ArgumentError, "#{fieldname} is not a defined simple registration field"
+    end
+
+    # Does the given endpoint advertise support for simple registration?
+    def OpenID.supports_sreg?(endpoint)
+      endpoint.uses_extension(NS_URI_1_1) || endpoint.uses_extension(NS_URI_1_0)
+    end
+
+    # Extract the simple registration namespace URI from the given
+    # OpenID message. Handles OpenID 1 and 2, as well as both sreg
+    # namespace URIs found in the wild, as well as missing namespace
+    # definitions (for OpenID 1)
+    def OpenID.get_sreg_ns(message)
+      [NS_URI_1_1, NS_URI_1_0].each do |ns|
+        return ns if message.namespaces.get_alias(ns)
+      end
+      # try to add an alias, since we didn't find one
+      ns = NS_URI_1_1
+      begin
+        message.namespaces.add_alias(ns, "sreg")
+      rescue IndexError
+        raise NamespaceError
+      end
+      ns
+    end
+
+    # The simple registration namespace was not found and could not
+    # be created using the expected name (there's another extension
+    # using the name 'sreg')
+    #
+    # This is not <em>illegal</em>, for OpenID 2, although it probably
+    # indicates a problem, since it's not expected that other extensions
+    # will re-use the alias that is in use for OpenID 1.
+    #
+    # If this is an OpenID 1 request, then there is no recourse. This
+    # should not happen unless some code has modified the namespaces for
+    # the message that is being processed.
+    class NamespaceError < ArgumentError
+    end
+
+    # An object to hold the state of a simple registration request.
+    class Request < Extension
+      attr_reader :optional, :required, :ns_uri
+      attr_accessor :policy_url
+
+      def initialize(required = nil, optional = nil, policy_url = nil, ns_uri = NS_URI)
+        super()
+
+        @policy_url = policy_url
+        @ns_uri = ns_uri
+        @ns_alias = "sreg"
+        @required = []
+        @optional = []
+
+        request_fields(required, true, true) if required
+        return unless optional
+
+        request_fields(optional, false, true)
+      end
+
+      # Create a simple registration request that contains the
+      # fields that were requested in the OpenID request with the
+      # given arguments
+      # Takes an OpenID::CheckIDRequest, returns an OpenID::Sreg::Request
+      # return nil if the extension was not requested.
+      def self.from_openid_request(request)
+        # Since we're going to mess with namespace URI mapping, don't
+        # mutate the object that was passed in.
+        message = request.message.copy
+        ns_uri = OpenID.get_sreg_ns(message)
+        args = message.get_args(ns_uri)
+        return if args == {}
+
+        req = new(nil, nil, nil, ns_uri)
+        req.parse_extension_args(args)
+        req
+      end
+
+      # Parse the unqualified simple registration request
+      # parameters and add them to this object.
+      #
+      # This method is essentially the inverse of
+      # getExtensionArgs. This method restores the serialized simple
+      # registration request fields.
+      #
+      # If you are extracting arguments from a standard OpenID
+      # checkid_* request, you probably want to use fromOpenIDRequest,
+      # which will extract the sreg namespace and arguments from the
+      # OpenID request. This method is intended for cases where the
+      # OpenID server needs more control over how the arguments are
+      # parsed than that method provides.
+      def parse_extension_args(args, strict = false)
+        required_items = args["required"]
+        unless required_items.nil? or required_items.empty?
+          required_items.split(",").each do |field_name|
+            request_field(field_name, true, strict)
+          rescue ArgumentError
+            raise if strict
+          end
+        end
+
+        optional_items = args["optional"]
+        unless optional_items.nil? or optional_items.empty?
+          optional_items.split(",").each do |field_name|
+            request_field(field_name, false, strict)
+          rescue ArgumentError
+            raise if strict
+          end
+        end
+        @policy_url = args["policy_url"]
+      end
+
+      # A list of all of the simple registration fields that were
+      # requested, whether they were required or optional.
+      def all_requested_fields
+        @required + @optional
+      end
+
+      # Have any simple registration fields been requested?
+      def were_fields_requested?
+        !all_requested_fields.empty?
+      end
+
+      # Request the specified field from the OpenID user
+      # field_name: the unqualified simple registration field name
+      # required: whether the given field should be presented
+      #        to the user as being a required to successfully complete
+      #        the request
+      # strict: whether to raise an exception when a field is
+      #        added to a request more than once
+      # Raises ArgumentError if the field_name is not a simple registration
+      # field, or if strict is set and a field is added more than once
+      def request_field(field_name, required = false, strict = false)
+        OpenID.check_sreg_field_name(field_name)
+
+        if strict
+          raise ArgumentError, "That field has already been requested" if (@required + @optional).member?(field_name)
+        else
+          return if @required.member?(field_name)
+
+          if @optional.member?(field_name)
+            return unless required
+
+            @optional.delete(field_name)
+
+          end
+        end
+        if required
+          @required << field_name
+        else
+          @optional << field_name
+        end
+      end
+
+      # Add the given list of fields to the request.
+      def request_fields(field_names, required = false, strict = false)
+        raise ArgumentError unless field_names.respond_to?(:each) and
+          field_names[0].is_a?(String)
+
+        field_names.each { |fn| request_field(fn, required, strict) }
+      end
+
+      # Get a hash of unqualified simple registration arguments
+      # representing this request.
+      # This method is essentially the inverse of parse_extension_args.
+      # This method serializes the simple registration request fields.
+      def get_extension_args
+        args = {}
+        args["required"] = @required.join(",") unless @required.empty?
+        args["optional"] = @optional.join(",") unless @optional.empty?
+        args["policy_url"] = @policy_url unless @policy_url.nil?
+        args
+      end
+
+      def member?(field_name)
+        all_requested_fields.member?(field_name)
+      end
+    end
+
+    # Represents the data returned in a simple registration response
+    # inside of an OpenID id_res response. This object will be
+    # created by the OpenID server, added to the id_res response
+    # object, and then extracted from the id_res message by the Consumer.
+    class Response < Extension
+      attr_reader :ns_uri, :data
+
+      def initialize(data = {}, ns_uri = NS_URI)
+        @ns_alias = "sreg"
+        @data = data
+        @ns_uri = ns_uri
+      end
+
+      # Take a Request and a hash of simple registration
+      # values and create a Response object containing that data.
+      def self.extract_response(request, data)
+        arf = request.all_requested_fields
+        resp_data = data.reject { |k, v| !arf.member?(k) || v.nil? }
+        new(resp_data, request.ns_uri)
+      end
+
+      # Create an Response object from an
+      # OpenID::Consumer::SuccessResponse from consumer.complete
+      # If you set the signed_only parameter to false, unsigned data from
+      # the id_res message from the server will be processed.
+      def self.from_success_response(success_response, signed_only = true)
+        ns_uri = OpenID.get_sreg_ns(success_response.message)
+        if signed_only
+          args = success_response.get_signed_ns(ns_uri)
+          return if args.nil? # No signed args, so fail
+        else
+          args = success_response.message.get_args(ns_uri)
+        end
+        args.reject! { |k, _v| !DATA_FIELDS.member?(k) }
+        new(args, ns_uri)
+      end
+
+      # Get the fields to put in the simple registration namespace
+      # when adding them to an id_res message.
+      def get_extension_args
+        @data
+      end
+
+      # Read-only hashlike interface.
+      # Raises an exception if the field name is bad
+      def [](field_name)
+        OpenID.check_sreg_field_name(field_name)
+        data[field_name]
+      end
+
+      def empty?
+        @data.empty?
+      end
+      # XXX is there more to a hashlike interface I should add?
+    end
+  end
+end

data/lib/openid/extensions/ui.rb

@@ -0,0 +1,49 @@
+# An implementation of the OpenID User Interface Extension 1.0 - DRAFT 0.5
+# see: http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html
+
+require_relative "../extension"
+
+module OpenID
+  module UI
+    NS_URI = "http://specs.openid.net/extensions/ui/1.0"
+
+    class Request < Extension
+      attr_accessor :lang, :icon, :mode, :ns_alias, :ns_uri
+
+      def initialize(mode = nil, icon = nil, lang = nil)
+        @ns_alias = "ui"
+        @ns_uri = NS_URI
+        @lang = lang
+        @icon = icon
+        @mode = mode
+      end
+
+      def get_extension_args
+        ns_args = {}
+        ns_args["lang"] = @lang if @lang
+        ns_args["icon"] = @icon if @icon
+        ns_args["mode"] = @mode if @mode
+        ns_args
+      end
+
+      # Instantiate a Request object from the arguments in a
+      # checkid_* OpenID message
+      # return nil if the extension was not requested.
+      def self.from_openid_request(oid_req)
+        ui_req = new
+        args = oid_req.message.get_args(NS_URI)
+        return if args == {}
+
+        ui_req.parse_extension_args(args)
+        ui_req
+      end
+
+      # Set UI extension parameters
+      def parse_extension_args(args)
+        @lang = args["lang"]
+        @icon = args["icon"]
+        @mode = args["mode"]
+      end
+    end
+  end
+end