Class: OpenID::GoogleDiscovery

Inherits:

Object

• Object
• OpenID::GoogleDiscovery

Defined in:

lib/warden-googleapps/gapps_openid.rb

Overview

Handles the bulk of Google’s modified discovery prototcol See groups.google.com/group/google-federated-login-api/web/openid-discovery-for-hosted-domains

Constant Summary

NAMESPACES =

{
  'xrds' => 'xri://$xrd*($v*2.0)',
  'xrd' => 'xri://$xrds',
  'openid' => 'http://namespace.google.com/openid/xmlns'
}

Instance Method Summary

• #discover_site(domain) ⇒ Object

  Handles discovery for a domain.

• #discover_user(domain, claimed_id) ⇒ Object

  Handles discovery for a user’s claimed ID.

• #fetch_host_meta(domain) ⇒ Object

  Kickstart the discovery process by checking against Google’s well-known location for hosted domains.

• #fetch_xrds(authority, url, cache = true) ⇒ Object

  Fetches the XRDS and verifies the signature and authority for the doc.

• #get_cache(key) ⇒ Object
• #get_user_xrds_url(xrds, claimed_id) ⇒ Object

  Process the URITemplate in the XRDS to derive the location of the claimed id’s XRDS.

• #perform_discovery(uri) ⇒ Object

  Main entry point for discovery.

• #put_cache(key, item) ⇒ Object

Instance Method Details

#discover_site(domain) ⇒ Object

Handles discovery for a domain

# File 'lib/warden-googleapps/gapps_openid.rb', line 113

def discover_site(domain)
  url = fetch_host_meta(domain)
  if url.nil?
    return nil # Not a Google Apps domain
  end
  xrds = fetch_xrds(domain, url)
  unless xrds.nil?
      endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(domain, xrds)
      return [domain, OpenID.get_op_or_user_services(endpoints)]
  end
  return nil
end

#discover_user(domain, claimed_id) ⇒ Object

Handles discovery for a user’s claimed ID.

# File 'lib/warden-googleapps/gapps_openid.rb', line 98

def discover_user(domain, claimed_id)
  url = fetch_host_meta(domain)
  if url.nil?
    return nil # Not a Google Apps domain
  end
  xrds = fetch_xrds(domain, url)
  user_url, authority = get_user_xrds_url(xrds, claimed_id)
  user_xrds = fetch_xrds(authority, user_url, false)
  return if user_xrds.nil?

  endpoints = OpenID::OpenIDServiceEndpoint.from_xrds(claimed_id, user_xrds)
  return [claimed_id, OpenID.get_op_or_user_services(endpoints)]
end

#fetch_host_meta(domain) ⇒ Object

Kickstart the discovery process by checking against Google’s well-known location for hosted domains. This gives us the location of the site’s XRDS doc

# File 'lib/warden-googleapps/gapps_openid.rb', line 128

def fetch_host_meta(domain)
  cached_value = get_cache(domain)
  return cached_value unless cached_value.nil?

  host_meta_url = "https://www.google.com/accounts/o8/.well-known/host-meta?hd=#{CGI::escape(domain)}"
  http_resp = OpenID.fetch(host_meta_url)
  if http_resp.code != "200" and http_resp.code != "206"
    return nil
  end
  matches = /Link: <(.*)>/.match( http_resp.body )
  if matches.nil?
    return nil
  end
  put_cache(domain, matches[1])
  return matches[1]
end

#fetch_xrds(authority, url, cache = true) ⇒ Object

Fetches the XRDS and verifies the signature and authority for the doc

# File 'lib/warden-googleapps/gapps_openid.rb', line 146

def fetch_xrds(authority, url, cache=true)
  return if url.nil?

  cached_xrds = get_cache(url)
  return cached_xrds unless cached_xrds.nil?

  http_resp = OpenID.fetch(url)
  return if http_resp.code != "200" and http_resp.code != "206"

  body = http_resp.body
  signature = http_resp["Signature"]
  signed_by = SimpleSign.verify(body, signature)
  if !signed_by.casecmp(authority) or !signed_by.casecmp('hosted-id.google.com')
    return false # Signed, but not by the right domain.
  end


  # Everything is OK
  if cache
    put_cache(url, body)
  end
  return body
end

#get_cache(key) ⇒ Object

# File 'lib/warden-googleapps/gapps_openid.rb', line 189

def get_cache(key)
  return nil if @@cache.nil?
  return @@cache.read("__GAPPS_OPENID__#{key}")
end

#get_user_xrds_url(xrds, claimed_id) ⇒ Object

Process the URITemplate in the XRDS to derive the location of the claimed id’s XRDS

# File 'lib/warden-googleapps/gapps_openid.rb', line 171

def get_user_xrds_url(xrds, claimed_id)
  types_to_match = ['http://www.iana.org/assignments/relation/describedby']
  services = OpenID::Yadis::apply_filter(claimed_id, xrds)
  services.each do | service |
    if service.match_types(types_to_match)
      template = REXML::XPath.first(service.service_element, '//openid:URITemplate', NAMESPACES)
      authority = REXML::XPath.first(service.service_element, '//openid:NextAuthority', NAMESPACES)
      url = template.text.gsub('{%uri}', CGI::escape(claimed_id))
      return [url, authority.text]
    end
  end
end

#perform_discovery(uri) ⇒ Object

Main entry point for discovery. Attempts to detect whether or not the URI is a raw domain name (‘mycompany.com’) vs. a user’s claimed ID (‘mycompany.com/openid?id=12345’) and performs the site or user discovery appropriately

# File 'lib/warden-googleapps/gapps_openid.rb', line 84

def perform_discovery(uri)
  begin
    parsed_uri = URI::parse(uri)
    if parsed_uri.scheme.nil?
      return discover_site(uri)
    end
    return discover_user(parsed_uri.host, uri)
  rescue
    # If we fail, just return nothing and fallback on default discovery mechanisms
    return nil
  end
end

#put_cache(key, item) ⇒ Object

# File 'lib/warden-googleapps/gapps_openid.rb', line 184

def put_cache(key, item)
  return if @@cache.nil?
  @@cache.write("__GAPPS_OPENID__#{key}", item)
end