Class: OpenID::Consumer

Inherits:

Object

• Object
• OpenID::Consumer

Includes:

OpenID

Defined in:

lib/openid/consumer.rb

Overview

class SimpleHTTPClient

Constant Summary

Constants included from OpenID

DEFAULT_DH_GEN, DEFAULT_DH_MODULUS, SECRET_SIZES

Instance Method Summary

• #_dumb_auth(server_url, now, req) ⇒ Object
• #determine_server_url(req) ⇒ Object
• #do_cancel(req) ⇒ Object
• #do_error(req) ⇒ Object

  Handle an error from the server.

• #do_id_res(req) ⇒ Object
• #find_server(url) ⇒ Object

  Returns identity_url, server_url or nil if no server is found.

• #handle_request(url, return_to, trust_root = nil, immediate = false) ⇒ Object

  Returns the url to redirect to or nil if no identity is found.

• #handle_response(req) ⇒ Object

  Handles an OpenID GET request with openid.mode in the arguments.

• #initialize(http_client = SimpleHTTPClient.new(), association_manager = DumbAssociationManager.new()) ⇒ Consumer constructor

  Takes an http_client and an association_manager.

• #verify_return_to(req) ⇒ Object

  This is called before the consumer makes a check_authentication call to the server.

Methods included from OpenID

#append_args, #error_page, #from_btwoc, #normalize_url, #parse_kv, #parse_link_attrs, #quote_minimal, #redirect, #response_page, #sign_reply, #url_encode

Constructor Details

#initialize(http_client = SimpleHTTPClient.new(), association_manager = DumbAssociationManager.new()) ⇒ Consumer

Takes an http_client and an association_manager. Will create some automatically if none are passed in.

# File 'lib/openid/consumer.rb', line 63

def initialize(http_client = SimpleHTTPClient.new(), association_manager = DumbAssociationManager.new())
  @http_client = http_client
  @association_manager = association_manager
end

Instance Method Details

#_dumb_auth(server_url, now, req) ⇒ Object

# File 'lib/openid/consumer.rb', line 140

def _dumb_auth(server_url, now, req)
  if !verify_return_to(req)
    raise ValueMismatchError, "return_to is not valid", caller
  end
  check_args = {}
  req.args.each { |k, v| check_args[k] = v if k.index('openid.') == 0 }
  check_args['openid.mode'] = 'check_authentication'
  body = url_encode(check_args)
  url, data = @http_client.post(server_url, body)
  results = parse_kv(data)
  lifetime = results['lifetime'].to_i
  if lifetime
    invalidate_handle = results['invalidate_handle']
    if invalidate_handle
      @association_manager.invalidate(server_url, invalidate_handle)
    end
    return now + lifetime
  else
    raise ValueMismatchError, 'Server failed to validate signature', caller
  end
end

#determine_server_url(req) ⇒ Object

# File 'lib/openid/consumer.rb', line 110

def determine_server_url(req)
  identity, server_url = find_server(req['identity'])
  if req['identity'] != identity
    raise ValueMismatchError, "ID URL #{req['identity']} seems to have moved: #{identity}", caller
  end
  return server_url
end

#do_cancel(req) ⇒ Object

Raises:

• (UserCancelled)

# File 'lib/openid/consumer.rb', line 191

def do_cancel(req)
  raise UserCancelled
end

#do_error(req) ⇒ Object

Handle an error from the server

# File 'lib/openid/consumer.rb', line 182

def do_error(req)
  error = req.get('error')
  if error
    raise ProtocolError, "Server Response: #{error}", caller
  else
    raise ProtocolError, "Unspecified Server Error: #{req.args}", caller
  end
end

#do_id_res(req) ⇒ Object

Raises:

• (UserSetupNeeded)

# File 'lib/openid/consumer.rb', line 162

def do_id_res(req)
  now = Time.now
  user_setup_url = req.get('user_setup_url')
  raise UserSetupNeeded, user_setup_url, caller if user_setup_url
  server_url = determine_server_url(req)
  assoc = @association_manager.get_association(server_url, req['assoc_handle'])
  if assoc == nil
    return _dumb_auth(server_url, now, req)
  end
  sig = req.get('sig')
  signed_fields = req.get('signed').strip.split(',')
  signed, v_sig = sign_reply(req.args, assoc.secret, signed_fields)
  if v_sig != sig
    raise ValueMismatchError, "Signatures did not match: #{req.args}, #{v_sig}, #{assoc.secret}", caller
  end
  issued = DateTime.strptime(req.get('issued')).to_time
  valid_to = [assoc.expiry, DateTime.strptime(req.get('valid_to')).to_time].min
  return now + (valid_to - issued)
end

#find_server(url) ⇒ Object

Returns identity_url, server_url or nil if no server is found.

# File 'lib/openid/consumer.rb', line 119

def find_server(url)
  identity, data = @http_client.get(url)
  identity = identity.to_s
  server = nil
  delegate = nil
  parse_link_attrs(data) { |link|
    rel = link['rel']
    if rel == 'openid.server' and server == nil
      href = link['href']
      server = href if href
    end
    if rel == 'openid.delegate' and delegate == nil
      href = link['href']
      delegate = href if href
    end
  }
  return nil if !server
  identity = delegate if delegate
  return normalize_url(identity), normalize_url(server)
end

#handle_request(url, return_to, trust_root = nil, immediate = false) ⇒ Object

Returns the url to redirect to or nil if no identity is found

# File 'lib/openid/consumer.rb', line 68

def handle_request(url, return_to, trust_root = nil, immediate = false)
  url = normalize_url(url)
  
  server_info = find_server(url)
  return nil if server_info == nil
  identity, server_url = server_info
  redir_args = { 'openid.identity' => identity, 'openid.return_to' => return_to}
  
  redir_args['openid.trust_root'] = trust_root if trust_root
  
  if immediate
    mode = 'checkid_immediate'
  else
    mode = 'checkid_setup'
  end
  
  redir_args['openid.mode'] = mode
  assoc_handle = @association_manager.associate(server_url)
  if assoc_handle
    redir_args['openid.assoc_handle'] = assoc_handle
  end
  
  return append_args(server_url, redir_args).to_s
end

#handle_response(req) ⇒ Object

Handles an OpenID GET request with openid.mode in the arguments. req should be a Request instance, properly initialized with the http arguments given, and the http method used to make the request. Returns the expiry time of the session as a Time.

Will raise a ProtocolError if the http_method is not GET, or the request mode is unknown.

# File 'lib/openid/consumer.rb', line 99

def handle_response(req)
  if req.http_method != 'GET'
    raise ProtocolError, "Expected HTTP Method 'GET', got #{req.http_method}", caller
  end
  begin
    return __send__('do_' + req['mode'], req)
  rescue NoMethodError
    raise ProtocolError, "Unknown Mode: #{req['mode']}", caller
  end
end

#verify_return_to(req) ⇒ Object

This is called before the consumer makes a check_authentication call to the server. It can be used to verify that the request being authenticated is valid by confirming that the openid.return_to value signed by the server corresponds to this consumer. The full OpenID::Request object is passed in. Should return true if the return_to field corresponds to this consumer, false otherwise. The default function performs no check and returns true.

# File 'lib/openid/consumer.rb', line 201

def verify_return_to(req)
  return true  
end