Module: OpenID::TrustRoot

Defined in:

lib/openid/trustroot.rb

Defined Under Namespace

Classes: TrustRoot

Constant Summary

TOP_LEVEL_DOMAINS =

%w[
  ac
  ad
  ae
  aero
  af
  ag
  ai
  al
  am
  an
  ao
  aq
  ar
  arpa
  as
  asia
  at
  au
  aw
  ax
  az
  ba
  bb
  bd
  be
  bf
  bg
  bh
  bi
  biz
  bj
  bm
  bn
  bo
  br
  bs
  bt
  bv
  bw
  by
  bz
  ca
  cat
  cc
  cd
  cf
  cg
  ch
  ci
  ck
  cl
  cm
  cn
  co
  com
  coop
  cr
  cu
  cv
  cx
  cy
  cz
  de
  dj
  dk
  dm
  do
  dz
  ec
  edu
  ee
  eg
  er
  es
  et
  eu
  fi
  fj
  fk
  fm
  fo
  fr
  ga
  gb
  gd
  ge
  gf
  gg
  gh
  gi
  gl
  gm
  gn
  gov
  gp
  gq
  gr
  gs
  gt
  gu
  gw
  gy
  hk
  hm
  hn
  hr
  ht
  hu
  id
  ie
  il
  im
  in
  info
  int
  io
  iq
  ir
  is
  it
  je
  jm
  jo
  jobs
  jp
  ke
  kg
  kh
  ki
  km
  kn
  kp
  kr
  kw
  ky
  kz
  la
  lb
  lc
  li
  lk
  lr
  ls
  lt
  lu
  lv
  ly
  ma
  mc
  md
  me
  mg
  mh
  mil
  mk
  ml
  mm
  mn
  mo
  mobi
  mp
  mq
  mr
  ms
  mt
  mu
  museum
  mv
  mw
  mx
  my
  mz
  na
  name
  nc
  ne
  net
  nf
  ng
  ni
  nl
  no
  np
  nr
  nu
  nz
  om
  org
  pa
  pe
  pf
  pg
  ph
  pk
  pl
  pm
  pn
  pr
  pro
  ps
  pt
  pw
  py
  qa
  re
  ro
  rs
  ru
  rw
  sa
  sb
  sc
  sd
  se
  sg
  sh
  si
  sj
  sk
  sl
  sm
  sn
  so
  sr
  st
  su
  sv
  sy
  sz
  tc
  td
  tel
  tf
  tg
  th
  tj
  tk
  tl
  tm
  tn
  to
  tp
  tr
  travel
  tt
  tv
  tw
  tz
  ua
  ug
  uk
  us
  uy
  uz
  va
  vc
  ve
  vg
  vi
  vn
  vu
  wf
  ws
  xn--0zwm56d
  xn--11b5bs3a9aj6g
  xn--80akhbyknj4f
  xn--9t4b11yi5a
  xn--deba0ad
  xn--g6w251d
  xn--hgbk6aj7f53bba
  xn--hlcj6aya9esc7a
  xn--jxalpdlp
  xn--kgbechtv
  xn--zckzah
  ye
  yt
  yu
  za
  zm
  zw
]

ALLOWED_PROTOCOLS =

%w[http https]

RP_RETURN_TO_URL_TYPE =

The URI for relying party discovery, used in realm verification.

XXX: This should probably live somewhere else (like in OpenID or OpenID::Yadis somewhere)

"http://specs.openid.net/auth/2.0/return_to"

Class Method Summary

• ._extract_return_url(endpoint) ⇒ Object

  If the endpoint is a relying party OpenID return_to endpoint, return the endpoint URL.

• .get_allowed_return_urls(relying_party_url) ⇒ Object

  Given a relying party discovery URL return a list of return_to URLs.

• .return_to_matches(allowed_return_to_urls, return_to) ⇒ Object

  Is the return_to URL under one of the supplied allowed return_to URLs?.

• .verify_return_to(realm_str, return_to, _vrfy = nil) ⇒ Object

  Verify that a return_to URL is valid for the given realm.

Class Method Details

._extract_return_url(endpoint) ⇒ Object

If the endpoint is a relying party OpenID return_to endpoint, return the endpoint URL. Otherwise, return None.

This function is intended to be used as a filter for the Yadis filtering interface.

endpoint: An XRDS BasicServiceEndpoint, as returned by performing Yadis dicovery.

returns the endpoint URL or None if the endpoint is not a relying party endpoint.

# File 'lib/openid/trustroot.rb', line 324

def self._extract_return_url(endpoint)
  return endpoint.uri if endpoint.matchTypes([RP_RETURN_TO_URL_TYPE])

  nil
end

.get_allowed_return_urls(relying_party_url) ⇒ Object

Given a relying party discovery URL return a list of return_to URLs.

# File 'lib/openid/trustroot.rb', line 358

def self.get_allowed_return_urls(relying_party_url)
  rp_url_after_redirects, return_to_urls = services.get_service_endpoints(
    relying_party_url, _extract_return_url
  )

  if rp_url_after_redirects != relying_party_url
    # Verification caused a redirect
    raise RealmVerificationRedirected.new(
      relying_party_url, rp_url_after_redirects
    )
  end

  return_to_urls
end

.return_to_matches(allowed_return_to_urls, return_to) ⇒ Object

Is the return_to URL under one of the supplied allowed return_to URLs?

# File 'lib/openid/trustroot.rb', line 332

def self.return_to_matches(allowed_return_to_urls, return_to)
  allowed_return_to_urls.each do |allowed_return_to|
    # A return_to pattern works the same as a realm, except that
    # it's not allowed to use a wildcard. We'll model this by
    # parsing it as a realm, and not trying to match it if it has
    # a wildcard.

    return_realm = TrustRoot.parse(allowed_return_to)
    if !return_realm.nil? and

        # Does not have a wildcard
        !return_realm.wildcard and

        # Matches the return_to that we passed in with it
        return_realm.validate_url(return_to) # Parses as a trust root

      return true
    end
  end

  # No URL in the list matched
  false
end

.verify_return_to(realm_str, return_to, _vrfy = nil) ⇒ Object

Verify that a return_to URL is valid for the given realm.

This function builds a discovery URL, performs Yadis discovery on it, makes sure that the URL does not redirect, parses out the return_to URLs, and finally checks to see if the current return_to URL matches the return_to.

raises DiscoveryFailure when Yadis discovery fails returns true if the return_to URL is valid for the realm

Raises:

• (ArgumentError)

# File 'lib/openid/trustroot.rb', line 382

def self.verify_return_to(realm_str, return_to, _vrfy = nil)
  # _vrfy parameter is there to make testing easier
  _vrfy = method(:get_allowed_return_urls) if _vrfy.nil?

  raise ArgumentError, "_vrfy must be a Proc or Method" unless _vrfy.is_a?(Proc) or _vrfy.is_a?(Method)

  realm = TrustRoot.parse(realm_str)
  if realm.nil?
    # The realm does not parse as a URL pattern
    return false
  end

  begin
    allowable_urls = _vrfy.call(realm.build_discovery_url)
  rescue RealmVerificationRedirected => e
    Util.log(e.to_s)
    return false
  end

  return true if return_to_matches(allowable_urls, return_to)

  Util.log("Failed to validate return_to #{return_to} for " +
      "realm #{realm_str}, was not in #{allowable_urls}")
  false
end