require 'uri' require 'openid/extensions/sreg' require 'openid/extensions/ax' require 'openid/store/filesystem' require File.dirname(__FILE__) + '/open_id_authentication/association' require File.dirname(__FILE__) + '/open_id_authentication/nonce' require File.dirname(__FILE__) + '/open_id_authentication/db_store' require File.dirname(__FILE__) + '/open_id_authentication/mem_cache_store' require File.dirname(__FILE__) + '/open_id_authentication/request' require File.dirname(__FILE__) + '/open_id_authentication/timeout_fixes' if OpenID::VERSION == "2.0.4" module OpenIdAuthentication OPEN_ID_AUTHENTICATION_DIR = RAILS_ROOT + "/tmp/openids" def self.store @@store end def self.store=(*store_option) store, *parameters = *([ store_option ].flatten) @@store = case store when :db OpenIdAuthentication::DbStore.new when :mem_cache OpenIdAuthentication::MemCacheStore.new(*parameters) when :file OpenID::Store::Filesystem.new(OPEN_ID_AUTHENTICATION_DIR) else raise "Unknown store: #{store}" end end self.store = :db class InvalidOpenId < StandardError end class Result ERROR_MESSAGES = { :missing => "Sorry, the OpenID server couldn't be found", :invalid => "Sorry, but this does not appear to be a valid OpenID", :canceled => "OpenID verification was canceled", :failed => "OpenID verification failed", :setup_needed => "OpenID verification needs setup" } def self.[](code) new(code) end def initialize(code) @code = code end def status @code end ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } } def successful? @code == :successful end def unsuccessful? ERROR_MESSAGES.keys.include?(@code) end def message ERROR_MESSAGES[@code] end end # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization def self.normalize_identifier(identifier) # clean up whitespace identifier = identifier.to_s.strip # if an XRI has a prefix, strip it. identifier.gsub!(/xri:\/\//i, '') # dodge XRIs -- TODO: validate, don't just skip. unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0)) # does it begin with http? if not, add it. identifier = "http://#{identifier}" unless identifier =~ /^http/i # strip any fragments identifier.gsub!(/\#(.*)$/, '') begin uri = URI.parse(identifier) uri.scheme = uri.scheme.downcase # URI should do this identifier = uri.normalize.to_s rescue URI::InvalidURIError raise InvalidOpenId.new("#{identifier} is not an OpenID identifier") end end return identifier end # deprecated for OpenID 2.0, where not all OpenIDs are URLs def self.normalize_url(url) ActiveSupport::Deprecation.warn "normalize_url has been deprecated, use normalize_identifier instead" self.normalize_identifier(url) end protected def normalize_url(url) OpenIdAuthentication.normalize_url(url) end def normalize_identifier(url) OpenIdAuthentication.normalize_identifier(url) end # The parameter name of "openid_identifier" is used rather than the Rails convention "open_id_identifier" # because that's what the specification dictates in order to get browser auto-complete working across sites def using_open_id?(identity_url = nil) #:doc: identity_url ||= params[:openid_identifier] || params[:openid_url] !identity_url.blank? || params[:open_id_complete] end def authenticate_with_open_id(identity_url = nil, options = {}, &block) #:doc: identity_url ||= params[:openid_identifier] || params[:openid_url] if params[:open_id_complete].nil? begin_open_id_authentication(identity_url, options, &block) else complete_open_id_authentication(&block) end end private def begin_open_id_authentication(identity_url, options = {}) identity_url = normalize_identifier(identity_url) return_to = options.delete(:return_to) method = options.delete(:method) options[:required] ||= [] # reduces validation later options[:optional] ||= [] open_id_request = open_id_consumer.begin(identity_url) add_simple_registration_fields(open_id_request, options) add_ax_fields(open_id_request, options) redirect_to(open_id_redirect_url(open_id_request, return_to, method)) rescue OpenIdAuthentication::InvalidOpenId => e yield Result[:invalid], identity_url, nil rescue OpenID::OpenIDError, Timeout::Error => e logger.error("[OPENID] #{e}") yield Result[:missing], identity_url, nil end def complete_open_id_authentication params_with_path = params.reject { |key, value| request.path_parameters[key] } params_with_path.delete(:format) open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) } identity_url = normalize_identifier(open_id_response.display_identifier) if open_id_response.display_identifier case open_id_response.status when OpenID::Consumer::SUCCESS profile_data = {} # merge the SReg data and the AX data into a single hash of profile data [ OpenID::SReg::Response, OpenID::AX::FetchResponse ].each do |data_response| if data_response.from_success_response( open_id_response ) profile_data.merge! data_response.from_success_response( open_id_response ).data end end yield Result[:successful], identity_url, profile_data when OpenID::Consumer::CANCEL yield Result[:canceled], identity_url, nil when OpenID::Consumer::FAILURE yield Result[:failed], identity_url, nil when OpenID::Consumer::SETUP_NEEDED yield Result[:setup_needed], open_id_response.setup_url, nil end end def open_id_consumer OpenID::Consumer.new(session, OpenIdAuthentication.store) end def add_simple_registration_fields(open_id_request, fields) sreg_request = OpenID::SReg::Request.new # filter out AX identifiers (URIs) required_fields = fields[:required].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact optional_fields = fields[:optional].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact sreg_request.request_fields(required_fields, true) unless required_fields.blank? sreg_request.request_fields(optional_fields, false) unless optional_fields.blank? sreg_request.policy_url = fields[:policy_url] if fields[:policy_url] open_id_request.add_extension(sreg_request) end def add_ax_fields( open_id_request, fields ) ax_request = OpenID::AX::FetchRequest.new # look through the :required and :optional fields for URIs (AX identifiers) fields[:required].each do |f| next unless f =~ /^https?:\/\// ax_request.add( OpenID::AX::AttrInfo.new( f, nil, true ) ) end fields[:optional].each do |f| next unless f =~ /^https?:\/\// ax_request.add( OpenID::AX::AttrInfo.new( f, nil, false ) ) end open_id_request.add_extension( ax_request ) end def open_id_redirect_url(open_id_request, return_to = nil, method = nil) open_id_request.return_to_args['_method'] = (method || request.method).to_s open_id_request.return_to_args['open_id_complete'] = '1' open_id_request.redirect_url(root_url, return_to || requested_url) end def requested_url relative_url_root = self.class.respond_to?(:relative_url_root) ? self.class.relative_url_root.to_s : request.relative_url_root "#{request.protocol}#{request.host_with_port}#{ActionController::Base.relative_url_root}#{request.path}" end def timeout_protection_from_identity_server yield rescue Timeout::Error Class.new do def status OpenID::FAILURE end def msg "Identity server timed out" end end.new end end