Chris@0: require 'uri' Chris@0: require 'openid/extensions/sreg' Chris@0: require 'openid/extensions/ax' Chris@0: require 'openid/store/filesystem' Chris@0: Chris@0: require File.dirname(__FILE__) + '/open_id_authentication/db_store' Chris@0: require File.dirname(__FILE__) + '/open_id_authentication/mem_cache_store' Chris@0: require File.dirname(__FILE__) + '/open_id_authentication/request' Chris@0: require File.dirname(__FILE__) + '/open_id_authentication/timeout_fixes' if OpenID::VERSION == "2.0.4" Chris@0: Chris@0: module OpenIdAuthentication Chris@0: OPEN_ID_AUTHENTICATION_DIR = RAILS_ROOT + "/tmp/openids" Chris@0: Chris@0: def self.store Chris@0: @@store Chris@0: end Chris@0: Chris@0: def self.store=(*store_option) Chris@0: store, *parameters = *([ store_option ].flatten) Chris@0: Chris@0: @@store = case store Chris@0: when :db Chris@0: OpenIdAuthentication::DbStore.new Chris@0: when :mem_cache Chris@0: OpenIdAuthentication::MemCacheStore.new(*parameters) Chris@0: when :file Chris@0: OpenID::Store::Filesystem.new(OPEN_ID_AUTHENTICATION_DIR) Chris@0: else Chris@0: raise "Unknown store: #{store}" Chris@0: end Chris@0: end Chris@0: Chris@0: self.store = :db Chris@0: Chris@0: class InvalidOpenId < StandardError Chris@0: end Chris@0: Chris@0: class Result Chris@0: ERROR_MESSAGES = { Chris@0: :missing => "Sorry, the OpenID server couldn't be found", Chris@0: :invalid => "Sorry, but this does not appear to be a valid OpenID", Chris@0: :canceled => "OpenID verification was canceled", Chris@0: :failed => "OpenID verification failed", Chris@0: :setup_needed => "OpenID verification needs setup" Chris@0: } Chris@0: Chris@0: def self.[](code) Chris@0: new(code) Chris@0: end Chris@0: Chris@0: def initialize(code) Chris@0: @code = code Chris@0: end Chris@0: Chris@0: def status Chris@0: @code Chris@0: end Chris@0: Chris@0: ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } } Chris@0: Chris@0: def successful? Chris@0: @code == :successful Chris@0: end Chris@0: Chris@0: def unsuccessful? Chris@0: ERROR_MESSAGES.keys.include?(@code) Chris@0: end Chris@0: Chris@0: def message Chris@0: ERROR_MESSAGES[@code] Chris@0: end Chris@0: end Chris@0: Chris@0: # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization Chris@0: def self.normalize_identifier(identifier) Chris@0: # clean up whitespace Chris@0: identifier = identifier.to_s.strip Chris@0: Chris@0: # if an XRI has a prefix, strip it. Chris@0: identifier.gsub!(/xri:\/\//i, '') Chris@0: Chris@0: # dodge XRIs -- TODO: validate, don't just skip. Chris@0: unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0)) Chris@0: # does it begin with http? if not, add it. Chris@0: identifier = "http://#{identifier}" unless identifier =~ /^http/i Chris@0: Chris@0: # strip any fragments Chris@0: identifier.gsub!(/\#(.*)$/, '') Chris@0: Chris@0: begin Chris@0: uri = URI.parse(identifier) Chris@14: uri.scheme = uri.scheme.downcase if uri.scheme # URI should do this Chris@0: identifier = uri.normalize.to_s Chris@0: rescue URI::InvalidURIError Chris@0: raise InvalidOpenId.new("#{identifier} is not an OpenID identifier") Chris@0: end Chris@0: end Chris@0: Chris@0: return identifier Chris@0: end Chris@0: Chris@0: # deprecated for OpenID 2.0, where not all OpenIDs are URLs Chris@0: def self.normalize_url(url) Chris@0: ActiveSupport::Deprecation.warn "normalize_url has been deprecated, use normalize_identifier instead" Chris@0: self.normalize_identifier(url) Chris@0: end Chris@0: Chris@0: protected Chris@0: def normalize_url(url) Chris@0: OpenIdAuthentication.normalize_url(url) Chris@0: end Chris@0: Chris@0: def normalize_identifier(url) Chris@0: OpenIdAuthentication.normalize_identifier(url) Chris@0: end Chris@0: Chris@0: # The parameter name of "openid_identifier" is used rather than the Rails convention "open_id_identifier" Chris@0: # because that's what the specification dictates in order to get browser auto-complete working across sites Chris@0: def using_open_id?(identity_url = nil) #:doc: Chris@0: identity_url ||= params[:openid_identifier] || params[:openid_url] Chris@0: !identity_url.blank? || params[:open_id_complete] Chris@0: end Chris@0: Chris@0: def authenticate_with_open_id(identity_url = nil, options = {}, &block) #:doc: Chris@0: identity_url ||= params[:openid_identifier] || params[:openid_url] Chris@0: Chris@0: if params[:open_id_complete].nil? Chris@0: begin_open_id_authentication(identity_url, options, &block) Chris@0: else Chris@0: complete_open_id_authentication(&block) Chris@0: end Chris@0: end Chris@0: Chris@0: private Chris@0: def begin_open_id_authentication(identity_url, options = {}) Chris@0: identity_url = normalize_identifier(identity_url) Chris@0: return_to = options.delete(:return_to) Chris@0: method = options.delete(:method) Chris@0: Chris@0: options[:required] ||= [] # reduces validation later Chris@0: options[:optional] ||= [] Chris@0: Chris@0: open_id_request = open_id_consumer.begin(identity_url) Chris@0: add_simple_registration_fields(open_id_request, options) Chris@0: add_ax_fields(open_id_request, options) Chris@0: redirect_to(open_id_redirect_url(open_id_request, return_to, method)) Chris@0: rescue OpenIdAuthentication::InvalidOpenId => e Chris@0: yield Result[:invalid], identity_url, nil Chris@0: rescue OpenID::OpenIDError, Timeout::Error => e Chris@0: logger.error("[OPENID] #{e}") Chris@0: yield Result[:missing], identity_url, nil Chris@0: end Chris@0: Chris@0: def complete_open_id_authentication Chris@0: params_with_path = params.reject { |key, value| request.path_parameters[key] } Chris@0: params_with_path.delete(:format) Chris@0: open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) } Chris@0: identity_url = normalize_identifier(open_id_response.display_identifier) if open_id_response.display_identifier Chris@0: Chris@0: case open_id_response.status Chris@0: when OpenID::Consumer::SUCCESS Chris@0: profile_data = {} Chris@0: Chris@0: # merge the SReg data and the AX data into a single hash of profile data Chris@0: [ OpenID::SReg::Response, OpenID::AX::FetchResponse ].each do |data_response| Chris@0: if data_response.from_success_response( open_id_response ) Chris@0: profile_data.merge! data_response.from_success_response( open_id_response ).data Chris@0: end Chris@0: end Chris@0: Chris@0: yield Result[:successful], identity_url, profile_data Chris@0: when OpenID::Consumer::CANCEL Chris@0: yield Result[:canceled], identity_url, nil Chris@0: when OpenID::Consumer::FAILURE Chris@0: yield Result[:failed], identity_url, nil Chris@0: when OpenID::Consumer::SETUP_NEEDED Chris@0: yield Result[:setup_needed], open_id_response.setup_url, nil Chris@0: end Chris@0: end Chris@0: Chris@0: def open_id_consumer Chris@0: OpenID::Consumer.new(session, OpenIdAuthentication.store) Chris@0: end Chris@0: Chris@0: def add_simple_registration_fields(open_id_request, fields) Chris@0: sreg_request = OpenID::SReg::Request.new Chris@0: Chris@0: # filter out AX identifiers (URIs) Chris@0: required_fields = fields[:required].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact Chris@0: optional_fields = fields[:optional].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact Chris@0: Chris@0: sreg_request.request_fields(required_fields, true) unless required_fields.blank? Chris@0: sreg_request.request_fields(optional_fields, false) unless optional_fields.blank? Chris@0: sreg_request.policy_url = fields[:policy_url] if fields[:policy_url] Chris@0: open_id_request.add_extension(sreg_request) Chris@0: end Chris@0: Chris@0: def add_ax_fields( open_id_request, fields ) Chris@0: ax_request = OpenID::AX::FetchRequest.new Chris@0: Chris@0: # look through the :required and :optional fields for URIs (AX identifiers) Chris@0: fields[:required].each do |f| Chris@0: next unless f =~ /^https?:\/\// Chris@0: ax_request.add( OpenID::AX::AttrInfo.new( f, nil, true ) ) Chris@0: end Chris@0: Chris@0: fields[:optional].each do |f| Chris@0: next unless f =~ /^https?:\/\// Chris@0: ax_request.add( OpenID::AX::AttrInfo.new( f, nil, false ) ) Chris@0: end Chris@0: Chris@0: open_id_request.add_extension( ax_request ) Chris@0: end Chris@0: Chris@0: def open_id_redirect_url(open_id_request, return_to = nil, method = nil) Chris@0: open_id_request.return_to_args['_method'] = (method || request.method).to_s Chris@0: open_id_request.return_to_args['open_id_complete'] = '1' Chris@0: open_id_request.redirect_url(root_url, return_to || requested_url) Chris@0: end Chris@0: Chris@0: def requested_url Chris@0: relative_url_root = self.class.respond_to?(:relative_url_root) ? Chris@0: self.class.relative_url_root.to_s : Chris@0: request.relative_url_root Chris@0: "#{request.protocol}#{request.host_with_port}#{relative_url_root}#{request.path}" Chris@0: end Chris@0: Chris@0: def timeout_protection_from_identity_server Chris@0: yield Chris@0: rescue Timeout::Error Chris@0: Class.new do Chris@0: def status Chris@0: OpenID::FAILURE Chris@0: end Chris@0: Chris@0: def msg Chris@0: "Identity server timed out" Chris@0: end Chris@0: end.new Chris@0: end Chris@0: end