Unpacked OpenID gem. #699

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@2437 e93f8b46-1217-0410-a6f0-8f06a7374b81
pull/351/head
Eric Davis 16 years ago
parent 70efee1bc5
commit f70be197e0
  1. 2
      config/environment.rb
  2. 290
      vendor/gems/ruby-openid-2.1.4/.specification
  3. 11
      vendor/gems/ruby-openid-2.1.4/CHANGELOG
  4. 47
      vendor/gems/ruby-openid-2.1.4/INSTALL
  5. 210
      vendor/gems/ruby-openid-2.1.4/LICENSE
  6. 2
      vendor/gems/ruby-openid-2.1.4/NOTICE
  7. 82
      vendor/gems/ruby-openid-2.1.4/README
  8. 127
      vendor/gems/ruby-openid-2.1.4/UPGRADE
  9. 36
      vendor/gems/ruby-openid-2.1.4/admin/runtests.rb
  10. 32
      vendor/gems/ruby-openid-2.1.4/examples/README
  11. 58
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/README
  12. 24
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/XXX_add_open_id_store_to_db.rb
  13. 26
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/XXX_upgrade_open_id_store.rb
  14. 8
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/init.rb
  15. 10
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/lib/association.rb
  16. 3
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/lib/nonce.rb
  17. 4
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/lib/open_id_setting.rb
  18. 57
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/lib/openid_ar_store.rb
  19. 212
      vendor/gems/ruby-openid-2.1.4/examples/active_record_openid_store/test/store_test.rb
  20. 49
      vendor/gems/ruby-openid-2.1.4/examples/discover
  21. 153
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/README
  22. 10
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/Rakefile
  23. 4
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/controllers/application.rb
  24. 122
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/controllers/consumer_controller.rb
  25. 45
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/controllers/login_controller.rb
  26. 265
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/controllers/server_controller.rb
  27. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/helpers/application_helper.rb
  28. 2
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/helpers/login_helper.rb
  29. 9
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/helpers/server_helper.rb
  30. 81
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/views/consumer/index.rhtml
  31. 68
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/views/layouts/server.rhtml
  32. 56
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/views/login/index.rhtml
  33. 26
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/app/views/server/decide.rhtml
  34. 19
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/config/boot.rb
  35. 54
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/config/environment.rb
  36. 19
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/config/environments/development.rb
  37. 19
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/config/environments/production.rb
  38. 19
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/config/environments/test.rb
  39. 24
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/config/routes.rb
  40. 2
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/doc/README_FOR_APP
  41. 8
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/404.html
  42. 8
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/500.html
  43. 12
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/dispatch.cgi
  44. 26
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/dispatch.fcgi
  45. 12
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/dispatch.rb
  46. 0
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/favicon.ico
  47. BIN
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/images/openid_login_bg.gif
  48. 750
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/javascripts/controls.js
  49. 584
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/javascripts/dragdrop.js
  50. 854
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/javascripts/effects.js
  51. 1785
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/javascripts/prototype.js
  52. 1
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/public/robots.txt
  53. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/about
  54. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/breakpointer
  55. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/console
  56. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/destroy
  57. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/generate
  58. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/performance/benchmarker
  59. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/performance/profiler
  60. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/plugin
  61. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/process/reaper
  62. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/process/spawner
  63. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/process/spinner
  64. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/runner
  65. 3
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/script/server
  66. 18
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/test/functional/login_controller_test.rb
  67. 18
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/test/functional/server_controller_test.rb
  68. 28
      vendor/gems/ruby-openid-2.1.4/examples/rails_openid/test/test_helper.rb
  69. 112
      vendor/gems/ruby-openid-2.1.4/lib/hmac/hmac.rb
  70. 11
      vendor/gems/ruby-openid-2.1.4/lib/hmac/sha1.rb
  71. 25
      vendor/gems/ruby-openid-2.1.4/lib/hmac/sha2.rb
  72. 20
      vendor/gems/ruby-openid-2.1.4/lib/openid.rb
  73. 249
      vendor/gems/ruby-openid-2.1.4/lib/openid/association.rb
  74. 395
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer.rb
  75. 340
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/associationmanager.rb
  76. 186
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/checkid_request.rb
  77. 498
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/discovery.rb
  78. 123
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/discovery_manager.rb
  79. 134
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/html_parse.rb
  80. 523
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/idres.rb
  81. 148
      vendor/gems/ruby-openid-2.1.4/lib/openid/consumer/responses.rb
  82. 97
      vendor/gems/ruby-openid-2.1.4/lib/openid/cryptutil.rb
  83. 89
      vendor/gems/ruby-openid-2.1.4/lib/openid/dh.rb
  84. 39
      vendor/gems/ruby-openid-2.1.4/lib/openid/extension.rb
  85. 516
      vendor/gems/ruby-openid-2.1.4/lib/openid/extensions/ax.rb
  86. 179
      vendor/gems/ruby-openid-2.1.4/lib/openid/extensions/pape.rb
  87. 277
      vendor/gems/ruby-openid-2.1.4/lib/openid/extensions/sreg.rb
  88. 11
      vendor/gems/ruby-openid-2.1.4/lib/openid/extras.rb
  89. 238
      vendor/gems/ruby-openid-2.1.4/lib/openid/fetchers.rb
  90. 136
      vendor/gems/ruby-openid-2.1.4/lib/openid/kvform.rb
  91. 58
      vendor/gems/ruby-openid-2.1.4/lib/openid/kvpost.rb
  92. 553
      vendor/gems/ruby-openid-2.1.4/lib/openid/message.rb
  93. 8
      vendor/gems/ruby-openid-2.1.4/lib/openid/protocolerror.rb
  94. 1544
      vendor/gems/ruby-openid-2.1.4/lib/openid/server.rb
  95. 271
      vendor/gems/ruby-openid-2.1.4/lib/openid/store/filesystem.rb
  96. 75
      vendor/gems/ruby-openid-2.1.4/lib/openid/store/interface.rb
  97. 84
      vendor/gems/ruby-openid-2.1.4/lib/openid/store/memory.rb
  98. 68
      vendor/gems/ruby-openid-2.1.4/lib/openid/store/nonce.rb
  99. 349
      vendor/gems/ruby-openid-2.1.4/lib/openid/trustroot.rb
  100. 75
      vendor/gems/ruby-openid-2.1.4/lib/openid/urinorm.rb
  101. Some files were not shown because too many files have changed in this diff Show More

@ -54,4 +54,6 @@ Rails::Initializer.run do |config|
# Define your email configuration in email.yml instead.
# It will automatically turn deliveries on
config.action_mailer.perform_deliveries = false
config.gem 'ruby-openid', :lib => 'openid'
end

@ -0,0 +1,290 @@
--- !ruby/object:Gem::Specification
name: ruby-openid
version: !ruby/object:Gem::Version
version: 2.1.4
platform: ruby
authors:
- JanRain, Inc
autorequire: openid
bindir: bin
cert_chain:
date: 2008-12-19 00:00:00 -08:00
default_executable:
dependencies: []
description:
email: openid@janrain.com
executables: []
extensions: []
extra_rdoc_files:
- README
- INSTALL
- LICENSE
- UPGRADE
files:
- examples/README
- examples/active_record_openid_store
- examples/rails_openid
- examples/discover
- examples/active_record_openid_store/lib
- examples/active_record_openid_store/test
- examples/active_record_openid_store/init.rb
- examples/active_record_openid_store/README
- examples/active_record_openid_store/XXX_add_open_id_store_to_db.rb
- examples/active_record_openid_store/XXX_upgrade_open_id_store.rb
- examples/active_record_openid_store/lib/association.rb
- examples/active_record_openid_store/lib/nonce.rb
- examples/active_record_openid_store/lib/open_id_setting.rb
- examples/active_record_openid_store/lib/openid_ar_store.rb
- examples/active_record_openid_store/test/store_test.rb
- examples/rails_openid/app
- examples/rails_openid/components
- examples/rails_openid/config
- examples/rails_openid/db
- examples/rails_openid/doc
- examples/rails_openid/lib
- examples/rails_openid/log
- examples/rails_openid/public
- examples/rails_openid/script
- examples/rails_openid/test
- examples/rails_openid/vendor
- examples/rails_openid/Rakefile
- examples/rails_openid/README
- examples/rails_openid/app/controllers
- examples/rails_openid/app/helpers
- examples/rails_openid/app/models
- examples/rails_openid/app/views
- examples/rails_openid/app/controllers/application.rb
- examples/rails_openid/app/controllers/login_controller.rb
- examples/rails_openid/app/controllers/server_controller.rb
- examples/rails_openid/app/controllers/consumer_controller.rb
- examples/rails_openid/app/helpers/application_helper.rb
- examples/rails_openid/app/helpers/login_helper.rb
- examples/rails_openid/app/helpers/server_helper.rb
- examples/rails_openid/app/views/layouts
- examples/rails_openid/app/views/login
- examples/rails_openid/app/views/server
- examples/rails_openid/app/views/consumer
- examples/rails_openid/app/views/layouts/server.rhtml
- examples/rails_openid/app/views/login/index.rhtml
- examples/rails_openid/app/views/server/decide.rhtml
- examples/rails_openid/app/views/consumer/index.rhtml
- examples/rails_openid/config/environments
- examples/rails_openid/config/database.yml
- examples/rails_openid/config/boot.rb
- examples/rails_openid/config/environment.rb
- examples/rails_openid/config/routes.rb
- examples/rails_openid/config/environments/development.rb
- examples/rails_openid/config/environments/production.rb
- examples/rails_openid/config/environments/test.rb
- examples/rails_openid/doc/README_FOR_APP
- examples/rails_openid/lib/tasks
- examples/rails_openid/public/images
- examples/rails_openid/public/javascripts
- examples/rails_openid/public/stylesheets
- examples/rails_openid/public/dispatch.cgi
- examples/rails_openid/public/404.html
- examples/rails_openid/public/500.html
- examples/rails_openid/public/dispatch.fcgi
- examples/rails_openid/public/dispatch.rb
- examples/rails_openid/public/favicon.ico
- examples/rails_openid/public/robots.txt
- examples/rails_openid/public/images/openid_login_bg.gif
- examples/rails_openid/public/javascripts/controls.js
- examples/rails_openid/public/javascripts/dragdrop.js
- examples/rails_openid/public/javascripts/effects.js
- examples/rails_openid/public/javascripts/prototype.js
- examples/rails_openid/script/performance
- examples/rails_openid/script/process
- examples/rails_openid/script/console
- examples/rails_openid/script/about
- examples/rails_openid/script/breakpointer
- examples/rails_openid/script/destroy
- examples/rails_openid/script/generate
- examples/rails_openid/script/plugin
- examples/rails_openid/script/runner
- examples/rails_openid/script/server
- examples/rails_openid/script/performance/benchmarker
- examples/rails_openid/script/performance/profiler
- examples/rails_openid/script/process/spawner
- examples/rails_openid/script/process/reaper
- examples/rails_openid/script/process/spinner
- examples/rails_openid/test/fixtures
- examples/rails_openid/test/functional
- examples/rails_openid/test/mocks
- examples/rails_openid/test/unit
- examples/rails_openid/test/test_helper.rb
- examples/rails_openid/test/functional/login_controller_test.rb
- examples/rails_openid/test/functional/server_controller_test.rb
- examples/rails_openid/test/mocks/development
- examples/rails_openid/test/mocks/test
- lib/openid
- lib/hmac
- lib/openid.rb
- lib/openid/cryptutil.rb
- lib/openid/extras.rb
- lib/openid/urinorm.rb
- lib/openid/util.rb
- lib/openid/trustroot.rb
- lib/openid/message.rb
- lib/openid/yadis
- lib/openid/consumer
- lib/openid/fetchers.rb
- lib/openid/dh.rb
- lib/openid/kvform.rb
- lib/openid/association.rb
- lib/openid/store
- lib/openid/kvpost.rb
- lib/openid/extensions
- lib/openid/protocolerror.rb
- lib/openid/server.rb
- lib/openid/extension.rb
- lib/openid/consumer.rb
- lib/openid/yadis/htmltokenizer.rb
- lib/openid/yadis/parsehtml.rb
- lib/openid/yadis/filters.rb
- lib/openid/yadis/xrds.rb
- lib/openid/yadis/accept.rb
- lib/openid/yadis/constants.rb
- lib/openid/yadis/discovery.rb
- lib/openid/yadis/xri.rb
- lib/openid/yadis/xrires.rb
- lib/openid/yadis/services.rb
- lib/openid/consumer/html_parse.rb
- lib/openid/consumer/idres.rb
- lib/openid/consumer/associationmanager.rb
- lib/openid/consumer/discovery.rb
- lib/openid/consumer/discovery_manager.rb
- lib/openid/consumer/checkid_request.rb
- lib/openid/consumer/responses.rb
- lib/openid/store/filesystem.rb
- lib/openid/store/interface.rb
- lib/openid/store/nonce.rb
- lib/openid/store/memory.rb
- lib/openid/extensions/sreg.rb
- lib/openid/extensions/ax.rb
- lib/openid/extensions/pape.rb
- lib/hmac/hmac.rb
- lib/hmac/sha1.rb
- lib/hmac/sha2.rb
- test/data
- test/test_association.rb
- test/test_urinorm.rb
- test/testutil.rb
- test/test_util.rb
- test/test_message.rb
- test/test_cryptutil.rb
- test/test_extras.rb
- test/util.rb
- test/test_trustroot.rb
- test/test_parsehtml.rb
- test/test_fetchers.rb
- test/test_dh.rb
- test/test_kvform.rb
- test/test_openid_yadis.rb
- test/test_linkparse.rb
- test/test_stores.rb
- test/test_filters.rb
- test/test_xrds.rb
- test/test_nonce.rb
- test/test_accept.rb
- test/test_kvpost.rb
- test/test_associationmanager.rb
- test/discoverdata.rb
- test/test_server.rb
- test/test_yadis_discovery.rb
- test/test_sreg.rb
- test/test_idres.rb
- test/test_ax.rb
- test/test_xri.rb
- test/test_xrires.rb
- test/test_discover.rb
- test/test_consumer.rb
- test/test_pape.rb
- test/test_checkid_request.rb
- test/test_discovery_manager.rb
- test/test_responses.rb
- test/test_extension.rb
- test/data/test_xrds
- test/data/urinorm.txt
- test/data/n2b64
- test/data/trustroot.txt
- test/data/dh.txt
- test/data/test1-parsehtml.txt
- test/data/linkparse.txt
- test/data/accept.txt
- test/data/test_discover
- test/data/example-xrds.xml
- test/data/test1-discover.txt
- test/data/test_xrds/ref.xrds
- test/data/test_xrds/README
- test/data/test_xrds/delegated-20060809-r1.xrds
- test/data/test_xrds/delegated-20060809-r2.xrds
- test/data/test_xrds/delegated-20060809.xrds
- test/data/test_xrds/no-xrd.xml
- test/data/test_xrds/not-xrds.xml
- test/data/test_xrds/prefixsometimes.xrds
- test/data/test_xrds/sometimesprefix.xrds
- test/data/test_xrds/spoof1.xrds
- test/data/test_xrds/spoof2.xrds
- test/data/test_xrds/spoof3.xrds
- test/data/test_xrds/status222.xrds
- test/data/test_xrds/valid-populated-xrds.xml
- test/data/test_xrds/=j3h.2007.11.14.xrds
- test/data/test_xrds/subsegments.xrds
- test/data/test_discover/openid2_xrds.xml
- test/data/test_discover/openid.html
- test/data/test_discover/openid2.html
- test/data/test_discover/openid2_xrds_no_local_id.xml
- test/data/test_discover/openid_1_and_2.html
- test/data/test_discover/openid_1_and_2_xrds.xml
- test/data/test_discover/openid_and_yadis.html
- test/data/test_discover/openid_1_and_2_xrds_bad_delegate.xml
- test/data/test_discover/openid_no_delegate.html
- test/data/test_discover/yadis_0entries.xml
- test/data/test_discover/yadis_2_bad_local_id.xml
- test/data/test_discover/yadis_2entries_delegate.xml
- test/data/test_discover/yadis_2entries_idp.xml
- test/data/test_discover/yadis_another_delegate.xml
- test/data/test_discover/yadis_idp.xml
- test/data/test_discover/yadis_idp_delegate.xml
- test/data/test_discover/yadis_no_delegate.xml
- test/data/test_discover/malformed_meta_tag.html
- NOTICE
- CHANGELOG
- README
- INSTALL
- LICENSE
- UPGRADE
- admin/runtests.rb
has_rdoc: true
homepage: http://openidenabled.com/ruby-openid/
post_install_message:
rdoc_options:
- --main
- README
require_paths:
- lib
required_ruby_version: !ruby/object:Gem::Requirement
requirements:
- - ">"
- !ruby/object:Gem::Version
version: 0.0.0
version:
required_rubygems_version: !ruby/object:Gem::Requirement
requirements:
- - ">="
- !ruby/object:Gem::Version
version: "0"
version:
requirements: []
rubyforge_project:
rubygems_version: 1.3.1
signing_key:
specification_version: 1
summary: A library for consuming and serving OpenID identities.
test_files:
- admin/runtests.rb

@ -0,0 +1,11 @@
Fri Dec 19 11:50:10 PST 2008 cygnus@janrain.com
tagged 2.1.4
Fri Dec 19 11:48:25 PST 2008 cygnus@janrain.com
* Version: 2.1.4
Fri Dec 19 11:42:47 PST 2008 cygnus@janrain.com
* Normalize XRIs when doing discovery in accordance with the OpenID 2 spec
Tue Dec 16 13:14:07 PST 2008 cygnus@janrain.com
tagged 2.1.3

@ -0,0 +1,47 @@
= Ruby OpenID Library Installation
== Rubygems Installation
Rubygems is a tool for installing ruby libraries and their
dependancies. If you have rubygems installed, simply:
gem install ruby-openid
== Manual Installation
Unpack the archive and run setup.rb to install:
ruby setup.rb
setup.rb installs the library into your system ruby. If don't want to
add openid to you system ruby, you may instead add the *lib* directory of
the extracted tarball to your RUBYLIB environment variable:
$ export RUBYLIB=${RUBYLIB}:/path/to/ruby-openid/lib
== Testing the Installation
Make sure everything installed ok:
$> irb
irb$> require "openid"
=> true
Or, if you installed via rubygems:
$> irb
irb$> require "rubygems"
=> true
irb$> require_gem "ruby-openid"
=> true
== Run the test suite
Go into the test directory and execute the *runtests.rb* script.
== Next steps
* Run consumer.rb in the examples directory.
* Get started writing your own consumer using OpenID::Consumer
* Write your own server with OpenID::Server
* Use the OpenIDLoginGenerator! Read example/README for more info.

@ -0,0 +1,210 @@
The code in lib/hmac/ is Copyright 2001 by Daiki Ueno, and distributed under
the terms of the Ruby license. See http://www.ruby-lang.org/en/LICENSE.txt
lib/openid/yadis/htmltokenizer.rb is Copyright 2004 by Ben Giddings and
distributed under the terms of the Ruby license.
The remainder of this package is Copyright 2006-2008 by JanRain, Inc. and
distributed under the terms of license below:
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

@ -0,0 +1,2 @@
This product includes software developed by JanRain,
available from http://openidenabled.com/

@ -0,0 +1,82 @@
=Ruby OpenID
A Ruby library for verifying and serving OpenID identities.
==Features
* Easy to use API for verifying OpenID identites - OpenID::Consumer
* Support for serving OpenID identites - OpenID::Server
* Does not depend on underlying web framework
* Supports multiple storage mechanisms (Filesystem, ActiveRecord, Memory)
* Example code to help you get started, including:
* Ruby on Rails based consumer and server
* OpenIDLoginGenerator for quickly getting creating a rails app that uses
OpenID for authentication
* ActiveRecordOpenIDStore plugin
* Comprehensive test suite
* Supports both OpenID 1 and OpenID 2 transparently
==Installing
Before running the examples or writing your own code you'll need to install
the library. See the INSTALL file or use rubygems:
gem install ruby-openid
Check the installation:
$ irb
irb> require 'rubygems'
irb> require_gem 'ruby-openid'
=> true
The library is known to work with Ruby 1.8.4 on Unix, Max OSX and
Win32. Examples have been tested with Rails 1.1 and 1.2, and 2.0.
==Getting Started
The best way to start is to look at the rails_openid example.
You can run it with:
cd examples/rails_openid
script/server
If you are writing an OpenID Relying Party, a good place to start is:
examples/rails_openid/app/controllers/consumer_controller.rb
And if you are writing an OpenID provider:
examples/rails_openid/app/controllers/server_controller.rb
The library code is quite well documented, so don't be squeamish, and
look at the library itself if there's anything you don't understand in
the examples.
==Homepage
http://openidenabled.com/ruby-openid/
See also:
http://openid.net/
http://openidenabled.com/
==Community
Discussion regarding the Ruby OpenID library and other JanRain OpenID
libraries takes place on the the OpenID mailing list on
openidenabled.com.
http://lists.openidenabled.com/mailman/listinfo/dev
Please join this list to discuss, ask implementation questions, report
bugs, etc. Also check out the openid channel on the freenode IRC
network.
If you have a bugfix or feature you'd like to contribute, don't
hesitate to send it to us. For more detailed information on how to
contribute, see
http://openidenabled.com/contribute/
==Author
Copyright 2006-2008, JanRain, Inc.
Contact openid@janrain.com or visit the OpenID channel on pibb.com:
http://pibb.com/go/openid
==License
Apache Software License. For more information see the LICENSE file.

@ -0,0 +1,127 @@
= Upgrading from the OpenID 1.x series library
== Consumer Upgrade
The flow is largely the same, however there are a number of significant
changes. The consumer example is helpful to look at:
examples/rails_openid/app/controllers/consumer_controller.rb
=== Stores
You will need to require the file for the store that you are using.
For the filesystem store, this is 'openid/stores/filesystem'
They are also now in modules. The filesystem store is
OpenID::Store::Filesystem
The format has changed, and you should remove your old store directory.
The ActiveRecord store ( examples/active_record_openid_store ) still needs
to be put in a plugin directory for your rails app. There's a migration
that needs to be run; examine the README in that directory.
Also, note that the stores now can be garbage collected with the method
store.cleanup
=== Starting the OpenID transaction
The OpenIDRequest object no longer has status codes. Instead,
consumer.begin raises an OpenID::OpenIDError if there is a problem
initiating the transaction, so you'll want something along the lines of:
begin
openid_request = consumer.begin(params[:openid_identifier])
rescue OpenID::OpenIDError => e
# display error e
return
end
#success case
Data regarding the OpenID server once lived in
openid_request.service
The corresponding object in the 2.0 lib can be retrieved with
openid_request.endpoint
Getting the unverified identifier: Where you once had
openid_request.identity_url
you will now want
openid_request.endpoint.claimed_id
which might be different from what you get at the end of the transaction,
since it is now possible for users to enter their server's url directly.
Arguments on the return_to URL are now verified, so if you want to add
additional arguments to the return_to url, use
openid_request.return_to_args['param'] = value
Generating the redirect is the same as before, but add any extensions
first.
If you need to set up an SSL certificate authority list for the fetcher,
use the 'ca_file' attr_accessor on the OpenID::StandardFetcher. This has
changed from 'ca_path' in the 1.x.x series library. That is, set
OpenID.fetcher.ca_file = '/path/to/ca.list'
before calling consumer.begin.
=== Requesting Simple Registration Data
You'll need to require the code for the extension
require 'openid/extensions/sreg'
The new code for adding an SReg request now looks like:
sreg_request = OpenID::SReg::Request.new
sreg_request.request_fields(['email', 'dob'], true) # required
sreg_request.request_fields(['nickname', 'fullname'], false) # optional
sreg_request.policy_url = policy_url
openid_request.add_extension(sreg_request)
The code for adding other extensions is similar. Code for the Attribute
Exchange (AX) and Provider Authentication Policy Extension (PAPE) are
included with the library, and additional extensions can be implemented
subclassing OpenID::Extension.
=== Completing the transaction
The return_to and its arguments are verified, so you need to pass in
the base URL and the arguments. With Rails, the params method mashes
together parameters from GET, POST, and the path, so you'll need to pull
off the path "parameters" with something like
return_to = url_for(:only_path => false,
:controller => 'openid',
:action => 'complete')
parameters = params.reject{|k,v| request.path_parameters[k] }
openid_response = consumer.complete(parameters, return_to)
The response still uses the status codes, but they are now namespaced
slightly differently, for example OpenID::Consumer::SUCCESS
In the case of failure, the error message is now found in
openid_response.message
The identifier to display to the user can be found in
openid_response.endpoint.display_identifier
The Simple Registration response can be read from the OpenID response
with
sreg_response = OpenID::SReg::Response.from_success_response(openid_response)
nickname = sreg_response['nickname']
# etc.
== Server Upgrade
The server code is mostly the same as before, with the exception of
extensions. Also, you must pass in the endpoint URL to the server
constructor:
@server = OpenID::Server.new(store, server_url)
I recommend looking at
examples/rails_openid/app/controllers/server_controller.rb
for an example of the new way of doing extensions.
--
Dag Arneson, JanRain Inc.
Please direct questions to openid@janrain.com

@ -0,0 +1,36 @@
#!/usr/bin/ruby
require "logger"
require "stringio"
require "pathname"
require 'test/unit/collector/dir'
require 'test/unit/ui/console/testrunner'
def main
old_verbose = $VERBOSE
$VERBOSE = true
tests_dir = Pathname.new(__FILE__).dirname.dirname.join('test')
# Collect tests from everything named test_*.rb.
c = Test::Unit::Collector::Dir.new
if c.respond_to?(:base=)
# In order to supress warnings from ruby 1.8.6 about accessing
# undefined member
c.base = tests_dir
suite = c.collect
else
# Because base is not defined in ruby < 1.8.6
suite = c.collect(tests_dir)
end
result = Test::Unit::UI::Console::TestRunner.run(suite)
result.passed?
ensure
$VERBOSE = old_verbose
end
exit(main)

@ -0,0 +1,32 @@
This directory contains several examples that demonstrate use of the
OpenID library. Make sure you have properly installed the library
before running the examples. These examples are a great place to
start in integrating OpenID into your application.
==Rails example
The rails_openid contains a fully functional OpenID server and relying
party, and acts as a starting point for implementing your own
production rails server. You'll need the latest version of Ruby on
Rails installed, and then:
cd rails_openid
./script/server
Open a web browser to http://localhost:3000/ and follow the instructions.
The relevant code to work from when writing your Rails OpenID Relying
Party is:
rails_openid/app/controllers/consumer_controller.rb
If you are working on an OpenID provider, check out
rails_openid/app/controllers/server_controller.rb
Since the library and examples are Apache-licensed, don't be shy about
copy-and-paste.
==Rails ActiveRecord OpenIDStore plugin
For various reasons you may want or need to deploy your ruby openid
consumer/server using an SQL based store. The active_record_openid_store
is a plugin that makes using an SQL based store simple. Follow the
README inside the plugin's dir for usage.

@ -0,0 +1,58 @@
=Active Record OpenID Store Plugin
A store is required by an OpenID server and optionally by the consumer
to store associations, nonces, and auth key information across
requests and processes. If rails is distributed across several
machines, they must must all have access to the same OpenID store
data, so the FilesystemStore won't do.
This directory contains a plugin for connecting your
OpenID enabled rails app to an ActiveRecord based OpenID store.
==Install
1) Copy this directory and all it's contents into your
RAILS_ROOT/vendor/plugins directory. You structure should look like
this:
RAILS_ROOT/vendor/plugins/active_record_openid_store/
2) Copy the migration, XXX_add_open_id_store_to_db.rb to your
RAILS_ROOT/db/migrate directory. Rename the XXX portion of the
file to next sequential migration number.
3) Run the migration:
rake migrate
4) Change your app to use the ActiveRecordOpenIDStore:
store = ActiveRecordOpenIDStore.new
consumer = OpenID::Consumer.new(session, store)
5) That's it! All your OpenID state will now be stored in the database.
==Upgrade
If you are upgrading from the 1.x ActiveRecord store, replace your old
RAILS_ROOT/vendor/plugins/active_record_openid_store/ directory with
the new one and run the migration XXX_upgrade_open_id_store.rb.
==What about garbage collection?
You may garbage collect unused nonces and expired associations using
the gc instance method of ActiveRecordOpenIDStore. Hook it up to a
task in your app's Rakefile like so:
desc 'GC OpenID store'
task :gc_openid_store => :environment do
ActiveRecordOpenIDStore.new.cleanup
end
Run it by typing:
rake gc_openid_store
==Questions?
Contact Dag Arneson: dag at janrain dot com

@ -0,0 +1,24 @@
# Use this migration to create the tables for the ActiveRecord store
class AddOpenIdStoreToDb < ActiveRecord::Migration
def self.up
create_table "open_id_associations", :force => true do |t|
t.column "server_url", :binary, :null => false
t.column "handle", :string, :null => false
t.column "secret", :binary, :null => false
t.column "issued", :integer, :null => false
t.column "lifetime", :integer, :null => false
t.column "assoc_type", :string, :null => false
end
create_table "open_id_nonces", :force => true do |t|
t.column :server_url, :string, :null => false
t.column :timestamp, :integer, :null => false
t.column :salt, :string, :null => false
end
end
def self.down
drop_table "open_id_associations"
drop_table "open_id_nonces"
end
end

@ -0,0 +1,26 @@
# Use this migration to upgrade the old 1.1 ActiveRecord store schema
# to the new 2.0 schema.
class UpgradeOpenIdStore < ActiveRecord::Migration
def self.up
drop_table "open_id_settings"
drop_table "open_id_nonces"
create_table "open_id_nonces", :force => true do |t|
t.column :server_url, :string, :null => false
t.column :timestamp, :integer, :null => false
t.column :salt, :string, :null => false
end
end
def self.down
drop_table "open_id_nonces"
create_table "open_id_nonces", :force => true do |t|
t.column "nonce", :string
t.column "created", :integer
end
create_table "open_id_settings", :force => true do |t|
t.column "setting", :string
t.column "value", :binary
end
end
end

@ -0,0 +1,8 @@
# might using the ruby-openid gem
begin
require 'rubygems'
rescue LoadError
nil
end
require 'openid'
require 'openid_ar_store'

@ -0,0 +1,10 @@
require 'openid/association'
require 'time'
class Association < ActiveRecord::Base
set_table_name 'open_id_associations'
def from_record
OpenID::Association.new(handle, secret, Time.at(issued), lifetime, assoc_type)
end
end

@ -0,0 +1,3 @@
class Nonce < ActiveRecord::Base
set_table_name 'open_id_nonces'
end

@ -0,0 +1,4 @@
class OpenIdSetting < ActiveRecord::Base
validates_uniqueness_of :setting
end

@ -0,0 +1,57 @@
require 'association'
require 'nonce'
require 'openid/store/interface'
# not in OpenID module to avoid namespace conflict
class ActiveRecordStore < OpenID::Store::Interface
def store_association(server_url, assoc)
remove_association(server_url, assoc.handle)
Association.create!(:server_url => server_url,
:handle => assoc.handle,
:secret => assoc.secret,
:issued => assoc.issued.to_i,
:lifetime => assoc.lifetime,
:assoc_type => assoc.assoc_type)
end
def get_association(server_url, handle=nil)
assocs = if handle.blank?
Association.find_all_by_server_url(server_url)
else
Association.find_all_by_server_url_and_handle(server_url, handle)
end
assocs.reverse.each do |assoc|
a = assoc.from_record
if a.expires_in == 0
assoc.destroy
else
return a
end
end if assocs.any?
return nil
end
def remove_association(server_url, handle)
Association.delete_all(['server_url = ? AND handle = ?', server_url, handle]) > 0
end
def use_nonce(server_url, timestamp, salt)
return false if Nonce.find_by_server_url_and_timestamp_and_salt(server_url, timestamp, salt)
return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
Nonce.create!(:server_url => server_url, :timestamp => timestamp, :salt => salt)
return true
end
def cleanup_nonces
now = Time.now.to_i
Nonce.delete_all(["timestamp > ? OR timestamp < ?", now + OpenID::Nonce.skew, now - OpenID::Nonce.skew])
end
def cleanup_associations
now = Time.now.to_i
Association.delete_all(['issued + lifetime > ?',now])
end
end

@ -0,0 +1,212 @@
$:.unshift(File.dirname(__FILE__) + '/../lib')
require 'test/unit'
RAILS_ENV = "test"
require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb'))
module StoreTestCase
@@allowed_handle = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
@@allowed_nonce = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
def _gen_nonce
OpenID::CryptUtil.random_string(8, @@allowed_nonce)
end
def _gen_handle(n)
OpenID::CryptUtil.random_string(n, @@allowed_handle)
end
def _gen_secret(n, chars=nil)
OpenID::CryptUtil.random_string(n, chars)
end
def _gen_assoc(issued, lifetime=600)
secret = _gen_secret(20)
handle = _gen_handle(128)
OpenID::Association.new(handle, secret, Time.now + issued, lifetime,
'HMAC-SHA1')
end
def _check_retrieve(url, handle=nil, expected=nil)
ret_assoc = @store.get_association(url, handle)
if expected.nil?
assert_nil(ret_assoc)
else
assert_equal(expected, ret_assoc)
assert_equal(expected.handle, ret_assoc.handle)
assert_equal(expected.secret, ret_assoc.secret)
end
end
def _check_remove(url, handle, expected)
present = @store.remove_association(url, handle)
assert_equal(expected, present)
end
def test_store
server_url = "http://www.myopenid.com/openid"
assoc = _gen_assoc(issued=0)
# Make sure that a missing association returns no result
_check_retrieve(server_url)
# Check that after storage, getting returns the same result
@store.store_association(server_url, assoc)
_check_retrieve(server_url, nil, assoc)
# more than once
_check_retrieve(server_url, nil, assoc)
# Storing more than once has no ill effect
@store.store_association(server_url, assoc)
_check_retrieve(server_url, nil, assoc)
# Removing an association that does not exist returns not present
_check_remove(server_url, assoc.handle + 'x', false)
# Removing an association that does not exist returns not present
_check_remove(server_url + 'x', assoc.handle, false)
# Removing an association that is present returns present
_check_remove(server_url, assoc.handle, true)
# but not present on subsequent calls
_check_remove(server_url, assoc.handle, false)
# Put assoc back in the store
@store.store_association(server_url, assoc)
# More recent and expires after assoc
assoc2 = _gen_assoc(issued=1)
@store.store_association(server_url, assoc2)
# After storing an association with a different handle, but the
# same server_url, the handle with the later expiration is returned.
_check_retrieve(server_url, nil, assoc2)
# We can still retrieve the older association
_check_retrieve(server_url, assoc.handle, assoc)
# Plus we can retrieve the association with the later expiration
# explicitly
_check_retrieve(server_url, assoc2.handle, assoc2)
# More recent, and expires earlier than assoc2 or assoc. Make sure
# that we're picking the one with the latest issued date and not
# taking into account the expiration.
assoc3 = _gen_assoc(issued=2, lifetime=100)
@store.store_association(server_url, assoc3)
_check_retrieve(server_url, nil, assoc3)
_check_retrieve(server_url, assoc.handle, assoc)
_check_retrieve(server_url, assoc2.handle, assoc2)
_check_retrieve(server_url, assoc3.handle, assoc3)
_check_remove(server_url, assoc2.handle, true)
_check_retrieve(server_url, nil, assoc3)
_check_retrieve(server_url, assoc.handle, assoc)
_check_retrieve(server_url, assoc2.handle, nil)
_check_retrieve(server_url, assoc3.handle, assoc3)
_check_remove(server_url, assoc2.handle, false)
_check_remove(server_url, assoc3.handle, true)
_check_retrieve(server_url, nil, assoc)
_check_retrieve(server_url, assoc.handle, assoc)
_check_retrieve(server_url, assoc2.handle, nil)
_check_retrieve(server_url, assoc3.handle, nil)
_check_remove(server_url, assoc2.handle, false)
_check_remove(server_url, assoc.handle, true)
_check_remove(server_url, assoc3.handle, false)
_check_retrieve(server_url, nil, nil)
_check_retrieve(server_url, assoc.handle, nil)
_check_retrieve(server_url, assoc2.handle, nil)
_check_retrieve(server_url, assoc3.handle, nil)
_check_remove(server_url, assoc2.handle, false)
_check_remove(server_url, assoc.handle, false)
_check_remove(server_url, assoc3.handle, false)
assocValid1 = _gen_assoc(-3600, 7200)
assocValid2 = _gen_assoc(-5)
assocExpired1 = _gen_assoc(-7200, 3600)
assocExpired2 = _gen_assoc(-7200, 3600)
@store.cleanup_associations
@store.store_association(server_url + '1', assocValid1)
@store.store_association(server_url + '1', assocExpired1)
@store.store_association(server_url + '2', assocExpired2)
@store.store_association(server_url + '3', assocValid2)
cleaned = @store.cleanup_associations()
assert_equal(2, cleaned, "cleaned up associations")
end
def _check_use_nonce(nonce, expected, server_url, msg='')
stamp, salt = OpenID::Nonce::split_nonce(nonce)
actual = @store.use_nonce(server_url, stamp, salt)
assert_equal(expected, actual, msg)
end
def test_nonce
server_url = "http://www.myopenid.com/openid"
[server_url, ''].each{|url|
nonce1 = OpenID::Nonce::mk_nonce
_check_use_nonce(nonce1, true, url, "#{url}: nonce allowed by default")
_check_use_nonce(nonce1, false, url, "#{url}: nonce not allowed twice")
_check_use_nonce(nonce1, false, url, "#{url}: nonce not allowed third time")
# old nonces shouldn't pass
old_nonce = OpenID::Nonce::mk_nonce(3600)
_check_use_nonce(old_nonce, false, url, "Old nonce #{old_nonce.inspect} passed")
}
now = Time.now.to_i
old_nonce1 = OpenID::Nonce::mk_nonce(now - 20000)
old_nonce2 = OpenID::Nonce::mk_nonce(now - 10000)
recent_nonce = OpenID::Nonce::mk_nonce(now - 600)
orig_skew = OpenID::Nonce.skew
OpenID::Nonce.skew = 0
count = @store.cleanup_nonces
OpenID::Nonce.skew = 1000000
ts, salt = OpenID::Nonce::split_nonce(old_nonce1)
assert(@store.use_nonce(server_url, ts, salt), "oldnonce1")
ts, salt = OpenID::Nonce::split_nonce(old_nonce2)
assert(@store.use_nonce(server_url, ts, salt), "oldnonce2")
ts, salt = OpenID::Nonce::split_nonce(recent_nonce)
assert(@store.use_nonce(server_url, ts, salt), "recent_nonce")
OpenID::Nonce.skew = 1000
cleaned = @store.cleanup_nonces
assert_equal(2, cleaned, "Cleaned #{cleaned} nonces")
OpenID::Nonce.skew = 100000
ts, salt = OpenID::Nonce::split_nonce(old_nonce1)
assert(@store.use_nonce(server_url, ts, salt), "oldnonce1 after cleanup")
ts, salt = OpenID::Nonce::split_nonce(old_nonce2)
assert(@store.use_nonce(server_url, ts, salt), "oldnonce2 after cleanup")
ts, salt = OpenID::Nonce::split_nonce(recent_nonce)
assert(!@store.use_nonce(server_url, ts, salt), "recent_nonce after cleanup")
OpenID::Nonce.skew = orig_skew
end
end
class TestARStore < Test::Unit::TestCase
include StoreTestCase
def setup
@store = ActiveRecordStore.new
end
end

@ -0,0 +1,49 @@
#!/usr/bin/env ruby
require "openid/consumer/discovery"
require 'openid/fetchers'
OpenID::fetcher_use_env_http_proxy
$names = [[:server_url, "Server URL "],
[:local_id, "Local ID "],
[:canonical_id, "Canonical ID"],
]
def show_services(user_input, normalized, services)
puts " Claimed identifier: #{normalized}"
if services.empty?
puts " No OpenID services found"
puts
else
puts " Discovered services:"
n = 0
services.each do |service|
n += 1
puts " #{n}."
$names.each do |meth, name|
val = service.send(meth)
if val
printf(" %s: %s\n", name, val)
end
end
puts " Type URIs:"
for type_uri in service.type_uris
puts " * #{type_uri}"
end
puts
end
end
end
ARGV.each do |openid_identifier|
puts "=" * 50
puts "Running discovery on #{openid_identifier}"
begin
normalized_identifier, services = OpenID.discover(openid_identifier)
rescue OpenID::DiscoveryFailure => why
puts "Discovery failed: #{why.message}"
puts
else
show_services(openid_identifier, normalized_identifier, services)
end
end

@ -0,0 +1,153 @@
== Welcome to Rails
Rails is a web-application and persistence framework that includes everything
needed to create database-backed web-applications according to the
Model-View-Control pattern of separation. This pattern splits the view (also
called the presentation) into "dumb" templates that are primarily responsible
for inserting pre-built data in between HTML tags. The model contains the
"smart" domain objects (such as Account, Product, Person, Post) that holds all
the business logic and knows how to persist themselves to a database. The
controller handles the incoming requests (such as Save New Account, Update
Product, Show Post) by manipulating the model and directing data to the view.
In Rails, the model is handled by what's called an object-relational mapping
layer entitled Active Record. This layer allows you to present the data from
database rows as objects and embellish these data objects with business logic
methods. You can read more about Active Record in
link:files/vendor/rails/activerecord/README.html.
The controller and view are handled by the Action Pack, which handles both
layers by its two parts: Action View and Action Controller. These two layers
are bundled in a single package due to their heavy interdependence. This is
unlike the relationship between the Active Record and Action Pack that is much
more separate. Each of these packages can be used independently outside of
Rails. You can read more about Action Pack in
link:files/vendor/rails/actionpack/README.html.
== Getting started
1. Run the WEBrick servlet: <tt>ruby script/server</tt> (run with --help for options)
...or if you have lighttpd installed: <tt>ruby script/lighttpd</tt> (it's faster)
2. Go to http://localhost:3000/ and get "Congratulations, you've put Ruby on Rails!"
3. Follow the guidelines on the "Congratulations, you've put Ruby on Rails!" screen
== Example for Apache conf
<VirtualHost *:80>
ServerName rails
DocumentRoot /path/application/public/
ErrorLog /path/application/log/server.log
<Directory /path/application/public/>
Options ExecCGI FollowSymLinks
AllowOverride all
Allow from all
Order allow,deny
</Directory>
</VirtualHost>
NOTE: Be sure that CGIs can be executed in that directory as well. So ExecCGI
should be on and ".cgi" should respond. All requests from 127.0.0.1 go
through CGI, so no Apache restart is necessary for changes. All other requests
go through FCGI (or mod_ruby), which requires a restart to show changes.
== Debugging Rails
Have "tail -f" commands running on both the server.log, production.log, and
test.log files. Rails will automatically display debugging and runtime
information to these files. Debugging info will also be shown in the browser
on requests from 127.0.0.1.
== Breakpoints
Breakpoint support is available through the script/breakpointer client. This
means that you can break out of execution at any point in the code, investigate
and change the model, AND then resume execution! Example:
class WeblogController < ActionController::Base
def index
@posts = Post.find_all
breakpoint "Breaking out from the list"
end
end
So the controller will accept the action, run the first line, then present you
with a IRB prompt in the breakpointer window. Here you can do things like:
Executing breakpoint "Breaking out from the list" at .../webrick_server.rb:16 in 'breakpoint'
>> @posts.inspect
=> "[#<Post:0x14a6be8 @attributes={\"title\"=>nil, \"body\"=>nil, \"id\"=>\"1\"}>,
#<Post:0x14a6620 @attributes={\"title\"=>\"Rails you know!\", \"body\"=>\"Only ten..\", \"id\"=>\"2\"}>]"
>> @posts.first.title = "hello from a breakpoint"
=> "hello from a breakpoint"
...and even better is that you can examine how your runtime objects actually work:
>> f = @posts.first
=> #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
>> f.
Display all 152 possibilities? (y or n)
Finally, when you're ready to resume execution, you press CTRL-D
== Console
You can interact with the domain model by starting the console through script/console.
Here you'll have all parts of the application configured, just like it is when the
application is running. You can inspect domain models, change values, and save to the
database. Starting the script without arguments will launch it in the development environment.
Passing an argument will specify a different environment, like <tt>console production</tt>.
== Description of contents
app
Holds all the code that's specific to this particular application.
app/controllers
Holds controllers that should be named like weblog_controller.rb for
automated URL mapping. All controllers should descend from
ActionController::Base.
app/models
Holds models that should be named like post.rb.
Most models will descend from ActiveRecord::Base.
app/views
Holds the template files for the view that should be named like
weblog/index.rhtml for the WeblogController#index action. All views use eRuby
syntax. This directory can also be used to keep stylesheets, images, and so on
that can be symlinked to public.
app/helpers
Holds view helpers that should be named like weblog_helper.rb.
config
Configuration files for the Rails environment, the routing map, the database, and other dependencies.
components
Self-contained mini-applications that can bundle together controllers, models, and views.
lib
Application specific libraries. Basically, any kind of custom code that doesn't
belong under controllers, models, or helpers. This directory is in the load path.
public
The directory available for the web server. Contains subdirectories for images, stylesheets,
and javascripts. Also contains the dispatchers and the default HTML files.
script
Helper scripts for automation and generation.
test
Unit and functional tests along with fixtures.
vendor
External libraries that the application depends on. Also includes the plugins subdirectory.
This directory is in the load path.

@ -0,0 +1,10 @@
# Add your own tasks in files placed in lib/tasks ending in .rake,
# for example lib/tasks/switchtower.rake, and they will automatically be available to Rake.
require(File.join(File.dirname(__FILE__), 'config', 'boot'))
require 'rake'
require 'rake/testtask'
require 'rake/rdoctask'
require 'tasks/rails'

@ -0,0 +1,4 @@
# Filters added to this controller will be run for all controllers in the application.
# Likewise, all the methods added will be available for all controllers.
class ApplicationController < ActionController::Base
end

@ -0,0 +1,122 @@
require 'pathname'
require "openid"
require 'openid/extensions/sreg'
require 'openid/extensions/pape'
require 'openid/store/filesystem'
class ConsumerController < ApplicationController
layout nil
def index
# render an openid form
end
def start
begin
identifier = params[:openid_identifier]
if identifier.nil?
flash[:error] = "Enter an OpenID identifier"
redirect_to :action => 'index'
return
end
oidreq = consumer.begin(identifier)
rescue OpenID::OpenIDError => e
flash[:error] = "Discovery failed for #{identifier}: #{e}"
redirect_to :action => 'index'
return
end
if params[:use_sreg]
sregreq = OpenID::SReg::Request.new
# required fields
sregreq.request_fields(['email','nickname'], true)
# optional fields
sregreq.request_fields(['dob', 'fullname'], false)
oidreq.add_extension(sregreq)
oidreq.return_to_args['did_sreg'] = 'y'
end
if params[:use_pape]
papereq = OpenID::PAPE::Request.new
papereq.add_policy_uri(OpenID::PAPE::AUTH_PHISHING_RESISTANT)
papereq.max_auth_age = 2*60*60
oidreq.add_extension(papereq)
oidreq.return_to_args['did_pape'] = 'y'
end
if params[:force_post]
oidreq.return_to_args['force_post']='x'*2048
end
return_to = url_for :action => 'complete', :only_path => false
realm = url_for :action => 'index', :only_path => false
if oidreq.send_redirect?(realm, return_to, params[:immediate])
redirect_to oidreq.redirect_url(realm, return_to, params[:immediate])
else
render :text => oidreq.html_markup(realm, return_to, params[:immediate], {'id' => 'openid_form'})
end
end
def complete
# FIXME - url_for some action is not necessarily the current URL.
current_url = url_for(:action => 'complete', :only_path => false)
parameters = params.reject{|k,v|request.path_parameters[k]}
oidresp = consumer.complete(parameters, current_url)
case oidresp.status
when OpenID::Consumer::FAILURE
if oidresp.display_identifier
flash[:error] = ("Verification of #{oidresp.display_identifier}"\
" failed: #{oidresp.message}")
else
flash[:error] = "Verification failed: #{oidresp.message}"
end
when OpenID::Consumer::SUCCESS
flash[:success] = ("Verification of #{oidresp.display_identifier}"\
" succeeded.")
if params[:did_sreg]
sreg_resp = OpenID::SReg::Response.from_success_response(oidresp)
sreg_message = "Simple Registration data was requested"
if sreg_resp.empty?
sreg_message << ", but none was returned."
else
sreg_message << ". The following data were sent:"
sreg_resp.data.each {|k,v|
sreg_message << "<br/><b>#{k}</b>: #{v}"
}
end
flash[:sreg_results] = sreg_message
end
if params[:did_pape]
pape_resp = OpenID::PAPE::Response.from_success_response(oidresp)
pape_message = "A phishing resistant authentication method was requested"
if pape_resp.auth_policies.member? OpenID::PAPE::AUTH_PHISHING_RESISTANT
pape_message << ", and the server reported one."
else
pape_message << ", but the server did not report one."
end
if pape_resp.auth_time
pape_message << "<br><b>Authentication time:</b> #{pape_resp.auth_time} seconds"
end
if pape_resp.nist_auth_level
pape_message << "<br><b>NIST Auth Level:</b> #{pape_resp.nist_auth_level}"
end
flash[:pape_results] = pape_message
end
when OpenID::Consumer::SETUP_NEEDED
flash[:alert] = "Immediate request failed - Setup Needed"
when OpenID::Consumer::CANCEL
flash[:alert] = "OpenID transaction cancelled."
else
end
redirect_to :action => 'index'
end
private
def consumer
if @consumer.nil?
dir = Pathname.new(RAILS_ROOT).join('db').join('cstore')
store = OpenID::Store::Filesystem.new(dir)
@consumer = OpenID::Consumer.new(session, store)
end
return @consumer
end
end

@ -0,0 +1,45 @@
# Controller for handling the login, logout process for "users" of our
# little server. Users have no password. This is just an example.
require 'openid'
class LoginController < ApplicationController
layout 'server'
def base_url
url_for(:controller => 'login', :action => nil, :only_path => false)
end
def index
response.headers['X-XRDS-Location'] = url_for(:controller => "server",
:action => "idp_xrds",
:only_path => false)
@base_url = base_url
# just show the login page
end
def submit
user = params[:username]
# if we get a user, log them in by putting their username in
# the session hash.
unless user.nil?
session[:username] = user unless user.nil?
session[:approvals] = []
flash[:notice] = "Your OpenID URL is <b>#{base_url}user/#{user}</b><br/><br/>Proceed to step 2 below."
else
flash[:error] = "Sorry, couldn't log you in. Try again."
end
redirect_to :action => 'index'
end
def logout
# delete the username from the session hash
session[:username] = nil
session[:approvals] = nil
redirect_to :action => 'index'
end
end

@ -0,0 +1,265 @@
require 'pathname'
# load the openid library, first trying rubygems
#begin
# require "rubygems"
# require_gem "ruby-openid", ">= 1.0"
#rescue LoadError
require "openid"
require "openid/consumer/discovery"
require 'openid/extensions/sreg'
require 'openid/extensions/pape'
require 'openid/store/filesystem'
#end
class ServerController < ApplicationController
include ServerHelper
include OpenID::Server
layout nil
def index
begin
oidreq = server.decode_request(params)
rescue ProtocolError => e
# invalid openid request, so just display a page with an error message
render :text => e.to_s, :status => 500
return
end
# no openid.mode was given
unless oidreq
render :text => "This is an OpenID server endpoint."
return
end
oidresp = nil
if oidreq.kind_of?(CheckIDRequest)
identity = oidreq.identity
if oidreq.id_select
if oidreq.immediate
oidresp = oidreq.answer(false)
elsif session[:username].nil?
# The user hasn't logged in.
show_decision_page(oidreq)
return
else
# Else, set the identity to the one the user is using.
identity = url_for_user
end
end
if oidresp
nil
elsif self.is_authorized(identity, oidreq.trust_root)
oidresp = oidreq.answer(true, nil, identity)
# add the sreg response if requested
add_sreg(oidreq, oidresp)
# ditto pape
add_pape(oidreq, oidresp)
elsif oidreq.immediate
server_url = url_for :action => 'index'
oidresp = oidreq.answer(false, server_url)
else
show_decision_page(oidreq)
return
end
else
oidresp = server.handle_request(oidreq)
end
self.render_response(oidresp)
end
def show_decision_page(oidreq, message="Do you trust this site with your identity?")
session[:last_oidreq] = oidreq
@oidreq = oidreq
if message
flash[:notice] = message
end
render :template => 'server/decide', :layout => 'server'
end
def user_page
# Yadis content-negotiation: we want to return the xrds if asked for.
accept = request.env['HTTP_ACCEPT']
# This is not technically correct, and should eventually be updated
# to do real Accept header parsing and logic. Though I expect it will work
# 99% of the time.
if accept and accept.include?('application/xrds+xml')
user_xrds
return
end
# content negotiation failed, so just render the user page
xrds_url = url_for(:controller=>'user',:action=>params[:username])+'/xrds'
identity_page = <<EOS
<html><head>
<meta http-equiv="X-XRDS-Location" content="#{xrds_url}" />
<link rel="openid.server" href="#{url_for :action => 'index'}" />
</head><body><p>OpenID identity page for #{params[:username]}</p>
</body></html>
EOS
# Also add the Yadis location header, so that they don't have
# to parse the html unless absolutely necessary.
response.headers['X-XRDS-Location'] = xrds_url
render :text => identity_page
end
def user_xrds
types = [
OpenID::OPENID_2_0_TYPE,
OpenID::OPENID_1_0_TYPE,
OpenID::SREG_URI,
]
render_xrds(types)
end
def idp_xrds
types = [
OpenID::OPENID_IDP_2_0_TYPE,
]
render_xrds(types)
end
def decision
oidreq = session[:last_oidreq]
session[:last_oidreq] = nil
if params[:yes].nil?
redirect_to oidreq.cancel_url
return
else
id_to_send = params[:id_to_send]
identity = oidreq.identity
if oidreq.id_select
if id_to_send and id_to_send != ""
session[:username] = id_to_send
session[:approvals] = []
identity = url_for_user
else
msg = "You must enter a username to in order to send " +
"an identifier to the Relying Party."
show_decision_page(oidreq, msg)
return
end
end
if session[:approvals]
session[:approvals] << oidreq.trust_root
else
session[:approvals] = [oidreq.trust_root]
end
oidresp = oidreq.answer(true, nil, identity)
add_sreg(oidreq, oidresp)
add_pape(oidreq, oidresp)
return self.render_response(oidresp)
end
end
protected
def server
if @server.nil?
server_url = url_for :action => 'index', :only_path => false
dir = Pathname.new(RAILS_ROOT).join('db').join('openid-store')
store = OpenID::Store::Filesystem.new(dir)
@server = Server.new(store, server_url)
end
return @server
end
def approved(trust_root)
return false if session[:approvals].nil?
return session[:approvals].member?(trust_root)
end
def is_authorized(identity_url, trust_root)
return (session[:username] and (identity_url == url_for_user) and self.approved(trust_root))
end
def render_xrds(types)
type_str = ""
types.each { |uri|
type_str += "<Type>#{uri}</Type>\n "
}
yadis = <<EOS
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
#{type_str}
<URI>#{url_for(:controller => 'server', :only_path => false)}</URI>
</Service>
</XRD>
</xrds:XRDS>
EOS
response.headers['content-type'] = 'application/xrds+xml'
render :text => yadis
end
def add_sreg(oidreq, oidresp)
# check for Simple Registration arguments and respond
sregreq = OpenID::SReg::Request.from_openid_request(oidreq)
return if sregreq.nil?
# In a real application, this data would be user-specific,
# and the user should be asked for permission to release
# it.
sreg_data = {
'nickname' => session[:username],
'fullname' => 'Mayor McCheese',
'email' => 'mayor@example.com'
}
sregresp = OpenID::SReg::Response.extract_response(sregreq, sreg_data)
oidresp.add_extension(sregresp)
end
def add_pape(oidreq, oidresp)
papereq = OpenID::PAPE::Request.from_openid_request(oidreq)
return if papereq.nil?
paperesp = OpenID::PAPE::Response.new
paperesp.nist_auth_level = 0 # we don't even do auth at all!
oidresp.add_extension(paperesp)
end
def render_response(oidresp)
if oidresp.needs_signing
signed_response = server.signatory.sign(oidresp)
end
web_response = server.encode_response(oidresp)
case web_response.code
when HTTP_OK
render :text => web_response.body, :status => 200
when HTTP_REDIRECT
redirect_to web_response.headers['location']
else
render :text => web_response.body, :status => 400
end
end
end

@ -0,0 +1,3 @@
# Methods added to this helper will be available to all templates in the application.
module ApplicationHelper
end

@ -0,0 +1,9 @@
module ServerHelper
def url_for_user
url_for :controller => 'user', :action => session[:username]
end
end

@ -0,0 +1,81 @@
<html>
<head>
<title>Rails OpenID Example Relying Party</title>
</head>
<style type="text/css">
* {
font-family: verdana,sans-serif;
}
body {
width: 50em;
margin: 1em;
}
div {
padding: .5em;
}
.alert {
border: 1px solid #e7dc2b;
background: #fff888;
}
.error {
border: 1px solid #ff0000;
background: #ffaaaa;
}
.success {
border: 1px solid #00ff00;
background: #aaffaa;
}
#verify-form {
border: 1px solid #777777;
background: #dddddd;
margin-top: 1em;
padding-bottom: 0em;
}
input.openid {
background: url( /images/openid_login_bg.gif ) no-repeat;
background-position: 0 50%;
background-color: #fff;
padding-left: 18px;
}
</style>
<body>
<h1>Rails OpenID Example Relying Party</h1>
<% if flash[:alert] %>
<div class='alert'>
<%= h(flash[:alert]) %>
</div>
<% end %>
<% if flash[:error] %>
<div class='error'>
<%= h(flash[:error]) %>
</div>
<% end %>
<% if flash[:success] %>
<div class='success'>
<%= h(flash[:success]) %>
</div>
<% end %>
<% if flash[:sreg_results] %>
<div class='alert'>
<%= flash[:sreg_results] %>
</div>
<% end %>
<% if flash[:pape_results] %>
<div class='alert'>
<%= flash[:pape_results] %>
</div>
<% end %>
<div id="verify-form">
<form method="get" accept-charset="UTF-8"
action='<%= url_for :action => 'start' %>'>
Identifier:
<input type="text" class="openid" name="openid_identifier" />
<input type="submit" value="Verify" /><br />
<input type="checkbox" name="immediate" id="immediate" /><label for="immediate">Use immediate mode</label><br/>
<input type="checkbox" name="use_sreg" id="use_sreg" /><label for="use_sreg">Request registration data</label><br/>
<input type="checkbox" name="use_pape" id="use_pape" /><label for="use_pape">Request phishing-resistent auth policy (PAPE)</label><br/>
<input type="checkbox" name="force_post" id="force_post" /><label for="force_post">Force the transaction to use POST by adding 2K of extra data</label>
</form>
</div>
</body>
</html>

@ -0,0 +1,68 @@
<html>
<head><title>OpenID Server Example</title></head>
<style type="text/css">
* {
font-family: verdana,sans-serif;
}
body {
width: 50em;
margin: 1em;
}
div {
padding: .5em;
}
table {
margin: none;
padding: none;
}
.notice {
border: 1px solid #60964f;
background: #b3dca7;
}
.error {
border: 1px solid #ff0000;
background: #ffaaaa;
}
#login-form {
border: 1px solid #777777;
background: #dddddd;
margin-top: 1em;
padding-bottom: 0em;
}
table {
padding: 1em;
}
li {margin-bottom: .5em;}
span.openid:before {
content: url(<%= @base_url %>images/openid_login_bg.gif) ;
}
span.openid {
font-size: smaller;
}
</style>
<body>
<% if session[:username] %>
<div style="float:right;">
Welcome, <%= session[:username] %> | <%= link_to('Log out', :controller => 'login', :action => 'logout') %><br />
<span class="openid"><%= @base_url %>user/<%= session[:username] %></span>
</div>
<% end %>
<h3>Ruby OpenID Server Example</h3>
<hr/>
<% if flash[:notice] or flash[:error] %>
<div class="<%= flash[:notice].nil? ? 'error' : 'notice' %>">
<%= flash[:error] or flash[:notice] %>
</div>
<% end %>
<%= @content_for_layout %>
</body>
</html>

@ -0,0 +1,56 @@
<% if session[:username].nil? %>
<div id="login-form">
<form method="get" action="<%= url_for :controller => 'login', :action => 'submit' %>">
Type a username:
<input type="text" name="username" />
<input type="submit" value="Log In" />
</form>
</div>
<% end %>
<p> Welcome to the Ruby OpenID example. This code is a starting point
for developers wishing to implement an OpenID provider or relying
party. We've used the <a href="http://rubyonrails.org/">Rails</a>
platform to demonstrate, but the library code is not Rails specific.</p>
<h2>To use the example provider</h2>
<p>
<ol>
<li>Enter a username in the form above. You will be "Logged In"
to the server, at which point you may authenticate using an OpenID
consumer. Your OpenID URL will be displayed after you log
in.<p>The server will automatically create an identity page for
you at <%= @base_url %>user/<i>name</i></p></li>
<li><p>Because WEBrick can only handle one thing at a time, you'll need to
run another instance of the example on another port if you want to use
a relying party to use with this example provider:</p>
<blockquote>
<code>script/server --port=3001</code>
</blockquote>
<p>(The RP needs to be able to access the provider, so unless you're
running this example on a public IP, you can't use the live example
at <a href="http://openidenabled.com/">openidenabled.com</a> on
your local provider.)</p>
</li>
<li>Point your browser to this new instance and follow the directions
below.</li>
<!-- Fun fact: 'url_for :port => 3001' doesn't work very well. -->
</ol>
</p>
<h2>To use the example relying party</h2>
<p>Visit <a href="<%= url_for :controller => 'consumer' %>">/consumer</a>
and enter your OpenID.</p>
</p>

@ -0,0 +1,26 @@
<form method="post" action="<%= url_for :controller => 'server', :action => 'decision' %>">
<table>
<tr><td>Site:</td><td><%= @oidreq.trust_root %></td></tr>
<% if @oidreq.id_select %>
<tr>
<td colspan="2">
You entered the server identifier at the relying party.
You'll need to send an identifier of your choosing. Enter a
username below.
</td>
</tr>
<tr>
<td>Identity to send:</td>
<td><input type="text" name="id_to_send" size="25" /></td>
</tr>
<% else %>
<tr><td>Identity:</td><td><%= @oidreq.identity %></td></tr>
<% end %>
</table>
<input type="submit" name="yes" value="yes" />
<input type="submit" name="no" value="no" />
</form>

@ -0,0 +1,19 @@
# Don't change this file. Configuration is done in config/environment.rb and config/environments/*.rb
unless defined?(RAILS_ROOT)
root_path = File.join(File.dirname(__FILE__), '..')
unless RUBY_PLATFORM =~ /mswin32/
require 'pathname'
root_path = Pathname.new(root_path).cleanpath(true).to_s
end
RAILS_ROOT = root_path
end
if File.directory?("#{RAILS_ROOT}/vendor/rails")
require "#{RAILS_ROOT}/vendor/rails/railties/lib/initializer"
else
require 'rubygems'
require 'initializer'
end
Rails::Initializer.run(:set_load_path)

@ -0,0 +1,54 @@
# Be sure to restart your web server when you modify this file.
# Uncomment below to force Rails into production mode when
# you don't control web/app server and can't set it the proper way
# ENV['RAILS_ENV'] ||= 'production'
# Bootstrap the Rails environment, frameworks, and default configuration
require File.join(File.dirname(__FILE__), 'boot')
Rails::Initializer.run do |config|
# Settings in config/environments/* take precedence those specified here
# Skip frameworks you're not going to use
# config.frameworks -= [ :action_web_service, :action_mailer ]
# Add additional load paths for your own custom dirs
# config.load_paths += %W( #{RAILS_ROOT}/extras )
# Force all environments to use the same logger level
# (by default production uses :info, the others :debug)
# config.log_level = :debug
# Use the database for sessions instead of the file system
# (create the session table with 'rake create_sessions_table')
# config.action_controller.session_store = :active_record_store
# Enable page/fragment caching by setting a file-based store
# (remember to create the caching directory and make it readable to the application)
# config.action_controller.fragment_cache_store = :file_store, "#{RAILS_ROOT}/cache"
# Activate observers that should always be running
# config.active_record.observers = :cacher, :garbage_collector
# Make Active Record use UTC-base instead of local time
# config.active_record.default_timezone = :utc
# Use Active Record's schema dumper instead of SQL when creating the test database
# (enables use of different database adapters for development and test environments)
# config.active_record.schema_format = :ruby
# See Rails::Configuration for more options
end
# Add new inflection rules using the following format
# (all these examples are active by default):
# Inflector.inflections do |inflect|
# inflect.plural /^(ox)$/i, '\1en'
# inflect.singular /^(ox)en/i, '\1'
# inflect.irregular 'person', 'people'
# inflect.uncountable %w( fish sheep )
# end
# Include your application configuration below
ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = '_session_id_2'

@ -0,0 +1,19 @@
# Settings specified here will take precedence over those in config/environment.rb
# In the development environment your application's code is reloaded on
# every request. This slows down response time but is perfect for development
# since you don't have to restart the webserver when you make code changes.
config.cache_classes = false
# Log error messages when you accidentally call methods on nil.
config.whiny_nils = true
# Enable the breakpoint server that script/breakpointer connects to
config.breakpoint_server = true
# Show full error reports and disable caching
config.action_controller.consider_all_requests_local = true
config.action_controller.perform_caching = false
# Don't care if the mailer can't send
config.action_mailer.raise_delivery_errors = false

@ -0,0 +1,19 @@
# Settings specified here will take precedence over those in config/environment.rb
# The production environment is meant for finished, "live" apps.
# Code is not reloaded between requests
config.cache_classes = true
# Use a different logger for distributed setups
# config.logger = SyslogLogger.new
# Full error reports are disabled and caching is turned on
config.action_controller.consider_all_requests_local = false
config.action_controller.perform_caching = true
# Enable serving of images, stylesheets, and javascripts from an asset server
# config.action_controller.asset_host = "http://assets.example.com"
# Disable delivery errors if you bad email addresses should just be ignored
# config.action_mailer.raise_delivery_errors = false

@ -0,0 +1,19 @@
# Settings specified here will take precedence over those in config/environment.rb
# The test environment is used exclusively to run your application's
# test suite. You never need to work with it otherwise. Remember that
# your test database is "scratch space" for the test suite and is wiped
# and recreated between test runs. Don't rely on the data there!
config.cache_classes = true
# Log error messages when you accidentally call methods on nil.
config.whiny_nils = true
# Show full error reports and disable caching
config.action_controller.consider_all_requests_local = true
config.action_controller.perform_caching = false
# Tell ActionMailer not to deliver emails to the real world.
# The :test delivery method accumulates sent emails in the
# ActionMailer::Base.deliveries array.
config.action_mailer.delivery_method = :test

@ -0,0 +1,24 @@
ActionController::Routing::Routes.draw do |map|
# Add your own custom routes here.
# The priority is based upon order of creation: first created -> highest priority.
# Here's a sample route:
# map.connect 'products/:id', :controller => 'catalog', :action => 'view'
# Keep in mind you can assign values other than :controller and :action
# You can have the root of your site routed by hooking up ''
# -- just remember to delete public/index.html.
# map.connect '', :controller => "welcome"
map.connect '', :controller => 'login'
map.connect 'server/xrds', :controller => 'server', :action => 'idp_xrds'
map.connect 'user/:username', :controller => 'server', :action => 'user_page'
map.connect 'user/:username/xrds', :controller => 'server', :action => 'user_xrds'
# Allow downloading Web Service WSDL as a file with an extension
# instead of a file named 'wsdl'
map.connect ':controller/service.wsdl', :action => 'wsdl'
# Install the default route as the lowest priority.
map.connect ':controller/:action/:id'
end

@ -0,0 +1,2 @@
Use this README file to introduce your application and point to useful places in the API for learning more.
Run "rake appdoc" to generate API documentation for your models and controllers.

@ -0,0 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<h1>File not found</h1>
<p>Change this error message for pages not found in public/404.html</p>
</body>
</html>

@ -0,0 +1,8 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<body>
<h1>Application error (Apache)</h1>
<p>Change this error message for exceptions thrown outside of an action (like in Dispatcher setups or broken Ruby code) in public/500.html</p>
</body>
</html>

@ -0,0 +1,12 @@
#!/usr/bin/ruby1.8
#!/usr/local/bin/ruby
require File.dirname(__FILE__) + "/../config/environment" unless defined?(RAILS_ROOT)
# If you're using RubyGems and mod_ruby, this require should be changed to an absolute path one, like:
# "/usr/local/lib/ruby/gems/1.8/gems/rails-0.8.0/lib/dispatcher" -- otherwise performance is severely impaired
require "dispatcher"
ADDITIONAL_LOAD_PATHS.reverse.each { |dir| $:.unshift(dir) if File.directory?(dir) } if defined?(Apache::RubyRun)
Dispatcher.dispatch

@ -0,0 +1,26 @@
#!/usr/bin/ruby1.8
#!/usr/local/bin/ruby
#
# You may specify the path to the FastCGI crash log (a log of unhandled
# exceptions which forced the FastCGI instance to exit, great for debugging)
# and the number of requests to process before running garbage collection.
#
# By default, the FastCGI crash log is RAILS_ROOT/log/fastcgi.crash.log
# and the GC period is nil (turned off). A reasonable number of requests
# could range from 10-100 depending on the memory footprint of your app.
#
# Example:
# # Default log path, normal GC behavior.
# RailsFCGIHandler.process!
#
# # Default log path, 50 requests between GC.
# RailsFCGIHandler.process! nil, 50
#
# # Custom log path, normal GC behavior.
# RailsFCGIHandler.process! '/var/log/myapp_fcgi_crash.log'
#
require File.dirname(__FILE__) + "/../config/environment"
require 'fcgi_handler'
RailsFCGIHandler.process!

@ -0,0 +1,12 @@
#!/usr/bin/ruby1.8
#!/usr/local/bin/ruby
require File.dirname(__FILE__) + "/../config/environment" unless defined?(RAILS_ROOT)
# If you're using RubyGems and mod_ruby, this require should be changed to an absolute path one, like:
# "/usr/local/lib/ruby/gems/1.8/gems/rails-0.8.0/lib/dispatcher" -- otherwise performance is severely impaired
require "dispatcher"
ADDITIONAL_LOAD_PATHS.reverse.each { |dir| $:.unshift(dir) if File.directory?(dir) } if defined?(Apache::RubyRun)
Dispatcher.dispatch

Binary file not shown.

After

Width:  |  Height:  |  Size: 237 B

@ -0,0 +1,750 @@
// Copyright (c) 2005 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// (c) 2005 Ivan Krstic (http://blogs.law.harvard.edu/ivan)
// (c) 2005 Jon Tirsen (http://www.tirsen.com)
// Contributors:
// Richard Livsey
// Rahul Bhargava
// Rob Wills
//
// See scriptaculous.js for full license.
// Autocompleter.Base handles all the autocompletion functionality
// that's independent of the data source for autocompletion. This
// includes drawing the autocompletion menu, observing keyboard
// and mouse events, and similar.
//
// Specific autocompleters need to provide, at the very least,
// a getUpdatedChoices function that will be invoked every time
// the text inside the monitored textbox changes. This method
// should get the text for which to provide autocompletion by
// invoking this.getToken(), NOT by directly accessing
// this.element.value. This is to allow incremental tokenized
// autocompletion. Specific auto-completion logic (AJAX, etc)
// belongs in getUpdatedChoices.
//
// Tokenized incremental autocompletion is enabled automatically
// when an autocompleter is instantiated with the 'tokens' option
// in the options parameter, e.g.:
// new Ajax.Autocompleter('id','upd', '/url/', { tokens: ',' });
// will incrementally autocomplete with a comma as the token.
// Additionally, ',' in the above example can be replaced with
// a token array, e.g. { tokens: [',', '\n'] } which
// enables autocompletion on multiple tokens. This is most
// useful when one of the tokens is \n (a newline), as it
// allows smart autocompletion after linebreaks.
var Autocompleter = {}
Autocompleter.Base = function() {};
Autocompleter.Base.prototype = {
baseInitialize: function(element, update, options) {
this.element = $(element);
this.update = $(update);
this.hasFocus = false;
this.changed = false;
this.active = false;
this.index = 0;
this.entryCount = 0;
if (this.setOptions)
this.setOptions(options);
else
this.options = options || {};
this.options.paramName = this.options.paramName || this.element.name;
this.options.tokens = this.options.tokens || [];
this.options.frequency = this.options.frequency || 0.4;
this.options.minChars = this.options.minChars || 1;
this.options.onShow = this.options.onShow ||
function(element, update){
if(!update.style.position || update.style.position=='absolute') {
update.style.position = 'absolute';
Position.clone(element, update, {setHeight: false, offsetTop: element.offsetHeight});
}
Effect.Appear(update,{duration:0.15});
};
this.options.onHide = this.options.onHide ||
function(element, update){ new Effect.Fade(update,{duration:0.15}) };
if (typeof(this.options.tokens) == 'string')
this.options.tokens = new Array(this.options.tokens);
this.observer = null;
this.element.setAttribute('autocomplete','off');
Element.hide(this.update);
Event.observe(this.element, "blur", this.onBlur.bindAsEventListener(this));
Event.observe(this.element, "keypress", this.onKeyPress.bindAsEventListener(this));
},
show: function() {
if(Element.getStyle(this.update, 'display')=='none') this.options.onShow(this.element, this.update);
if(!this.iefix &&
(navigator.appVersion.indexOf('MSIE')>0) &&
(navigator.userAgent.indexOf('Opera')<0) &&
(Element.getStyle(this.update, 'position')=='absolute')) {
new Insertion.After(this.update,
'<iframe id="' + this.update.id + '_iefix" '+
'style="display:none;position:absolute;filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0);" ' +
'src="javascript:false;" frameborder="0" scrolling="no"></iframe>');
this.iefix = $(this.update.id+'_iefix');
}
if(this.iefix) setTimeout(this.fixIEOverlapping.bind(this), 50);
},
fixIEOverlapping: function() {
Position.clone(this.update, this.iefix);
this.iefix.style.zIndex = 1;
this.update.style.zIndex = 2;
Element.show(this.iefix);
},
hide: function() {
this.stopIndicator();
if(Element.getStyle(this.update, 'display')!='none') this.options.onHide(this.element, this.update);
if(this.iefix) Element.hide(this.iefix);
},
startIndicator: function() {
if(this.options.indicator) Element.show(this.options.indicator);
},
stopIndicator: function() {
if(this.options.indicator) Element.hide(this.options.indicator);
},
onKeyPress: function(event) {
if(this.active)
switch(event.keyCode) {
case Event.KEY_TAB:
case Event.KEY_RETURN:
this.selectEntry();
Event.stop(event);
case Event.KEY_ESC:
this.hide();
this.active = false;
Event.stop(event);
return;
case Event.KEY_LEFT:
case Event.KEY_RIGHT:
return;
case Event.KEY_UP:
this.markPrevious();
this.render();
if(navigator.appVersion.indexOf('AppleWebKit')>0) Event.stop(event);
return;
case Event.KEY_DOWN:
this.markNext();
this.render();
if(navigator.appVersion.indexOf('AppleWebKit')>0) Event.stop(event);
return;
}
else
if(event.keyCode==Event.KEY_TAB || event.keyCode==Event.KEY_RETURN)
return;
this.changed = true;
this.hasFocus = true;
if(this.observer) clearTimeout(this.observer);
this.observer =
setTimeout(this.onObserverEvent.bind(this), this.options.frequency*1000);
},
onHover: function(event) {
var element = Event.findElement(event, 'LI');
if(this.index != element.autocompleteIndex)
{
this.index = element.autocompleteIndex;
this.render();
}
Event.stop(event);
},
onClick: function(event) {
var element = Event.findElement(event, 'LI');
this.index = element.autocompleteIndex;
this.selectEntry();
this.hide();
},
onBlur: function(event) {
// needed to make click events working
setTimeout(this.hide.bind(this), 250);
this.hasFocus = false;
this.active = false;
},
render: function() {
if(this.entryCount > 0) {
for (var i = 0; i < this.entryCount; i++)
this.index==i ?
Element.addClassName(this.getEntry(i),"selected") :
Element.removeClassName(this.getEntry(i),"selected");
if(this.hasFocus) {
this.show();
this.active = true;
}
} else {
this.active = false;
this.hide();
}
},
markPrevious: function() {
if(this.index > 0) this.index--
else this.index = this.entryCount-1;
},
markNext: function() {
if(this.index < this.entryCount-1) this.index++
else this.index = 0;
},
getEntry: function(index) {
return this.update.firstChild.childNodes[index];
},
getCurrentEntry: function() {
return this.getEntry(this.index);
},
selectEntry: function() {
this.active = false;
this.updateElement(this.getCurrentEntry());
},
updateElement: function(selectedElement) {
if (this.options.updateElement) {
this.options.updateElement(selectedElement);
return;
}
var value = Element.collectTextNodesIgnoreClass(selectedElement, 'informal');
var lastTokenPos = this.findLastToken();
if (lastTokenPos != -1) {
var newValue = this.element.value.substr(0, lastTokenPos + 1);
var whitespace = this.element.value.substr(lastTokenPos + 1).match(/^\s+/);
if (whitespace)
newValue += whitespace[0];
this.element.value = newValue + value;
} else {
this.element.value = value;
}
this.element.focus();
if (this.options.afterUpdateElement)
this.options.afterUpdateElement(this.element, selectedElement);
},
updateChoices: function(choices) {
if(!this.changed && this.hasFocus) {
this.update.innerHTML = choices;
Element.cleanWhitespace(this.update);
Element.cleanWhitespace(this.update.firstChild);
if(this.update.firstChild && this.update.firstChild.childNodes) {
this.entryCount =
this.update.firstChild.childNodes.length;
for (var i = 0; i < this.entryCount; i++) {
var entry = this.getEntry(i);
entry.autocompleteIndex = i;
this.addObservers(entry);
}
} else {
this.entryCount = 0;
}
this.stopIndicator();
this.index = 0;
this.render();
}
},
addObservers: function(element) {
Event.observe(element, "mouseover", this.onHover.bindAsEventListener(this));
Event.observe(element, "click", this.onClick.bindAsEventListener(this));
},
onObserverEvent: function() {
this.changed = false;
if(this.getToken().length>=this.options.minChars) {
this.startIndicator();
this.getUpdatedChoices();
} else {
this.active = false;
this.hide();
}
},
getToken: function() {
var tokenPos = this.findLastToken();
if (tokenPos != -1)
var ret = this.element.value.substr(tokenPos + 1).replace(/^\s+/,'').replace(/\s+$/,'');
else
var ret = this.element.value;
return /\n/.test(ret) ? '' : ret;
},
findLastToken: function() {
var lastTokenPos = -1;
for (var i=0; i<this.options.tokens.length; i++) {
var thisTokenPos = this.element.value.lastIndexOf(this.options.tokens[i]);
if (thisTokenPos > lastTokenPos)
lastTokenPos = thisTokenPos;
}
return lastTokenPos;
}
}
Ajax.Autocompleter = Class.create();
Object.extend(Object.extend(Ajax.Autocompleter.prototype, Autocompleter.Base.prototype), {
initialize: function(element, update, url, options) {
this.baseInitialize(element, update, options);
this.options.asynchronous = true;
this.options.onComplete = this.onComplete.bind(this);
this.options.defaultParams = this.options.parameters || null;
this.url = url;
},
getUpdatedChoices: function() {
entry = encodeURIComponent(this.options.paramName) + '=' +
encodeURIComponent(this.getToken());
this.options.parameters = this.options.callback ?
this.options.callback(this.element, entry) : entry;
if(this.options.defaultParams)
this.options.parameters += '&' + this.options.defaultParams;
new Ajax.Request(this.url, this.options);
},
onComplete: function(request) {
this.updateChoices(request.responseText);
}
});
// The local array autocompleter. Used when you'd prefer to
// inject an array of autocompletion options into the page, rather
// than sending out Ajax queries, which can be quite slow sometimes.
//
// The constructor takes four parameters. The first two are, as usual,
// the id of the monitored textbox, and id of the autocompletion menu.
// The third is the array you want to autocomplete from, and the fourth
// is the options block.
//
// Extra local autocompletion options:
// - choices - How many autocompletion choices to offer
//
// - partialSearch - If false, the autocompleter will match entered
// text only at the beginning of strings in the
// autocomplete array. Defaults to true, which will
// match text at the beginning of any *word* in the
// strings in the autocomplete array. If you want to
// search anywhere in the string, additionally set
// the option fullSearch to true (default: off).
//
// - fullSsearch - Search anywhere in autocomplete array strings.
//
// - partialChars - How many characters to enter before triggering
// a partial match (unlike minChars, which defines
// how many characters are required to do any match
// at all). Defaults to 2.
//
// - ignoreCase - Whether to ignore case when autocompleting.
// Defaults to true.
//
// It's possible to pass in a custom function as the 'selector'
// option, if you prefer to write your own autocompletion logic.
// In that case, the other options above will not apply unless
// you support them.
Autocompleter.Local = Class.create();
Autocompleter.Local.prototype = Object.extend(new Autocompleter.Base(), {
initialize: function(element, update, array, options) {
this.baseInitialize(element, update, options);
this.options.array = array;
},
getUpdatedChoices: function() {
this.updateChoices(this.options.selector(this));
},
setOptions: function(options) {
this.options = Object.extend({
choices: 10,
partialSearch: true,
partialChars: 2,
ignoreCase: true,
fullSearch: false,
selector: function(instance) {
var ret = []; // Beginning matches
var partial = []; // Inside matches
var entry = instance.getToken();
var count = 0;
for (var i = 0; i < instance.options.array.length &&
ret.length < instance.options.choices ; i++) {
var elem = instance.options.array[i];
var foundPos = instance.options.ignoreCase ?
elem.toLowerCase().indexOf(entry.toLowerCase()) :
elem.indexOf(entry);
while (foundPos != -1) {
if (foundPos == 0 && elem.length != entry.length) {
ret.push("<li><strong>" + elem.substr(0, entry.length) + "</strong>" +
elem.substr(entry.length) + "</li>");
break;
} else if (entry.length >= instance.options.partialChars &&
instance.options.partialSearch && foundPos != -1) {
if (instance.options.fullSearch || /\s/.test(elem.substr(foundPos-1,1))) {
partial.push("<li>" + elem.substr(0, foundPos) + "<strong>" +
elem.substr(foundPos, entry.length) + "</strong>" + elem.substr(
foundPos + entry.length) + "</li>");
break;
}
}
foundPos = instance.options.ignoreCase ?
elem.toLowerCase().indexOf(entry.toLowerCase(), foundPos + 1) :
elem.indexOf(entry, foundPos + 1);
}
}
if (partial.length)
ret = ret.concat(partial.slice(0, instance.options.choices - ret.length))
return "<ul>" + ret.join('') + "</ul>";
}
}, options || {});
}
});
// AJAX in-place editor
//
// see documentation on http://wiki.script.aculo.us/scriptaculous/show/Ajax.InPlaceEditor
// Use this if you notice weird scrolling problems on some browsers,
// the DOM might be a bit confused when this gets called so do this
// waits 1 ms (with setTimeout) until it does the activation
Field.scrollFreeActivate = function(field) {
setTimeout(function() {
Field.activate(field);
}, 1);
}
Ajax.InPlaceEditor = Class.create();
Ajax.InPlaceEditor.defaultHighlightColor = "#FFFF99";
Ajax.InPlaceEditor.prototype = {
initialize: function(element, url, options) {
this.url = url;
this.element = $(element);
this.options = Object.extend({
okText: "ok",
cancelText: "cancel",
savingText: "Saving...",
clickToEditText: "Click to edit",
okText: "ok",
rows: 1,
onComplete: function(transport, element) {
new Effect.Highlight(element, {startcolor: this.options.highlightcolor});
},
onFailure: function(transport) {
alert("Error communicating with the server: " + transport.responseText.stripTags());
},
callback: function(form) {
return Form.serialize(form);
},
handleLineBreaks: true,
loadingText: 'Loading...',
savingClassName: 'inplaceeditor-saving',
loadingClassName: 'inplaceeditor-loading',
formClassName: 'inplaceeditor-form',
highlightcolor: Ajax.InPlaceEditor.defaultHighlightColor,
highlightendcolor: "#FFFFFF",
externalControl: null,
ajaxOptions: {}
}, options || {});
if(!this.options.formId && this.element.id) {
this.options.formId = this.element.id + "-inplaceeditor";
if ($(this.options.formId)) {
// there's already a form with that name, don't specify an id
this.options.formId = null;
}
}
if (this.options.externalControl) {
this.options.externalControl = $(this.options.externalControl);
}
this.originalBackground = Element.getStyle(this.element, 'background-color');
if (!this.originalBackground) {
this.originalBackground = "transparent";
}
this.element.title = this.options.clickToEditText;
this.onclickListener = this.enterEditMode.bindAsEventListener(this);
this.mouseoverListener = this.enterHover.bindAsEventListener(this);
this.mouseoutListener = this.leaveHover.bindAsEventListener(this);
Event.observe(this.element, 'click', this.onclickListener);
Event.observe(this.element, 'mouseover', this.mouseoverListener);
Event.observe(this.element, 'mouseout', this.mouseoutListener);
if (this.options.externalControl) {
Event.observe(this.options.externalControl, 'click', this.onclickListener);
Event.observe(this.options.externalControl, 'mouseover', this.mouseoverListener);
Event.observe(this.options.externalControl, 'mouseout', this.mouseoutListener);
}
},
enterEditMode: function(evt) {
if (this.saving) return;
if (this.editing) return;
this.editing = true;
this.onEnterEditMode();
if (this.options.externalControl) {
Element.hide(this.options.externalControl);
}
Element.hide(this.element);
this.createForm();
this.element.parentNode.insertBefore(this.form, this.element);
Field.scrollFreeActivate(this.editField);
// stop the event to avoid a page refresh in Safari
if (evt) {
Event.stop(evt);
}
return false;
},
createForm: function() {
this.form = document.createElement("form");
this.form.id = this.options.formId;
Element.addClassName(this.form, this.options.formClassName)
this.form.onsubmit = this.onSubmit.bind(this);
this.createEditField();
if (this.options.textarea) {
var br = document.createElement("br");
this.form.appendChild(br);
}
okButton = document.createElement("input");
okButton.type = "submit";
okButton.value = this.options.okText;
this.form.appendChild(okButton);
cancelLink = document.createElement("a");
cancelLink.href = "#";
cancelLink.appendChild(document.createTextNode(this.options.cancelText));
cancelLink.onclick = this.onclickCancel.bind(this);
this.form.appendChild(cancelLink);
},
hasHTMLLineBreaks: function(string) {
if (!this.options.handleLineBreaks) return false;
return string.match(/<br/i) || string.match(/<p>/i);
},
convertHTMLLineBreaks: function(string) {
return string.replace(/<br>/gi, "\n").replace(/<br\/>/gi, "\n").replace(/<\/p>/gi, "\n").replace(/<p>/gi, "");
},
createEditField: function() {
var text;
if(this.options.loadTextURL) {
text = this.options.loadingText;
} else {
text = this.getText();
}
if (this.options.rows == 1 && !this.hasHTMLLineBreaks(text)) {
this.options.textarea = false;
var textField = document.createElement("input");
textField.type = "text";
textField.name = "value";
textField.value = text;
textField.style.backgroundColor = this.options.highlightcolor;
var size = this.options.size || this.options.cols || 0;
if (size != 0) textField.size = size;
this.editField = textField;
} else {
this.options.textarea = true;
var textArea = document.createElement("textarea");
textArea.name = "value";
textArea.value = this.convertHTMLLineBreaks(text);
textArea.rows = this.options.rows;
textArea.cols = this.options.cols || 40;
this.editField = textArea;
}
if(this.options.loadTextURL) {
this.loadExternalText();
}
this.form.appendChild(this.editField);
},
getText: function() {
return this.element.innerHTML;
},
loadExternalText: function() {
Element.addClassName(this.form, this.options.loadingClassName);
this.editField.disabled = true;
new Ajax.Request(
this.options.loadTextURL,
Object.extend({
asynchronous: true,
onComplete: this.onLoadedExternalText.bind(this)
}, this.options.ajaxOptions)
);
},
onLoadedExternalText: function(transport) {
Element.removeClassName(this.form, this.options.loadingClassName);
this.editField.disabled = false;
this.editField.value = transport.responseText.stripTags();
},
onclickCancel: function() {
this.onComplete();
this.leaveEditMode();
return false;
},
onFailure: function(transport) {
this.options.onFailure(transport);
if (this.oldInnerHTML) {
this.element.innerHTML = this.oldInnerHTML;
this.oldInnerHTML = null;
}
return false;
},
onSubmit: function() {
// onLoading resets these so we need to save them away for the Ajax call
var form = this.form;
var value = this.editField.value;
// do this first, sometimes the ajax call returns before we get a chance to switch on Saving...
// which means this will actually switch on Saving... *after* we've left edit mode causing Saving...
// to be displayed indefinitely
this.onLoading();
new Ajax.Updater(
{
success: this.element,
// don't update on failure (this could be an option)
failure: null
},
this.url,
Object.extend({
parameters: this.options.callback(form, value),
onComplete: this.onComplete.bind(this),
onFailure: this.onFailure.bind(this)
}, this.options.ajaxOptions)
);
// stop the event to avoid a page refresh in Safari
if (arguments.length > 1) {
Event.stop(arguments[0]);
}
return false;
},
onLoading: function() {
this.saving = true;
this.removeForm();
this.leaveHover();
this.showSaving();
},
showSaving: function() {
this.oldInnerHTML = this.element.innerHTML;
this.element.innerHTML = this.options.savingText;
Element.addClassName(this.element, this.options.savingClassName);
this.element.style.backgroundColor = this.originalBackground;
Element.show(this.element);
},
removeForm: function() {
if(this.form) {
if (this.form.parentNode) Element.remove(this.form);
this.form = null;
}
},
enterHover: function() {
if (this.saving) return;
this.element.style.backgroundColor = this.options.highlightcolor;
if (this.effect) {
this.effect.cancel();
}
Element.addClassName(this.element, this.options.hoverClassName)
},
leaveHover: function() {
if (this.options.backgroundColor) {
this.element.style.backgroundColor = this.oldBackground;
}
Element.removeClassName(this.element, this.options.hoverClassName)
if (this.saving) return;
this.effect = new Effect.Highlight(this.element, {
startcolor: this.options.highlightcolor,
endcolor: this.options.highlightendcolor,
restorecolor: this.originalBackground
});
},
leaveEditMode: function() {
Element.removeClassName(this.element, this.options.savingClassName);
this.removeForm();
this.leaveHover();
this.element.style.backgroundColor = this.originalBackground;
Element.show(this.element);
if (this.options.externalControl) {
Element.show(this.options.externalControl);
}
this.editing = false;
this.saving = false;
this.oldInnerHTML = null;
this.onLeaveEditMode();
},
onComplete: function(transport) {
this.leaveEditMode();
this.options.onComplete.bind(this)(transport, this.element);
},
onEnterEditMode: function() {},
onLeaveEditMode: function() {},
dispose: function() {
if (this.oldInnerHTML) {
this.element.innerHTML = this.oldInnerHTML;
}
this.leaveEditMode();
Event.stopObserving(this.element, 'click', this.onclickListener);
Event.stopObserving(this.element, 'mouseover', this.mouseoverListener);
Event.stopObserving(this.element, 'mouseout', this.mouseoutListener);
if (this.options.externalControl) {
Event.stopObserving(this.options.externalControl, 'click', this.onclickListener);
Event.stopObserving(this.options.externalControl, 'mouseover', this.mouseoverListener);
Event.stopObserving(this.options.externalControl, 'mouseout', this.mouseoutListener);
}
}
};
// Delayed observer, like Form.Element.Observer,
// but waits for delay after last key input
// Ideal for live-search fields
Form.Element.DelayedObserver = Class.create();
Form.Element.DelayedObserver.prototype = {
initialize: function(element, delay, callback) {
this.delay = delay || 0.5;
this.element = $(element);
this.callback = callback;
this.timer = null;
this.lastValue = $F(this.element);
Event.observe(this.element,'keyup',this.delayedListener.bindAsEventListener(this));
},
delayedListener: function(event) {
if(this.lastValue == $F(this.element)) return;
if(this.timer) clearTimeout(this.timer);
this.timer = setTimeout(this.onTimerEvent.bind(this), this.delay * 1000);
this.lastValue = $F(this.element);
},
onTimerEvent: function() {
this.timer = null;
this.callback(this.element, $F(this.element));
}
};

@ -0,0 +1,584 @@
// Copyright (c) 2005 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
//
// See scriptaculous.js for full license.
/*--------------------------------------------------------------------------*/
var Droppables = {
drops: [],
remove: function(element) {
this.drops = this.drops.reject(function(d) { return d.element==$(element) });
},
add: function(element) {
element = $(element);
var options = Object.extend({
greedy: true,
hoverclass: null
}, arguments[1] || {});
// cache containers
if(options.containment) {
options._containers = [];
var containment = options.containment;
if((typeof containment == 'object') &&
(containment.constructor == Array)) {
containment.each( function(c) { options._containers.push($(c)) });
} else {
options._containers.push($(containment));
}
}
if(options.accept) options.accept = [options.accept].flatten();
Element.makePositioned(element); // fix IE
options.element = element;
this.drops.push(options);
},
isContained: function(element, drop) {
var parentNode = element.parentNode;
return drop._containers.detect(function(c) { return parentNode == c });
},
isAffected: function(point, element, drop) {
return (
(drop.element!=element) &&
((!drop._containers) ||
this.isContained(element, drop)) &&
((!drop.accept) ||
(Element.classNames(element).detect(
function(v) { return drop.accept.include(v) } ) )) &&
Position.within(drop.element, point[0], point[1]) );
},
deactivate: function(drop) {
if(drop.hoverclass)
Element.removeClassName(drop.element, drop.hoverclass);
this.last_active = null;
},
activate: function(drop) {
if(drop.hoverclass)
Element.addClassName(drop.element, drop.hoverclass);
this.last_active = drop;
},
show: function(point, element) {
if(!this.drops.length) return;
if(this.last_active) this.deactivate(this.last_active);
this.drops.each( function(drop) {
if(Droppables.isAffected(point, element, drop)) {
if(drop.onHover)
drop.onHover(element, drop.element, Position.overlap(drop.overlap, drop.element));
if(drop.greedy) {
Droppables.activate(drop);
throw $break;
}
}
});
},
fire: function(event, element) {
if(!this.last_active) return;
Position.prepare();
if (this.isAffected([Event.pointerX(event), Event.pointerY(event)], element, this.last_active))
if (this.last_active.onDrop)
this.last_active.onDrop(element, this.last_active.element, event);
},
reset: function() {
if(this.last_active)
this.deactivate(this.last_active);
}
}
var Draggables = {
drags: [],
observers: [],
register: function(draggable) {
if(this.drags.length == 0) {
this.eventMouseUp = this.endDrag.bindAsEventListener(this);
this.eventMouseMove = this.updateDrag.bindAsEventListener(this);
this.eventKeypress = this.keyPress.bindAsEventListener(this);
Event.observe(document, "mouseup", this.eventMouseUp);
Event.observe(document, "mousemove", this.eventMouseMove);
Event.observe(document, "keypress", this.eventKeypress);
}
this.drags.push(draggable);
},
unregister: function(draggable) {
this.drags = this.drags.reject(function(d) { return d==draggable });
if(this.drags.length == 0) {
Event.stopObserving(document, "mouseup", this.eventMouseUp);
Event.stopObserving(document, "mousemove", this.eventMouseMove);
Event.stopObserving(document, "keypress", this.eventKeypress);
}
},
activate: function(draggable) {
window.focus(); // allows keypress events if window isn't currently focused, fails for Safari
this.activeDraggable = draggable;
},
deactivate: function(draggbale) {
this.activeDraggable = null;
},
updateDrag: function(event) {
if(!this.activeDraggable) return;
var pointer = [Event.pointerX(event), Event.pointerY(event)];
// Mozilla-based browsers fire successive mousemove events with
// the same coordinates, prevent needless redrawing (moz bug?)
if(this._lastPointer && (this._lastPointer.inspect() == pointer.inspect())) return;
this._lastPointer = pointer;
this.activeDraggable.updateDrag(event, pointer);
},
endDrag: function(event) {
if(!this.activeDraggable) return;
this._lastPointer = null;
this.activeDraggable.endDrag(event);
},
keyPress: function(event) {
if(this.activeDraggable)
this.activeDraggable.keyPress(event);
},
addObserver: function(observer) {
this.observers.push(observer);
this._cacheObserverCallbacks();
},
removeObserver: function(element) { // element instead of observer fixes mem leaks
this.observers = this.observers.reject( function(o) { return o.element==element });
this._cacheObserverCallbacks();
},
notify: function(eventName, draggable, event) { // 'onStart', 'onEnd', 'onDrag'
if(this[eventName+'Count'] > 0)
this.observers.each( function(o) {
if(o[eventName]) o[eventName](eventName, draggable, event);
});
},
_cacheObserverCallbacks: function() {
['onStart','onEnd','onDrag'].each( function(eventName) {
Draggables[eventName+'Count'] = Draggables.observers.select(
function(o) { return o[eventName]; }
).length;
});
}
}
/*--------------------------------------------------------------------------*/
var Draggable = Class.create();
Draggable.prototype = {
initialize: function(element) {
var options = Object.extend({
handle: false,
starteffect: function(element) {
new Effect.Opacity(element, {duration:0.2, from:1.0, to:0.7});
},
reverteffect: function(element, top_offset, left_offset) {
var dur = Math.sqrt(Math.abs(top_offset^2)+Math.abs(left_offset^2))*0.02;
element._revert = new Effect.MoveBy(element, -top_offset, -left_offset, {duration:dur});
},
endeffect: function(element) {
new Effect.Opacity(element, {duration:0.2, from:0.7, to:1.0});
},
zindex: 1000,
revert: false,
snap: false // false, or xy or [x,y] or function(x,y){ return [x,y] }
}, arguments[1] || {});
this.element = $(element);
if(options.handle && (typeof options.handle == 'string'))
this.handle = Element.childrenWithClassName(this.element, options.handle)[0];
if(!this.handle) this.handle = $(options.handle);
if(!this.handle) this.handle = this.element;
Element.makePositioned(this.element); // fix IE
this.delta = this.currentDelta();
this.options = options;
this.dragging = false;
this.eventMouseDown = this.initDrag.bindAsEventListener(this);
Event.observe(this.handle, "mousedown", this.eventMouseDown);
Draggables.register(this);
},
destroy: function() {
Event.stopObserving(this.handle, "mousedown", this.eventMouseDown);
Draggables.unregister(this);
},
currentDelta: function() {
return([
parseInt(this.element.style.left || '0'),
parseInt(this.element.style.top || '0')]);
},
initDrag: function(event) {
if(Event.isLeftClick(event)) {
// abort on form elements, fixes a Firefox issue
var src = Event.element(event);
if(src.tagName && (
src.tagName=='INPUT' ||
src.tagName=='SELECT' ||
src.tagName=='BUTTON' ||
src.tagName=='TEXTAREA')) return;
if(this.element._revert) {
this.element._revert.cancel();
this.element._revert = null;
}
var pointer = [Event.pointerX(event), Event.pointerY(event)];
var pos = Position.cumulativeOffset(this.element);
this.offset = [0,1].map( function(i) { return (pointer[i] - pos[i]) });
Draggables.activate(this);
Event.stop(event);
}
},
startDrag: function(event) {
this.dragging = true;
if(this.options.zindex) {
this.originalZ = parseInt(Element.getStyle(this.element,'z-index') || 0);
this.element.style.zIndex = this.options.zindex;
}
if(this.options.ghosting) {
this._clone = this.element.cloneNode(true);
Position.absolutize(this.element);
this.element.parentNode.insertBefore(this._clone, this.element);
}
Draggables.notify('onStart', this, event);
if(this.options.starteffect) this.options.starteffect(this.element);
},
updateDrag: function(event, pointer) {
if(!this.dragging) this.startDrag(event);
Position.prepare();
Droppables.show(pointer, this.element);
Draggables.notify('onDrag', this, event);
this.draw(pointer);
if(this.options.change) this.options.change(this);
// fix AppleWebKit rendering
if(navigator.appVersion.indexOf('AppleWebKit')>0) window.scrollBy(0,0);
Event.stop(event);
},
finishDrag: function(event, success) {
this.dragging = false;
if(this.options.ghosting) {
Position.relativize(this.element);
Element.remove(this._clone);
this._clone = null;
}
if(success) Droppables.fire(event, this.element);
Draggables.notify('onEnd', this, event);
var revert = this.options.revert;
if(revert && typeof revert == 'function') revert = revert(this.element);
var d = this.currentDelta();
if(revert && this.options.reverteffect) {
this.options.reverteffect(this.element,
d[1]-this.delta[1], d[0]-this.delta[0]);
} else {
this.delta = d;
}
if(this.options.zindex)
this.element.style.zIndex = this.originalZ;
if(this.options.endeffect)
this.options.endeffect(this.element);
Draggables.deactivate(this);
Droppables.reset();
},
keyPress: function(event) {
if(!event.keyCode==Event.KEY_ESC) return;
this.finishDrag(event, false);
Event.stop(event);
},
endDrag: function(event) {
if(!this.dragging) return;
this.finishDrag(event, true);
Event.stop(event);
},
draw: function(point) {
var pos = Position.cumulativeOffset(this.element);
var d = this.currentDelta();
pos[0] -= d[0]; pos[1] -= d[1];
var p = [0,1].map(function(i){ return (point[i]-pos[i]-this.offset[i]) }.bind(this));
if(this.options.snap) {
if(typeof this.options.snap == 'function') {
p = this.options.snap(p[0],p[1]);
} else {
if(this.options.snap instanceof Array) {
p = p.map( function(v, i) {
return Math.round(v/this.options.snap[i])*this.options.snap[i] }.bind(this))
} else {
p = p.map( function(v) {
return Math.round(v/this.options.snap)*this.options.snap }.bind(this))
}
}}
var style = this.element.style;
if((!this.options.constraint) || (this.options.constraint=='horizontal'))
style.left = p[0] + "px";
if((!this.options.constraint) || (this.options.constraint=='vertical'))
style.top = p[1] + "px";
if(style.visibility=="hidden") style.visibility = ""; // fix gecko rendering
}
}
/*--------------------------------------------------------------------------*/
var SortableObserver = Class.create();
SortableObserver.prototype = {
initialize: function(element, observer) {
this.element = $(element);
this.observer = observer;
this.lastValue = Sortable.serialize(this.element);
},
onStart: function() {
this.lastValue = Sortable.serialize(this.element);
},
onEnd: function() {
Sortable.unmark();
if(this.lastValue != Sortable.serialize(this.element))
this.observer(this.element)
}
}
var Sortable = {
sortables: new Array(),
options: function(element){
element = $(element);
return this.sortables.detect(function(s) { return s.element == element });
},
destroy: function(element){
element = $(element);
this.sortables.findAll(function(s) { return s.element == element }).each(function(s){
Draggables.removeObserver(s.element);
s.droppables.each(function(d){ Droppables.remove(d) });
s.draggables.invoke('destroy');
});
this.sortables = this.sortables.reject(function(s) { return s.element == element });
},
create: function(element) {
element = $(element);
var options = Object.extend({
element: element,
tag: 'li', // assumes li children, override with tag: 'tagname'
dropOnEmpty: false,
tree: false, // fixme: unimplemented
overlap: 'vertical', // one of 'vertical', 'horizontal'
constraint: 'vertical', // one of 'vertical', 'horizontal', false
containment: element, // also takes array of elements (or id's); or false
handle: false, // or a CSS class
only: false,
hoverclass: null,
ghosting: false,
format: null,
onChange: Prototype.emptyFunction,
onUpdate: Prototype.emptyFunction
}, arguments[1] || {});
// clear any old sortable with same element
this.destroy(element);
// build options for the draggables
var options_for_draggable = {
revert: true,
ghosting: options.ghosting,
constraint: options.constraint,
handle: options.handle };
if(options.starteffect)
options_for_draggable.starteffect = options.starteffect;
if(options.reverteffect)
options_for_draggable.reverteffect = options.reverteffect;
else
if(options.ghosting) options_for_draggable.reverteffect = function(element) {
element.style.top = 0;
element.style.left = 0;
};
if(options.endeffect)
options_for_draggable.endeffect = options.endeffect;
if(options.zindex)
options_for_draggable.zindex = options.zindex;
// build options for the droppables
var options_for_droppable = {
overlap: options.overlap,
containment: options.containment,
hoverclass: options.hoverclass,
onHover: Sortable.onHover,
greedy: !options.dropOnEmpty
}
// fix for gecko engine
Element.cleanWhitespace(element);
options.draggables = [];
options.droppables = [];
// make it so
// drop on empty handling
if(options.dropOnEmpty) {
Droppables.add(element,
{containment: options.containment, onHover: Sortable.onEmptyHover, greedy: false});
options.droppables.push(element);
}
(this.findElements(element, options) || []).each( function(e) {
// handles are per-draggable
var handle = options.handle ?
Element.childrenWithClassName(e, options.handle)[0] : e;
options.draggables.push(
new Draggable(e, Object.extend(options_for_draggable, { handle: handle })));
Droppables.add(e, options_for_droppable);
options.droppables.push(e);
});
// keep reference
this.sortables.push(options);
// for onupdate
Draggables.addObserver(new SortableObserver(element, options.onUpdate));
},
// return all suitable-for-sortable elements in a guaranteed order
findElements: function(element, options) {
if(!element.hasChildNodes()) return null;
var elements = [];
$A(element.childNodes).each( function(e) {
if(e.tagName && e.tagName.toUpperCase()==options.tag.toUpperCase() &&
(!options.only || (Element.hasClassName(e, options.only))))
elements.push(e);
if(options.tree) {
var grandchildren = this.findElements(e, options);
if(grandchildren) elements.push(grandchildren);
}
});
return (elements.length>0 ? elements.flatten() : null);
},
onHover: function(element, dropon, overlap) {
if(overlap>0.5) {
Sortable.mark(dropon, 'before');
if(dropon.previousSibling != element) {
var oldParentNode = element.parentNode;
element.style.visibility = "hidden"; // fix gecko rendering
dropon.parentNode.insertBefore(element, dropon);
if(dropon.parentNode!=oldParentNode)
Sortable.options(oldParentNode).onChange(element);
Sortable.options(dropon.parentNode).onChange(element);
}
} else {
Sortable.mark(dropon, 'after');
var nextElement = dropon.nextSibling || null;
if(nextElement != element) {
var oldParentNode = element.parentNode;
element.style.visibility = "hidden"; // fix gecko rendering
dropon.parentNode.insertBefore(element, nextElement);
if(dropon.parentNode!=oldParentNode)
Sortable.options(oldParentNode).onChange(element);
Sortable.options(dropon.parentNode).onChange(element);
}
}
},
onEmptyHover: function(element, dropon) {
if(element.parentNode!=dropon) {
var oldParentNode = element.parentNode;
dropon.appendChild(element);
Sortable.options(oldParentNode).onChange(element);
Sortable.options(dropon).onChange(element);
}
},
unmark: function() {
if(Sortable._marker) Element.hide(Sortable._marker);
},
mark: function(dropon, position) {
// mark on ghosting only
var sortable = Sortable.options(dropon.parentNode);
if(sortable && !sortable.ghosting) return;
if(!Sortable._marker) {
Sortable._marker = $('dropmarker') || document.createElement('DIV');
Element.hide(Sortable._marker);
Element.addClassName(Sortable._marker, 'dropmarker');
Sortable._marker.style.position = 'absolute';
document.getElementsByTagName("body").item(0).appendChild(Sortable._marker);
}
var offsets = Position.cumulativeOffset(dropon);
Sortable._marker.style.left = offsets[0] + 'px';
Sortable._marker.style.top = offsets[1] + 'px';
if(position=='after')
if(sortable.overlap == 'horizontal')
Sortable._marker.style.left = (offsets[0]+dropon.clientWidth) + 'px';
else
Sortable._marker.style.top = (offsets[1]+dropon.clientHeight) + 'px';
Element.show(Sortable._marker);
},
serialize: function(element) {
element = $(element);
var sortableOptions = this.options(element);
var options = Object.extend({
tag: sortableOptions.tag,
only: sortableOptions.only,
name: element.id,
format: sortableOptions.format || /^[^_]*_(.*)$/
}, arguments[1] || {});
return $(this.findElements(element, options) || []).map( function(item) {
return (encodeURIComponent(options.name) + "[]=" +
encodeURIComponent(item.id.match(options.format) ? item.id.match(options.format)[1] : ''));
}).join("&");
}
}

@ -0,0 +1,854 @@
// Copyright (c) 2005 Thomas Fuchs (http://script.aculo.us, http://mir.aculo.us)
// Contributors:
// Justin Palmer (http://encytemedia.com/)
// Mark Pilgrim (http://diveintomark.org/)
// Martin Bialasinki
//
// See scriptaculous.js for full license.
/* ------------- element ext -------------- */
// converts rgb() and #xxx to #xxxxxx format,
// returns self (or first argument) if not convertable
String.prototype.parseColor = function() {
var color = '#';
if(this.slice(0,4) == 'rgb(') {
var cols = this.slice(4,this.length-1).split(',');
var i=0; do { color += parseInt(cols[i]).toColorPart() } while (++i<3);
} else {
if(this.slice(0,1) == '#') {
if(this.length==4) for(var i=1;i<4;i++) color += (this.charAt(i) + this.charAt(i)).toLowerCase();
if(this.length==7) color = this.toLowerCase();
}
}
return(color.length==7 ? color : (arguments[0] || this));
}
Element.collectTextNodesIgnoreClass = function(element, ignoreclass) {
var children = $(element).childNodes;
var text = '';
var classtest = new RegExp('^([^ ]+ )*' + ignoreclass+ '( [^ ]+)*$','i');
for (var i = 0; i < children.length; i++) {
if(children[i].nodeType==3) {
text+=children[i].nodeValue;
} else {
if((!children[i].className.match(classtest)) && children[i].hasChildNodes())
text += Element.collectTextNodesIgnoreClass(children[i], ignoreclass);
}
}
return text;
}
Element.setStyle = function(element, style) {
element = $(element);
for(k in style) element.style[k.camelize()] = style[k];
}
Element.setContentZoom = function(element, percent) {
Element.setStyle(element, {fontSize: (percent/100) + 'em'});
if(navigator.appVersion.indexOf('AppleWebKit')>0) window.scrollBy(0,0);
}
Element.getOpacity = function(element){
var opacity;
if (opacity = Element.getStyle(element, 'opacity'))
return parseFloat(opacity);
if (opacity = (Element.getStyle(element, 'filter') || '').match(/alpha\(opacity=(.*)\)/))
if(opacity[1]) return parseFloat(opacity[1]) / 100;
return 1.0;
}
Element.setOpacity = function(element, value){
element= $(element);
if (value == 1){
Element.setStyle(element, { opacity:
(/Gecko/.test(navigator.userAgent) && !/Konqueror|Safari|KHTML/.test(navigator.userAgent)) ?
0.999999 : null });
if(/MSIE/.test(navigator.userAgent))
Element.setStyle(element, {filter: Element.getStyle(element,'filter').replace(/alpha\([^\)]*\)/gi,'')});
} else {
if(value < 0.00001) value = 0;
Element.setStyle(element, {opacity: value});
if(/MSIE/.test(navigator.userAgent))
Element.setStyle(element,
{ filter: Element.getStyle(element,'filter').replace(/alpha\([^\)]*\)/gi,'') +
'alpha(opacity='+value*100+')' });
}
}
Element.getInlineOpacity = function(element){
return $(element).style.opacity || '';
}
Element.childrenWithClassName = function(element, className) {
return $A($(element).getElementsByTagName('*')).select(
function(c) { return Element.hasClassName(c, className) });
}
Array.prototype.call = function() {
var args = arguments;
this.each(function(f){ f.apply(this, args) });
}
/*--------------------------------------------------------------------------*/
var Effect = {
tagifyText: function(element) {
var tagifyStyle = 'position:relative';
if(/MSIE/.test(navigator.userAgent)) tagifyStyle += ';zoom:1';
element = $(element);
$A(element.childNodes).each( function(child) {
if(child.nodeType==3) {
child.nodeValue.toArray().each( function(character) {
element.insertBefore(
Builder.node('span',{style: tagifyStyle},
character == ' ' ? String.fromCharCode(160) : character),
child);
});
Element.remove(child);
}
});
},
multiple: function(element, effect) {
var elements;
if(((typeof element == 'object') ||
(typeof element == 'function')) &&
(element.length))
elements = element;
else
elements = $(element).childNodes;
var options = Object.extend({
speed: 0.1,
delay: 0.0
}, arguments[2] || {});
var masterDelay = options.delay;
$A(elements).each( function(element, index) {
new effect(element, Object.extend(options, { delay: index * options.speed + masterDelay }));
});
}
};
var Effect2 = Effect; // deprecated
/* ------------- transitions ------------- */
Effect.Transitions = {}
Effect.Transitions.linear = function(pos) {
return pos;
}
Effect.Transitions.sinoidal = function(pos) {
return (-Math.cos(pos*Math.PI)/2) + 0.5;
}
Effect.Transitions.reverse = function(pos) {
return 1-pos;
}
Effect.Transitions.flicker = function(pos) {
return ((-Math.cos(pos*Math.PI)/4) + 0.75) + Math.random()/4;
}
Effect.Transitions.wobble = function(pos) {
return (-Math.cos(pos*Math.PI*(9*pos))/2) + 0.5;
}
Effect.Transitions.pulse = function(pos) {
return (Math.floor(pos*10) % 2 == 0 ?
(pos*10-Math.floor(pos*10)) : 1-(pos*10-Math.floor(pos*10)));
}
Effect.Transitions.none = function(pos) {
return 0;
}
Effect.Transitions.full = function(pos) {
return 1;
}
/* ------------- core effects ------------- */
Effect.Queue = {
effects: [],
_each: function(iterator) {
this.effects._each(iterator);
},
interval: null,
add: function(effect) {
var timestamp = new Date().getTime();
switch(effect.options.queue) {
case 'front':
// move unstarted effects after this effect
this.effects.findAll(function(e){ return e.state=='idle' }).each( function(e) {
e.startOn += effect.finishOn;
e.finishOn += effect.finishOn;
});
break;
case 'end':
// start effect after last queued effect has finished
timestamp = this.effects.pluck('finishOn').max() || timestamp;
break;
}
effect.startOn += timestamp;
effect.finishOn += timestamp;
this.effects.push(effect);
if(!this.interval)
this.interval = setInterval(this.loop.bind(this), 40);
},
remove: function(effect) {
this.effects = this.effects.reject(function(e) { return e==effect });
if(this.effects.length == 0) {
clearInterval(this.interval);
this.interval = null;
}
},
loop: function() {
var timePos = new Date().getTime();
this.effects.invoke('loop', timePos);
}
}
Object.extend(Effect.Queue, Enumerable);
Effect.Base = function() {};
Effect.Base.prototype = {
position: null,
setOptions: function(options) {
this.options = Object.extend({
transition: Effect.Transitions.sinoidal,
duration: 1.0, // seconds
fps: 25.0, // max. 25fps due to Effect.Queue implementation
sync: false, // true for combining
from: 0.0,
to: 1.0,
delay: 0.0,
queue: 'parallel'
}, options || {});
},
start: function(options) {
this.setOptions(options || {});
this.currentFrame = 0;
this.state = 'idle';
this.startOn = this.options.delay*1000;
this.finishOn = this.startOn + (this.options.duration*1000);
this.event('beforeStart');
if(!this.options.sync) Effect.Queue.add(this);
},
loop: function(timePos) {
if(timePos >= this.startOn) {
if(timePos >= this.finishOn) {
this.render(1.0);
this.cancel();
this.event('beforeFinish');
if(this.finish) this.finish();
this.event('afterFinish');
return;
}
var pos = (timePos - this.startOn) / (this.finishOn - this.startOn);
var frame = Math.round(pos * this.options.fps * this.options.duration);
if(frame > this.currentFrame) {
this.render(pos);
this.currentFrame = frame;
}
}
},
render: function(pos) {
if(this.state == 'idle') {
this.state = 'running';
this.event('beforeSetup');
if(this.setup) this.setup();
this.event('afterSetup');
}
if(this.state == 'running') {
if(this.options.transition) pos = this.options.transition(pos);
pos *= (this.options.to-this.options.from);
pos += this.options.from;
this.position = pos;
this.event('beforeUpdate');
if(this.update) this.update(pos);
this.event('afterUpdate');
}
},
cancel: function() {
if(!this.options.sync) Effect.Queue.remove(this);
this.state = 'finished';
},
event: function(eventName) {
if(this.options[eventName + 'Internal']) this.options[eventName + 'Internal'](this);
if(this.options[eventName]) this.options[eventName](this);
},
inspect: function() {
return '#<Effect:' + $H(this).inspect() + ',options:' + $H(this.options).inspect() + '>';
}
}
Effect.Parallel = Class.create();
Object.extend(Object.extend(Effect.Parallel.prototype, Effect.Base.prototype), {
initialize: function(effects) {
this.effects = effects || [];
this.start(arguments[1]);
},
update: function(position) {
this.effects.invoke('render', position);
},
finish: function(position) {
this.effects.each( function(effect) {
effect.render(1.0);
effect.cancel();
effect.event('beforeFinish');
if(effect.finish) effect.finish(position);
effect.event('afterFinish');
});
}
});
Effect.Opacity = Class.create();
Object.extend(Object.extend(Effect.Opacity.prototype, Effect.Base.prototype), {
initialize: function(element) {
this.element = $(element);
// make this work on IE on elements without 'layout'
if(/MSIE/.test(navigator.userAgent) && (!this.element.hasLayout))
Element.setStyle(this.element, {zoom: 1});
var options = Object.extend({
from: Element.getOpacity(this.element) || 0.0,
to: 1.0
}, arguments[1] || {});
this.start(options);
},
update: function(position) {
Element.setOpacity(this.element, position);
}
});
Effect.MoveBy = Class.create();
Object.extend(Object.extend(Effect.MoveBy.prototype, Effect.Base.prototype), {
initialize: function(element, toTop, toLeft) {
this.element = $(element);
this.toTop = toTop;
this.toLeft = toLeft;
this.start(arguments[3]);
},
setup: function() {
// Bug in Opera: Opera returns the "real" position of a static element or
// relative element that does not have top/left explicitly set.
// ==> Always set top and left for position relative elements in your stylesheets
// (to 0 if you do not need them)
Element.makePositioned(this.element);
this.originalTop = parseFloat(Element.getStyle(this.element,'top') || '0');
this.originalLeft = parseFloat(Element.getStyle(this.element,'left') || '0');
},
update: function(position) {
Element.setStyle(this.element, {
top: this.toTop * position + this.originalTop + 'px',
left: this.toLeft * position + this.originalLeft + 'px'
});
}
});
Effect.Scale = Class.create();
Object.extend(Object.extend(Effect.Scale.prototype, Effect.Base.prototype), {
initialize: function(element, percent) {
this.element = $(element)
var options = Object.extend({
scaleX: true,
scaleY: true,
scaleContent: true,
scaleFromCenter: false,
scaleMode: 'box', // 'box' or 'contents' or {} with provided values
scaleFrom: 100.0,
scaleTo: percent
}, arguments[2] || {});
this.start(options);
},
setup: function() {
this.restoreAfterFinish = this.options.restoreAfterFinish || false;
this.elementPositioning = Element.getStyle(this.element,'position');
this.originalStyle = {};
['top','left','width','height','fontSize'].each( function(k) {
this.originalStyle[k] = this.element.style[k];
}.bind(this));
this.originalTop = this.element.offsetTop;
this.originalLeft = this.element.offsetLeft;
var fontSize = Element.getStyle(this.element,'font-size') || '100%';
['em','px','%'].each( function(fontSizeType) {
if(fontSize.indexOf(fontSizeType)>0) {
this.fontSize = parseFloat(fontSize);
this.fontSizeType = fontSizeType;
}
}.bind(this));
this.factor = (this.options.scaleTo - this.options.scaleFrom)/100;
this.dims = null;
if(this.options.scaleMode=='box')
this.dims = [this.element.offsetHeight, this.element.offsetWidth];
if(/^content/.test(this.options.scaleMode))
this.dims = [this.element.scrollHeight, this.element.scrollWidth];
if(!this.dims)
this.dims = [this.options.scaleMode.originalHeight,
this.options.scaleMode.originalWidth];
},
update: function(position) {
var currentScale = (this.options.scaleFrom/100.0) + (this.factor * position);
if(this.options.scaleContent && this.fontSize)
Element.setStyle(this.element, {fontSize: this.fontSize * currentScale + this.fontSizeType });
this.setDimensions(this.dims[0] * currentScale, this.dims[1] * currentScale);
},
finish: function(position) {
if (this.restoreAfterFinish) Element.setStyle(this.element, this.originalStyle);
},
setDimensions: function(height, width) {
var d = {};
if(this.options.scaleX) d.width = width + 'px';
if(this.options.scaleY) d.height = height + 'px';
if(this.options.scaleFromCenter) {
var topd = (height - this.dims[0])/2;
var leftd = (width - this.dims[1])/2;
if(this.elementPositioning == 'absolute') {
if(this.options.scaleY) d.top = this.originalTop-topd + 'px';
if(this.options.scaleX) d.left = this.originalLeft-leftd + 'px';
} else {
if(this.options.scaleY) d.top = -topd + 'px';
if(this.options.scaleX) d.left = -leftd + 'px';
}
}
Element.setStyle(this.element, d);
}
});
Effect.Highlight = Class.create();
Object.extend(Object.extend(Effect.Highlight.prototype, Effect.Base.prototype), {
initialize: function(element) {
this.element = $(element);
var options = Object.extend({ startcolor: '#ffff99' }, arguments[1] || {});
this.start(options);
},
setup: function() {
// Prevent executing on elements not in the layout flow
if(Element.getStyle(this.element, 'display')=='none') { this.cancel(); return; }
// Disable background image during the effect
this.oldStyle = {
backgroundImage: Element.getStyle(this.element, 'background-image') };
Element.setStyle(this.element, {backgroundImage: 'none'});
if(!this.options.endcolor)
this.options.endcolor = Element.getStyle(this.element, 'background-color').parseColor('#ffffff');
if(!this.options.restorecolor)
this.options.restorecolor = Element.getStyle(this.element, 'background-color');
// init color calculations
this._base = $R(0,2).map(function(i){ return parseInt(this.options.startcolor.slice(i*2+1,i*2+3),16) }.bind(this));
this._delta = $R(0,2).map(function(i){ return parseInt(this.options.endcolor.slice(i*2+1,i*2+3),16)-this._base[i] }.bind(this));
},
update: function(position) {
Element.setStyle(this.element,{backgroundColor: $R(0,2).inject('#',function(m,v,i){
return m+(Math.round(this._base[i]+(this._delta[i]*position)).toColorPart()); }.bind(this)) });
},
finish: function() {
Element.setStyle(this.element, Object.extend(this.oldStyle, {
backgroundColor: this.options.restorecolor
}));
}
});
Effect.ScrollTo = Class.create();
Object.extend(Object.extend(Effect.ScrollTo.prototype, Effect.Base.prototype), {
initialize: function(element) {
this.element = $(element);
this.start(arguments[1] || {});
},
setup: function() {
Position.prepare();
var offsets = Position.cumulativeOffset(this.element);
if(this.options.offset) offsets[1] += this.options.offset;
var max = window.innerHeight ?
window.height - window.innerHeight :
document.body.scrollHeight -
(document.documentElement.clientHeight ?
document.documentElement.clientHeight : document.body.clientHeight);
this.scrollStart = Position.deltaY;
this.delta = (offsets[1] > max ? max : offsets[1]) - this.scrollStart;
},
update: function(position) {
Position.prepare();
window.scrollTo(Position.deltaX,
this.scrollStart + (position*this.delta));
}
});
/* ------------- combination effects ------------- */
Effect.Fade = function(element) {
var oldOpacity = Element.getInlineOpacity(element);
var options = Object.extend({
from: Element.getOpacity(element) || 1.0,
to: 0.0,
afterFinishInternal: function(effect) { with(Element) {
if(effect.options.to!=0) return;
hide(effect.element);
setStyle(effect.element, {opacity: oldOpacity}); }}
}, arguments[1] || {});
return new Effect.Opacity(element,options);
}
Effect.Appear = function(element) {
var options = Object.extend({
from: (Element.getStyle(element, 'display') == 'none' ? 0.0 : Element.getOpacity(element) || 0.0),
to: 1.0,
beforeSetup: function(effect) { with(Element) {
setOpacity(effect.element, effect.options.from);
show(effect.element); }}
}, arguments[1] || {});
return new Effect.Opacity(element,options);
}
Effect.Puff = function(element) {
element = $(element);
var oldStyle = { opacity: Element.getInlineOpacity(element), position: Element.getStyle(element, 'position') };
return new Effect.Parallel(
[ new Effect.Scale(element, 200,
{ sync: true, scaleFromCenter: true, scaleContent: true, restoreAfterFinish: true }),
new Effect.Opacity(element, { sync: true, to: 0.0 } ) ],
Object.extend({ duration: 1.0,
beforeSetupInternal: function(effect) { with(Element) {
setStyle(effect.effects[0].element, {position: 'absolute'}); }},
afterFinishInternal: function(effect) { with(Element) {
hide(effect.effects[0].element);
setStyle(effect.effects[0].element, oldStyle); }}
}, arguments[1] || {})
);
}
Effect.BlindUp = function(element) {
element = $(element);
Element.makeClipping(element);
return new Effect.Scale(element, 0,
Object.extend({ scaleContent: false,
scaleX: false,
restoreAfterFinish: true,
afterFinishInternal: function(effect) { with(Element) {
[hide, undoClipping].call(effect.element); }}
}, arguments[1] || {})
);
}
Effect.BlindDown = function(element) {
element = $(element);
var oldHeight = Element.getStyle(element, 'height');
var elementDimensions = Element.getDimensions(element);
return new Effect.Scale(element, 100,
Object.extend({ scaleContent: false,
scaleX: false,
scaleFrom: 0,
scaleMode: {originalHeight: elementDimensions.height, originalWidth: elementDimensions.width},
restoreAfterFinish: true,
afterSetup: function(effect) { with(Element) {
makeClipping(effect.element);
setStyle(effect.element, {height: '0px'});
show(effect.element);
}},
afterFinishInternal: function(effect) { with(Element) {
undoClipping(effect.element);
setStyle(effect.element, {height: oldHeight});
}}
}, arguments[1] || {})
);
}
Effect.SwitchOff = function(element) {
element = $(element);
var oldOpacity = Element.getInlineOpacity(element);
return new Effect.Appear(element, {
duration: 0.4,
from: 0,
transition: Effect.Transitions.flicker,
afterFinishInternal: function(effect) {
new Effect.Scale(effect.element, 1, {
duration: 0.3, scaleFromCenter: true,
scaleX: false, scaleContent: false, restoreAfterFinish: true,
beforeSetup: function(effect) { with(Element) {
[makePositioned,makeClipping].call(effect.element);
}},
afterFinishInternal: function(effect) { with(Element) {
[hide,undoClipping,undoPositioned].call(effect.element);
setStyle(effect.element, {opacity: oldOpacity});
}}
})
}
});
}
Effect.DropOut = function(element) {
element = $(element);
var oldStyle = {
top: Element.getStyle(element, 'top'),
left: Element.getStyle(element, 'left'),
opacity: Element.getInlineOpacity(element) };
return new Effect.Parallel(
[ new Effect.MoveBy(element, 100, 0, { sync: true }),
new Effect.Opacity(element, { sync: true, to: 0.0 }) ],
Object.extend(
{ duration: 0.5,
beforeSetup: function(effect) { with(Element) {
makePositioned(effect.effects[0].element); }},
afterFinishInternal: function(effect) { with(Element) {
[hide, undoPositioned].call(effect.effects[0].element);
setStyle(effect.effects[0].element, oldStyle); }}
}, arguments[1] || {}));
}
Effect.Shake = function(element) {
element = $(element);
var oldStyle = {
top: Element.getStyle(element, 'top'),
left: Element.getStyle(element, 'left') };
return new Effect.MoveBy(element, 0, 20,
{ duration: 0.05, afterFinishInternal: function(effect) {
new Effect.MoveBy(effect.element, 0, -40,
{ duration: 0.1, afterFinishInternal: function(effect) {
new Effect.MoveBy(effect.element, 0, 40,
{ duration: 0.1, afterFinishInternal: function(effect) {
new Effect.MoveBy(effect.element, 0, -40,
{ duration: 0.1, afterFinishInternal: function(effect) {
new Effect.MoveBy(effect.element, 0, 40,
{ duration: 0.1, afterFinishInternal: function(effect) {
new Effect.MoveBy(effect.element, 0, -20,
{ duration: 0.05, afterFinishInternal: function(effect) { with(Element) {
undoPositioned(effect.element);
setStyle(effect.element, oldStyle);
}}}) }}) }}) }}) }}) }});
}
Effect.SlideDown = function(element) {
element = $(element);
Element.cleanWhitespace(element);
// SlideDown need to have the content of the element wrapped in a container element with fixed height!
var oldInnerBottom = Element.getStyle(element.firstChild, 'bottom');
var elementDimensions = Element.getDimensions(element);
return new Effect.Scale(element, 100, Object.extend({
scaleContent: false,
scaleX: false,
scaleFrom: 0,
scaleMode: {originalHeight: elementDimensions.height, originalWidth: elementDimensions.width},
restoreAfterFinish: true,
afterSetup: function(effect) { with(Element) {
makePositioned(effect.element);
makePositioned(effect.element.firstChild);
if(window.opera) setStyle(effect.element, {top: ''});
makeClipping(effect.element);
setStyle(effect.element, {height: '0px'});
show(element); }},
afterUpdateInternal: function(effect) { with(Element) {
setStyle(effect.element.firstChild, {bottom:
(effect.dims[0] - effect.element.clientHeight) + 'px' }); }},
afterFinishInternal: function(effect) { with(Element) {
undoClipping(effect.element);
undoPositioned(effect.element.firstChild);
undoPositioned(effect.element);
setStyle(effect.element.firstChild, {bottom: oldInnerBottom}); }}
}, arguments[1] || {})
);
}
Effect.SlideUp = function(element) {
element = $(element);
Element.cleanWhitespace(element);
var oldInnerBottom = Element.getStyle(element.firstChild, 'bottom');
return new Effect.Scale(element, 0,
Object.extend({ scaleContent: false,
scaleX: false,
scaleMode: 'box',
scaleFrom: 100,
restoreAfterFinish: true,
beforeStartInternal: function(effect) { with(Element) {
makePositioned(effect.element);
makePositioned(effect.element.firstChild);
if(window.opera) setStyle(effect.element, {top: ''});
makeClipping(effect.element);
show(element); }},
afterUpdateInternal: function(effect) { with(Element) {
setStyle(effect.element.firstChild, {bottom:
(effect.dims[0] - effect.element.clientHeight) + 'px' }); }},
afterFinishInternal: function(effect) { with(Element) {
[hide, undoClipping].call(effect.element);
undoPositioned(effect.element.firstChild);
undoPositioned(effect.element);
setStyle(effect.element.firstChild, {bottom: oldInnerBottom}); }}
}, arguments[1] || {})
);
}
// Bug in opera makes the TD containing this element expand for a instance after finish
Effect.Squish = function(element) {
return new Effect.Scale(element, window.opera ? 1 : 0,
{ restoreAfterFinish: true,
beforeSetup: function(effect) { with(Element) {
makeClipping(effect.element); }},
afterFinishInternal: function(effect) { with(Element) {
hide(effect.element);
undoClipping(effect.element); }}
});
}
Effect.Grow = function(element) {
element = $(element);
var options = Object.extend({
direction: 'center',
moveTransistion: Effect.Transitions.sinoidal,
scaleTransition: Effect.Transitions.sinoidal,
opacityTransition: Effect.Transitions.full
}, arguments[1] || {});
var oldStyle = {
top: element.style.top,
left: element.style.left,
height: element.style.height,
width: element.style.width,
opacity: Element.getInlineOpacity(element) };
var dims = Element.getDimensions(element);
var initialMoveX, initialMoveY;
var moveX, moveY;
switch (options.direction) {
case 'top-left':
initialMoveX = initialMoveY = moveX = moveY = 0;
break;
case 'top-right':
initialMoveX = dims.width;
initialMoveY = moveY = 0;
moveX = -dims.width;
break;
case 'bottom-left':
initialMoveX = moveX = 0;
initialMoveY = dims.height;
moveY = -dims.height;
break;
case 'bottom-right':
initialMoveX = dims.width;
initialMoveY = dims.height;
moveX = -dims.width;
moveY = -dims.height;
break;
case 'center':
initialMoveX = dims.width / 2;
initialMoveY = dims.height / 2;
moveX = -dims.width / 2;
moveY = -dims.height / 2;
break;
}
return new Effect.MoveBy(element, initialMoveY, initialMoveX, {
duration: 0.01,
beforeSetup: function(effect) { with(Element) {
hide(effect.element);
makeClipping(effect.element);
makePositioned(effect.element);
}},
afterFinishInternal: function(effect) {
new Effect.Parallel(
[ new Effect.Opacity(effect.element, { sync: true, to: 1.0, from: 0.0, transition: options.opacityTransition }),
new Effect.MoveBy(effect.element, moveY, moveX, { sync: true, transition: options.moveTransition }),
new Effect.Scale(effect.element, 100, {
scaleMode: { originalHeight: dims.height, originalWidth: dims.width },
sync: true, scaleFrom: window.opera ? 1 : 0, transition: options.scaleTransition, restoreAfterFinish: true})
], Object.extend({
beforeSetup: function(effect) { with(Element) {
setStyle(effect.effects[0].element, {height: '0px'});
show(effect.effects[0].element); }},
afterFinishInternal: function(effect) { with(Element) {
[undoClipping, undoPositioned].call(effect.effects[0].element);
setStyle(effect.effects[0].element, oldStyle); }}
}, options)
)
}
});
}
Effect.Shrink = function(element) {
element = $(element);
var options = Object.extend({
direction: 'center',
moveTransistion: Effect.Transitions.sinoidal,
scaleTransition: Effect.Transitions.sinoidal,
opacityTransition: Effect.Transitions.none
}, arguments[1] || {});
var oldStyle = {
top: element.style.top,
left: element.style.left,
height: element.style.height,
width: element.style.width,
opacity: Element.getInlineOpacity(element) };
var dims = Element.getDimensions(element);
var moveX, moveY;
switch (options.direction) {
case 'top-left':
moveX = moveY = 0;
break;
case 'top-right':
moveX = dims.width;
moveY = 0;
break;
case 'bottom-left':
moveX = 0;
moveY = dims.height;
break;
case 'bottom-right':
moveX = dims.width;
moveY = dims.height;
break;
case 'center':
moveX = dims.width / 2;
moveY = dims.height / 2;
break;
}
return new Effect.Parallel(
[ new Effect.Opacity(element, { sync: true, to: 0.0, from: 1.0, transition: options.opacityTransition }),
new Effect.Scale(element, window.opera ? 1 : 0, { sync: true, transition: options.scaleTransition, restoreAfterFinish: true}),
new Effect.MoveBy(element, moveY, moveX, { sync: true, transition: options.moveTransition })
], Object.extend({
beforeStartInternal: function(effect) { with(Element) {
[makePositioned, makeClipping].call(effect.effects[0].element) }},
afterFinishInternal: function(effect) { with(Element) {
[hide, undoClipping, undoPositioned].call(effect.effects[0].element);
setStyle(effect.effects[0].element, oldStyle); }}
}, options)
);
}
Effect.Pulsate = function(element) {
element = $(element);
var options = arguments[1] || {};
var oldOpacity = Element.getInlineOpacity(element);
var transition = options.transition || Effect.Transitions.sinoidal;
var reverser = function(pos){ return transition(1-Effect.Transitions.pulse(pos)) };
reverser.bind(transition);
return new Effect.Opacity(element,
Object.extend(Object.extend({ duration: 3.0, from: 0,
afterFinishInternal: function(effect) { Element.setStyle(effect.element, {opacity: oldOpacity}); }
}, options), {transition: reverser}));
}
Effect.Fold = function(element) {
element = $(element);
var oldStyle = {
top: element.style.top,
left: element.style.left,
width: element.style.width,
height: element.style.height };
Element.makeClipping(element);
return new Effect.Scale(element, 5, Object.extend({
scaleContent: false,
scaleX: false,
afterFinishInternal: function(effect) {
new Effect.Scale(element, 1, {
scaleContent: false,
scaleY: false,
afterFinishInternal: function(effect) { with(Element) {
[hide, undoClipping].call(effect.element);
setStyle(effect.element, oldStyle);
}} });
}}, arguments[1] || {}));
}

@ -0,0 +1 @@
# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/about'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/breakpointer'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/console'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/destroy'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/generate'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../../config/boot'
require 'commands/performance/benchmarker'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../../config/boot'
require 'commands/performance/profiler'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/plugin'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../../config/boot'
require 'commands/process/reaper'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../../config/boot'
require 'commands/process/spawner'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../../config/boot'
require 'commands/process/spinner'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/runner'

@ -0,0 +1,3 @@
#!/usr/bin/env ruby
require File.dirname(__FILE__) + '/../config/boot'
require 'commands/server'

@ -0,0 +1,18 @@
require File.dirname(__FILE__) + '/../test_helper'
require 'login_controller'
# Re-raise errors caught by the controller.
class LoginController; def rescue_action(e) raise e end; end
class LoginControllerTest < Test::Unit::TestCase
def setup
@controller = LoginController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
end
# Replace this with your real tests.
def test_truth
assert true
end
end

@ -0,0 +1,18 @@
require File.dirname(__FILE__) + '/../test_helper'
require 'server_controller'
# Re-raise errors caught by the controller.
class ServerController; def rescue_action(e) raise e end; end
class ServerControllerTest < Test::Unit::TestCase
def setup
@controller = ServerController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
end
# Replace this with your real tests.
def test_truth
assert true
end
end

@ -0,0 +1,28 @@
ENV["RAILS_ENV"] = "test"
require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
require 'test_help'
class Test::Unit::TestCase
# Transactional fixtures accelerate your tests by wrapping each test method
# in a transaction that's rolled back on completion. This ensures that the
# test database remains unchanged so your fixtures don't have to be reloaded
# between every test method. Fewer database queries means faster tests.
#
# Read Mike Clark's excellent walkthrough at
# http://clarkware.com/cgi/blosxom/2005/10/24#Rails10FastTesting
#
# Every Active Record database supports transactions except MyISAM tables
# in MySQL. Turn off transactional fixtures in this case; however, if you
# don't care one way or the other, switching from MyISAM to InnoDB tables
# is recommended.
self.use_transactional_fixtures = true
# Instantiated fixtures are slow, but give you @david where otherwise you
# would need people(:david). If you don't want to migrate your existing
# test cases which use the @david style and don't mind the speed hit (each
# instantiated fixtures translates to a database query per test method),
# then set this back to true.
self.use_instantiated_fixtures = false
# Add more helper methods to be used by all tests here...
end

@ -0,0 +1,112 @@
# Copyright (C) 2001 Daiki Ueno <ueno@unixuser.org>
# This library is distributed under the terms of the Ruby license.
# This module provides common interface to HMAC engines.
# HMAC standard is documented in RFC 2104:
#
# H. Krawczyk et al., "HMAC: Keyed-Hashing for Message Authentication",
# RFC 2104, February 1997
#
# These APIs are inspired by JCE 1.2's javax.crypto.Mac interface.
#
# <URL:http://java.sun.com/security/JCE1.2/spec/apidoc/javax/crypto/Mac.html>
module HMAC
class Base
def initialize(algorithm, block_size, output_length, key)
@algorithm = algorithm
@block_size = block_size
@output_length = output_length
@status = STATUS_UNDEFINED
@key_xor_ipad = ''
@key_xor_opad = ''
set_key(key) unless key.nil?
end
private
def check_status
unless @status == STATUS_INITIALIZED
raise RuntimeError,
"The underlying hash algorithm has not yet been initialized."
end
end
public
def set_key(key)
# If key is longer than the block size, apply hash function
# to key and use the result as a real key.
key = @algorithm.digest(key) if key.size > @block_size
key_xor_ipad = "\x36" * @block_size
key_xor_opad = "\x5C" * @block_size
for i in 0 .. key.size - 1
key_xor_ipad[i] ^= key[i]
key_xor_opad[i] ^= key[i]
end
@key_xor_ipad = key_xor_ipad
@key_xor_opad = key_xor_opad
@md = @algorithm.new
@status = STATUS_INITIALIZED
end
def reset_key
@key_xor_ipad.gsub!(/./, '?')
@key_xor_opad.gsub!(/./, '?')
@key_xor_ipad[0..-1] = ''
@key_xor_opad[0..-1] = ''
@status = STATUS_UNDEFINED
end
def update(text)
check_status
# perform inner H
md = @algorithm.new
md.update(@key_xor_ipad)
md.update(text)
str = md.digest
# perform outer H
md = @algorithm.new
md.update(@key_xor_opad)
md.update(str)
@md = md
end
alias << update
def digest
check_status
@md.digest
end
def hexdigest
check_status
@md.hexdigest
end
alias to_s hexdigest
# These two class methods below are safer than using above
# instance methods combinatorially because an instance will have
# held a key even if it's no longer in use.
def Base.digest(key, text)
begin
hmac = self.new(key)
hmac.update(text)
hmac.digest
ensure
hmac.reset_key
end
end
def Base.hexdigest(key, text)
begin
hmac = self.new(key)
hmac.update(text)
hmac.hexdigest
ensure
hmac.reset_key
end
end
private_class_method :new, :digest, :hexdigest
end
STATUS_UNDEFINED, STATUS_INITIALIZED = 0, 1
end

@ -0,0 +1,11 @@
require 'hmac/hmac'
require 'digest/sha1'
module HMAC
class SHA1 < Base
def initialize(key = nil)
super(Digest::SHA1, 64, 20, key)
end
public_class_method :new, :digest, :hexdigest
end
end

@ -0,0 +1,25 @@
require 'hmac/hmac'
require 'digest/sha2'
module HMAC
class SHA256 < Base
def initialize(key = nil)
super(Digest::SHA256, 64, 32, key)
end
public_class_method :new, :digest, :hexdigest
end
class SHA384 < Base
def initialize(key = nil)
super(Digest::SHA384, 128, 48, key)
end
public_class_method :new, :digest, :hexdigest
end
class SHA512 < Base
def initialize(key = nil)
super(Digest::SHA512, 128, 64, key)
end
public_class_method :new, :digest, :hexdigest
end
end

@ -0,0 +1,20 @@
# Copyright 2006-2007 JanRain, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you
# may not use this file except in compliance with the License. You may
# obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied. See the License for the specific language governing
# permissions and limitations under the License.
module OpenID
VERSION = "2.1.4"
end
require "openid/consumer"
require 'openid/server'

@ -0,0 +1,249 @@
require "openid/kvform"
require "openid/util"
require "openid/cryptutil"
require "openid/message"
module OpenID
def self.get_secret_size(assoc_type)
if assoc_type == 'HMAC-SHA1'
return 20
elsif assoc_type == 'HMAC-SHA256'
return 32
else
raise ArgumentError("Unsupported association type: #{assoc_type}")
end
end
# An Association holds the shared secret between a relying party and
# an OpenID provider.
class Association
attr_reader :handle, :secret, :issued, :lifetime, :assoc_type
FIELD_ORDER =
[:version, :handle, :secret, :issued, :lifetime, :assoc_type,]
# Load a serialized Association
def self.deserialize(serialized)
parsed = Util.kv_to_seq(serialized)
parsed_fields = parsed.map{|k, v| k.to_sym}
if parsed_fields != FIELD_ORDER
raise ProtocolError, 'Unexpected fields in serialized association'\
" (Expected #{FIELD_ORDER.inspect}, got #{parsed_fields.inspect})"
end
version, handle, secret64, issued_s, lifetime_s, assoc_type =
parsed.map {|field, value| value}
if version != '2'
raise ProtocolError, "Attempted to deserialize unsupported version "\
"(#{parsed[0][1].inspect})"
end
self.new(handle,
Util.from_base64(secret64),
Time.at(issued_s.to_i),
lifetime_s.to_i,
assoc_type)
end
# Create an Association with an issued time of now
def self.from_expires_in(expires_in, handle, secret, assoc_type)
issued = Time.now
self.new(handle, secret, issued, expires_in, assoc_type)
end
def initialize(handle, secret, issued, lifetime, assoc_type)
@handle = handle
@secret = secret
@issued = issued
@lifetime = lifetime
@assoc_type = assoc_type
end
# Serialize the association to a form that's consistent across
# JanRain OpenID libraries.
def serialize
data = {
:version => '2',
:handle => handle,
:secret => Util.to_base64(secret),
:issued => issued.to_i.to_s,
:lifetime => lifetime.to_i.to_s,
:assoc_type => assoc_type,
}
Util.assert(data.length == FIELD_ORDER.length)
pairs = FIELD_ORDER.map{|field| [field.to_s, data[field]]}
return Util.seq_to_kv(pairs, strict=true)
end
# The number of seconds until this association expires
def expires_in(now=nil)
if now.nil?
now = Time.now.to_i
else
now = now.to_i
end
time_diff = (issued.to_i + lifetime) - now
if time_diff < 0
return 0
else
return time_diff
end
end
# Generate a signature for a sequence of [key, value] pairs
def sign(pairs)
kv = Util.seq_to_kv(pairs)
case assoc_type
when 'HMAC-SHA1'
CryptUtil.hmac_sha1(@secret, kv)
when 'HMAC-SHA256'
CryptUtil.hmac_sha256(@secret, kv)
else
raise ProtocolError, "Association has unknown type: "\
"#{assoc_type.inspect}"
end
end
# Generate the list of pairs that form the signed elements of the
# given message
def make_pairs(message)
signed = message.get_arg(OPENID_NS, 'signed')
if signed.nil?
raise ProtocolError, 'Missing signed list'
end
signed_fields = signed.split(',', -1)
data = message.to_post_args
signed_fields.map {|field| [field, data.fetch('openid.'+field,'')] }
end
# Return whether the message's signature passes
def check_message_signature(message)
message_sig = message.get_arg(OPENID_NS, 'sig')
if message_sig.nil?
raise ProtocolError, "#{message} has no sig."
end
calculated_sig = get_message_signature(message)
return calculated_sig == message_sig
end
# Get the signature for this message
def get_message_signature(message)
Util.to_base64(sign(make_pairs(message)))
end
def ==(other)
(other.class == self.class and
other.handle == self.handle and
other.secret == self.secret and
# The internals of the time objects seemed to differ
# in an opaque way when serializing/unserializing.
# I don't think this will be a problem.
other.issued.to_i == self.issued.to_i and
other.lifetime == self.lifetime and
other.assoc_type == self.assoc_type)
end
# Add a signature (and a signed list) to a message.
def sign_message(message)
if (message.has_key?(OPENID_NS, 'sig') or
message.has_key?(OPENID_NS, 'signed'))
raise ArgumentError, 'Message already has signed list or signature'
end
extant_handle = message.get_arg(OPENID_NS, 'assoc_handle')
if extant_handle and extant_handle != self.handle
raise ArgumentError, "Message has a different association handle"
end
signed_message = message.copy()
signed_message.set_arg(OPENID_NS, 'assoc_handle', self.handle)
message_keys = signed_message.to_post_args.keys()
signed_list = []
message_keys.each { |k|
if k.starts_with?('openid.')
signed_list << k[7..-1]
end
}
signed_list << 'signed'
signed_list.sort!
signed_message.set_arg(OPENID_NS, 'signed', signed_list.join(','))
sig = get_message_signature(signed_message)
signed_message.set_arg(OPENID_NS, 'sig', sig)
return signed_message
end
end
class AssociationNegotiator
attr_reader :allowed_types
def self.get_session_types(assoc_type)
case assoc_type
when 'HMAC-SHA1'
['DH-SHA1', 'no-encryption']
when 'HMAC-SHA256'
['DH-SHA256', 'no-encryption']
else
raise ProtocolError, "Unknown association type #{assoc_type.inspect}"
end
end
def self.check_session_type(assoc_type, session_type)
if !get_session_types(assoc_type).include?(session_type)
raise ProtocolError, "Session type #{session_type.inspect} not "\
"valid for association type #{assoc_type.inspect}"
end
end
def initialize(allowed_types)
self.allowed_types=(allowed_types)
end
def copy
Marshal.load(Marshal.dump(self))
end
def allowed_types=(allowed_types)
allowed_types.each do |assoc_type, session_type|
self.class.check_session_type(assoc_type, session_type)
end
@allowed_types = allowed_types
end
def add_allowed_type(assoc_type, session_type=nil)
if session_type.nil?
session_types = self.class.get_session_types(assoc_type)
else
self.class.check_session_type(assoc_type, session_type)
session_types = [session_type]
end
for session_type in session_types do
@allowed_types << [assoc_type, session_type]
end
end
def allowed?(assoc_type, session_type)
@allowed_types.include?([assoc_type, session_type])
end
def get_allowed_type
@allowed_types.empty? ? nil : @allowed_types[0]
end
end
DefaultNegotiator =
AssociationNegotiator.new([['HMAC-SHA1', 'DH-SHA1'],
['HMAC-SHA1', 'no-encryption'],
['HMAC-SHA256', 'DH-SHA256'],
['HMAC-SHA256', 'no-encryption']])
EncryptedNegotiator =
AssociationNegotiator.new([['HMAC-SHA1', 'DH-SHA1'],
['HMAC-SHA256', 'DH-SHA256']])
end

@ -0,0 +1,395 @@
require "openid/consumer/idres.rb"
require "openid/consumer/checkid_request.rb"
require "openid/consumer/associationmanager.rb"
require "openid/consumer/responses.rb"
require "openid/consumer/discovery_manager"
require "openid/consumer/discovery"
require "openid/message"
require "openid/yadis/discovery"
require "openid/store/nonce"
module OpenID
# OpenID support for Relying Parties (aka Consumers).
#
# This module documents the main interface with the OpenID consumer
# library. The only part of the library which has to be used and
# isn't documented in full here is the store required to create an
# Consumer instance.
#
# = OVERVIEW
#
# The OpenID identity verification process most commonly uses the
# following steps, as visible to the user of this library:
#
# 1. The user enters their OpenID into a field on the consumer's
# site, and hits a login button.
#
# 2. The consumer site discovers the user's OpenID provider using
# the Yadis protocol.
#
# 3. The consumer site sends the browser a redirect to the OpenID
# provider. This is the authentication request as described in
# the OpenID specification.
#
# 4. The OpenID provider's site sends the browser a redirect back to
# the consumer site. This redirect contains the provider's
# response to the authentication request.
#
# The most important part of the flow to note is the consumer's site
# must handle two separate HTTP requests in order to perform the
# full identity check.
#
# = LIBRARY DESIGN
#
# This consumer library is designed with that flow in mind. The
# goal is to make it as easy as possible to perform the above steps
# securely.
#
# At a high level, there are two important parts in the consumer
# library. The first important part is this module, which contains
# the interface to actually use this library. The second is
# openid/store/interface.rb, which describes the interface to use if
# you need to create a custom method for storing the state this
# library needs to maintain between requests.
#
# In general, the second part is less important for users of the
# library to know about, as several implementations are provided
# which cover a wide variety of situations in which consumers may
# use the library.
#
# The Consumer class has methods corresponding to the actions
# necessary in each of steps 2, 3, and 4 described in the overview.
# Use of this library should be as easy as creating an Consumer
# instance and calling the methods appropriate for the action the
# site wants to take.
#
# This library automatically detects which version of the OpenID
# protocol should be used for a transaction and constructs the
# proper requests and responses. Users of this library do not need
# to worry about supporting multiple protocol versions; the library
# supports them implicitly. Depending on the version of the
# protocol in use, the OpenID transaction may be more secure. See
# the OpenID specifications for more information.
#
# = SESSIONS, STORES, AND STATELESS MODE
#
# The Consumer object keeps track of two types of state:
#
# 1. State of the user's current authentication attempt. Things
# like the identity URL, the list of endpoints discovered for
# that URL, and in case where some endpoints are unreachable, the
# list of endpoints already tried. This state needs to be held
# from Consumer.begin() to Consumer.complete(), but it is only
# applicable to a single session with a single user agent, and at
# the end of the authentication process (i.e. when an OP replies
# with either <tt>id_res</tt>. or <tt>cancel</tt> it may be
# discarded.
#
# 2. State of relationships with servers, i.e. shared secrets
# (associations) with servers and nonces seen on signed messages.
# This information should persist from one session to the next
# and should not be bound to a particular user-agent.
#
# These two types of storage are reflected in the first two
# arguments of Consumer's constructor, <tt>session</tt> and
# <tt>store</tt>. <tt>session</tt> is a dict-like object and we
# hope your web framework provides you with one of these bound to
# the user agent. <tt>store</tt> is an instance of Store.
#
# Since the store does hold secrets shared between your application
# and the OpenID provider, you should be careful about how you use
# it in a shared hosting environment. If the filesystem or database
# permissions of your web host allow strangers to read from them, do
# not store your data there! If you have no safe place to store
# your data, construct your consumer with nil for the store, and it
# will operate only in stateless mode. Stateless mode may be
# slower, put more load on the OpenID provider, and trusts the
# provider to keep you safe from replay attacks.
#
# Several store implementation are provided, and the interface is
# fully documented so that custom stores can be used as well. See
# the documentation for the Consumer class for more information on
# the interface for stores. The implementations that are provided
# allow the consumer site to store the necessary data in several
# different ways, including several SQL databases and normal files
# on disk.
#
# = IMMEDIATE MODE
#
# In the flow described above, the user may need to confirm to the
# OpenID provider that it's ok to disclose his or her identity. The
# provider may draw pages asking for information from the user
# before it redirects the browser back to the consumer's site. This
# is generally transparent to the consumer site, so it is typically
# ignored as an implementation detail.
#
# There can be times, however, where the consumer site wants to get
# a response immediately. When this is the case, the consumer can
# put the library in immediate mode. In immediate mode, there is an
# extra response possible from the server, which is essentially the
# server reporting that it doesn't have enough information to answer
# the question yet.
#
# = USING THIS LIBRARY
#
# Integrating this library into an application is usually a
# relatively straightforward process. The process should basically
# follow this plan:
#
# Add an OpenID login field somewhere on your site. When an OpenID
# is entered in that field and the form is submitted, it should make
# a request to the your site which includes that OpenID URL.
#
# First, the application should instantiate a Consumer with a
# session for per-user state and store for shared state using the
# store of choice.
#
# Next, the application should call the <tt>begin</tt> method of
# Consumer instance. This method takes the OpenID URL as entered by
# the user. The <tt>begin</tt> method returns a CheckIDRequest
# object.
#
# Next, the application should call the redirect_url method on the
# CheckIDRequest object. The parameter <tt>return_to</tt> is the
# URL that the OpenID server will send the user back to after
# attempting to verify his or her identity. The <tt>realm</tt>
# parameter is the URL (or URL pattern) that identifies your web
# site to the user when he or she is authorizing it. Send a
# redirect to the resulting URL to the user's browser.
#
# That's the first half of the authentication process. The second
# half of the process is done after the user's OpenID Provider sends
# the user's browser a redirect back to your site to complete their
# login.
#
# When that happens, the user will contact your site at the URL
# given as the <tt>return_to</tt> URL to the redirect_url call made
# above. The request will have several query parameters added to
# the URL by the OpenID provider as the information necessary to
# finish the request.
#
# Get a Consumer instance with the same session and store as before
# and call its complete() method, passing in all the received query
# arguments and URL currently being handled.
#
# There are multiple possible return types possible from that
# method. These indicate the whether or not the login was
# successful, and include any additional information appropriate for
# their type.
class Consumer
attr_accessor :session_key_prefix
# Initialize a Consumer instance.
#
# You should create a new instance of the Consumer object with
# every HTTP request that handles OpenID transactions.
#
# session: the session object to use to store request information.
# The session should behave like a hash.
#
# store: an object that implements the interface in Store.
def initialize(session, store)
@session = session
@store = store
@session_key_prefix = 'OpenID::Consumer::'
end
# Start the OpenID authentication process. See steps 1-2 in the
# overview for the Consumer class.
#
# user_url: Identity URL given by the user. This method performs a
# textual transformation of the URL to try and make sure it is
# normalized. For example, a user_url of example.com will be
# normalized to http://example.com/ normalizing and resolving any
# redirects the server might issue.
#
# anonymous: A boolean value. Whether to make an anonymous
# request of the OpenID provider. Such a request does not ask for
# an authorization assertion for an OpenID identifier, but may be
# used with extensions to pass other data. e.g. "I don't care who
# you are, but I'd like to know your time zone."
#
# Returns a CheckIDRequest object containing the discovered
# information, with a method for building a redirect URL to the
# server, as described in step 3 of the overview. This object may
# also be used to add extension arguments to the request, using
# its add_extension_arg method.
#
# Raises DiscoveryFailure when no OpenID server can be found for
# this URL.
def begin(openid_identifier, anonymous=false)
manager = discovery_manager(openid_identifier)
service = manager.get_next_service(&method(:discover))
if service.nil?
raise DiscoveryFailure.new("No usable OpenID services were found "\
"for #{openid_identifier.inspect}", nil)
else
begin_without_discovery(service, anonymous)
end
end
# Start OpenID verification without doing OpenID server
# discovery. This method is used internally by Consumer.begin()
# after discovery is performed, and exists to provide an interface
# for library users needing to perform their own discovery.
#
# service: an OpenID service endpoint descriptor. This object and
# factories for it are found in the openid/consumer/discovery.rb
# module.
#
# Returns an OpenID authentication request object.
def begin_without_discovery(service, anonymous)
assoc = association_manager(service).get_association
checkid_request = CheckIDRequest.new(assoc, service)
checkid_request.anonymous = anonymous
if service.compatibility_mode
rt_args = checkid_request.return_to_args
rt_args[Consumer.openid1_return_to_nonce_name] = Nonce.mk_nonce
rt_args[Consumer.openid1_return_to_claimed_id_name] =
service.claimed_id
end
self.last_requested_endpoint = service
return checkid_request
end
# Called to interpret the server's response to an OpenID
# request. It is called in step 4 of the flow described in the
# Consumer overview.
#
# query: A hash of the query parameters for this HTTP request.
# Note that in rails, this is <b>not</b> <tt>params</tt> but
# <tt>params.reject{|k,v|request.path_parameters[k]}</tt>
# because <tt>controller</tt> and <tt>action</tt> and other
# "path parameters" are included in params.
#
# current_url: Extract the URL of the current request from your
# application's web request framework and specify it here to have it
# checked against the openid.return_to value in the response. Do not
# just pass <tt>args['openid.return_to']</tt> here; that will defeat the
# purpose of this check. (See OpenID Authentication 2.0 section 11.1.)
#
# If the return_to URL check fails, the status of the completion will be
# FAILURE.
#
# Returns a subclass of Response. The type of response is
# indicated by the status attribute, which will be one of
# SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED.
def complete(query, current_url)
message = Message.from_post_args(query)
mode = message.get_arg(OPENID_NS, 'mode', 'invalid')
begin
meth = method('complete_' + mode)
rescue NameError
meth = method(:complete_invalid)
end
response = meth.call(message, current_url)
cleanup_last_requested_endpoint
if [SUCCESS, CANCEL].member?(response.status)
cleanup_session
end
return response
end
protected
def session_get(name)
@session[session_key(name)]
end
def session_set(name, val)
@session[session_key(name)] = val
end
def session_key(suffix)
@session_key_prefix + suffix
end
def last_requested_endpoint
session_get('last_requested_endpoint')
end
def last_requested_endpoint=(endpoint)
session_set('last_requested_endpoint', endpoint)
end
def cleanup_last_requested_endpoint
@session[session_key('last_requested_endpoint')] = nil
end
def discovery_manager(openid_identifier)
DiscoveryManager.new(@session, openid_identifier, @session_key_prefix)
end
def cleanup_session
discovery_manager(nil).cleanup(true)
end
def discover(identifier)
OpenID.discover(identifier)
end
def negotiator
DefaultNegotiator
end
def association_manager(service)
AssociationManager.new(@store, service.server_url,
service.compatibility_mode, negotiator)
end
def handle_idres(message, current_url)
IdResHandler.new(message, current_url, @store, last_requested_endpoint)
end
def complete_invalid(message, unused_return_to)
mode = message.get_arg(OPENID_NS, 'mode', '<No mode set>')
return FailureResponse.new(last_requested_endpoint,
"Invalid openid.mode: #{mode}")
end
def complete_cancel(unused_message, unused_return_to)
return CancelResponse.new(last_requested_endpoint)
end
def complete_error(message, unused_return_to)
error = message.get_arg(OPENID_NS, 'error')
contact = message.get_arg(OPENID_NS, 'contact')
reference = message.get_arg(OPENID_NS, 'reference')
return FailureResponse.new(last_requested_endpoint,
error, contact, reference)
end
def complete_setup_needed(message, unused_return_to)
if message.is_openid1
return complete_invalid(message, nil)
else
setup_url = message.get_arg(OPENID2_NS, 'user_setup_url')
return SetupNeededResponse.new(last_requested_endpoint, setup_url)
end
end
def complete_id_res(message, current_url)
if message.is_openid1
setup_url = message.get_arg(OPENID1_NS, 'user_setup_url')
if !setup_url.nil?
return SetupNeededResponse.new(last_requested_endpoint, setup_url)
end
end
begin
idres = handle_idres(message, current_url)
rescue OpenIDError => why
return FailureResponse.new(last_requested_endpoint, why.message)
else
return SuccessResponse.new(idres.endpoint, message,
idres.signed_fields)
end
end
end
end

@ -0,0 +1,340 @@
require "openid/dh"
require "openid/util"
require "openid/kvpost"
require "openid/cryptutil"
require "openid/protocolerror"
require "openid/association"
module OpenID
class Consumer
# A superclass for implementing Diffie-Hellman association sessions.
class DiffieHellmanSession
class << self
attr_reader :session_type, :secret_size, :allowed_assoc_types,
:hashfunc
end
def initialize(dh=nil)
if dh.nil?
dh = DiffieHellman.from_defaults
end
@dh = dh
end
# Return the query parameters for requesting an association
# using this Diffie-Hellman association session
def get_request
args = {'dh_consumer_public' => CryptUtil.num_to_base64(@dh.public)}
if (!@dh.using_default_values?)
args['dh_modulus'] = CryptUtil.num_to_base64(@dh.modulus)
args['dh_gen'] = CryptUtil.num_to_base64(@dh.generator)
end
return args
end
# Process the response from a successful association request and
# return the shared secret for this association
def extract_secret(response)
dh_server_public64 = response.get_arg(OPENID_NS, 'dh_server_public',
NO_DEFAULT)
enc_mac_key64 = response.get_arg(OPENID_NS, 'enc_mac_key', NO_DEFAULT)
dh_server_public = CryptUtil.base64_to_num(dh_server_public64)
enc_mac_key = Util.from_base64(enc_mac_key64)
return @dh.xor_secret(self.class.hashfunc,
dh_server_public, enc_mac_key)
end
end
# A Diffie-Hellman association session that uses SHA1 as its hash
# function
class DiffieHellmanSHA1Session < DiffieHellmanSession
@session_type = 'DH-SHA1'
@secret_size = 20
@allowed_assoc_types = ['HMAC-SHA1']
@hashfunc = CryptUtil.method(:sha1)
end
# A Diffie-Hellman association session that uses SHA256 as its hash
# function
class DiffieHellmanSHA256Session < DiffieHellmanSession
@session_type = 'DH-SHA256'
@secret_size = 32
@allowed_assoc_types = ['HMAC-SHA256']
@hashfunc = CryptUtil.method(:sha256)
end
# An association session that does not use encryption
class NoEncryptionSession
class << self
attr_reader :session_type, :allowed_assoc_types
end
@session_type = 'no-encryption'
@allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256']
def get_request
return {}
end
def extract_secret(response)
mac_key64 = response.get_arg(OPENID_NS, 'mac_key', NO_DEFAULT)
return Util.from_base64(mac_key64)
end
end
# An object that manages creating and storing associations for an
# OpenID provider endpoint
class AssociationManager
def self.create_session(session_type)
case session_type
when 'no-encryption'
NoEncryptionSession.new
when 'DH-SHA1'
DiffieHellmanSHA1Session.new
when 'DH-SHA256'
DiffieHellmanSHA256Session.new
else
raise ArgumentError, "Unknown association session type: "\
"#{session_type.inspect}"
end
end
def initialize(store, server_url, compatibility_mode=false,
negotiator=nil)
@store = store
@server_url = server_url
@compatibility_mode = compatibility_mode
@negotiator = negotiator || DefaultNegotiator
end
def get_association
if @store.nil?
return nil
end
assoc = @store.get_association(@server_url)
if assoc.nil? || assoc.expires_in <= 0
assoc = negotiate_association
if !assoc.nil?
@store.store_association(@server_url, assoc)
end
end
return assoc
end
def negotiate_association
assoc_type, session_type = @negotiator.get_allowed_type
begin
return request_association(assoc_type, session_type)
rescue ServerError => why
supported_types = extract_supported_association_type(why, assoc_type)
if !supported_types.nil?
# Attempt to create an association from the assoc_type and
# session_type that the server told us it supported.
assoc_type, session_type = supported_types
begin
return request_association(assoc_type, session_type)
rescue ServerError => why
Util.log("Server #{@server_url} refused its suggested " \
"association type: session_type=#{session_type}, " \
"assoc_type=#{assoc_type}")
return nil
end
end
end
end
protected
def extract_supported_association_type(server_error, assoc_type)
# Any error message whose code is not 'unsupported-type' should
# be considered a total failure.
if (server_error.error_code != 'unsupported-type' or
server_error.message.is_openid1)
Util.log("Server error when requesting an association from "\
"#{@server_url}: #{server_error.error_text}")
return nil
end
# The server didn't like the association/session type that we
# sent, and it sent us back a message that might tell us how to
# handle it.
Util.log("Unsupported association type #{assoc_type}: "\
"#{server_error.error_text}")
# Extract the session_type and assoc_type from the error message
assoc_type = server_error.message.get_arg(OPENID_NS, 'assoc_type')
session_type = server_error.message.get_arg(OPENID_NS, 'session_type')
if assoc_type.nil? or session_type.nil?
Util.log("Server #{@server_url} responded with unsupported "\
"association session but did not supply a fallback.")
return nil
elsif !@negotiator.allowed?(assoc_type, session_type)
Util.log("Server sent unsupported session/association type: "\
"session_type=#{session_type}, assoc_type=#{assoc_type}")
return nil
else
return [assoc_type, session_type]
end
end
# Make and process one association request to this endpoint's OP
# endpoint URL. Returns an association object or nil if the
# association processing failed. Raises ServerError when the
# remote OpenID server returns an error.
def request_association(assoc_type, session_type)
assoc_session, args = create_associate_request(assoc_type, session_type)
begin
response = OpenID.make_kv_post(args, @server_url)
return extract_association(response, assoc_session)
rescue HTTPStatusError => why
Util.log("Got HTTP status error when requesting association: #{why}")
return nil
rescue Message::KeyNotFound => why
Util.log("Missing required parameter in response from "\
"#{@server_url}: #{why}")
return nil
rescue ProtocolError => why
Util.log("Protocol error processing response from #{@server_url}: "\
"#{why}")
return nil
end
end
# Create an association request for the given assoc_type and
# session_type. Returns a pair of the association session object
# and the request message that will be sent to the server.
def create_associate_request(assoc_type, session_type)
assoc_session = self.class.create_session(session_type)
args = {
'mode' => 'associate',
'assoc_type' => assoc_type,
}
if !@compatibility_mode
args['ns'] = OPENID2_NS
end
# Leave out the session type if we're in compatibility mode
# *and* it's no-encryption.
if !@compatibility_mode ||
assoc_session.class.session_type != 'no-encryption'
args['session_type'] = assoc_session.class.session_type
end
args.merge!(assoc_session.get_request)
message = Message.from_openid_args(args)
return assoc_session, message
end
# Given an association response message, extract the OpenID 1.X
# session type. Returns the association type for this message
#
# This function mostly takes care of the 'no-encryption' default
# behavior in OpenID 1.
#
# If the association type is plain-text, this function will
# return 'no-encryption'
def get_openid1_session_type(assoc_response)
# If it's an OpenID 1 message, allow session_type to default
# to nil (which signifies "no-encryption")
session_type = assoc_response.get_arg(OPENID1_NS, 'session_type')
# Handle the differences between no-encryption association
# respones in OpenID 1 and 2:
# no-encryption is not really a valid session type for
# OpenID 1, but we'll accept it anyway, while issuing a
# warning.
if session_type == 'no-encryption'
Util.log("WARNING: #{@server_url} sent 'no-encryption'"\
"for OpenID 1.X")
# Missing or empty session type is the way to flag a
# 'no-encryption' response. Change the session type to
# 'no-encryption' so that it can be handled in the same
# way as OpenID 2 'no-encryption' respones.
elsif session_type == '' || session_type.nil?
session_type = 'no-encryption'
end
return session_type
end
def self.extract_expires_in(message)
# expires_in should be a base-10 string.
expires_in_str = message.get_arg(OPENID_NS, 'expires_in', NO_DEFAULT)
if !(/\A\d+\Z/ =~ expires_in_str)
raise ProtocolError, "Invalid expires_in field: #{expires_in_str}"
end
expires_in_str.to_i
end
# Attempt to extract an association from the response, given the
# association response message and the established association
# session.
def extract_association(assoc_response, assoc_session)
# Extract the common fields from the response, raising an
# exception if they are not found
assoc_type = assoc_response.get_arg(OPENID_NS, 'assoc_type',
NO_DEFAULT)
assoc_handle = assoc_response.get_arg(OPENID_NS, 'assoc_handle',
NO_DEFAULT)
expires_in = self.class.extract_expires_in(assoc_response)
# OpenID 1 has funny association session behaviour.
if assoc_response.is_openid1
session_type = get_openid1_session_type(assoc_response)
else
session_type = assoc_response.get_arg(OPENID2_NS, 'session_type',
NO_DEFAULT)
end
# Session type mismatch
if assoc_session.class.session_type != session_type
if (assoc_response.is_openid1 and session_type == 'no-encryption')
# In OpenID 1, any association request can result in a
# 'no-encryption' association response. Setting
# assoc_session to a new no-encryption session should
# make the rest of this function work properly for
# that case.
assoc_session = NoEncryptionSession.new
else
# Any other mismatch, regardless of protocol version
# results in the failure of the association session
# altogether.
raise ProtocolError, "Session type mismatch. Expected "\
"#{assoc_session.class.session_type}, got "\
"#{session_type}"
end
end
# Make sure assoc_type is valid for session_type
if !assoc_session.class.allowed_assoc_types.member?(assoc_type)
raise ProtocolError, "Unsupported assoc_type for session "\
"#{assoc_session.class.session_type} "\
"returned: #{assoc_type}"
end
# Delegate to the association session to extract the secret
# from the response, however is appropriate for that session
# type.
begin
secret = assoc_session.extract_secret(assoc_response)
rescue Message::KeyNotFound, ArgumentError => why
raise ProtocolError, "Malformed response for "\
"#{assoc_session.class.session_type} "\
"session: #{why.message}"
end
return Association.from_expires_in(expires_in, assoc_handle, secret,
assoc_type)
end
end
end
end

@ -0,0 +1,186 @@
require "openid/message"
require "openid/util"
module OpenID
class Consumer
# An object that holds the state necessary for generating an
# OpenID authentication request. This object holds the association
# with the server and the discovered information with which the
# request will be made.
#
# It is separate from the consumer because you may wish to add
# things to the request before sending it on its way to the
# server. It also has serialization options that let you encode
# the authentication request as a URL or as a form POST.
class CheckIDRequest
attr_accessor :return_to_args, :message
attr_reader :endpoint
# Users of this library should not create instances of this
# class. Instances of this class are created by the library
# when needed.
def initialize(assoc, endpoint)
@assoc = assoc
@endpoint = endpoint
@return_to_args = {}
@message = Message.new(endpoint.preferred_namespace)
@anonymous = false
end
attr_reader :anonymous
# Set whether this request should be made anonymously. If a
# request is anonymous, the identifier will not be sent in the
# request. This is only useful if you are making another kind of
# request with an extension in this request.
#
# Anonymous requests are not allowed when the request is made
# with OpenID 1.
def anonymous=(is_anonymous)
if is_anonymous && @message.is_openid1
raise ArgumentError, ("OpenID1 requests MUST include the "\
"identifier in the request")
end
@anonymous = is_anonymous
end
# Add an object that implements the extension interface for
# adding arguments to an OpenID message to this checkid request.
#
# extension_request: an OpenID::Extension object.
def add_extension(extension_request)
extension_request.to_message(@message)
end
# Add an extension argument to this OpenID authentication
# request. You probably want to use add_extension and the
# OpenID::Extension interface.
#
# Use caution when adding arguments, because they will be
# URL-escaped and appended to the redirect URL, which can easily
# get quite long.
def add_extension_arg(namespace, key, value)
@message.set_arg(namespace, key, value)
end
# Produce a OpenID::Message representing this request.
#
# Not specifying a return_to URL means that the user will not be
# returned to the site issuing the request upon its completion.
#
# If immediate mode is requested, the OpenID provider is to send
# back a response immediately, useful for behind-the-scenes
# authentication attempts. Otherwise the OpenID provider may
# engage the user before providing a response. This is the
# default case, as the user may need to provide credentials or
# approve the request before a positive response can be sent.
def get_message(realm, return_to=nil, immediate=false)
if !return_to.nil?
return_to = Util.append_args(return_to, @return_to_args)
elsif immediate
raise ArgumentError, ('"return_to" is mandatory when using '\
'"checkid_immediate"')
elsif @message.is_openid1
raise ArgumentError, ('"return_to" is mandatory for OpenID 1 '\
'requests')
elsif @return_to_args.empty?
raise ArgumentError, ('extra "return_to" arguments were specified, '\
'but no return_to was specified')
end
message = @message.copy
mode = immediate ? 'checkid_immediate' : 'checkid_setup'
message.set_arg(OPENID_NS, 'mode', mode)
realm_key = message.is_openid1 ? 'trust_root' : 'realm'
message.set_arg(OPENID_NS, realm_key, realm)
if !return_to.nil?
message.set_arg(OPENID_NS, 'return_to', return_to)
end
if not @anonymous
if @endpoint.is_op_identifier
# This will never happen when we're in OpenID 1
# compatibility mode, as long as is_op_identifier()
# returns false whenever preferred_namespace returns
# OPENID1_NS.
claimed_id = request_identity = IDENTIFIER_SELECT
else
request_identity = @endpoint.get_local_id
claimed_id = @endpoint.claimed_id
end
# This is true for both OpenID 1 and 2
message.set_arg(OPENID_NS, 'identity', request_identity)
if message.is_openid2
message.set_arg(OPENID2_NS, 'claimed_id', claimed_id)
end
end
if @assoc
message.set_arg(OPENID_NS, 'assoc_handle', @assoc.handle)
assoc_log_msg = "with assocication #{@assoc.handle}"
else
assoc_log_msg = 'using stateless mode.'
end
Util.log("Generated #{mode} request to #{@endpoint.server_url} "\
"#{assoc_log_msg}")
return message
end
# Returns a URL with an encoded OpenID request.
#
# The resulting URL is the OpenID provider's endpoint URL with
# parameters appended as query arguments. You should redirect
# the user agent to this URL.
#
# OpenID 2.0 endpoints also accept POST requests, see
# 'send_redirect?' and 'form_markup'.
def redirect_url(realm, return_to=nil, immediate=false)
message = get_message(realm, return_to, immediate)
return message.to_url(@endpoint.server_url)
end
# Get html for a form to submit this request to the IDP.
#
# form_tag_attrs is a hash of attributes to be added to the form
# tag. 'accept-charset' and 'enctype' have defaults that can be
# overridden. If a value is supplied for 'action' or 'method',
# it will be replaced.
def form_markup(realm, return_to=nil, immediate=false,
form_tag_attrs=nil)
message = get_message(realm, return_to, immediate)
return message.to_form_markup(@endpoint.server_url, form_tag_attrs)
end
# Get a complete HTML document that autosubmits the request to the IDP
# with javascript. This method wraps form_markup - see that method's
# documentation for help with the parameters.
def html_markup(realm, return_to=nil, immediate=false,
form_tag_attrs=nil)
Util.auto_submit_html(form_markup(realm,
return_to,
immediate,
form_tag_attrs))
end
# Should this OpenID authentication request be sent as a HTTP
# redirect or as a POST (form submission)?
#
# This takes the same parameters as redirect_url or form_markup
def send_redirect?(realm, return_to=nil, immediate=false)
if @endpoint.compatibility_mode
return true
else
url = redirect_url(realm, return_to, immediate)
return url.length <= OPENID1_URL_LIMIT
end
end
end
end
end

@ -0,0 +1,498 @@
# Functions to discover OpenID endpoints from identifiers.
require 'uri'
require 'openid/util'
require 'openid/fetchers'
require 'openid/urinorm'
require 'openid/message'
require 'openid/yadis/discovery'
require 'openid/yadis/xrds'
require 'openid/yadis/xri'
require 'openid/yadis/services'
require 'openid/yadis/filters'
require 'openid/consumer/html_parse'
require 'openid/yadis/xrires'
module OpenID
OPENID_1_0_NS = 'http://openid.net/xmlns/1.0'
OPENID_IDP_2_0_TYPE = 'http://specs.openid.net/auth/2.0/server'
OPENID_2_0_TYPE = 'http://specs.openid.net/auth/2.0/signon'
OPENID_1_1_TYPE = 'http://openid.net/signon/1.1'
OPENID_1_0_TYPE = 'http://openid.net/signon/1.0'
OPENID_1_0_MESSAGE_NS = OPENID1_NS
OPENID_2_0_MESSAGE_NS = OPENID2_NS
# Object representing an OpenID service endpoint.
class OpenIDServiceEndpoint
# OpenID service type URIs, listed in order of preference. The
# ordering of this list affects yadis and XRI service discovery.
OPENID_TYPE_URIS = [
OPENID_IDP_2_0_TYPE,
OPENID_2_0_TYPE,
OPENID_1_1_TYPE,
OPENID_1_0_TYPE,
]
# the verified identifier.
attr_accessor :claimed_id
# For XRI, the persistent identifier.
attr_accessor :canonical_id
attr_accessor :server_url, :type_uris, :local_id, :used_yadis
def initialize
@claimed_id = nil
@server_url = nil
@type_uris = []
@local_id = nil
@canonical_id = nil
@used_yadis = false # whether this came from an XRDS
@display_identifier = nil
end
def display_identifier
return @display_identifier if @display_identifier
return @claimed_id if @claimed_id.nil?
begin
parsed_identifier = URI.parse(@claimed_id)
rescue URI::InvalidURIError
raise ProtocolError, "Claimed identifier #{claimed_id} is not a valid URI"
end
return @claimed_id if not parsed_identifier.fragment
disp = parsed_identifier
disp.fragment = nil
return disp.to_s
end
def display_identifier=(display_identifier)
@display_identifier = display_identifier
end
def uses_extension(extension_uri)
return @type_uris.member?(extension_uri)
end
def preferred_namespace
if (@type_uris.member?(OPENID_IDP_2_0_TYPE) or
@type_uris.member?(OPENID_2_0_TYPE))
return OPENID_2_0_MESSAGE_NS
else
return OPENID_1_0_MESSAGE_NS
end
end
def supports_type(type_uri)
# Does this endpoint support this type?
#
# I consider C{/server} endpoints to implicitly support C{/signon}.
(
@type_uris.member?(type_uri) or
(type_uri == OPENID_2_0_TYPE and is_op_identifier())
)
end
def compatibility_mode
return preferred_namespace() != OPENID_2_0_MESSAGE_NS
end
def is_op_identifier
return @type_uris.member?(OPENID_IDP_2_0_TYPE)
end
def parse_service(yadis_url, uri, type_uris, service_element)
# Set the state of this object based on the contents of the
# service element.
@type_uris = type_uris
@server_url = uri
@used_yadis = true
if !is_op_identifier()
# XXX: This has crappy implications for Service elements that
# contain both 'server' and 'signon' Types. But that's a
# pathological configuration anyway, so I don't think I care.
@local_id = OpenID.find_op_local_identifier(service_element,
@type_uris)
@claimed_id = yadis_url
end
end
def get_local_id
# Return the identifier that should be sent as the
# openid.identity parameter to the server.
if @local_id.nil? and @canonical_id.nil?
return @claimed_id
else
return (@local_id or @canonical_id)
end
end
def self.from_basic_service_endpoint(endpoint)
# Create a new instance of this class from the endpoint object
# passed in.
#
# @return: nil or OpenIDServiceEndpoint for this endpoint object"""
type_uris = endpoint.match_types(OPENID_TYPE_URIS)
# If any Type URIs match and there is an endpoint URI specified,
# then this is an OpenID endpoint
if (!type_uris.nil? and !type_uris.empty?) and !endpoint.uri.nil?
openid_endpoint = self.new
openid_endpoint.parse_service(
endpoint.yadis_url,
endpoint.uri,
endpoint.type_uris,
endpoint.service_element)
else
openid_endpoint = nil
end
return openid_endpoint
end
def self.from_html(uri, html)
# Parse the given document as HTML looking for an OpenID <link
# rel=...>
#
# @rtype: [OpenIDServiceEndpoint]
discovery_types = [
[OPENID_2_0_TYPE, 'openid2.provider', 'openid2.local_id'],
[OPENID_1_1_TYPE, 'openid.server', 'openid.delegate'],
]
link_attrs = OpenID.parse_link_attrs(html)
services = []
discovery_types.each { |type_uri, op_endpoint_rel, local_id_rel|
op_endpoint_url = OpenID.find_first_href(link_attrs, op_endpoint_rel)
if !op_endpoint_url
next
end
service = self.new
service.claimed_id = uri
service.local_id = OpenID.find_first_href(link_attrs, local_id_rel)
service.server_url = op_endpoint_url
service.type_uris = [type_uri]
services << service
}
return services
end
def self.from_xrds(uri, xrds)
# Parse the given document as XRDS looking for OpenID services.
#
# @rtype: [OpenIDServiceEndpoint]
#
# @raises L{XRDSError}: When the XRDS does not parse.
return Yadis::apply_filter(uri, xrds, self)
end
def self.from_discovery_result(discoveryResult)
# Create endpoints from a DiscoveryResult.
#
# @type discoveryResult: L{DiscoveryResult}
#
# @rtype: list of L{OpenIDServiceEndpoint}
#
# @raises L{XRDSError}: When the XRDS does not parse.
if discoveryResult.is_xrds()
meth = self.method('from_xrds')
else
meth = self.method('from_html')
end
return meth.call(discoveryResult.normalized_uri,
discoveryResult.response_text)
end
def self.from_op_endpoint_url(op_endpoint_url)
# Construct an OP-Identifier OpenIDServiceEndpoint object for
# a given OP Endpoint URL
#
# @param op_endpoint_url: The URL of the endpoint
# @rtype: OpenIDServiceEndpoint
service = self.new
service.server_url = op_endpoint_url
service.type_uris = [OPENID_IDP_2_0_TYPE]
return service
end
def to_s
return sprintf("<%s server_url=%s claimed_id=%s " +
"local_id=%s canonical_id=%s used_yadis=%s>",
self.class, @server_url, @claimed_id,
@local_id, @canonical_id, @used_yadis)
end
end
def self.find_op_local_identifier(service_element, type_uris)
# Find the OP-Local Identifier for this xrd:Service element.
#
# This considers openid:Delegate to be a synonym for xrd:LocalID
# if both OpenID 1.X and OpenID 2.0 types are present. If only
# OpenID 1.X is present, it returns the value of
# openid:Delegate. If only OpenID 2.0 is present, it returns the
# value of xrd:LocalID. If there is more than one LocalID tag and
# the values are different, it raises a DiscoveryFailure. This is
# also triggered when the xrd:LocalID and openid:Delegate tags are
# different.
# XXX: Test this function on its own!
# Build the list of tags that could contain the OP-Local
# Identifier
local_id_tags = []
if type_uris.member?(OPENID_1_1_TYPE) or
type_uris.member?(OPENID_1_0_TYPE)
# local_id_tags << Yadis::nsTag(OPENID_1_0_NS, 'openid', 'Delegate')
service_element.add_namespace('openid', OPENID_1_0_NS)
local_id_tags << "openid:Delegate"
end
if type_uris.member?(OPENID_2_0_TYPE)
# local_id_tags.append(Yadis::nsTag(XRD_NS_2_0, 'xrd', 'LocalID'))
service_element.add_namespace('xrd', Yadis::XRD_NS_2_0)
local_id_tags << "xrd:LocalID"
end
# Walk through all the matching tags and make sure that they all
# have the same value
local_id = nil
local_id_tags.each { |local_id_tag|
service_element.each_element(local_id_tag) { |local_id_element|
if local_id.nil?
local_id = local_id_element.text
elsif local_id != local_id_element.text
format = 'More than one %s tag found in one service element'
message = sprintf(format, local_id_tag)
raise DiscoveryFailure.new(message, nil)
end
}
}
return local_id
end
def self.normalize_xri(xri)
# Normalize an XRI, stripping its scheme if present
m = /^xri:\/\/(.*)/.match(xri)
xri = m[1] if m
return xri
end
def self.normalize_url(url)
# Normalize a URL, converting normalization failures to
# DiscoveryFailure
begin
normalized = URINorm.urinorm(url)
rescue URI::Error => why
raise DiscoveryFailure.new("Error normalizing #{url}: #{why.message}", nil)
else
defragged = URI::parse(normalized)
defragged.fragment = nil
return defragged.normalize.to_s
end
end
def self.best_matching_service(service, preferred_types)
# Return the index of the first matching type, or something higher
# if no type matches.
#
# This provides an ordering in which service elements that contain
# a type that comes earlier in the preferred types list come
# before service elements that come later. If a service element
# has more than one type, the most preferred one wins.
preferred_types.each_with_index { |value, index|
if service.type_uris.member?(value)
return index
end
}
return preferred_types.length
end
def self.arrange_by_type(service_list, preferred_types)
# Rearrange service_list in a new list so services are ordered by
# types listed in preferred_types. Return the new list.
# Build a list with the service elements in tuples whose
# comparison will prefer the one with the best matching service
prio_services = []
service_list.each_with_index { |s, index|
prio_services << [best_matching_service(s, preferred_types), index, s]
}
prio_services.sort!
# Now that the services are sorted by priority, remove the sort
# keys from the list.
(0...prio_services.length).each { |i|
prio_services[i] = prio_services[i][2]
}
return prio_services
end
def self.get_op_or_user_services(openid_services)
# Extract OP Identifier services. If none found, return the rest,
# sorted with most preferred first according to
# OpenIDServiceEndpoint.openid_type_uris.
#
# openid_services is a list of OpenIDServiceEndpoint objects.
#
# Returns a list of OpenIDServiceEndpoint objects.
op_services = arrange_by_type(openid_services, [OPENID_IDP_2_0_TYPE])
openid_services = arrange_by_type(openid_services,
OpenIDServiceEndpoint::OPENID_TYPE_URIS)
if !op_services.empty?
return op_services
else
return openid_services
end
end
def self.discover_yadis(uri)
# Discover OpenID services for a URI. Tries Yadis and falls back
# on old-style <link rel='...'> discovery if Yadis fails.
#
# @param uri: normalized identity URL
# @type uri: str
#
# @return: (claimed_id, services)
# @rtype: (str, list(OpenIDServiceEndpoint))
#
# @raises DiscoveryFailure: when discovery fails.
# Might raise a yadis.discover.DiscoveryFailure if no document
# came back for that URI at all. I don't think falling back to
# OpenID 1.0 discovery on the same URL will help, so don't bother
# to catch it.
response = Yadis.discover(uri)
yadis_url = response.normalized_uri
body = response.response_text
begin
openid_services = OpenIDServiceEndpoint.from_xrds(yadis_url, body)
rescue Yadis::XRDSError
# Does not parse as a Yadis XRDS file
openid_services = []
end
if openid_services.empty?
# Either not an XRDS or there are no OpenID services.
if response.is_xrds
# if we got the Yadis content-type or followed the Yadis
# header, re-fetch the document without following the Yadis
# header, with no Accept header.
return self.discover_no_yadis(uri)
end
# Try to parse the response as HTML.
# <link rel="...">
openid_services = OpenIDServiceEndpoint.from_html(yadis_url, body)
end
return [yadis_url, self.get_op_or_user_services(openid_services)]
end
def self.discover_xri(iname)
endpoints = []
iname = self.normalize_xri(iname)
begin
canonical_id, services = Yadis::XRI::ProxyResolver.new().query(
iname, OpenIDServiceEndpoint::OPENID_TYPE_URIS)
if canonical_id.nil?
raise Yadis::XRDSError.new(sprintf('No CanonicalID found for XRI %s', iname))
end
flt = Yadis.make_filter(OpenIDServiceEndpoint)
services.each { |service_element|
endpoints += flt.get_service_endpoints(iname, service_element)
}
rescue Yadis::XRDSError => why
Util.log('xrds error on ' + iname + ': ' + why.to_s)
end
endpoints.each { |endpoint|
# Is there a way to pass this through the filter to the endpoint
# constructor instead of tacking it on after?
endpoint.canonical_id = canonical_id
endpoint.claimed_id = canonical_id
endpoint.display_identifier = iname
}
# FIXME: returned xri should probably be in some normal form
return [iname, self.get_op_or_user_services(endpoints)]
end
def self.discover_no_yadis(uri)
http_resp = OpenID.fetch(uri)
if http_resp.code != "200" and http_resp.code != "206"
raise DiscoveryFailure.new(
"HTTP Response status from identity URL host is not \"200\". "\
"Got status #{http_resp.code.inspect}", http_resp)
end
claimed_id = http_resp.final_url
openid_services = OpenIDServiceEndpoint.from_html(
claimed_id, http_resp.body)
return [claimed_id, openid_services]
end
def self.discover_uri(uri)
# Hack to work around URI parsing for URls with *no* scheme.
if uri.index("://").nil?
uri = 'http://' + uri
end
begin
parsed = URI::parse(uri)
rescue URI::InvalidURIError => why
raise DiscoveryFailure.new("URI is not valid: #{why.message}", nil)
end
if !parsed.scheme.nil? and !parsed.scheme.empty?
if !['http', 'https'].member?(parsed.scheme)
raise DiscoveryFailure.new(
"URI scheme #{parsed.scheme} is not HTTP or HTTPS", nil)
end
end
uri = self.normalize_url(uri)
claimed_id, openid_services = self.discover_yadis(uri)
claimed_id = self.normalize_url(claimed_id)
return [claimed_id, openid_services]
end
def self.discover(identifier)
if Yadis::XRI::identifier_scheme(identifier) == :xri
normalized_identifier, services = discover_xri(identifier)
else
return discover_uri(identifier)
end
end
end

@ -0,0 +1,123 @@
module OpenID
class Consumer
# A set of discovered services, for tracking which providers have
# been attempted for an OpenID identifier
class DiscoveredServices
attr_reader :current
def initialize(starting_url, yadis_url, services)
@starting_url = starting_url
@yadis_url = yadis_url
@services = services.dup
@current = nil
end
def next
@current = @services.shift
end
def for_url?(url)
[@starting_url, @yadis_url].member?(url)
end
def started?
!@current.nil?
end
def empty?
@services.empty?
end
end
# Manages calling discovery and tracking which endpoints have
# already been attempted.
class DiscoveryManager
def initialize(session, url, session_key_suffix=nil)
@url = url
@session = session
@session_key_suffix = session_key_suffix || 'auth'
end
def get_next_service
manager = get_manager
if !manager.nil? && manager.empty?
destroy_manager
manager = nil
end
if manager.nil?
yadis_url, services = yield @url
manager = create_manager(yadis_url, services)
end
if !manager.nil?
service = manager.next
store(manager)
else
service = nil
end
return service
end
def cleanup(force=false)
manager = get_manager(force)
if !manager.nil?
service = manager.current
destroy_manager(force)
else
service = nil
end
return service
end
protected
def get_manager(force=false)
manager = load
if force || manager.nil? || manager.for_url?(@url)
return manager
else
return nil
end
end
def create_manager(yadis_url, services)
manager = get_manager
if !manager.nil?
raise StandardError, "There is already a manager for #{yadis_url}"
end
if services.empty?
return nil
end
manager = DiscoveredServices.new(@url, yadis_url, services)
store(manager)
return manager
end
def destroy_manager(force=false)
if !get_manager(force).nil?
destroy!
end
end
def session_key
'OpenID::Consumer::DiscoveredServices::' + @session_key_suffix
end
def store(manager)
@session[session_key] = manager
end
def load
@session[session_key]
end
def destroy!
@session[session_key] = nil
end
end
end
end

@ -0,0 +1,134 @@
require "openid/yadis/htmltokenizer"
module OpenID
# Stuff to remove before we start looking for tags
REMOVED_RE = /
# Comments
<!--.*?-->
# CDATA blocks
| <!\[CDATA\[.*?\]\]>
# script blocks
| <script\b
# make sure script is not an XML namespace
(?!:)
[^>]*>.*?<\/script>
/mixu
def OpenID.openid_unescape(s)
s.gsub('&amp;','&').gsub('&lt;','<').gsub('&gt;','>').gsub('&quot;','"')
end
def OpenID.unescape_hash(h)
newh = {}
h.map{|k,v|
newh[k]=openid_unescape(v)
}
newh
end
def OpenID.parse_link_attrs(html)
stripped = html.gsub(REMOVED_RE,'')
parser = HTMLTokenizer.new(stripped)
links = []
# to keep track of whether or not we are in the head element
in_head = false
in_html = false
saw_head = false
begin
while el = parser.getTag('head', '/head', 'link', 'body', '/body',
'html', '/html')
# we are leaving head or have reached body, so we bail
return links if ['/head', 'body', '/body', '/html'].member?(el.tag_name)
# enforce html > head > link
if el.tag_name == 'html'
in_html = true
end
next unless in_html
if el.tag_name == 'head'
if saw_head
return links #only allow one head
end
saw_head = true
unless el.to_s[-2] == 47 # tag ends with a /: a short tag
in_head = true
end
end
next unless in_head
return links if el.tag_name == 'html'
if el.tag_name == 'link'
links << unescape_hash(el.attr_hash)
end
end
rescue Exception # just stop parsing if there's an error
end
return links
end
def OpenID.rel_matches(rel_attr, target_rel)
# Does this target_rel appear in the rel_str?
# XXX: TESTME
rels = rel_attr.strip().split()
rels.each { |rel|
rel = rel.downcase
if rel == target_rel
return true
end
}
return false
end
def OpenID.link_has_rel(link_attrs, target_rel)
# Does this link have target_rel as a relationship?
# XXX: TESTME
rel_attr = link_attrs['rel']
return (rel_attr and rel_matches(rel_attr, target_rel))
end
def OpenID.find_links_rel(link_attrs_list, target_rel)
# Filter the list of link attributes on whether it has target_rel
# as a relationship.
# XXX: TESTME
matchesTarget = lambda { |attrs| link_has_rel(attrs, target_rel) }
result = []
link_attrs_list.each { |item|
if matchesTarget.call(item)
result << item
end
}
return result
end
def OpenID.find_first_href(link_attrs_list, target_rel)
# Return the value of the href attribute for the first link tag in
# the list that has target_rel as a relationship.
# XXX: TESTME
matches = find_links_rel(link_attrs_list, target_rel)
if !matches or matches.empty?
return nil
end
first = matches[0]
return first['href']
end
end

@ -0,0 +1,523 @@
require "openid/message"
require "openid/protocolerror"
require "openid/kvpost"
require "openid/consumer/discovery"
require "openid/urinorm"
module OpenID
class TypeURIMismatch < ProtocolError
attr_reader :type_uri, :endpoint
def initialize(type_uri, endpoint)
@type_uri = type_uri
@endpoint = endpoint
end
end
class Consumer
@openid1_return_to_nonce_name = 'rp_nonce'
@openid1_return_to_claimed_id_name = 'openid1_claimed_id'
# Set the name of the query parameter that this library will use
# to thread a nonce through an OpenID 1 transaction. It will be
# appended to the return_to URL.
def self.openid1_return_to_nonce_name=(query_arg_name)
@openid1_return_to_nonce_name = query_arg_name
end
# See openid1_return_to_nonce_name= documentation
def self.openid1_return_to_nonce_name
@openid1_return_to_nonce_name
end
# Set the name of the query parameter that this library will use
# to thread the requested URL through an OpenID 1 transaction (for
# use when verifying discovered information). It will be appended
# to the return_to URL.
def self.openid1_return_to_claimed_id_name=(query_arg_name)
@openid1_return_to_claimed_id_name = query_arg_name
end
# See openid1_return_to_claimed_id_name=
def self.openid1_return_to_claimed_id_name
@openid1_return_to_claimed_id_name
end
# Handles an openid.mode=id_res response. This object is
# instantiated and used by the Consumer.
class IdResHandler
attr_reader :endpoint, :message
def initialize(message, current_url, store=nil, endpoint=nil)
@store = store # Fer the nonce and invalidate_handle
@message = message
@endpoint = endpoint
@current_url = current_url
@signed_list = nil
# Start the verification process
id_res
end
def signed_fields
signed_list.map {|x| 'openid.' + x}
end
protected
# This method will raise ProtocolError unless the request is a
# valid id_res response. Once it has been verified, the methods
# 'endpoint', 'message', and 'signed_fields' contain the
# verified information.
def id_res
check_for_fields
verify_return_to
verify_discovery_results
check_signature
check_nonce
end
def server_url
@endpoint.nil? ? nil : @endpoint.server_url
end
def openid_namespace
@message.get_openid_namespace
end
def fetch(field, default=NO_DEFAULT)
@message.get_arg(OPENID_NS, field, default)
end
def signed_list
if @signed_list.nil?
signed_list_str = fetch('signed', nil)
if signed_list_str.nil?
raise ProtocolError, 'Response missing signed list'
end
@signed_list = signed_list_str.split(',', -1)
end
@signed_list
end
def check_for_fields
# XXX: if a field is missing, we should not have to explicitly
# check that it's present, just make sure that the fields are
# actually being used by the rest of the code in
# tests. Although, which fields are signed does need to be
# checked somewhere.
basic_fields = ['return_to', 'assoc_handle', 'sig', 'signed']
basic_sig_fields = ['return_to', 'identity']
case openid_namespace
when OPENID2_NS
require_fields = basic_fields + ['op_endpoint']
require_sigs = basic_sig_fields +
['response_nonce', 'claimed_id', 'assoc_handle',]
when OPENID1_NS
require_fields = basic_fields + ['identity']
require_sigs = basic_sig_fields
else
raise RuntimeError, "check_for_fields doesn't know about "\
"namespace #{openid_namespace.inspect}"
end
require_fields.each do |field|
if !@message.has_key?(OPENID_NS, field)
raise ProtocolError, "Missing required field #{field}"
end
end
require_sigs.each do |field|
# Field is present and not in signed list
if @message.has_key?(OPENID_NS, field) && !signed_list.member?(field)
raise ProtocolError, "#{field.inspect} not signed"
end
end
end
def verify_return_to
begin
msg_return_to = URI.parse(URINorm::urinorm(fetch('return_to')))
rescue URI::InvalidURIError
raise ProtocolError, ("return_to is not a valid URI")
end
verify_return_to_args(msg_return_to)
if !@current_url.nil?
verify_return_to_base(msg_return_to)
end
end
def verify_return_to_args(msg_return_to)
return_to_parsed_query = {}
if !msg_return_to.query.nil?
CGI.parse(msg_return_to.query).each_pair do |k, vs|
return_to_parsed_query[k] = vs[0]
end
end
query = @message.to_post_args
return_to_parsed_query.each_pair do |rt_key, rt_val|
msg_val = query[rt_key]
if msg_val.nil?
raise ProtocolError, "Message missing return_to argument '#{rt_key}'"
elsif msg_val != rt_val
raise ProtocolError, ("Parameter '#{rt_key}' value "\
"#{msg_val.inspect} does not match "\
"return_to's value #{rt_val.inspect}")
end
end
@message.get_args(BARE_NS).each_pair do |bare_key, bare_val|
rt_val = return_to_parsed_query[bare_key]
if not return_to_parsed_query.has_key? bare_key
# This may be caused by your web framework throwing extra
# entries in to your parameters hash that were not GET or
# POST parameters. For example, Rails has been known to
# add "controller" and "action" keys; another server adds
# at least a "format" key.
raise ProtocolError, ("Unexpected parameter (not on return_to): "\
"'#{bare_key}'=#{rt_val.inspect})")
end
if rt_val != bare_val
raise ProtocolError, ("Parameter '#{bare_key}' value "\
"#{bare_val.inspect} does not match "\
"return_to's value #{rt_val.inspect}")
end
end
end
def verify_return_to_base(msg_return_to)
begin
app_parsed = URI.parse(URINorm::urinorm(@current_url))
rescue URI::InvalidURIError
raise ProtocolError, "current_url is not a valid URI: #{@current_url}"
end
[:scheme, :host, :port, :path].each do |meth|
if msg_return_to.send(meth) != app_parsed.send(meth)
raise ProtocolError, "return_to #{meth.to_s} does not match"
end
end
end
# Raises ProtocolError if the signature is bad
def check_signature
if @store.nil?
assoc = nil
else
assoc = @store.get_association(server_url, fetch('assoc_handle'))
end
if assoc.nil?
check_auth
else
if assoc.expires_in <= 0
# XXX: It might be a good idea sometimes to re-start the
# authentication with a new association. Doing it
# automatically opens the possibility for
# denial-of-service by a server that just returns expired
# associations (or really short-lived associations)
raise ProtocolError, "Association with #{server_url} expired"
elsif !assoc.check_message_signature(@message)
raise ProtocolError, "Bad signature in response from #{server_url}"
end
end
end
def check_auth
Util.log("Using 'check_authentication' with #{server_url}")
begin
request = create_check_auth_request
rescue Message::KeyNotFound => why
raise ProtocolError, "Could not generate 'check_authentication' "\
"request: #{why.message}"
end
response = OpenID.make_kv_post(request, server_url)
process_check_auth_response(response)
end
def create_check_auth_request
signed_list = @message.get_arg(OPENID_NS, 'signed', NO_DEFAULT).split(',')
# check that we got all the signed arguments
signed_list.each {|k|
@message.get_aliased_arg(k, NO_DEFAULT)
}
ca_message = @message.copy
ca_message.set_arg(OPENID_NS, 'mode', 'check_authentication')
return ca_message
end
# Process the response message from a check_authentication
# request, invalidating associations if requested.
def process_check_auth_response(response)
is_valid = response.get_arg(OPENID_NS, 'is_valid', 'false')
invalidate_handle = response.get_arg(OPENID_NS, 'invalidate_handle')
if !invalidate_handle.nil?
Util.log("Received 'invalidate_handle' from server #{server_url}")
if @store.nil?
Util.log('Unexpectedly got "invalidate_handle" without a store!')
else
@store.remove_association(server_url, invalidate_handle)
end
end
if is_valid != 'true'
raise ProtocolError, ("Server #{server_url} responds that the "\
"'check_authentication' call is not valid")
end
end
def check_nonce
case openid_namespace
when OPENID1_NS
nonce =
@message.get_arg(BARE_NS, Consumer.openid1_return_to_nonce_name)
# We generated the nonce, so it uses the empty string as the
# server URL
server_url = ''
when OPENID2_NS
nonce = @message.get_arg(OPENID2_NS, 'response_nonce')
server_url = self.server_url
else
raise StandardError, 'Not reached'
end
if nonce.nil?
raise ProtocolError, 'Nonce missing from response'
end
begin
time, extra = Nonce.split_nonce(nonce)
rescue ArgumentError => why
raise ProtocolError, "Malformed nonce: #{nonce.inspect}"
end
if !@store.nil? && !@store.use_nonce(server_url, time, extra)
raise ProtocolError, ("Nonce already used or out of range: "\
"#{nonce.inspect}")
end
end
def verify_discovery_results
begin
case openid_namespace
when OPENID1_NS
verify_discovery_results_openid1
when OPENID2_NS
verify_discovery_results_openid2
else
raise StandardError, "Not reached: #{openid_namespace}"
end
rescue Message::KeyNotFound => why
raise ProtocolError, "Missing required field: #{why.message}"
end
end
def verify_discovery_results_openid2
to_match = OpenIDServiceEndpoint.new
to_match.type_uris = [OPENID_2_0_TYPE]
to_match.claimed_id = fetch('claimed_id', nil)
to_match.local_id = fetch('identity', nil)
to_match.server_url = fetch('op_endpoint')
if to_match.claimed_id.nil? && !to_match.local_id.nil?
raise ProtocolError, ('openid.identity is present without '\
'openid.claimed_id')
elsif !to_match.claimed_id.nil? && to_match.local_id.nil?
raise ProtocolError, ('openid.claimed_id is present without '\
'openid.identity')
# This is a response without identifiers, so there's really no
# checking that we can do, so return an endpoint that's for
# the specified `openid.op_endpoint'
elsif to_match.claimed_id.nil?
@endpoint =
OpenIDServiceEndpoint.from_op_endpoint_url(to_match.server_url)
return
end
if @endpoint.nil?
Util.log('No pre-discovered information supplied')
discover_and_verify(to_match.claimed_id, [to_match])
else
begin
verify_discovery_single(@endpoint, to_match)
rescue ProtocolError => why
Util.log("Error attempting to use stored discovery "\
"information: #{why.message}")
Util.log("Attempting discovery to verify endpoint")
discover_and_verify(to_match.claimed_id, [to_match])
end
end
if @endpoint.claimed_id != to_match.claimed_id
@endpoint = @endpoint.dup
@endpoint.claimed_id = to_match.claimed_id
end
end
def verify_discovery_results_openid1
claimed_id =
@message.get_arg(BARE_NS, Consumer.openid1_return_to_claimed_id_name)
if claimed_id.nil?
if @endpoint.nil?
raise ProtocolError, ("When using OpenID 1, the claimed ID must "\
"be supplied, either by passing it through "\
"as a return_to parameter or by using a "\
"session, and supplied to the IdResHandler "\
"when it is constructed.")
else
claimed_id = @endpoint.claimed_id
end
end
to_match = OpenIDServiceEndpoint.new
to_match.type_uris = [OPENID_1_1_TYPE]
to_match.local_id = fetch('identity')
# Restore delegate information from the initiation phase
to_match.claimed_id = claimed_id
to_match_1_0 = to_match.dup
to_match_1_0.type_uris = [OPENID_1_0_TYPE]
if !@endpoint.nil?
begin
begin
verify_discovery_single(@endpoint, to_match)
rescue TypeURIMismatch
verify_discovery_single(@endpoint, to_match_1_0)
end
rescue ProtocolError => why
Util.log('Error attempting to use stored discovery information: ' +
why.message)
Util.log('Attempting discovery to verify endpoint')
else
return @endpoint
end
end
# Either no endpoint was supplied or OpenID 1.x verification
# of the information that's in the message failed on that
# endpoint.
discover_and_verify(to_match.claimed_id, [to_match, to_match_1_0])
end
# Given an endpoint object created from the information in an
# OpenID response, perform discovery and verify the discovery
# results, returning the matching endpoint that is the result of
# doing that discovery.
def discover_and_verify(claimed_id, to_match_endpoints)
Util.log("Performing discovery on #{claimed_id}")
_, services = OpenID.discover(claimed_id)
if services.length == 0
# XXX: this might want to be something other than
# ProtocolError. In Python, it's DiscoveryFailure
raise ProtocolError, ("No OpenID information found at "\
"#{claimed_id}")
end
verify_discovered_services(claimed_id, services, to_match_endpoints)
end
def verify_discovered_services(claimed_id, services, to_match_endpoints)
# Search the services resulting from discovery to find one
# that matches the information from the assertion
failure_messages = []
for endpoint in services
for to_match_endpoint in to_match_endpoints
begin
verify_discovery_single(endpoint, to_match_endpoint)
rescue ProtocolError => why
failure_messages << why.message
else
# It matches, so discover verification has
# succeeded. Return this endpoint.
@endpoint = endpoint
return
end
end
end
Util.log("Discovery verification failure for #{claimed_id}")
failure_messages.each do |failure_message|
Util.log(" * Endpoint mismatch: " + failure_message)
end
# XXX: is DiscoveryFailure in Python OpenID
raise ProtocolError, ("No matching endpoint found after "\
"discovering #{claimed_id}")
end
def verify_discovery_single(endpoint, to_match)
# Every type URI that's in the to_match endpoint has to be
# present in the discovered endpoint.
for type_uri in to_match.type_uris
if !endpoint.uses_extension(type_uri)
raise TypeURIMismatch.new(type_uri, endpoint)
end
end
# Fragments do not influence discovery, so we can't compare a
# claimed identifier with a fragment to discovered information.
defragged_claimed_id =
case Yadis::XRI.identifier_scheme(endpoint.claimed_id)
when :xri
endpoint.claimed_id
when :uri
begin
parsed = URI.parse(endpoint.claimed_id)
rescue URI::InvalidURIError
endpoint.claimed_id
else
parsed.fragment = nil
parsed.to_s
end
else
raise StandardError, 'Not reached'
end
if defragged_claimed_id != endpoint.claimed_id
raise ProtocolError, ("Claimed ID does not match (different "\
"subjects!), Expected "\
"#{defragged_claimed_id}, got "\
"#{endpoint.claimed_id}")
end
if to_match.get_local_id != endpoint.get_local_id
raise ProtocolError, ("local_id mismatch. Expected "\
"#{to_match.get_local_id}, got "\
"#{endpoint.get_local_id}")
end
# If the server URL is nil, this must be an OpenID 1
# response, because op_endpoint is a required parameter in
# OpenID 2. In that case, we don't actually care what the
# discovered server_url is, because signature checking or
# check_auth should take care of that check for us.
if to_match.server_url.nil?
if to_match.preferred_namespace != OPENID1_NS
raise StandardError,
"The code calling this must ensure that OpenID 2 "\
"responses have a non-none `openid.op_endpoint' and "\
"that it is set as the `server_url' attribute of the "\
"`to_match' endpoint."
end
elsif to_match.server_url != endpoint.server_url
raise ProtocolError, ("OP Endpoint mismatch. Expected"\
"#{to_match.server_url}, got "\
"#{endpoint.server_url}")
end
end
end
end
end

@ -0,0 +1,148 @@
module OpenID
class Consumer
# Code returned when either the of the
# OpenID::OpenIDConsumer.begin_auth or OpenID::OpenIDConsumer.complete_auth
# methods return successfully.
SUCCESS = :success
# Code OpenID::OpenIDConsumer.complete_auth
# returns when the value it received indicated an invalid login.
FAILURE = :failure
# Code returned by OpenIDConsumer.complete_auth when the user
# cancels the operation from the server.
CANCEL = :cancel
# Code returned by OpenID::OpenIDConsumer.complete_auth when the
# OpenIDConsumer instance is in immediate mode and ther server sends back a
# URL for the user to login with.
SETUP_NEEDED = :setup_needed
module Response
attr_reader :endpoint
def status
self.class::STATUS
end
# The identity URL that has been authenticated; the Claimed Identifier.
# See also display_identifier.
def identity_url
@endpoint ? @endpoint.claimed_id : nil
end
# The display identifier is related to the Claimed Identifier, but the
# two are not always identical. The display identifier is something the
# user should recognize as what they entered, whereas the response's
# claimed identifier (in the identity_url attribute) may have extra
# information for better persistence.
#
# URLs will be stripped of their fragments for display. XRIs will
# display the human-readable identifier (i-name) instead of the
# persistent identifier (i-number).
#
# Use the display identifier in your user interface. Use identity_url
# for querying your database or authorization server, or other
# identifier equality comparisons.
def display_identifier
@endpoint ? @endpoint.display_identifier : nil
end
end
# A successful acknowledgement from the OpenID server that the
# supplied URL is, indeed controlled by the requesting agent.
class SuccessResponse
include Response
STATUS = SUCCESS
attr_reader :message, :signed_fields
def initialize(endpoint, message, signed_fields)
# Don't use :endpoint=, because endpoint should never be nil
# for a successfull transaction.
@endpoint = endpoint
@identity_url = endpoint.claimed_id
@message = message
@signed_fields = signed_fields
end
# Was this authentication response an OpenID 1 authentication
# response?
def is_openid1
@message.is_openid1
end
# Return whether a particular key is signed, regardless of its
# namespace alias
def signed?(ns_uri, ns_key)
@signed_fields.member?(@message.get_key(ns_uri, ns_key))
end
# Return the specified signed field if available, otherwise
# return default
def get_signed(ns_uri, ns_key, default=nil)
if singed?(ns_uri, ns_key)
return @message.get_arg(ns_uri, ns_key, default)
else
return default
end
end
# Get signed arguments from the response message. Return a dict
# of all arguments in the specified namespace. If any of the
# arguments are not signed, return nil.
def get_signed_ns(ns_uri)
msg_args = @message.get_args(ns_uri)
msg_args.each_key do |key|
if !signed?(ns_uri, key)
return nil
end
end
return msg_args
end
# Return response arguments in the specified namespace.
# If require_signed is true and the arguments are not signed,
# return nil.
def extension_response(namespace_uri, require_signed)
if require_signed
get_signed_ns(namespace_uri)
else
@message.get_args(namespace_uri)
end
end
end
class FailureResponse
include Response
STATUS = FAILURE
attr_reader :message, :contact, :reference
def initialize(endpoint, message, contact=nil, reference=nil)
@endpoint = endpoint
@message = message
@contact = contact
@reference = reference
end
end
class CancelResponse
include Response
STATUS = CANCEL
def initialize(endpoint)
@endpoint = endpoint
end
end
class SetupNeededResponse
include Response
STATUS = SETUP_NEEDED
def initialize(endpoint, setup_url)
@endpoint = endpoint
@setup_url = setup_url
end
end
end
end

@ -0,0 +1,97 @@
require "openid/util"
require "digest/sha1"
require "digest/sha2"
begin
require "digest/hmac"
rescue LoadError
require "hmac/sha1"
require "hmac/sha2"
end
module OpenID
# This module contains everything needed to perform low-level
# cryptograph and data manipulation tasks.
module CryptUtil
# Generate a random number, doing a little extra work to make it
# more likely that it's suitable for cryptography. If your system
# doesn't have /dev/urandom then this number is not
# cryptographically safe. See
# <http://www.cosine.org/2007/08/07/security-ruby-kernel-rand/>
# for more information. max is the largest possible value of such
# a random number, where the result will be less than max.
def CryptUtil.rand(max)
Kernel.srand()
return Kernel.rand(max)
end
def CryptUtil.sha1(text)
return Digest::SHA1.digest(text)
end
def CryptUtil.hmac_sha1(key, text)
if Digest.const_defined? :HMAC
Digest::HMAC.new(key,Digest::SHA1).update(text).digest
else
return HMAC::SHA1.digest(key, text)
end
end
def CryptUtil.sha256(text)
return Digest::SHA256.digest(text)
end
def CryptUtil.hmac_sha256(key, text)
if Digest.const_defined? :HMAC
Digest::HMAC.new(key,Digest::SHA256).update(text).digest
else
return HMAC::SHA256.digest(key, text)
end
end
# Generate a random string of the given length, composed of the
# specified characters. If chars is nil, generate a string
# composed of characters in the range 0..255.
def CryptUtil.random_string(length, chars=nil)
s = ""
unless chars.nil?
length.times { s << chars[rand(chars.length)] }
else
length.times { s << rand(256).chr }
end
return s
end
# Convert a number to its binary representation; return a string
# of bytes.
def CryptUtil.num_to_binary(n)
bits = n.to_s(2)
prepend = (8 - bits.length % 8)
bits = ('0' * prepend) + bits
return [bits].pack('B*')
end
# Convert a string of bytes into a number.
def CryptUtil.binary_to_num(s)
# taken from openid-ruby 0.0.1
s = "\000" * (4 - (s.length % 4)) + s
num = 0
s.unpack('N*').each do |x|
num <<= 32
num |= x
end
return num
end
# Encode a number as a base64-encoded byte string.
def CryptUtil.num_to_base64(l)
return OpenID::Util.to_base64(num_to_binary(l))
end
# Decode a base64 byte string to a number.
def CryptUtil.base64_to_num(s)
return binary_to_num(OpenID::Util.from_base64(s))
end
end
end

@ -0,0 +1,89 @@
require "openid/util"
require "openid/cryptutil"
module OpenID
# Encapsulates a Diffie-Hellman key exchange. This class is used
# internally by both the consumer and server objects.
#
# Read more about Diffie-Hellman on wikipedia:
# http://en.wikipedia.org/wiki/Diffie-Hellman
class DiffieHellman
# From the OpenID specification
@@default_mod = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443
@@default_gen = 2
attr_reader :modulus, :generator, :public
# A new DiffieHellman object, using the modulus and generator from
# the OpenID specification
def DiffieHellman.from_defaults
DiffieHellman.new(@@default_mod, @@default_gen)
end
def initialize(modulus=nil, generator=nil, priv=nil)
@modulus = modulus.nil? ? @@default_mod : modulus
@generator = generator.nil? ? @@default_gen : generator
set_private(priv.nil? ? OpenID::CryptUtil.rand(@modulus-2) + 1 : priv)
end
def get_shared_secret(composite)
DiffieHellman.powermod(composite, @private, @modulus)
end
def xor_secret(algorithm, composite, secret)
dh_shared = get_shared_secret(composite)
packed_dh_shared = OpenID::CryptUtil.num_to_binary(dh_shared)
hashed_dh_shared = algorithm.call(packed_dh_shared)
return DiffieHellman.strxor(secret, hashed_dh_shared)
end
def using_default_values?
@generator == @@default_gen && @modulus == @@default_mod
end
private
def set_private(priv)
@private = priv
@public = DiffieHellman.powermod(@generator, @private, @modulus)
end
def DiffieHellman.strxor(s, t)
if s.length != t.length
raise ArgumentError, "strxor: lengths don't match. " +
"Inputs were #{s.inspect} and #{t.inspect}"
end
if String.method_defined? :bytes
s.bytes.zip(t.bytes).map{|sb,tb| sb^tb}.pack('C*')
else
indices = 0...(s.length)
chrs = indices.collect {|i| (s[i]^t[i]).chr}
chrs.join("")
end
end
# This code is taken from this post:
# <http://blade.nagaokaut.ac.jp/cgi-bin/scat.\rb/ruby/ruby-talk/19098>
# by Eric Lee Green.
def DiffieHellman.powermod(x, n, q)
counter=0
n_p=n
y_p=1
z_p=x
while n_p != 0
if n_p[0]==1
y_p=(y_p*z_p) % q
end
n_p = n_p >> 1
z_p = (z_p * z_p) % q
counter += 1
end
return y_p
end
end
end

@ -0,0 +1,39 @@
require 'openid/message'
module OpenID
# An interface for OpenID extensions.
class Extension < Object
def initialize
@ns_uri = nil
@ns_alias = nil
end
# Get the string arguments that should be added to an OpenID
# message for this extension.
def get_extension_args
raise NotImplementedError
end
# Add the arguments from this extension to the provided
# message, or create a new message containing only those
# arguments. Returns the message with added extension args.
def to_message(message = nil)
if message.nil?
# warnings.warn('Passing None to Extension.toMessage is deprecated. '
# 'Creating a message assuming you want OpenID 2.',
# DeprecationWarning, stacklevel=2)
Message.new(OPENID2_NS)
end
message = Message.new if message.nil?
implicit = message.is_openid1()
message.namespaces.add_alias(@ns_uri, @ns_alias, implicit)
# XXX python ignores keyerror if m.ns.getAlias(uri) == alias
message.update_args(@ns_uri, get_extension_args)
return message
end
end
end

@ -0,0 +1,516 @@
# Implements the OpenID attribute exchange specification, version 1.0
require 'openid/extension'
require 'openid/trustroot'
require 'openid/message'
module OpenID
module AX
UNLIMITED_VALUES = "unlimited"
MINIMUM_SUPPORTED_ALIAS_LENGTH = 32
# check alias for invalid characters, raise AXError if found
def self.check_alias(name)
if name.match(/(,|\.)/)
raise Error, ("Alias #{name.inspect} must not contain a "\
"comma or period.")
end
end
# Raised when data does not comply with AX 1.0 specification
class Error < ArgumentError
end
# Abstract class containing common code for attribute exchange messages
class AXMessage < Extension
attr_accessor :ns_alias, :mode, :ns_uri
NS_URI = 'http://openid.net/srv/ax/1.0'
def initialize
@ns_alias = 'ax'
@ns_uri = NS_URI
@mode = nil
end
protected
# Raise an exception if the mode in the attribute exchange
# arguments does not match what is expected for this class.
def check_mode(ax_args)
actual_mode = ax_args['mode']
if actual_mode != @mode
raise Error, "Expected mode #{mode.inspect}, got #{actual_mode.inspect}"
end
end
def new_args
{'mode' => @mode}
end
end
# Represents a single attribute in an attribute exchange
# request. This should be added to an Request object in order to
# request the attribute.
#
# @ivar required: Whether the attribute will be marked as required
# when presented to the subject of the attribute exchange
# request.
# @type required: bool
#
# @ivar count: How many values of this type to request from the
# subject. Defaults to one.
# @type count: int
#
# @ivar type_uri: The identifier that determines what the attribute
# represents and how it is serialized. For example, one type URI
# representing dates could represent a Unix timestamp in base 10
# and another could represent a human-readable string.
# @type type_uri: str
#
# @ivar ns_alias: The name that should be given to this alias in the
# request. If it is not supplied, a generic name will be
# assigned. For example, if you want to call a Unix timestamp
# value 'tstamp', set its alias to that value. If two attributes
# in the same message request to use the same alias, the request
# will fail to be generated.
# @type alias: str or NoneType
class AttrInfo < Object
attr_reader :type_uri, :count, :ns_alias
attr_accessor :required
def initialize(type_uri, ns_alias=nil, required=false, count=1)
@type_uri = type_uri
@count = count
@required = required
@ns_alias = ns_alias
end
def wants_unlimited_values?
@count == UNLIMITED_VALUES
end
end
# Given a namespace mapping and a string containing a
# comma-separated list of namespace aliases, return a list of type
# URIs that correspond to those aliases.
# namespace_map: OpenID::NamespaceMap
def self.to_type_uris(namespace_map, alias_list_s)
return [] if alias_list_s.nil?
alias_list_s.split(',').inject([]) {|uris, name|
type_uri = namespace_map.get_namespace_uri(name)
raise IndexError, "No type defined for attribute name #{name.inspect}" if type_uri.nil?
uris << type_uri
}
end
# An attribute exchange 'fetch_request' message. This message is
# sent by a relying party when it wishes to obtain attributes about
# the subject of an OpenID authentication request.
class FetchRequest < AXMessage
attr_reader :requested_attributes
attr_accessor :update_url
def initialize(update_url = nil)
super()
@mode = 'fetch_request'
@requested_attributes = {}
@update_url = update_url
end
# Add an attribute to this attribute exchange request.
# attribute: AttrInfo, the attribute being requested
# Raises IndexError if the requested attribute is already present
# in this request.
def add(attribute)
if @requested_attributes[attribute.type_uri]
raise IndexError, "The attribute #{attribute.type_uri} has already been requested"
end
@requested_attributes[attribute.type_uri] = attribute
end
# Get the serialized form of this attribute fetch request.
# returns a hash of the arguments
def get_extension_args
aliases = NamespaceMap.new
required = []
if_available = []
ax_args = new_args
@requested_attributes.each{|type_uri, attribute|
if attribute.ns_alias
name = aliases.add_alias(type_uri, attribute.ns_alias)
else
name = aliases.add(type_uri)
end
if attribute.required
required << name
else
if_available << name
end
if attribute.count != 1
ax_args["count.#{name}"] = attribute.count.to_s
end
ax_args["type.#{name}"] = type_uri
}
unless required.empty?
ax_args['required'] = required.join(',')
end
unless if_available.empty?
ax_args['if_available'] = if_available.join(',')
end
return ax_args
end
# Get the type URIs for all attributes that have been marked
# as required.
def get_required_attrs
@requested_attributes.inject([]) {|required, (type_uri, attribute)|
if attribute.required
required << type_uri
else
required
end
}
end
# Extract a FetchRequest from an OpenID message
# message: OpenID::Message
# return a FetchRequest or nil if AX arguments are not present
def self.from_openid_request(oidreq)
message = oidreq.message
ax_args = message.get_args(NS_URI)
return nil if ax_args == {}
req = new
req.parse_extension_args(ax_args)
if req.update_url
realm = message.get_arg(OPENID_NS, 'realm',
message.get_arg(OPENID_NS, 'return_to'))
if realm.nil? or realm.empty?
raise Error, "Cannot validate update_url #{req.update_url.inspect} against absent realm"
end
tr = TrustRoot::TrustRoot.parse(realm)
unless tr.validate_url(req.update_url)
raise Error, "Update URL #{req.update_url.inspect} failed validation against realm #{realm.inspect}"
end
end
return req
end
def parse_extension_args(ax_args)
check_mode(ax_args)
aliases = NamespaceMap.new
ax_args.each{|k,v|
if k.index('type.') == 0
name = k[5..-1]
type_uri = v
aliases.add_alias(type_uri, name)
count_key = 'count.'+name
count_s = ax_args[count_key]
count = 1
if count_s
if count_s == UNLIMITED_VALUES
count = count_s
else
count = count_s.to_i
if count <= 0
raise Error, "Invalid value for count #{count_key.inspect}: #{count_s.inspect}"
end
end
end
add(AttrInfo.new(type_uri, name, false, count))
end
}
required = AX.to_type_uris(aliases, ax_args['required'])
required.each{|type_uri|
@requested_attributes[type_uri].required = true
}
if_available = AX.to_type_uris(aliases, ax_args['if_available'])
all_type_uris = required + if_available
aliases.namespace_uris.each{|type_uri|
unless all_type_uris.member? type_uri
raise Error, "Type URI #{type_uri.inspect} was in the request but not present in 'required' or 'if_available'"
end
}
@update_url = ax_args['update_url']
end
# return the list of AttrInfo objects contained in the FetchRequest
def attributes
@requested_attributes.values
end
# return the list of requested attribute type URIs
def requested_types
@requested_attributes.keys
end
def member?(type_uri)
! @requested_attributes[type_uri].nil?
end
end
# Abstract class that implements a message that has attribute
# keys and values. It contains the common code between
# fetch_response and store_request.
class KeyValueMessage < AXMessage
attr_reader :data
def initialize
super()
@mode = nil
@data = {}
@data.default = []
end
# Add a single value for the given attribute type to the
# message. If there are already values specified for this type,
# this value will be sent in addition to the values already
# specified.
def add_value(type_uri, value)
@data[type_uri] = @data[type_uri] << value
end
# Set the values for the given attribute type. This replaces
# any values that have already been set for this attribute.
def set_values(type_uri, values)
@data[type_uri] = values
end
# Get the extension arguments for the key/value pairs
# contained in this message.
def _get_extension_kv_args(aliases = nil)
aliases = NamespaceMap.new if aliases.nil?
ax_args = new_args
@data.each{|type_uri, values|
name = aliases.add(type_uri)
ax_args['type.'+name] = type_uri
ax_args['count.'+name] = values.size.to_s
values.each_with_index{|value, i|
key = "value.#{name}.#{i+1}"
ax_args[key] = value
}
}
return ax_args
end
# Parse attribute exchange key/value arguments into this object.
def parse_extension_args(ax_args)
check_mode(ax_args)
aliases = NamespaceMap.new
ax_args.each{|k, v|
if k.index('type.') == 0
type_uri = v
name = k[5..-1]
AX.check_alias(name)
aliases.add_alias(type_uri,name)
end
}
aliases.each{|type_uri, name|
count_s = ax_args['count.'+name]
count = count_s.to_i
if count_s.nil?
value = ax_args['value.'+name]
if value.nil?
raise IndexError, "Missing #{'value.'+name} in FetchResponse"
elsif value.empty?
values = []
else
values = [value]
end
elsif count_s.to_i == 0
values = []
else
values = (1..count).inject([]){|l,i|
key = "value.#{name}.#{i}"
v = ax_args[key]
raise IndexError, "Missing #{key} in FetchResponse" if v.nil?
l << v
}
end
@data[type_uri] = values
}
end
# Get a single value for an attribute. If no value was sent
# for this attribute, use the supplied default. If there is more
# than one value for this attribute, this method will fail.
def get_single(type_uri, default = nil)
values = @data[type_uri]
return default if values.empty?
if values.size != 1
raise Error, "More than one value present for #{type_uri.inspect}"
else
return values[0]
end
end
# retrieve the list of values for this attribute
def get(type_uri)
@data[type_uri]
end
# retrieve the list of values for this attribute
def [](type_uri)
@data[type_uri]
end
# get the number of responses for this attribute
def count(type_uri)
@data[type_uri].size
end
end
# A fetch_response attribute exchange message
class FetchResponse < KeyValueMessage
attr_reader :update_url
def initialize(update_url = nil)
super()
@mode = 'fetch_response'
@update_url = update_url
end
# Serialize this object into arguments in the attribute
# exchange namespace
# Takes an optional FetchRequest. If specified, the response will be
# validated against this request, and empty responses for requested
# fields with no data will be sent.
def get_extension_args(request = nil)
aliases = NamespaceMap.new
zero_value_types = []
if request
# Validate the data in the context of the request (the
# same attributes should be present in each, and the
# counts in the response must be no more than the counts
# in the request)
@data.keys.each{|type_uri|
unless request.member? type_uri
raise IndexError, "Response attribute not present in request: #{type_uri.inspect}"
end
}
request.attributes.each{|attr_info|
# Copy the aliases from the request so that reading
# the response in light of the request is easier
if attr_info.ns_alias.nil?
aliases.add(attr_info.type_uri)
else
aliases.add_alias(attr_info.type_uri, attr_info.ns_alias)
end
values = @data[attr_info.type_uri]
if values.empty? # @data defaults to []
zero_value_types << attr_info
end
if attr_info.count != UNLIMITED_VALUES and attr_info.count < values.size
raise Error, "More than the number of requested values were specified for #{attr_info.type_uri.inspect}"
end
}
end
kv_args = _get_extension_kv_args(aliases)
# Add the KV args into the response with the args that are
# unique to the fetch_response
ax_args = new_args
zero_value_types.each{|attr_info|
name = aliases.get_alias(attr_info.type_uri)
kv_args['type.' + name] = attr_info.type_uri
kv_args['count.' + name] = '0'
}
update_url = (request and request.update_url or @update_url)
ax_args['update_url'] = update_url unless update_url.nil?
ax_args.update(kv_args)
return ax_args
end
def parse_extension_args(ax_args)
super
@update_url = ax_args['update_url']
end
# Construct a FetchResponse object from an OpenID library
# SuccessResponse object.
def self.from_success_response(success_response, signed=true)
obj = self.new
if signed
ax_args = success_response.get_signed_ns(obj.ns_uri)
else
ax_args = success_response.message.get_args(obj.ns_uri)
end
begin
obj.parse_extension_args(ax_args)
return obj
rescue Error => e
return nil
end
end
end
# A store request attribute exchange message representation
class StoreRequest < KeyValueMessage
def initialize
super
@mode = 'store_request'
end
def get_extension_args(aliases=nil)
ax_args = new_args
kv_args = _get_extension_kv_args(aliases)
ax_args.update(kv_args)
return ax_args
end
end
# An indication that the store request was processed along with
# this OpenID transaction.
class StoreResponse < AXMessage
SUCCESS_MODE = 'store_response_success'
FAILURE_MODE = 'store_response_failure'
attr_reader :error_message
def initialize(succeeded = true, error_message = nil)
super()
if succeeded and error_message
raise Error, "Error message included in a success response"
end
if succeeded
@mode = SUCCESS_MODE
else
@mode = FAILURE_MODE
end
@error_message = error_message
end
def succeeded?
@mode == SUCCESS_MODE
end
def get_extension_args
ax_args = new_args
if !succeeded? and error_message
ax_args['error'] = @error_message
end
return ax_args
end
end
end
end

@ -0,0 +1,179 @@
# An implementation of the OpenID Provider Authentication Policy
# Extension 1.0
# see: http://openid.net/specs/
require 'openid/extension'
module OpenID
module PAPE
NS_URI = "http://specs.openid.net/extensions/pape/1.0"
AUTH_MULTI_FACTOR_PHYSICAL =
'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical'
AUTH_MULTI_FACTOR =
'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
AUTH_PHISHING_RESISTANT =
'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'
TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
# A Provider Authentication Policy request, sent from a relying
# party to a provider
class Request < Extension
attr_accessor :preferred_auth_policies, :max_auth_age, :ns_alias, :ns_uri
def initialize(preferred_auth_policies=[], max_auth_age=nil)
@ns_alias = 'pape'
@ns_uri = NS_URI
@preferred_auth_policies = preferred_auth_policies
@max_auth_age = max_auth_age
end
# Add an acceptable authentication policy URI to this request
# This method is intended to be used by the relying party to add
# acceptable authentication types to the request.
def add_policy_uri(policy_uri)
unless @preferred_auth_policies.member? policy_uri
@preferred_auth_policies << policy_uri
end
end
def get_extension_args
ns_args = {
'preferred_auth_policies' => @preferred_auth_policies.join(' ')
}
ns_args['max_auth_age'] = @max_auth_age.to_s if @max_auth_age
return ns_args
end
# Instantiate a Request object from the arguments in a
# checkid_* OpenID message
# return nil if the extension was not requested.
def self.from_openid_request(oid_req)
pape_req = new
args = oid_req.message.get_args(NS_URI)
if args == {}
return nil
end
pape_req.parse_extension_args(args)
return pape_req
end
# Set the state of this request to be that expressed in these
# PAPE arguments
def parse_extension_args(args)
@preferred_auth_policies = []
policies_str = args['preferred_auth_policies']
if policies_str
policies_str.split(' ').each{|uri|
add_policy_uri(uri)
}
end
max_auth_age_str = args['max_auth_age']
if max_auth_age_str
@max_auth_age = max_auth_age_str.to_i
else
@max_auth_age = nil
end
end
# Given a list of authentication policy URIs that a provider
# supports, this method returns the subset of those types
# that are preferred by the relying party.
def preferred_types(supported_types)
@preferred_auth_policies.select{|uri| supported_types.member? uri}
end
end
# A Provider Authentication Policy response, sent from a provider
# to a relying party
class Response < Extension
attr_accessor :ns_alias, :auth_policies, :auth_time, :nist_auth_level
def initialize(auth_policies=[], auth_time=nil, nist_auth_level=nil)
@ns_alias = 'pape'
@ns_uri = NS_URI
@auth_policies = auth_policies
@auth_time = auth_time
@nist_auth_level = nist_auth_level
end
# Add a policy URI to the response
# see http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies
def add_policy_uri(policy_uri)
@auth_policies << policy_uri unless @auth_policies.member?(policy_uri)
end
# Create a Response object from an OpenID::Consumer::SuccessResponse
def self.from_success_response(success_response)
args = success_response.get_signed_ns(NS_URI)
return nil if args.nil?
pape_resp = new
pape_resp.parse_extension_args(args)
return pape_resp
end
# parse the provider authentication policy arguments into the
# internal state of this object
# if strict is specified, raise an exception when bad data is
# encountered
def parse_extension_args(args, strict=false)
policies_str = args['auth_policies']
if policies_str and policies_str != 'none'
@auth_policies = policies_str.split(' ')
end
nist_level_str = args['nist_auth_level']
if nist_level_str
# special handling of zero to handle to_i behavior
if nist_level_str.strip == '0'
nist_level = 0
else
nist_level = nist_level_str.to_i
# if it's zero here we have a bad value
if nist_level == 0
nist_level = nil
end
end
if nist_level and nist_level >= 0 and nist_level < 5
@nist_auth_level = nist_level
elsif strict
raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{nist_level_str.inspect}"
end
end
auth_time_str = args['auth_time']
if auth_time_str
# validate time string
if auth_time_str =~ TIME_VALIDATOR
@auth_time = auth_time_str
elsif strict
raise ArgumentError, "auth_time must be in RFC3339 format"
end
end
end
def get_extension_args
ns_args = {}
if @auth_policies.empty?
ns_args['auth_policies'] = 'none'
else
ns_args['auth_policies'] = @auth_policies.join(' ')
end
if @nist_auth_level
unless (0..4).member? @nist_auth_level
raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{@nist_auth_level.inspect}"
end
ns_args['nist_auth_level'] = @nist_auth_level.to_s
end
if @auth_time
unless @auth_time =~ TIME_VALIDATOR
raise ArgumentError, "auth_time must be in RFC3339 format"
end
ns_args['auth_time'] = @auth_time
end
return ns_args
end
end
end
end

@ -0,0 +1,277 @@
require 'openid/extension'
require 'openid/util'
require 'openid/message'
module OpenID
module SReg
DATA_FIELDS = {
'fullname'=>'Full Name',
'nickname'=>'Nickname',
'dob'=>'Date of Birth',
'email'=>'E-mail Address',
'gender'=>'Gender',
'postcode'=>'Postal Code',
'country'=>'Country',
'language'=>'Language',
'timezone'=>'Time Zone',
}
NS_URI_1_0 = 'http://openid.net/sreg/1.0'
NS_URI_1_1 = 'http://openid.net/extensions/sreg/1.1'
NS_URI = NS_URI_1_1
begin
Message.register_namespace_alias(NS_URI_1_1, 'sreg')
rescue NamespaceAliasRegistrationError => e
Util.log(e)
end
# raise ArgumentError if fieldname is not in the defined sreg fields
def OpenID.check_sreg_field_name(fieldname)
unless DATA_FIELDS.member? fieldname
raise ArgumentError, "#{fieldname} is not a defined simple registration field"
end
end
# Does the given endpoint advertise support for simple registration?
def OpenID.supports_sreg?(endpoint)
endpoint.uses_extension(NS_URI_1_1) || endpoint.uses_extension(NS_URI_1_0)
end
# Extract the simple registration namespace URI from the given
# OpenID message. Handles OpenID 1 and 2, as well as both sreg
# namespace URIs found in the wild, as well as missing namespace
# definitions (for OpenID 1)
def OpenID.get_sreg_ns(message)
[NS_URI_1_1, NS_URI_1_0].each{|ns|
if message.namespaces.get_alias(ns)
return ns
end
}
# try to add an alias, since we didn't find one
ns = NS_URI_1_1
begin
message.namespaces.add_alias(ns, 'sreg')
rescue IndexError
raise NamespaceError
end
return ns
end
# The simple registration namespace was not found and could not
# be created using the expected name (there's another extension
# using the name 'sreg')
#
# This is not <em>illegal</em>, for OpenID 2, although it probably
# indicates a problem, since it's not expected that other extensions
# will re-use the alias that is in use for OpenID 1.
#
# If this is an OpenID 1 request, then there is no recourse. This
# should not happen unless some code has modified the namespaces for
# the message that is being processed.
class NamespaceError < ArgumentError
end
# An object to hold the state of a simple registration request.
class Request < Extension
attr_reader :optional, :required, :ns_uri
attr_accessor :policy_url
def initialize(required = nil, optional = nil, policy_url = nil, ns_uri = NS_URI)
super()
@policy_url = policy_url
@ns_uri = ns_uri
@ns_alias = 'sreg'
@required = []
@optional = []
if required
request_fields(required, true, true)
end
if optional
request_fields(optional, false, true)
end
end
# Create a simple registration request that contains the
# fields that were requested in the OpenID request with the
# given arguments
# Takes an OpenID::CheckIDRequest, returns an OpenID::Sreg::Request
# return nil if the extension was not requested.
def self.from_openid_request(request)
# Since we're going to mess with namespace URI mapping, don't
# mutate the object that was passed in.
message = request.message.copy
ns_uri = OpenID::get_sreg_ns(message)
args = message.get_args(ns_uri)
return nil if args == {}
req = new(nil,nil,nil,ns_uri)
req.parse_extension_args(args)
return req
end
# Parse the unqualified simple registration request
# parameters and add them to this object.
#
# This method is essentially the inverse of
# getExtensionArgs. This method restores the serialized simple
# registration request fields.
#
# If you are extracting arguments from a standard OpenID
# checkid_* request, you probably want to use fromOpenIDRequest,
# which will extract the sreg namespace and arguments from the
# OpenID request. This method is intended for cases where the
# OpenID server needs more control over how the arguments are
# parsed than that method provides.
def parse_extension_args(args, strict = false)
required_items = args['required']
unless required_items.nil? or required_items.empty?
required_items.split(',').each{|field_name|
begin
request_field(field_name, true, strict)
rescue ArgumentError
raise if strict
end
}
end
optional_items = args['optional']
unless optional_items.nil? or optional_items.empty?
optional_items.split(',').each{|field_name|
begin
request_field(field_name, false, strict)
rescue ArgumentError
raise if strict
end
}
end
@policy_url = args['policy_url']
end
# A list of all of the simple registration fields that were
# requested, whether they were required or optional.
def all_requested_fields
@required + @optional
end
# Have any simple registration fields been requested?
def were_fields_requested?
!all_requested_fields.empty?
end
# Request the specified field from the OpenID user
# field_name: the unqualified simple registration field name
# required: whether the given field should be presented
# to the user as being a required to successfully complete
# the request
# strict: whether to raise an exception when a field is
# added to a request more than once
# Raises ArgumentError if the field_name is not a simple registration
# field, or if strict is set and a field is added more than once
def request_field(field_name, required=false, strict=false)
OpenID::check_sreg_field_name(field_name)
if strict
if (@required + @optional).member? field_name
raise ArgumentError, 'That field has already been requested'
end
else
return if @required.member? field_name
if @optional.member? field_name
if required
@optional.delete field_name
else
return
end
end
end
if required
@required << field_name
else
@optional << field_name
end
end
# Add the given list of fields to the request.
def request_fields(field_names, required = false, strict = false)
raise ArgumentError unless field_names.respond_to?(:each) and
field_names[0].is_a?(String)
field_names.each{|fn|request_field(fn, required, strict)}
end
# Get a hash of unqualified simple registration arguments
# representing this request.
# This method is essentially the inverse of parse_extension_args.
# This method serializes the simple registration request fields.
def get_extension_args
args = {}
args['required'] = @required.join(',') unless @required.empty?
args['optional'] = @optional.join(',') unless @optional.empty?
args['policy_url'] = @policy_url unless @policy_url.nil?
return args
end
def member?(field_name)
all_requested_fields.member?(field_name)
end
end
# Represents the data returned in a simple registration response
# inside of an OpenID id_res response. This object will be
# created by the OpenID server, added to the id_res response
# object, and then extracted from the id_res message by the Consumer.
class Response < Extension
attr_reader :ns_uri, :data
def initialize(data = {}, ns_uri=NS_URI)
@ns_alias = 'sreg'
@data = data
@ns_uri = ns_uri
end
# Take a Request and a hash of simple registration
# values and create a Response object containing that data.
def self.extract_response(request, data)
arf = request.all_requested_fields
resp_data = data.reject{|k,v| !arf.member?(k) || v.nil? }
new(resp_data, request.ns_uri)
end
# Create an Response object from an
# OpenID::Consumer::SuccessResponse from consumer.complete
# If you set the signed_only parameter to false, unsigned data from
# the id_res message from the server will be processed.
def self.from_success_response(success_response, signed_only = true)
ns_uri = OpenID::get_sreg_ns(success_response.message)
if signed_only
args = success_response.get_signed_ns(ns_uri)
return nil if args.nil? # No signed args, so fail
else
args = success_response.message.get_args(ns_uri)
end
args.reject!{|k,v| !DATA_FIELDS.member?(k) }
new(args, ns_uri)
end
# Get the fields to put in the simple registration namespace
# when adding them to an id_res message.
def get_extension_args
return @data
end
# Read-only hashlike interface.
# Raises an exception if the field name is bad
def [](field_name)
OpenID::check_sreg_field_name(field_name)
data[field_name]
end
def empty?
@data.empty?
end
# XXX is there more to a hashlike interface I should add?
end
end
end

@ -0,0 +1,11 @@
class String
def starts_with?(other)
head = self[0, other.length]
head == other
end
def ends_with?(other)
tail = self[-1 * other.length, other.length]
tail == other
end
end

@ -0,0 +1,238 @@
require 'net/http'
require 'openid'
require 'openid/util'
begin
require 'net/https'
rescue LoadError
OpenID::Util.log('WARNING: no SSL support found. Will not be able ' +
'to fetch HTTPS URLs!')
require 'net/http'
end
MAX_RESPONSE_KB = 1024
module Net
class HTTP
def post_connection_check(hostname)
check_common_name = true
cert = @socket.io.peer_cert
cert.extensions.each { |ext|
next if ext.oid != "subjectAltName"
ext.value.split(/,\s+/).each{ |general_name|
if /\ADNS:(.*)/ =~ general_name
check_common_name = false
reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
return true if /\A#{reg}\z/i =~ hostname
elsif /\AIP Address:(.*)/ =~ general_name
check_common_name = false
return true if $1 == hostname
end
}
}
if check_common_name
cert.subject.to_a.each{ |oid, value|
if oid == "CN"
reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
return true if /\A#{reg}\z/i =~ hostname
end
}
end
raise OpenSSL::SSL::SSLError, "hostname does not match"
end
end
end
module OpenID
# Our HTTPResponse class extends Net::HTTPResponse with an additional
# method, final_url.
class HTTPResponse
attr_accessor :final_url
attr_accessor :_response
def self._from_net_response(response, final_url, headers=nil)
me = self.new
me._response = response
me.final_url = final_url
return me
end
def method_missing(method, *args)
@_response.send(method, *args)
end
def body=(s)
@_response.instance_variable_set('@body', s)
# XXX Hack to work around ruby's HTTP library behavior. @body
# is only returned if it has been read from the response
# object's socket, but since we're not using a socket in this
# case, we need to set the @read flag to true to avoid a bug in
# Net::HTTPResponse.stream_check when @socket is nil.
@_response.instance_variable_set('@read', true)
end
end
class FetchingError < OpenIDError
end
class HTTPRedirectLimitReached < FetchingError
end
class SSLFetchingError < FetchingError
end
@fetcher = nil
def self.fetch(url, body=nil, headers=nil,
redirect_limit=StandardFetcher::REDIRECT_LIMIT)
return fetcher.fetch(url, body, headers, redirect_limit)
end
def self.fetcher
if @fetcher.nil?
@fetcher = StandardFetcher.new
end
return @fetcher
end
def self.fetcher=(fetcher)
@fetcher = fetcher
end
# Set the default fetcher to use the HTTP proxy defined in the environment
# variable 'http_proxy'.
def self.fetcher_use_env_http_proxy
proxy_string = ENV['http_proxy']
return unless proxy_string
proxy_uri = URI.parse(proxy_string)
@fetcher = StandardFetcher.new(proxy_uri.host, proxy_uri.port,
proxy_uri.user, proxy_uri.password)
end
class StandardFetcher
USER_AGENT = "ruby-openid/#{OpenID::VERSION} (#{RUBY_PLATFORM})"
REDIRECT_LIMIT = 5
TIMEOUT = 60
attr_accessor :ca_file
attr_accessor :timeout
# I can fetch through a HTTP proxy; arguments are as for Net::HTTP::Proxy.
def initialize(proxy_addr=nil, proxy_port=nil,
proxy_user=nil, proxy_pass=nil)
@ca_file = nil
@proxy = Net::HTTP::Proxy(proxy_addr, proxy_port, proxy_user, proxy_pass)
@timeout = TIMEOUT
end
def supports_ssl?(conn)
return conn.respond_to?(:use_ssl=)
end
def make_http(uri)
http = @proxy.new(uri.host, uri.port)
http.read_timeout = @timeout
http.open_timeout = @timeout
return http
end
def set_verified(conn, verify)
if verify
conn.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
conn.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
end
def make_connection(uri)
conn = make_http(uri)
if !conn.is_a?(Net::HTTP)
raise RuntimeError, sprintf("Expected Net::HTTP object from make_http; got %s",
conn.class)
end
if uri.scheme == 'https'
if supports_ssl?(conn)
conn.use_ssl = true
if @ca_file
set_verified(conn, true)
conn.ca_file = @ca_file
else
Util.log("WARNING: making https request to #{uri} without verifying " +
"server certificate; no CA path was specified.")
set_verified(conn, false)
end
else
raise RuntimeError, "SSL support not found; cannot fetch #{uri}"
end
end
return conn
end
def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
unparsed_url = url.dup
url = URI::parse(url)
if url.nil?
raise FetchingError, "Invalid URL: #{unparsed_url}"
end
headers ||= {}
headers['User-agent'] ||= USER_AGENT
begin
conn = make_connection(url)
response = nil
response = conn.start {
# Check the certificate against the URL's hostname
if supports_ssl?(conn) and conn.use_ssl?
conn.post_connection_check(url.host)
end
if body.nil?
conn.request_get(url.request_uri, headers)
else
headers["Content-type"] ||= "application/x-www-form-urlencoded"
conn.request_post(url.request_uri, body, headers)
end
}
rescue RuntimeError => why
raise why
rescue OpenSSL::SSL::SSLError => why
raise SSLFetchingError, "Error connecting to SSL URL #{url}: #{why}"
rescue FetchingError => why
raise why
rescue Exception => why
# Things we've caught here include a Timeout::Error, which descends
# from SignalException.
raise FetchingError, "Error fetching #{url}: #{why}"
end
case response
when Net::HTTPRedirection
if redirect_limit <= 0
raise HTTPRedirectLimitReached.new(
"Too many redirects, not fetching #{response['location']}")
end
begin
return fetch(response['location'], body, headers, redirect_limit - 1)
rescue HTTPRedirectLimitReached => e
raise e
rescue FetchingError => why
raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
end
else
return HTTPResponse._from_net_response(response, unparsed_url)
end
end
end
end

@ -0,0 +1,136 @@
module OpenID
class KVFormError < Exception
end
module Util
def Util.seq_to_kv(seq, strict=false)
# Represent a sequence of pairs of strings as newline-terminated
# key:value pairs. The pairs are generated in the order given.
#
# @param seq: The pairs
#
# returns a string representation of the sequence
err = lambda { |msg|
msg = "seq_to_kv warning: #{msg}: #{seq.inspect}"
if strict
raise KVFormError, msg
else
Util.log(msg)
end
}
lines = []
seq.each { |k, v|
if !k.is_a?(String)
err.call("Converting key to string: #{k.inspect}")
k = k.to_s
end
if !k.index("\n").nil?
raise KVFormError, "Invalid input for seq_to_kv: key contains newline: #{k.inspect}"
end
if !k.index(":").nil?
raise KVFormError, "Invalid input for seq_to_kv: key contains colon: #{k.inspect}"
end
if k.strip() != k
err.call("Key has whitespace at beginning or end: #{k.inspect}")
end
if !v.is_a?(String)
err.call("Converting value to string: #{v.inspect}")
v = v.to_s
end
if !v.index("\n").nil?
raise KVFormError, "Invalid input for seq_to_kv: value contains newline: #{v.inspect}"
end
if v.strip() != v
err.call("Value has whitespace at beginning or end: #{v.inspect}")
end
lines << k + ":" + v + "\n"
}
return lines.join("")
end
def Util.kv_to_seq(data, strict=false)
# After one parse, seq_to_kv and kv_to_seq are inverses, with no
# warnings:
#
# seq = kv_to_seq(s)
# seq_to_kv(kv_to_seq(seq)) == seq
err = lambda { |msg|
msg = "kv_to_seq warning: #{msg}: #{data.inspect}"
if strict
raise KVFormError, msg
else
Util.log(msg)
end
}
lines = data.split("\n")
if data.length == 0
return []
end
if data[-1].chr != "\n"
err.call("Does not end in a newline")
# We don't expect the last element of lines to be an empty
# string because split() doesn't behave that way.
end
pairs = []
line_num = 0
lines.each { |line|
line_num += 1
# Ignore blank lines
if line.strip() == ""
next
end
pair = line.split(':', 2)
if pair.length == 2
k, v = pair
k_s = k.strip()
if k_s != k
msg = "In line #{line_num}, ignoring leading or trailing whitespace in key #{k.inspect}"
err.call(msg)
end
if k_s.length == 0
err.call("In line #{line_num}, got empty key")
end
v_s = v.strip()
if v_s != v
msg = "In line #{line_num}, ignoring leading or trailing whitespace in value #{v.inspect}"
err.call(msg)
end
pairs << [k_s, v_s]
else
err.call("Line #{line_num} does not contain a colon")
end
}
return pairs
end
def Util.dict_to_kv(d)
return seq_to_kv(d.entries.sort)
end
def Util.kv_to_dict(s)
seq = kv_to_seq(s)
return Hash[*seq.flatten]
end
end
end

@ -0,0 +1,58 @@
require "openid/message"
require "openid/fetchers"
module OpenID
# Exception that is raised when the server returns a 400 response
# code to a direct request.
class ServerError < OpenIDError
attr_reader :error_text, :error_code, :message
def initialize(error_text, error_code, message)
super(error_text)
@error_text = error_text
@error_code = error_code
@message = message
end
def self.from_message(msg)
error_text = msg.get_arg(OPENID_NS, 'error',
'<no error message supplied>')
error_code = msg.get_arg(OPENID_NS, 'error_code')
return self.new(error_text, error_code, msg)
end
end
class KVPostNetworkError < OpenIDError
end
class HTTPStatusError < OpenIDError
end
class Message
def self.from_http_response(response, server_url)
msg = self.from_kvform(response.body)
case response.code.to_i
when 200
return msg
when 206
return msg
when 400
raise ServerError.from_message(msg)
else
error_message = "bad status code from server #{server_url}: "\
"#{response.code}"
raise HTTPStatusError.new(error_message)
end
end
end
# Send the message to the server via HTTP POST and receive and parse
# a response in KV Form
def self.make_kv_post(request_message, server_url)
begin
http_response = self.fetch(server_url, request_message.to_url_encoded)
rescue Exception
raise KVPostNetworkError.new("Unable to contact OpenID server: #{$!.to_s}")
end
return Message.from_http_response(http_response, server_url)
end
end

@ -0,0 +1,553 @@
require 'openid/util'
require 'openid/kvform'
module OpenID
IDENTIFIER_SELECT = 'http://specs.openid.net/auth/2.0/identifier_select'
# URI for Simple Registration extension, the only commonly deployed
# OpenID 1.x extension, and so a special case.
SREG_URI = 'http://openid.net/sreg/1.0'
# The OpenID 1.x namespace URIs
OPENID1_NS = 'http://openid.net/signon/1.0'
OPENID11_NS = 'http://openid.net/signon/1.1'
OPENID1_NAMESPACES = [OPENID1_NS, OPENID11_NS]
# The OpenID 2.0 namespace URI
OPENID2_NS = 'http://specs.openid.net/auth/2.0'
# The namespace consisting of pairs with keys that are prefixed with
# "openid." but not in another namespace.
NULL_NAMESPACE = :null_namespace
# The null namespace, when it is an allowed OpenID namespace
OPENID_NS = :openid_namespace
# The top-level namespace, excluding all pairs with keys that start
# with "openid."
BARE_NS = :bare_namespace
# Limit, in bytes, of identity provider and return_to URLs,
# including response payload. See OpenID 1.1 specification,
# Appendix D.
OPENID1_URL_LIMIT = 2047
# All OpenID protocol fields. Used to check namespace aliases.
OPENID_PROTOCOL_FIELDS = [
'ns', 'mode', 'error', 'return_to',
'contact', 'reference', 'signed',
'assoc_type', 'session_type',
'dh_modulus', 'dh_gen',
'dh_consumer_public', 'claimed_id',
'identity', 'realm', 'invalidate_handle',
'op_endpoint', 'response_nonce', 'sig',
'assoc_handle', 'trust_root', 'openid',
]
# Sentinel used for Message implementation to indicate that getArg
# should raise an exception instead of returning a default.
NO_DEFAULT = :no_default
# Raised if the generic OpenID namespace is accessed when there
# is no OpenID namespace set for this message.
class UndefinedOpenIDNamespace < Exception; end
# Raised when an alias or namespace URI has already been registered.
class NamespaceAliasRegistrationError < Exception; end
# Raised if openid.ns is not a recognized value.
# See Message class variable @@allowed_openid_namespaces
class InvalidOpenIDNamespace < Exception; end
class Message
attr_reader :namespaces
# Raised when key lookup fails
class KeyNotFound < IndexError ; end
# Namespace / alias registration map. See
# register_namespace_alias.
@@registered_aliases = {}
# Registers a (namespace URI, alias) mapping in a global namespace
# alias map. Raises NamespaceAliasRegistrationError if either the
# namespace URI or alias has already been registered with a
# different value. This function is required if you want to use a
# namespace with an OpenID 1 message.
def Message.register_namespace_alias(namespace_uri, alias_)
if @@registered_aliases[alias_] == namespace_uri
return
end
if @@registered_aliases.values.include?(namespace_uri)
raise NamespaceAliasRegistrationError,
'Namespace uri #{namespace_uri} already registered'
end
if @@registered_aliases.member?(alias_)
raise NamespaceAliasRegistrationError,
'Alias #{alias_} already registered'
end
@@registered_aliases[alias_] = namespace_uri
end
@@allowed_openid_namespaces = [OPENID1_NS, OPENID2_NS, OPENID11_NS]
# Raises InvalidNamespaceError if you try to instantiate a Message
# with a namespace not in the above allowed list
def initialize(openid_namespace=nil)
@args = {}
@namespaces = NamespaceMap.new
if openid_namespace
implicit = OPENID1_NAMESPACES.member? openid_namespace
self.set_openid_namespace(openid_namespace, implicit)
else
@openid_ns_uri = nil
end
end
# Construct a Message containing a set of POST arguments.
# Raises InvalidNamespaceError if you try to instantiate a Message
# with a namespace not in the above allowed list
def Message.from_post_args(args)
m = Message.new
openid_args = {}
args.each do |key,value|
if value.is_a?(Array)
raise ArgumentError, "Query dict must have one value for each key, " +
"not lists of values. Query is #{args.inspect}"
end
prefix, rest = key.split('.', 2)
if prefix != 'openid' or rest.nil?
m.set_arg(BARE_NS, key, value)
else
openid_args[rest] = value
end
end
m._from_openid_args(openid_args)
return m
end
# Construct a Message from a parsed KVForm message.
# Raises InvalidNamespaceError if you try to instantiate a Message
# with a namespace not in the above allowed list
def Message.from_openid_args(openid_args)
m = Message.new
m._from_openid_args(openid_args)
return m
end
# Raises InvalidNamespaceError if you try to instantiate a Message
# with a namespace not in the above allowed list
def _from_openid_args(openid_args)
ns_args = []
# resolve namespaces
openid_args.each { |rest, value|
ns_alias, ns_key = rest.split('.', 2)
if ns_key.nil?
ns_alias = NULL_NAMESPACE
ns_key = rest
end
if ns_alias == 'ns'
@namespaces.add_alias(value, ns_key)
elsif ns_alias == NULL_NAMESPACE and ns_key == 'ns'
set_openid_namespace(value, false)
else
ns_args << [ns_alias, ns_key, value]
end
}
# implicitly set an OpenID 1 namespace
unless get_openid_namespace
set_openid_namespace(OPENID1_NS, true)
end
# put the pairs into the appropriate namespaces
ns_args.each { |ns_alias, ns_key, value|
ns_uri = @namespaces.get_namespace_uri(ns_alias)
unless ns_uri
ns_uri = _get_default_namespace(ns_alias)
unless ns_uri
ns_uri = get_openid_namespace
ns_key = "#{ns_alias}.#{ns_key}"
else
@namespaces.add_alias(ns_uri, ns_alias, true)
end
end
self.set_arg(ns_uri, ns_key, value)
}
end
def _get_default_namespace(mystery_alias)
# only try to map an alias to a default if it's an
# OpenID 1.x namespace
if is_openid1
@@registered_aliases[mystery_alias]
end
end
def set_openid_namespace(openid_ns_uri, implicit)
if !@@allowed_openid_namespaces.include?(openid_ns_uri)
raise InvalidOpenIDNamespace, "Invalid null namespace: #{openid_ns_uri}"
end
@namespaces.add_alias(openid_ns_uri, NULL_NAMESPACE, implicit)
@openid_ns_uri = openid_ns_uri
end
def get_openid_namespace
return @openid_ns_uri
end
def is_openid1
return OPENID1_NAMESPACES.member?(@openid_ns_uri)
end
def is_openid2
return @openid_ns_uri == OPENID2_NS
end
# Create a message from a KVForm string
def Message.from_kvform(kvform_string)
return Message.from_openid_args(Util.kv_to_dict(kvform_string))
end
def copy
return Marshal.load(Marshal.dump(self))
end
# Return all arguments with "openid." in from of namespaced arguments.
def to_post_args
args = {}
# add namespace defs to the output
@namespaces.each { |ns_uri, ns_alias|
if @namespaces.implicit?(ns_uri)
next
end
if ns_alias == NULL_NAMESPACE
ns_key = 'openid.ns'
else
ns_key = 'openid.ns.' + ns_alias
end
args[ns_key] = ns_uri
}
@args.each { |k, value|
ns_uri, ns_key = k
key = get_key(ns_uri, ns_key)
args[key] = value
}
return args
end
# Return all namespaced arguments, failing if any non-namespaced arguments
# exist.
def to_args
post_args = self.to_post_args
kvargs = {}
post_args.each { |k,v|
if !k.starts_with?('openid.')
raise ArgumentError, "This message can only be encoded as a POST, because it contains arguments that are not prefixed with 'openid.'"
else
kvargs[k[7..-1]] = v
end
}
return kvargs
end
# Generate HTML form markup that contains the values in this
# message, to be HTTP POSTed as x-www-form-urlencoded UTF-8.
def to_form_markup(action_url, form_tag_attrs=nil, submit_text='Continue')
form_tag_attr_map = {}
if form_tag_attrs
form_tag_attrs.each { |name, attr|
form_tag_attr_map[name] = attr
}
end
form_tag_attr_map['action'] = action_url
form_tag_attr_map['method'] = 'post'
form_tag_attr_map['accept-charset'] = 'UTF-8'
form_tag_attr_map['enctype'] = 'application/x-www-form-urlencoded'
markup = "<form "
form_tag_attr_map.each { |k, v|
markup += " #{k}=\"#{v}\""
}
markup += ">\n"
to_post_args.each { |k,v|
markup += "<input type='hidden' name='#{k}' value='#{v}' />\n"
}
markup += "<input type='submit' value='#{submit_text}' />\n"
markup += "\n</form>"
return markup
end
# Generate a GET URL with the paramters in this message attacked as
# query parameters.
def to_url(base_url)
return Util.append_args(base_url, self.to_post_args)
end
# Generate a KVForm string that contains the parameters in this message.
# This will fail is the message contains arguments outside of the
# "openid." prefix.
def to_kvform
return Util.dict_to_kv(to_args)
end
# Generate an x-www-urlencoded string.
def to_url_encoded
args = to_post_args.map.sort
return Util.urlencode(args)
end
# Convert an input value into the internally used values of this obejct.
def _fix_ns(namespace)
if namespace == OPENID_NS
unless @openid_ns_uri
raise UndefinedOpenIDNamespace, 'OpenID namespace not set'
else
namespace = @openid_ns_uri
end
end
if namespace == BARE_NS
return namespace
end
if !namespace.is_a?(String)
raise ArgumentError, ("Namespace must be BARE_NS, OPENID_NS or "\
"a string. Got #{namespace.inspect}")
end
if namespace.index(':').nil?
msg = ("OpenID 2.0 namespace identifiers SHOULD be URIs. "\
"Got #{namespace.inspect}")
Util.log(msg)
if namespace == 'sreg'
msg = "Using #{SREG_URI} instead of \"sreg\" as namespace"
Util.log(msg)
return SREG_URI
end
end
return namespace
end
def has_key?(namespace, ns_key)
namespace = _fix_ns(namespace)
return @args.member?([namespace, ns_key])
end
# Get the key for a particular namespaced argument
def get_key(namespace, ns_key)
namespace = _fix_ns(namespace)
return ns_key if namespace == BARE_NS
ns_alias = @namespaces.get_alias(namespace)
# no alias is defined, so no key can exist
return nil if ns_alias.nil?
if ns_alias == NULL_NAMESPACE
tail = ns_key
else
tail = "#{ns_alias}.#{ns_key}"
end
return 'openid.' + tail
end
# Get a value for a namespaced key.
def get_arg(namespace, key, default=nil)
namespace = _fix_ns(namespace)
@args.fetch([namespace, key]) {
if default == NO_DEFAULT
raise KeyNotFound, "<#{namespace}>#{key} not in this message"
else
default
end
}
end
# Get the arguments that are defined for this namespace URI.
def get_args(namespace)
namespace = _fix_ns(namespace)
args = {}
@args.each { |k,v|
pair_ns, ns_key = k
args[ns_key] = v if pair_ns == namespace
}
return args
end
# Set multiple key/value pairs in one call.
def update_args(namespace, updates)
namespace = _fix_ns(namespace)
updates.each {|k,v| set_arg(namespace, k, v)}
end
# Set a single argument in this namespace
def set_arg(namespace, key, value)
namespace = _fix_ns(namespace)
@args[[namespace, key].freeze] = value
if namespace != BARE_NS
@namespaces.add(namespace)
end
end
# Remove a single argument from this namespace.
def del_arg(namespace, key)
namespace = _fix_ns(namespace)
_key = [namespace, key]
@args.delete(_key)
end
def ==(other)
other.is_a?(self.class) && @args == other.instance_eval { @args }
end
def get_aliased_arg(aliased_key, default=nil)
if aliased_key == 'ns'
return get_openid_namespace()
end
ns_alias, key = aliased_key.split('.', 2)
if ns_alias == 'ns'
uri = @namespaces.get_namespace_uri(key)
if uri.nil? and default == NO_DEFAULT
raise KeyNotFound, "Namespace #{key} not defined when looking "\
"for #{aliased_key}"
else
return (uri.nil? ? default : uri)
end
end
if key.nil?
key = aliased_key
ns = nil
else
ns = @namespaces.get_namespace_uri(ns_alias)
end
if ns.nil?
key = aliased_key
ns = get_openid_namespace
end
return get_arg(ns, key, default)
end
end
# Maintains a bidirectional map between namespace URIs and aliases.
class NamespaceMap
def initialize
@alias_to_namespace = {}
@namespace_to_alias = {}
@implicit_namespaces = []
end
def get_alias(namespace_uri)
@namespace_to_alias[namespace_uri]
end
def get_namespace_uri(namespace_alias)
@alias_to_namespace[namespace_alias]
end
# Add an alias from this namespace URI to the alias.
def add_alias(namespace_uri, desired_alias, implicit=false)
# Check that desired_alias is not an openid protocol field as
# per the spec.
Util.assert(!OPENID_PROTOCOL_FIELDS.include?(desired_alias),
"#{desired_alias} is not an allowed namespace alias")
# check that there is not a namespace already defined for the
# desired alias
current_namespace_uri = @alias_to_namespace.fetch(desired_alias, nil)
if current_namespace_uri and current_namespace_uri != namespace_uri
raise IndexError, "Cannot map #{namespace_uri} to alias #{desired_alias}. #{current_namespace_uri} is already mapped to alias #{desired_alias}"
end
# Check that desired_alias does not contain a period as per the
# spec.
if desired_alias.is_a?(String)
Util.assert(desired_alias.index('.').nil?,
"#{desired_alias} must not contain a dot")
end
# check that there is not already a (different) alias for this
# namespace URI.
_alias = @namespace_to_alias[namespace_uri]
if _alias and _alias != desired_alias
raise IndexError, "Cannot map #{namespace_uri} to alias #{desired_alias}. It is already mapped to alias #{_alias}"
end
@alias_to_namespace[desired_alias] = namespace_uri
@namespace_to_alias[namespace_uri] = desired_alias
@implicit_namespaces << namespace_uri if implicit
return desired_alias
end
# Add this namespace URI to the mapping, without caring what alias
# it ends up with.
def add(namespace_uri)
# see if this namepace is already mapped to an alias
_alias = @namespace_to_alias[namespace_uri]
return _alias if _alias
# Fall back to generating a numberical alias
i = 0
while true
_alias = 'ext' + i.to_s
begin
add_alias(namespace_uri, _alias)
rescue IndexError
i += 1
else
return _alias
end
end
raise StandardError, 'Unreachable'
end
def member?(namespace_uri)
@namespace_to_alias.has_key?(namespace_uri)
end
def each
@namespace_to_alias.each {|k,v| yield k,v}
end
def namespace_uris
# Return an iterator over the namespace URIs
return @namespace_to_alias.keys()
end
def implicit?(namespace_uri)
return @implicit_namespaces.member?(namespace_uri)
end
def aliases
# Return an iterator over the aliases
return @alias_to_namespace.keys()
end
end
end

@ -0,0 +1,8 @@
require 'openid/util'
module OpenID
# An error in the OpenID protocol
class ProtocolError < OpenIDError
end
end

File diff suppressed because it is too large Load Diff

@ -0,0 +1,271 @@
require 'fileutils'
require 'pathname'
require 'tempfile'
require 'openid/util'
require 'openid/store/interface'
require 'openid/association'
module OpenID
module Store
class Filesystem < Interface
@@FILENAME_ALLOWED = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ.-".split("")
# Create a Filesystem store instance, putting all data in +directory+.
def initialize(directory)
p_dir = Pathname.new(directory)
@nonce_dir = p_dir.join('nonces')
@association_dir = p_dir.join('associations')
@temp_dir = p_dir.join('temp')
self.ensure_dir(@nonce_dir)
self.ensure_dir(@association_dir)
self.ensure_dir(@temp_dir)
end
# Create a unique filename for a given server url and handle. The
# filename that is returned will contain the domain name from the
# server URL for ease of human inspection of the data dir.
def get_association_filename(server_url, handle)
unless server_url.index('://')
raise ArgumentError, "Bad server URL: #{server_url}"
end
proto, rest = server_url.split('://', 2)
domain = filename_escape(rest.split('/',2)[0])
url_hash = safe64(server_url)
if handle
handle_hash = safe64(handle)
else
handle_hash = ''
end
filename = [proto,domain,url_hash,handle_hash].join('-')
@association_dir.join(filename)
end
# Store an association in the assoc directory
def store_association(server_url, association)
assoc_s = association.serialize
filename = get_association_filename(server_url, association.handle)
f, tmp = mktemp
begin
begin
f.write(assoc_s)
f.fsync
ensure
f.close
end
begin
File.rename(tmp, filename)
rescue Errno::EEXIST
begin
File.unlink(filename)
rescue Errno::ENOENT
# do nothing
end
File.rename(tmp, filename)
end
rescue
self.remove_if_present(tmp)
raise
end
end
# Retrieve an association
def get_association(server_url, handle=nil)
# the filename with empty handle is the prefix for the associations
# for a given server url
filename = get_association_filename(server_url, handle)
if handle
return _get_association(filename)
end
assoc_filenames = Dir.glob(filename.to_s + '*')
assocs = assoc_filenames.collect do |f|
_get_association(f)
end
assocs = assocs.find_all { |a| not a.nil? }
assocs = assocs.sort_by { |a| a.issued }
return nil if assocs.empty?
return assocs[-1]
end
def _get_association(filename)
begin
assoc_file = File.open(filename, "r")
rescue Errno::ENOENT
return nil
else
begin
assoc_s = assoc_file.read
ensure
assoc_file.close
end
begin
association = Association.deserialize(assoc_s)
rescue
self.remove_if_present(filename)
return nil
end
# clean up expired associations
if association.expires_in == 0
self.remove_if_present(filename)
return nil
else
return association
end
end
end
# Remove an association if it exists, otherwise do nothing.
def remove_association(server_url, handle)
assoc = get_association(server_url, handle)
if assoc.nil?
return false
else
filename = get_association_filename(server_url, handle)
return self.remove_if_present(filename)
end
end
# Return whether the nonce is valid
def use_nonce(server_url, timestamp, salt)
return false if (timestamp - Time.now.to_i).abs > Nonce.skew
if server_url and !server_url.empty?
proto, rest = server_url.split('://',2)
else
proto, rest = '',''
end
raise "Bad server URL" unless proto && rest
domain = filename_escape(rest.split('/',2)[0])
url_hash = safe64(server_url)
salt_hash = safe64(salt)
nonce_fn = '%08x-%s-%s-%s-%s'%[timestamp, proto, domain, url_hash, salt_hash]
filename = @nonce_dir.join(nonce_fn)
begin
fd = File.new(filename, File::CREAT | File::EXCL | File::WRONLY, 0200)
fd.close
return true
rescue Errno::EEXIST
return false
end
end
# Remove expired entries from the database. This is potentially expensive,
# so only run when it is acceptable to take time.
def cleanup
cleanup_associations
cleanup_nonces
end
def cleanup_associations
association_filenames = Dir[@association_dir.join("*").to_s]
count = 0
association_filenames.each do |af|
begin
f = File.open(af, 'r')
rescue Errno::ENOENT
next
else
begin
assoc_s = f.read
ensure
f.close
end
begin
association = OpenID::Association.deserialize(assoc_s)
rescue StandardError
self.remove_if_present(af)
next
else
if association.expires_in == 0
self.remove_if_present(af)
count += 1
end
end
end
end
return count
end
def cleanup_nonces
nonces = Dir[@nonce_dir.join("*").to_s]
now = Time.now.to_i
count = 0
nonces.each do |filename|
nonce = filename.split('/')[-1]
timestamp = nonce.split('-', 2)[0].to_i(16)
nonce_age = (timestamp - now).abs
if nonce_age > Nonce.skew
self.remove_if_present(filename)
count += 1
end
end
return count
end
protected
# Create a temporary file and return the File object and filename.
def mktemp
f = Tempfile.new('tmp', @temp_dir)
[f, f.path]
end
# create a safe filename from a url
def filename_escape(s)
s = '' if s.nil?
filename_chunks = []
s.split('').each do |c|
if @@FILENAME_ALLOWED.index(c)
filename_chunks << c
else
filename_chunks << sprintf("_%02X", c[0])
end
end
filename_chunks.join("")
end
def safe64(s)
s = OpenID::CryptUtil.sha1(s)
s = OpenID::Util.to_base64(s)
s.gsub!('+', '_')
s.gsub!('/', '.')
s.gsub!('=', '')
return s
end
# remove file if present in filesystem
def remove_if_present(filename)
begin
File.unlink(filename)
rescue Errno::ENOENT
return false
end
return true
end
# ensure that a path exists
def ensure_dir(dir_name)
FileUtils::mkdir_p(dir_name)
end
end
end
end

@ -0,0 +1,75 @@
require 'openid/util'
module OpenID
# Stores for Associations and nonces. Used by both the Consumer and
# the Server. If you have a database abstraction layer or other
# state storage in your application or framework already, you can
# implement the store interface.
module Store
# Abstract Store
# Changes in 2.0:
# * removed store_nonce, get_auth_key, is_dumb
# * changed use_nonce to support one-way nonces
# * added cleanup_nonces, cleanup_associations, cleanup
class Interface < Object
# Put a Association object into storage.
# When implementing a store, don't assume that there are any limitations
# on the character set of the server_url. In particular, expect to see
# unescaped non-url-safe characters in the server_url field.
def store_association(server_url, association)
raise NotImplementedError
end
# Returns a Association object from storage that matches
# the server_url. Returns nil if no such association is found or if
# the one matching association is expired. (Is allowed to GC expired
# associations when found.)
def get_association(server_url, handle=nil)
raise NotImplementedError
end
# If there is a matching association, remove it from the store and
# return true, otherwise return false.
def remove_association(server_url, handle)
raise NotImplementedError
end
# Return true if the nonce has not been used before, and store it
# for a while to make sure someone doesn't try to use the same value
# again. Return false if the nonce has already been used or if the
# timestamp is not current.
# You can use OpenID::Store::Nonce::SKEW for your timestamp window.
# server_url: URL of the server from which the nonce originated
# timestamp: time the nonce was created in seconds since unix epoch
# salt: A random string that makes two nonces issued by a server in
# the same second unique
def use_nonce(server_url, timestamp, salt)
raise NotImplementedError
end
# Remove expired nonces from the store
# Discards any nonce that is old enough that it wouldn't pass use_nonce
# Not called during normal library operation, this method is for store
# admins to keep their storage from filling up with expired data
def cleanup_nonces
raise NotImplementedError
end
# Remove expired associations from the store
# Not called during normal library operation, this method is for store
# admins to keep their storage from filling up with expired data
def cleanup_associations
raise NotImplementedError
end
# Remove expired nonces and associations from the store
# Not called during normal library operation, this method is for store
# admins to keep their storage from filling up with expired data
def cleanup
return cleanup_nonces, cleanup_associations
end
end
end
end

@ -0,0 +1,84 @@
require 'openid/store/interface'
module OpenID
module Store
# An in-memory implementation of Store. This class is mainly used
# for testing, though it may be useful for long-running single
# process apps. Note that this store is NOT thread-safe.
#
# You should probably be looking at OpenID::Store::Filesystem
class Memory < Interface
def initialize
@associations = {}
@associations.default = {}
@nonces = {}
end
def store_association(server_url, assoc)
assocs = @associations[server_url]
@associations[server_url] = assocs.merge({assoc.handle => deepcopy(assoc)})
end
def get_association(server_url, handle=nil)
assocs = @associations[server_url]
assoc = nil
if handle
assoc = assocs[handle]
else
assoc = assocs.values.sort{|a,b| a.issued <=> b.issued}[-1]
end
return assoc
end
def remove_association(server_url, handle)
assocs = @associations[server_url]
if assocs.delete(handle)
return true
else
return false
end
end
def use_nonce(server_url, timestamp, salt)
return false if (timestamp - Time.now.to_i).abs > Nonce.skew
nonce = [server_url, timestamp, salt].join('')
return false if @nonces[nonce]
@nonces[nonce] = timestamp
return true
end
def cleanup_associations
count = 0
@associations.each{|server_url, assocs|
assocs.each{|handle, assoc|
if assoc.expires_in == 0
assocs.delete(handle)
count += 1
end
}
}
return count
end
def cleanup_nonces
count = 0
now = Time.now.to_i
@nonces.each{|nonce, timestamp|
if (timestamp - now).abs > Nonce.skew
@nonces.delete(nonce)
count += 1
end
}
return count
end
protected
def deepcopy(o)
Marshal.load(Marshal.dump(o))
end
end
end
end

@ -0,0 +1,68 @@
require 'openid/cryptutil'
require 'date'
require 'time'
module OpenID
module Nonce
DEFAULT_SKEW = 60*60*5
TIME_FMT = '%Y-%m-%dT%H:%M:%SZ'
TIME_STR_LEN = '0000-00-00T00:00:00Z'.size
@@NONCE_CHRS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
@skew = DEFAULT_SKEW
# The allowed nonce time skew in seconds. Defaults to 5 hours.
# Used for checking nonce validity, and by stores' cleanup methods.
def Nonce.skew
@skew
end
def Nonce.skew=(new_skew)
@skew = new_skew
end
# Extract timestamp from a nonce string
def Nonce.split_nonce(nonce_str)
timestamp_str = nonce_str[0...TIME_STR_LEN]
raise ArgumentError if timestamp_str.size < TIME_STR_LEN
raise ArgumentError unless timestamp_str.match(TIME_VALIDATOR)
ts = Time.parse(timestamp_str).to_i
raise ArgumentError if ts < 0
return ts, nonce_str[TIME_STR_LEN..-1]
end
# Is the timestamp that is part of the specified nonce string
# within the allowed clock-skew of the current time?
def Nonce.check_timestamp(nonce_str, allowed_skew=nil, now=nil)
allowed_skew = skew if allowed_skew.nil?
begin
stamp, foo = split_nonce(nonce_str)
rescue ArgumentError # bad timestamp
return false
end
now = Time.now.to_i unless now
# times before this are too old
past = now - allowed_skew
# times newer than this are too far in the future
future = now + allowed_skew
return (past <= stamp and stamp <= future)
end
# generate a nonce with the specified timestamp (defaults to now)
def Nonce.mk_nonce(time = nil)
salt = CryptUtil::random_string(6, @@NONCE_CHRS)
if time.nil?
t = Time.now.getutc
else
t = Time.at(time).getutc
end
time_str = t.strftime(TIME_FMT)
return time_str + salt
end
end
end

@ -0,0 +1,349 @@
require 'uri'
require 'openid/urinorm'
module OpenID
class RealmVerificationRedirected < Exception
# Attempting to verify this realm resulted in a redirect.
def initialize(relying_party_url, rp_url_after_redirects)
@relying_party_url = relying_party_url
@rp_url_after_redirects = rp_url_after_redirects
end
def to_s
return "Attempting to verify #{@relying_party_url} resulted in " +
"redirect to #{@rp_url_after_redirects}"
end
end
module TrustRoot
TOP_LEVEL_DOMAINS = %w'
ac ad ae aero af ag ai al am an ao aq ar arpa as asia at
au aw ax az ba bb bd be bf bg bh bi biz bj bm bn bo br bs bt
bv bw by bz ca cat cc cd cf cg ch ci ck cl cm cn co com coop
cr cu cv cx cy cz de dj dk dm do dz ec edu ee eg er es et eu
fi fj fk fm fo fr ga gb gd ge gf gg gh gi gl gm gn gov gp gq
gr gs gt gu gw gy hk hm hn hr ht hu id ie il im in info int
io iq ir is it je jm jo jobs jp ke kg kh ki km kn kp kr kw
ky kz la lb lc li lk lr ls lt lu lv ly ma mc md me mg mh mil
mk ml mm mn mo mobi mp mq mr ms mt mu museum mv mw mx my mz
na name nc ne net nf ng ni nl no np nr nu nz om org pa pe pf
pg ph pk pl pm pn pr pro ps pt pw py qa re ro rs ru rw sa sb
sc sd se sg sh si sj sk sl sm sn so sr st su sv sy sz tc td
tel tf tg th tj tk tl tm tn to tp tr travel tt tv tw tz ua
ug uk us uy uz va vc ve vg vi vn vu wf ws xn--0zwm56d
xn--11b5bs3a9aj6g xn--80akhbyknj4f xn--9t4b11yi5a
xn--deba0ad xn--g6w251d xn--hgbk6aj7f53bba
xn--hlcj6aya9esc7a xn--jxalpdlp xn--kgbechtv xn--zckzah ye
yt yu za zm zw'
ALLOWED_PROTOCOLS = ['http', 'https']
# The URI for relying party discovery, used in realm verification.
#
# XXX: This should probably live somewhere else (like in
# OpenID or OpenID::Yadis somewhere)
RP_RETURN_TO_URL_TYPE = 'http://specs.openid.net/auth/2.0/return_to'
# If the endpoint is a relying party OpenID return_to endpoint,
# return the endpoint URL. Otherwise, return None.
#
# This function is intended to be used as a filter for the Yadis
# filtering interface.
#
# endpoint: An XRDS BasicServiceEndpoint, as returned by
# performing Yadis dicovery.
#
# returns the endpoint URL or None if the endpoint is not a
# relying party endpoint.
def TrustRoot._extract_return_url(endpoint)
if endpoint.matchTypes([RP_RETURN_TO_URL_TYPE])
return endpoint.uri
else
return nil
end
end
# Is the return_to URL under one of the supplied allowed
# return_to URLs?
def TrustRoot.return_to_matches(allowed_return_to_urls, return_to)
allowed_return_to_urls.each { |allowed_return_to|
# A return_to pattern works the same as a realm, except that
# it's not allowed to use a wildcard. We'll model this by
# parsing it as a realm, and not trying to match it if it has
# a wildcard.
return_realm = TrustRoot.parse(allowed_return_to)
if (# Parses as a trust root
!return_realm.nil? and
# Does not have a wildcard
!return_realm.wildcard and
# Matches the return_to that we passed in with it
return_realm.validate_url(return_to)
)
return true
end
}
# No URL in the list matched
return false
end
# Given a relying party discovery URL return a list of return_to
# URLs.
def TrustRoot.get_allowed_return_urls(relying_party_url)
rp_url_after_redirects, return_to_urls = services.get_service_endpoints(
relying_party_url, _extract_return_url)
if rp_url_after_redirects != relying_party_url
# Verification caused a redirect
raise RealmVerificationRedirected.new(
relying_party_url, rp_url_after_redirects)
end
return return_to_urls
end
# Verify that a return_to URL is valid for the given realm.
#
# This function builds a discovery URL, performs Yadis discovery
# on it, makes sure that the URL does not redirect, parses out
# the return_to URLs, and finally checks to see if the current
# return_to URL matches the return_to.
#
# raises DiscoveryFailure when Yadis discovery fails returns
# true if the return_to URL is valid for the realm
def TrustRoot.verify_return_to(realm_str, return_to, _vrfy=nil)
# _vrfy parameter is there to make testing easier
if _vrfy.nil?
_vrfy = self.method('get_allowed_return_urls')
end
if !(_vrfy.is_a?(Proc) or _vrfy.is_a?(Method))
raise ArgumentError, "_vrfy must be a Proc or Method"
end
realm = TrustRoot.parse(realm_str)
if realm.nil?
# The realm does not parse as a URL pattern
return false
end
begin
allowable_urls = _vrfy.call(realm.build_discovery_url())
rescue RealmVerificationRedirected => err
Util.log(err.to_s)
return false
end
if return_to_matches(allowable_urls, return_to)
return true
else
Util.log("Failed to validate return_to #{return_to} for " +
"realm #{realm_str}, was not in #{allowable_urls}")
return false
end
end
class TrustRoot
attr_reader :unparsed, :proto, :wildcard, :host, :port, :path
@@empty_re = Regexp.new('^http[s]*:\/\/\*\/$')
def TrustRoot._build_path(path, query=nil, frag=nil)
s = path.dup
frag = nil if frag == ''
query = nil if query == ''
if query
s << "?" << query
end
if frag
s << "#" << frag
end
return s
end
def TrustRoot._parse_url(url)
begin
url = URINorm.urinorm(url)
rescue URI::InvalidURIError => err
nil
end
begin
parsed = URI::parse(url)
rescue URI::InvalidURIError
return nil
end
path = TrustRoot._build_path(parsed.path,
parsed.query,
parsed.fragment)
return [parsed.scheme || '', parsed.host || '',
parsed.port || '', path || '']
end
def TrustRoot.parse(trust_root)
trust_root = trust_root.dup
unparsed = trust_root.dup
# look for wildcard
wildcard = (not trust_root.index('://*.').nil?)
trust_root.sub!('*.', '') if wildcard
# handle http://*/ case
if not wildcard and @@empty_re.match(trust_root)
proto = trust_root.split(':')[0]
port = proto == 'http' ? 80 : 443
return new(unparsed, proto, true, '', port, '/')
end
parts = TrustRoot._parse_url(trust_root)
return nil if parts.nil?
proto, host, port, path = parts
# check for URI fragment
if path and !path.index('#').nil?
return nil
end
return nil unless ['http', 'https'].member?(proto)
return new(unparsed, proto, wildcard, host, port, path)
end
def TrustRoot.check_sanity(trust_root_string)
trust_root = TrustRoot.parse(trust_root_string)
if trust_root.nil?
return false
else
return trust_root.sane?
end
end
# quick func for validating a url against a trust root. See the
# TrustRoot class if you need more control.
def self.check_url(trust_root, url)
tr = self.parse(trust_root)
return (!tr.nil? and tr.validate_url(url))
end
# Return a discovery URL for this realm.
#
# This function does not check to make sure that the realm is
# valid. Its behaviour on invalid inputs is undefined.
#
# return_to:: The relying party return URL of the OpenID
# authentication request
#
# Returns the URL upon which relying party discovery should be
# run in order to verify the return_to URL
def build_discovery_url
if self.wildcard
# Use "www." in place of the star
www_domain = 'www.' + @host
port = (!@port.nil? and ![80, 443].member?(@port)) ? (":" + @port.to_s) : ''
return "#{@proto}://#{www_domain}#{port}#{@path}"
else
return @unparsed
end
end
def initialize(unparsed, proto, wildcard, host, port, path)
@unparsed = unparsed
@proto = proto
@wildcard = wildcard
@host = host
@port = port
@path = path
end
def sane?
return true if @host == 'localhost'
host_parts = @host.split('.')
# a note: ruby string split does not put an empty string at
# the end of the list if the split element is last. for
# example, 'foo.com.'.split('.') => ['foo','com']. Mentioned
# because the python code differs here.
return false if host_parts.length == 0
# no adjacent dots
return false if host_parts.member?('')
# last part must be a tld
tld = host_parts[-1]
return false unless TOP_LEVEL_DOMAINS.member?(tld)
return false if host_parts.length == 1
if @wildcard
if tld.length == 2 and host_parts[-2].length <= 3
# It's a 2-letter tld with a short second to last segment
# so there needs to be more than two segments specified
# (e.g. *.co.uk is insane)
return host_parts.length > 2
end
end
return true
end
def validate_url(url)
parts = TrustRoot._parse_url(url)
return false if parts.nil?
proto, host, port, path = parts
return false unless proto == @proto
return false unless port == @port
return false unless host.index('*').nil?
if !@wildcard
if host != @host
return false
end
elsif ((@host != '') and
(!host.ends_with?('.' + @host)) and
(host != @host))
return false
end
if path != @path
path_len = @path.length
trust_prefix = @path[0...path_len]
url_prefix = path[0...path_len]
# must be equal up to the length of the path, at least
if trust_prefix != url_prefix
return false
end
# These characters must be on the boundary between the end
# of the trust root's path and the start of the URL's path.
if !@path.index('?').nil?
allowed = '&'
else
allowed = '?/'
end
return (!allowed.index(@path[-1]).nil? or
!allowed.index(path[path_len]).nil?)
end
return true
end
end
end
end

@ -0,0 +1,75 @@
require 'uri'
require "openid/extras"
module OpenID
module URINorm
public
def URINorm.urinorm(uri)
uri = URI.parse(uri)
raise URI::InvalidURIError.new('no scheme') unless uri.scheme
uri.scheme = uri.scheme.downcase
unless ['http','https'].member?(uri.scheme)
raise URI::InvalidURIError.new('Not an HTTP or HTTPS URI')
end
raise URI::InvalidURIError.new('no host') unless uri.host
uri.host = uri.host.downcase
uri.path = remove_dot_segments(uri.path)
uri.path = '/' if uri.path.length == 0
uri = uri.normalize.to_s
uri = uri.gsub(PERCENT_ESCAPE_RE) {
sub = $&[1..2].to_i(16).chr
reserved(sub) ? $&.upcase : sub
}
return uri
end
private
RESERVED_RE = /[A-Za-z0-9._~-]/
PERCENT_ESCAPE_RE = /%[0-9a-zA-Z]{2}/
def URINorm.reserved(chr)
not RESERVED_RE =~ chr
end
def URINorm.remove_dot_segments(path)
result_segments = []
while path.length > 0
if path.starts_with?('../')
path = path[3..-1]
elsif path.starts_with?('./')
path = path[2..-1]
elsif path.starts_with?('/./')
path = path[2..-1]
elsif path == '/.'
path = '/'
elsif path.starts_with?('/../')
path = path[3..-1]
result_segments.pop if result_segments.length > 0
elsif path == '/..'
path = '/'
result_segments.pop if result_segments.length > 0
elsif path == '..' or path == '.'
path = ''
else
i = 0
i = 1 if path[0].chr == '/'
i = path.index('/', i)
i = path.length if i.nil?
result_segments << path[0...i]
path = path[i..-1]
end
end
return result_segments.join('')
end
end
end

Some files were not shown because too many files have changed in this diff Show More

Loading…
Cancel
Save