db/migrate/015_upgrade_open_id_authentication_tables.rb vendor/plugins/open_id_authentication/generators/open_id_authentication_tables/open_id_authentication_tables_generator.rb vendor/plugins/open_id_authentication/generators/open_id_authentication_tables/templates/migration.rb vendor/plugins/open_id_authentication/generators/upgrade_open_id_authentication_tables/templates/migration.rb vendor/plugins/open_id_authentication/generators/upgrade_open_id_authentication_tables/upgrade_open_id_authentication_tables_generator.rb vendor/plugins/open_id_authentication/test/test_helper.rb @@ -9,7 +9,7 @@ # # It's strongly recommended to check this file into your version control system. -ActiveRecord::Schema.define(:version => 14) do +ActiveRecord::Schema.define(:version => 15) do create_table "attachments", :force => true do |t| t.integer "size" @@ -51,13 +51,9 @@ ActiveRecord::Schema.define(:version => 14) do end create_table "open_id_authentication_nonces", :force => true do |t| - t.string "nonce" - t.integer "created" - end - - create_table "open_id_authentication_settings", :force => true do |t| - t.string "setting" - t.binary "value" + t.integer "timestamp", :null => false + t.string "server_url" + t.string "salt", :null => false end create_table "page_versions", :force => true do |t| db/schema.rb @@ -1,3 +1,7 @@ +* Updated plugin to use Ruby OpenID 2.x.x [Josh Peek] + +* Tied plugin to ruby-openid 1.1.4 gem until we can make it compatible with 2.x [DHH] + * Use URI instead of regexps to normalize the URL and gain free, better matching #8136 [dkubb] * Allow -'s in #normalize_url [Rick] vendor/plugins/open_id_authentication/CHANGELOG @@ -8,7 +8,7 @@ Provides a thin wrapper around the excellent ruby-openid gem from JanRan. Be sur To understand what OpenID is about and how it works, it helps to read the documentation for lib/openid/consumer.rb from that gem. -The specification used is http://openid.net/specs/openid-authentication-1_1.html (not the 2.0 draft). +The specification used is http://openid.net/specs/openid-authentication-2_0.html. Prerequisites @@ -95,7 +95,7 @@ app/controllers/sessions_controller.rb if @current_user = @account.users.find_by_identity_url(identity_url) successful_login else - failed_login "Sorry, no user by that identity URL exists (#{identity_url})") + failed_login "Sorry, no user by that identity URL exists (#{identity_url})" end else failed_login result.message vendor/plugins/open_id_authentication/README @@ -1,12 +1,11 @@ begin - require 'openid' + require 'openid' rescue LoadError begin - gem 'ruby-openid' - require 'openid' - rescue LoadError + gem 'ruby-openid', '>=2.0.4' + rescue Gem::LoadError puts "Install the ruby-openid gem to enable OpenID support" end end -ActionController::Base.send :include, OpenIdAuthentication \ No newline at end of file +ActionController::Base.send :include, OpenIdAuthentication vendor/plugins/open_id_authentication/init.rb @@ -1,16 +1,20 @@ +require 'uri' +require 'openid/extensions/sreg' +require 'openid/store/filesystem' + module OpenIdAuthentication OPEN_ID_AUTHENTICATION_DIR = RAILS_ROOT + "/tmp/openids" - + def self.store @@store end - + def self.store=(value) @@store = value end - + self.store = :db - + def store OpenIdAuthentication.store end @@ -20,19 +24,20 @@ module OpenIdAuthentication class Result ERROR_MESSAGES = { - :missing => "Sorry, the OpenID server couldn't be found", - :canceled => "OpenID verification was canceled", - :failed => "Sorry, the OpenID verification failed" + :missing => "Sorry, the OpenID server couldn't be found", + :canceled => "OpenID verification was canceled", + :failed => "Sorry, the OpenID verification failed", + :setup_needed => "OpenID verification needs setup" } - + def self.[](code) new(code) end - + def initialize(code) @code = code end - + def ===(code) if code == :unsuccessful && unsuccessful? true @@ -40,7 +45,7 @@ module OpenIdAuthentication @code == code end end - + ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } } def successful? @@ -50,24 +55,21 @@ module OpenIdAuthentication def unsuccessful? ERROR_MESSAGES.keys.include?(@code) end - + def message ERROR_MESSAGES[@code] end end def self.normalize_url(url) - begin - uri = URI.parse(url) - uri = URI.parse("http://#{uri}") unless uri.scheme - uri.scheme = uri.scheme.downcase # URI should do this - uri.normalize.to_s - rescue URI::InvalidURIError - raise InvalidOpenId.new("#{url} is not an OpenID URL") - end + uri = URI.parse(url.to_s.strip) + uri = URI.parse("http://#{uri}") unless uri.scheme + uri.scheme = uri.scheme.downcase # URI should do this + uri.normalize.to_s + rescue URI::InvalidURIError + raise InvalidOpenId.new("#{url} is not an OpenID URL") end - protected def normalize_url(url) OpenIdAuthentication.normalize_url(url) @@ -87,59 +89,63 @@ module OpenIdAuthentication end end - private def begin_open_id_authentication(identity_url, fields = {}) - open_id_response = timeout_protection_from_identity_server { open_id_consumer.begin(identity_url) } - - case open_id_response.status - when OpenID::FAILURE - yield Result[:missing], identity_url, nil - when OpenID::SUCCESS - add_simple_registration_fields(open_id_response, fields) - redirect_to(open_id_redirect_url(open_id_response)) - end + open_id_request = open_id_consumer.begin(identity_url) + add_simple_registration_fields(open_id_request, fields) + redirect_to(open_id_redirect_url(open_id_request)) + rescue OpenID::OpenIDError, Timeout::Error => e + logger.error("[OPENID] #{e}") + yield Result[:missing], identity_url, nil end - + def complete_open_id_authentication - open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params) } - identity_url = normalize_url(open_id_response.identity_url) if open_id_response.identity_url + params_with_path = params.reject { |key, value| request.path_parameters[key] } + open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) } + identity_url = normalize_url(open_id_response.endpoint.claimed_id) if open_id_response.endpoint.claimed_id case open_id_response.status - when OpenID::CANCEL + when OpenID::Consumer::SUCCESS + yield Result[:successful], identity_url, OpenID::SReg::Response.from_success_response(open_id_response) + when OpenID::Consumer::CANCEL yield Result[:canceled], identity_url, nil - when OpenID::FAILURE - logger.info "OpenID authentication failed: #{open_id_response.msg}" + when OpenID::Consumer::FAILURE yield Result[:failed], identity_url, nil - when OpenID::SUCCESS - yield Result[:successful], identity_url, open_id_response.extension_response('sreg') - end + when OpenID::Consumer::SETUP_NEEDED + yield Result[:setup_needed], open_id_response.setup_url, nil + end end def open_id_consumer OpenID::Consumer.new(session, open_id_store) end - + def open_id_store case store - when :db : OpenIdAuthentication::DbStore.new - when :file: OpenID::FilesystemStore.new(OPEN_ID_AUTHENTICATION_DIR) + when :db + OpenIdAuthentication::DbStore.new + when :file + OpenID::FilesystemStore.new(OPEN_ID_AUTHENTICATION_DIR) else raise "Unknown store: #{store}" end end + def add_simple_registration_fields(open_id_request, fields) + sreg_request = OpenID::SReg::Request.new + sreg_request.request_fields(Array(fields[:required]).map(&:to_s), true) if fields[:required] + sreg_request.request_fields(Array(fields[:optional]).map(&:to_s), false) if fields[:optional] + sreg_request.policy_url = fields[:policy_url] if fields[:policy_url] + open_id_request.add_extension(sreg_request) + end - def add_simple_registration_fields(open_id_response, fields) - open_id_response.add_extension_arg('sreg', 'required', [ fields[:required] ].flatten * ',') if fields[:required] - open_id_response.add_extension_arg('sreg', 'optional', [ fields[:optional] ].flatten * ',') if fields[:optional] + def open_id_redirect_url(open_id_request) + open_id_request.return_to_args['open_id_complete'] = '1' + open_id_request.redirect_url(root_url, requested_url) end - - def open_id_redirect_url(open_id_response) - open_id_response.redirect_url( - request.protocol + request.host_with_port + "/", - open_id_response.return_to("#{request.protocol + request.host_with_port + request.relative_url_root + request.path}?open_id_complete=1") - ) + + def requested_url + "#{request.protocol + request.host_with_port + request.relative_url_root + request.path}" end def timeout_protection_from_identity_server @@ -149,10 +155,10 @@ module OpenIdAuthentication def status OpenID::FAILURE end - + def msg "Identity server timed out" end end.new end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/lib/open_id_authentication.rb @@ -6,4 +6,4 @@ module OpenIdAuthentication OpenID::Association.new(handle, secret, issued, lifetime, assoc_type) end end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/lib/open_id_authentication/association.rb @@ -1,29 +1,19 @@ +require 'openid/store/interface' + module OpenIdAuthentication - class DbStore < OpenID::Store - def self.gc + class DbStore < OpenID::Store::Interface + def self.cleanup_nonces now = Time.now.to_i - - # remove old nonces - nonces = Nonce.find(:all) - nonces.each {|n| n.destroy if now - n.created > 6.hours} unless nonces.nil? - - # remove expired assocs - assocs = Association.find(:all) - assocs.each { |a| a.destroy if a.from_record.expired? } unless assocs.nil? + Nonce.delete_all(["timestamp > ? OR timestamp < ?", now + OpenID::Nonce.skew, now - OpenID::Nonce.skew]) end - - def get_auth_key - unless setting = Setting.find_by_setting('auth_key') - auth_key = OpenID::Util.random_string(20) - setting = Setting.create(:setting => 'auth_key', :value => auth_key) - end - - setting.value + def self.cleanup_associations + now = Time.now.to_i + Association.delete_all(['issued + lifetime > ?',now]) end def store_association(server_url, assoc) - remove_association(server_url, assoc.handle) + remove_association(server_url, assoc.handle) Association.create(:server_url => server_url, :handle => assoc.handle, :secret => assoc.secret, @@ -32,49 +22,34 @@ module OpenIdAuthentication :assoc_type => assoc.assoc_type) end - def get_association(server_url, handle=nil) - assocs = handle.blank? ? - Association.find_all_by_server_url(server_url) : + def get_association(server_url, handle = nil) + assocs = if handle.blank? + Association.find_all_by_server_url(server_url) + else Association.find_all_by_server_url_and_handle(server_url, handle) - + end + assocs.reverse.each do |assoc| - a = assoc.from_record - if a.expired? + a = assoc.from_record + if a.expires_in == 0 assoc.destroy else return a end end if assocs.any? - + return nil end - + def remove_association(server_url, handle) - assoc = Association.find_by_server_url_and_handle(server_url, handle) - unless assoc.nil? - assoc.destroy - return true - end - false - end - - def store_nonce(nonce) - use_nonce(nonce) - Nonce.create :nonce => nonce, :created => Time.now.to_i + Association.delete_all(['server_url = ? AND handle = ?', server_url, handle]) > 0 end - - def use_nonce(nonce) - nonce = Nonce.find_by_nonce(nonce) - return false if nonce.nil? - - age = Time.now.to_i - nonce.created - nonce.destroy - age < 6.hours # max nonce age of 6 hours - end - - def dumb? - false + def use_nonce(server_url, timestamp, salt) + return false if Nonce.find_by_server_url_and_timestamp_and_salt(server_url, timestamp, salt) + return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew + Nonce.create(:server_url => server_url, :timestamp => timestamp, :salt => salt) + return true end end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/lib/open_id_authentication/db_store.rb @@ -2,4 +2,4 @@ module OpenIdAuthentication class Nonce < ActiveRecord::Base set_table_name :open_id_authentication_nonces end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/lib/open_id_authentication/nonce.rb @@ -2,15 +2,29 @@ namespace :open_id_authentication do namespace :db do desc "Creates authentication tables for use with OpenIdAuthentication" task :create => :environment do - raise "Task unavailable to this database (no migration support)" unless ActiveRecord::Base.connection.supports_migrations? + generate_migration(["open_id_authentication_tables", "add_open_id_authentication_tables"]) + end + + desc "Upgrade authentication tables from ruby-openid 1.x.x to 2.x.x" + task :upgrade => :environment do + generate_migration(["upgrade_open_id_authentication_tables", "upgrade_open_id_authentication_tables"]) + end + + def generate_migration(args) require 'rails_generator' require 'rails_generator/scripts/generate' - Rails::Generator::Scripts::Generate.new.run([ "open_id_authentication_tables", "add_open_id_authentication_tables" ]) + + if ActiveRecord::Base.connection.supports_migrations? + Rails::Generator::Scripts::Generate.new.run(args) + else + raise "Task unavailable to this database (no migration support)" + end end desc "Clear the authentication tables" task :clear => :environment do - OpenIdAuthentication::DbStore.gc + OpenIdAuthentication::DbStore.cleanup_nonces + OpenIdAuthentication::DbStore.cleanup_associations end end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/tasks/open_id_authentication_tasks.rake @@ -1,9 +1,4 @@ -require 'test/unit' -require 'rubygems' -require 'active_support' - -RAILS_ROOT = File.dirname(__FILE__) -require File.dirname(__FILE__) + "/../lib/open_id_authentication" +require File.dirname(__FILE__) + '/test_helper' class NormalizeTest < Test::Unit::TestCase include OpenIdAuthentication @@ -20,7 +15,8 @@ class NormalizeTest < Test::Unit::TestCase "https://loudthinking.com:443" => "https://loudthinking.com/", "http://loudthinking.com:8080" => "http://loudthinking.com:8080/", "techno-weenie.net" => "http://techno-weenie.net/", - "http://techno-weenie.net" => "http://techno-weenie.net/" + "http://techno-weenie.net" => "http://techno-weenie.net/", + "http://techno-weenie.net " => "http://techno-weenie.net/" } def test_normalizations @@ -30,6 +26,7 @@ class NormalizeTest < Test::Unit::TestCase end def test_broken_open_id + assert_raises(InvalidOpenId) { normalize_url(nil) } assert_raises(InvalidOpenId) { normalize_url("=name") } end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/test/normalize_test.rb @@ -1,14 +1,4 @@ -require 'test/unit' - -require 'rubygems' -gem 'mocha' -require 'mocha' - -gem 'ruby-openid' -require 'openid' - -RAILS_ROOT = File.dirname(__FILE__) -require File.dirname(__FILE__) + "/../lib/open_id_authentication" +require File.dirname(__FILE__) + '/test_helper' class OpenIdAuthenticationTest < Test::Unit::TestCase def setup @@ -19,8 +9,10 @@ class OpenIdAuthenticationTest < Test::Unit::TestCase end def test_authentication_should_fail_when_the_identity_server_is_missing - @controller.stubs(:open_id_consumer).returns(stub(:begin => stub(:status => OpenID::FAILURE))) - + open_id_consumer = mock() + open_id_consumer.expects(:begin).raises(OpenID::OpenIDError) + @controller.stubs(:open_id_consumer).returns(open_id_consumer) + @controller.send(:authenticate_with_open_id, "http://someone.example.com") do |result, identity_url| assert result.missing? assert_equal "Sorry, the OpenID server couldn't be found", result.message @@ -28,7 +20,9 @@ class OpenIdAuthenticationTest < Test::Unit::TestCase end def test_authentication_should_fail_when_the_identity_server_times_out - @controller.stubs(:open_id_consumer).returns(stub(:begin => Proc.new { raise Timeout::Error, "Identity Server took too long." })) + open_id_consumer = mock() + open_id_consumer.expects(:begin).raises(Timeout::Error, "Identity Server took too long.") + @controller.stubs(:open_id_consumer).returns(open_id_consumer) @controller.send(:authenticate_with_open_id, "http://someone.example.com") do |result, identity_url| assert result.missing? @@ -37,8 +31,8 @@ class OpenIdAuthenticationTest < Test::Unit::TestCase end def test_authentication_should_begin_when_the_identity_server_is_present - @controller.stubs(:open_id_consumer).returns(stub(:begin => stub(:status => OpenID::SUCCESS))) - @controller.expects(:begin_open_id_authentication) + @controller.stubs(:open_id_consumer).returns(stub(:begin => true)) + @controller.expects(:begin_open_id_authentication) @controller.send(:authenticate_with_open_id, "http://someone.example.com") end -end \ No newline at end of file +end vendor/plugins/open_id_authentication/test/open_id_authentication_test.rb @@ -1,7 +1,4 @@ -require 'test/unit' - -RAILS_ROOT = File.dirname(__FILE__) -require File.dirname(__FILE__) + "/../lib/open_id_authentication" +require File.dirname(__FILE__) + '/test_helper' class StatusTest < Test::Unit::TestCase include OpenIdAuthentication vendor/plugins/open_id_authentication/test/status_test.rb vendor/plugins/open_id_authentication/lib/generators/open_id_authentication_tables/open_id_authentication_tables_generator.rb vendor/plugins/open_id_authentication/lib/generators/open_id_authentication_tables/templates/migration.rb vendor/plugins/open_id_authentication/lib/open_id_authentication/setting.rb be2ffa0157392387109bb638979198be5dd16abe Josh Owens joshua.owens@gmail.com http://github.com/queso/signal-wiki/commit/cc9cebc43a91094c72ae9e6a4538034dc56d3808 cc9cebc43a91094c72ae9e6a4538034dc56d3808 2008-03-31T00:23:36-07:00 2008-03-31T00:23:36-07:00 Adding the new openid plugin and migrations to support it. 636130fd5c9a9be015c5ab4d09855a80e52a89d2 Josh Owens joshua.owens@gmail.com