author | Michael Krelin <hacker@klever.net> | 2008-02-19 10:52:09 (UTC) |
---|---|---|
committer | Michael Krelin <hacker@klever.net> | 2008-02-19 10:52:09 (UTC) |
commit | 42e4fb613d190508b3e8b8993d233044eeea4d20 (patch) (unidiff) | |
tree | 9b8ebc420942554f927a777e03c70a7c65305a88 | |
parent | a3db32747e8370cab8cfdcc382fee875613b7b77 (diff) | |
basic_RP: add methods for accessing identity information passed from OP.
Signed-off-by: Michael Krelin <hacker@klever.net>
-rw-r--r-- | include/opkele/basic_rp.h | 36 | ||||
-rw-r--r-- | lib/basic_rp.cc | 29 |
2 files changed, 63 insertions, 2 deletions
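--- a/include/opkele/basic_rp.h
+++ b/include/opkele/basic_rp.h
@@ -5,19 +5,55 @@
 #include <opkele/types.h>
 #include <opkele/extension.h>
 
 namespace opkele {
 using std::string;
 
 class basic_RP {
 public:
+/**
+* Claimed identifier from a parsed id_res message.
+*/
+string claimed_id;
+/**
+* OP-Local identifier from a parsed id_res message.
+*/
+string identity;
 
 virtual ~basic_RP() { }
 
+void reset_vars();
+
+/**
+* @name Assertion information retrieval
+* Retrieval of the information passed with openid message
+* @{
+*/
+/**
+* Find out if the assertion is about identity
+* @return true if so
+*/
+bool has_identity() const;
+/**
+* Get claimed identifier supplied with the request
+* @return claimed identifier
+* @throw non_identity if request is not about identity
+*/
+const string& get_claimed_id() const;
+/**
+* Get the identity (OP-Local identifier) confirmed
+* @return identity
+* @throw non_identity if request is not about identity
+*/
+const string& get_identity() const;
+/**
+* @}
+*/
+
 /**
 * @name Global persistent store API
 * These are functions related to the associations with OP storage
 * and retrieval and nonce records. They provide an interface to
 * the persistent storage which is shared by all sessions. If the
 * implementor prefers the dumb mode instead, the function should
 * throw dumb_RP exception instead.
 * @see opkele::dumb_RP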
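Review bot: `claimed_id` and `identity` are declared under `public:` (new lines 13–20) even though `get_claimed_id()` and `get_identity()` exist precisely to refuse a read when the assertion was not about identity; a caller that reads the field directly bypasses the `non_identity` check and gets an empty string that is indistinguishable from a blank identifier. Placing the two members under `protected:` keeps the documented accessors as the only read path while `id_res()` in the implementation file can still assign them. `reset_vars()` is the only new member without a doc comment; suggest `/** Clear the identity information left over from a previously parsed id_res message. */` above it. The class body continues past the end of this hunk.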
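--- a/lib/basic_rp.cc
+++ b/lib/basic_rp.cc
@@ -3,19 +3,38 @@
 #include <openssl/hmac.h>
 #include <opkele/basic_rp.h>
 #include <opkele/exception.h>
 #include <opkele/uris.h>
 #include <opkele/data.h>
 #include <opkele/util.h>
 #include <opkele/util-internal.h>
 #include <opkele/curl.h>
+#include <opkele/debug.h>
 
 namespace opkele {
 
+void basic_RP::reset_vars() {
+claimed_id.clear(); identity.clear();
+}
+
+const string& basic_RP::get_claimed_id() const {
+if(claimed_id.empty())
+throw non_identity(OPKELE_CP_ "attempting to retreive claimed_id of non-identity assertion");
+assert(!identity.empty());
+return claimed_id;
+}
+
+const string& basic_RP::get_identity() const {
+if(identity.empty())
+throw non_identity(OPKELE_CP_ "attempting to retrieve identity of non-identity related assertion");
+assert(!claimed_id.empty());
+return identity;
+}
+
 static void dh_get_secret(
 secret_t& secret, const basic_openid_message& om,
 const char *exp_assoc, const char *exp_sess,
 util::dh_t& dh,
 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*),
 size_t exp_s_len) try {
 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
 throw bad_input(OPKELE_CP_ "Unexpected associate response");
@@ -191,16 +210,17 @@ namespace opkele {
 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
 }
 q = ++am;
 }
 }
 }
 
 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
+reset_vars();
 bool o2 = om.has_field("ns")
 && om.get_field("ns")==OIURI_OPENID20;
 if( (!o2) && om.has_field("user_setup_url"))
 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
 om.get_field("user_setup_url"));
 string m = om.get_field("mode");
 if(o2 && m=="setup_needed")
 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
@@ -266,22 +286,27 @@ namespace opkele {
 map<string,string>::const_iterator tpi = tp.find(rpi->first);
 if(tpi==tp.end())
 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
 if(tpi->second!=rpi->second)
 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
 }
 
 if(om.has_field("claimed_id")) {
+claimed_id = om.get_field("claimed_id");
+identity = om.get_field("identity");
 verify_OP(
 om.get_field("op_endpoint"),
-om.get_field("claimed_id"),
-om.get_field("identity") );
+claimed_id, identity );
 }
 
+}else{
+claimed_id = get_endpoint().claimed_id;
+/* TODO: check if this is the identity we asked for */
+identity = om.get_field("identity");
 }
 if(ext) ext->rp_id_res_hook(om,signeds);
 }
 
 void basic_RP::check_authentication(const string& OP,
 const basic_openid_message& om){
 openid_message_t res;
 static const string checkauthmode = "check_authentication";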
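Review bot: In the non-2.0 branch of `id_res()` (new lines 301–304) `identity` is copied straight out of the message and then served by `get_identity()` as the confirmed identifier, while the 2.0 branch routes the same pair through `verify_OP()`; the `/* TODO */` on line 303 acknowledges that nothing checks the received value against the identifier the RP established at discovery, so an OP response carrying a different `identity` is recorded as confirmed. That comparison should be resolved before this lands, with a mismatch rejected the same way the 2.0 branch rejects bad `return_to` parameters, rather than left as a TODO in the accepting path. Separately, the invariant in `get_claimed_id()`/`get_identity()` (first hunk, lines 22 and 29) rests on `assert`, which is compiled out under NDEBUG, and the message on line 21 misspells "retrieve" as `"retreive"`. The `id_res()` body begins outside this hunk.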