-rw-r--r-- | include/Makefile.am | 3 | ||||
-rw-r--r-- | include/opkele/consumer.h | 25 | ||||
-rw-r--r-- | include/opkele/exception.h | 10 | ||||
-rw-r--r-- | include/opkele/extension.h | 59 | ||||
-rw-r--r-- | include/opkele/server.h | 10 | ||||
-rw-r--r-- | lib/Makefile.am | 3 | ||||
-rw-r--r-- | lib/consumer.cc | 16 | ||||
-rw-r--r-- | lib/extension.cc | 15 | ||||
-rw-r--r-- | lib/server.cc | 14 |
9 files changed, 127 insertions, 28 deletions
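--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,11 +1,12 @@
 nobase_include_HEADERS = \
 opkele/acconfig.h \
 opkele/opkele-config.h \
 opkele/types.h \
 opkele/association.h \
 opkele/exception.h \
 opkele/server.h \
-opkele/consumer.h
+opkele/consumer.h \
+opkele/extension.h
 EXTRA_DIST = \
 opkele/data.h \
 opkele/util.h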
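--- a/include/opkele/consumer.h
+++ b/include/opkele/consumer.h
@@ -1,16 +1,17 @@
 #ifndef __OPKELE_CONSUMER_H
 #define __OPKELE_CONSUMER_H
 
 #include <opkele/types.h>
+#include <opkele/extension.h>
 
 /**
 * @file
 * @brief OpenID consumer-side functionality
 */
 
 /**
 * @brief the main opkele namespace
 */
 namespace opkele {
 
 /**
@@ -73,63 +74,65 @@ namespace opkele {
 * @param server the OpenID server
 * @return the auto_ptr<> for the newly allocated association_t
 * object, representing established association
 * @throw exception in case of error
 */
 assoc_t associate(const string& server);
 /**
 * prepare the parameters for the checkid_immediate
 * request.
 * @param identity the identity to verify
 * @param return_to the return_to url to pass with the request
 * @param trust_root the trust root to advertise with the request
+* @param ext pointer to an extension(s) hooks object
 * @return the location string
 * @throw exception in case of error
 */
-string checkid_immediate(const string& identity,const string& return_to,const string& trust_root="");
+string checkid_immediate(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0);
 /**
 * prepare the parameters for the checkid_setup
 * request.
 * @param identity the identity to verify
 * @param return_to the return_to url to pass with the request
 * @param trust_root the trust root to advertise with the request
+* @param ext pointer to an extension(s) hooks object
 * @return the location string
 * @throw exception in case of error
 */
-string checkid_setup(const string& identity,const string& return_to,const string& trust_root="");
+string checkid_setup(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0);
 /**
 * the actual implementation behind checkid_immediate() and
 * checkid_setup() functions.
 * @param mode checkid_* mode - either mode_checkid_immediate or mode_checkid_setup
 * @param identity the identity to verify
 * @param return_to the return_to url to pass with the request
 * @param trust_root the trust root to advertise with the request
+* @param ext pointer to an extension(s) hooks object
 * @return the location string
 * @throw exception in case of error
 */
-string checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root="");
+string checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0);
 /**
 * verify the id_res response
 * @param pin the response parameters
-* @param identity the identity being checked (if not specified, extracted
-* from the openid.identity parameter
-* @throw id_res_mismatch in case of signature
-* mismatch
-* @throw id_res_setup in case of
-* openid.user_setup_url failure (supposedly
-* checkid_immediate only)
+* @param identity the identity being checked (if not specified,
+* @param ext pointer to an extension(s) hooks object
+* extracted from the openid.identity parameter
+* @throw id_res_mismatch in case of signature mismatch
+* @throw id_res_setup in case of openid.user_setup_url failure
+* (supposedly checkid_immediate only)
 * @throw id_res_failed in case of failure
 * @throw exception in case of other failures
 */
-void id_res(const params_t& pin,const string& identity="");
+void id_res(const params_t& pin,const string& identity="",extension_t *ext=0);
 /**
 * perform a check_authentication request.
 * @param server the OpenID server
 * @param p request parameters
 */
 void check_authentication(const string& server,const params_t& p);
 
 /**
 * make URL canonical, by adding http:// and trailing slash, if needed.
 * @param url
 * @return canonicalized url
 */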
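Review bot: The new `@param ext` line in the id_res() comment (new line 118) is inserted between the two halves of the `@param identity` description, so the continuation "extracted from the openid.identity parameter" now documents ext instead of identity. Move it after the identity text: `* @param identity the identity being checked (if not specified,` / `* extracted from the openid.identity parameter)` / `* @param ext pointer to an extension(s) hooks object`. The three other `@param ext` lines in this hunk are placed correctly, but none of them says that the pointer may be null (the default is 0) or that the caller keeps ownership and must keep the object alive for the duration of the call; stating both would make the contract explicit for extension authors.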
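--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -196,15 +196,25 @@ namespace opkele {
 * network operation related error occured, specifically, related to
 * libcurl
 */
 class exception_curl : public exception_network {
 public:
 CURLcode _error;
 string _curl_string;
 exception_curl(OPKELE_E_PARS);
 exception_curl(OPKELE_E_PARS,CURLcode e);
 ~exception_curl() throw() { }
 };
 
+/**
+* not implemented (think pure virtual) member function executed, signfies
+* programmer error
+*/
+class not_implemented : public exception {
+public:
+not_implemented(OPKELE_E_PARS)
+: exception(OPKELE_E_CONS) { }
+};
+
 }
 
 #endif /* __OPKELE_EXCEPTION_H */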
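Review bot: The doc comment on the new not_implemented class (new line 209) has a typo, "signfies"; since this header is the public API reference, it should read `* not implemented (think pure virtual) member function executed, signifies`. It would also help to say in the same comment that the exception is thrown by the default extension_t hook bodies, so readers know where it originates.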
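--- /dev/null
+++ b/include/opkele/extension.h
@@ -0,0 +1,59 @@
+#ifndef __OPKELE_EXTENSIONS_H
+#define __OPKELE_EXTENSIONS_H
+
+/**
+* @file
+* @brief extensions framework basics
+*/
+
+#include <opkele/types.h>
+
+/**
+* @brief the main opkele namespace
+*/
+namespace opkele {
+
+/**
+* OpenID consumer extension hooks base class
+*/
+class extension_t {
+public:
+/**
+* hook called by consumer before submitting data to OpenID server.
+* It is supposed to manipulate parameters list.
+* @param p parameters about to be submitted to server
+* @param identity identity being verified. It may differ from the
+* one available in parameters list in case of delegation
+*/
+virtual void checkid_hook(params_t& p,const string& identity);
+/**
+* hook called by consumer after identity information received from
+* OpenID server is verified.
+* @param p parameters received from server
+* @param sp signed parameters received from server with 'openid.'
+* leader stripped
+* @param identity identity confirmed. May differ from the one
+* available in parameters list in case of delegation. May also be
+* empty which means - extract one from parameters
+*/
+virtual void id_res_hook(const params_t& p,const params_t& sp,const string& identity);
+
+/**
+* hook called by server before returning information to consumer.
+* The hook may manipulate output parameters. It is important to
+* note that modified pout["signed"] is used for signing response.
+* @param pin request parameters list
+* @param put response parameters list
+*/
+virtual void checkid_hook(const params_t& pin,params_t& pout);
+
+/**
+* Casts the object to pointer to itself. For convenient passing
+* of pointer.
+*/
+operator extension_t*(void) { return this; }
+};
+
+}
+
+#endif /* __OPKELE_EXTENSIONS_H */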
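Review bot: extension_t is a polymorphic base (three virtual hooks, new lines 28, 39 and 48) that extension authors are expected to derive from, but it declares no virtual destructor, so destroying a derived extension through an `extension_t*` is undefined behaviour; add `virtual ~extension_t() { }` next to the hooks. The server-side hook's comment (new line 46) documents `@param put` while the parameter is named `pout` on line 48, so Doxygen will flag an undocumented parameter; change it to `* @param pout response parameters list`. The class comment on line 17 says "consumer extension hooks" although the third hook is server-side, so "OpenID consumer/server extension hooks base class" would be more accurate. The `operator extension_t*` conversion on line 54 is a point of style rather than a defect: an implicit conversion to pointer makes accidental pointer comparisons and arithmetic compile silently, and `&ext` already gives the same pointer.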
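--- a/include/opkele/server.h
+++ b/include/opkele/server.h
@@ -1,21 +1,22 @@
 #ifndef __OPKELE_SERVER_H
 #define __OPKELE_SERVER_H
 
 /**
 * @file
 * @brief OpenID server-side functionality
 */
 
 #include <opkele/types.h>
+#include <opkele/extension.h>
 
 /**
 * @brief the main opkele namespace
 */
 namespace opkele {
 
 /**
 * implementation of basic server functionality
 */
 class server_t {
 public:
 
@@ -51,45 +52,48 @@ namespace opkele {
 
 /**
 * process the associate request.
 * @param pin the incoming request parameters
 * @param pout the store for the response parameters
 */
 void associate(const params_t& pin,params_t& pout);
 /**
 * process the checkid_immediate request.
 * @param pin the incoming request parameters
 * @param return_to reference to the object to store return_to url to
 * @param pout the response parameters
+* @param ext pointer to the extension hooks object
 * @throw exception in case of errors or negative reply
 */
-void checkid_immediate(const params_t& pin,string& return_to,params_t& pout);
+void checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0);
 /**
 * process the checkid_setup request.
 * @param pin the incoming request parameters
 * @param return_to reference to the object to store return_to url to
 * @param pout the response parameters
+* @param ext pointer to the extension hooks object
 * @throw exception in case of errors or negative reply
 */
-void checkid_setup(const params_t& pin,string& return_to,params_t& pout);
+void checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0);
 /**
 * the actual functionality behind checkid_immediate() and
 * checkid_setup()
 * @param mode the request being processed (either
 * mode_checkid_immediate or mode_checkid_setup)
 * @param pin the incoming request parameters
 * @param return_to reference to the object to store return_to url to
 * @param pout the response parameters
+* @param ext pointer to the extension hooks object
 * @throw exception in case of errors or negative reply
 */
-void checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout);
+void checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0);
 /**
 * process the check_authentication request.
 * @param pin incoming request parameters
 * @param pout response parameters
 */
 void check_authentication(const params_t& pin,params_t& pout);
 };
 
 }
 
 #endif /* __OPKELE_SERVER_H */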
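--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -12,13 +12,14 @@ LDADD = \
 ${PCREPP_LIBS} \
 ${MIMETIC_LIBS} \
 ${OPENSSL_LIBS} \
 ${KONFORKA_LIBS}
 
 libopkele_la_SOURCES = \
 params.cc \
 util.cc \
 server.cc \
 secret.cc \
 data.cc \
 consumer.cc \
-exception.cc
+exception.cc \
+extension.cc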
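--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -114,81 +114,84 @@ namespace opkele {
 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
 }
 int expires_in = 0;
 if(p.has_param("expires_in")) {
 expires_in = util::string_to_long(p.get_param("expires_in"));
 }else if(p.has_param("issued") && p.has_param("expiry")) {
 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
 }else
 throw bad_input(OPKELE_CP_ "no expiration information");
 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
 }
 
-string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root) {
-return checkid_(mode_checkid_immediate,identity,return_to,trust_root);
+string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
+return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
 }
-string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root) {
-return checkid_(mode_checkid_setup,identity,return_to,trust_root);
+string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
+return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
 }
-string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root) {
+string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
 params_t p;
 if(mode==mode_checkid_immediate)
 p["mode"]="checkid_immediate";
 else if(mode==mode_checkid_setup)
 p["mode"]="checkid_setup";
 else
 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
 string iurl = canonicalize(identity);
 string server, delegate;
 retrieve_links(iurl,server,delegate);
 p["identity"] = delegate.empty()?iurl:delegate;
 if(!trust_root.empty())
 p["trust_root"] = trust_root;
 p["return_to"] = return_to;
 try {
 try {
 string ah = find_assoc(server)->handle();
 p["assoc_handle"] = ah;
 }catch(failed_lookup& fl) {
 string ah = associate(server)->handle();
 p["assoc_handle"] = ah;
 }
 }catch(exception& e) { }
+if(ext) ext->checkid_hook(p,identity);
 return p.append_query(server);
 }
 
-void consumer_t::id_res(const params_t& pin,const string& identity) {
+void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
 if(pin.has_param("openid.user_setup_url"))
 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
 string server,delegate;
 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
+params_t ps;
 try {
 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
 const string& sigenc = pin.get_param("openid.sig");
 mimetic::Base64::Decoder b;
 vector<unsigned char> sig;
 mimetic::decode(
 sigenc.begin(),sigenc.end(), b,
 back_insert_iterator<vector<unsigned char> >(sig) );
 const string& slist = pin.get_param("openid.signed");
 string kv;
 string::size_type p = 0;
 while(true) {
 string::size_type co = slist.find(',',p);
 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
 kv += f;
 kv += ':';
 f.insert(0,"openid.");
 kv += pin.get_param(f);
 kv += '\n';
+if(ext) ps[f.substr(sizeof("openid."))] = pin.get_param(f);
 if(co==string::npos)
 break;
 p = co+1;
 }
 secret_t secret = assoc->secret();
 unsigned int md_len = 0;
 unsigned char *md = HMAC(
 EVP_sha1(),
 &(secret.front()),secret.size(),
 (const unsigned char *)kv.data(),kv.length(),
 0,&md_len);
 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len))
@@ -210,24 +213,25 @@ namespace opkele {
 p["openid.sig"] = pin.get_param("openid.sig");
 p["openid.signed"] = pin.get_param("openid.signed");
 try {
 string ih = pin.get_param("openid.invalidate_handle");
 p["openid.invalidate_handle"] = ih;
 }catch(failed_lookup& fl) { }
 try {
 check_authentication(server,p);
 }catch(failed_check_authentication& fca) {
 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
 }
 }
+if(ext) ext->id_res_hook(pin,ps,identity);
 }
 
 void consumer_t::check_authentication(const string& server,const params_t& p) {
 string request = "openid.mode=check_authentication";
 for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
 if(i->first!="openid.mode") {
 request += '&';
 request += i->first;
 request += '=';
 request += util::url_encode(i->second);
 }
 }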
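Review bot: The key computed on new line 185 of the first hunk is off by one: `sizeof("openid.")` is 8 because it counts the terminating NUL, so `f.substr(8)` drops the first character of every signed field name and the hook receives keys such as `ode` and `dentity` instead of `mode` and `identity`, which defeats the "leader stripped" contract documented in extension.h. Use `if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);`, or capture the unprefixed name before the `f.insert(0,"openid.")` on line 182 so no arithmetic is needed. A second point, hedged because the catch block sits between the two hunks: `ps` is only filled inside the signature-verification try block, so on the check_authentication fallback path the hook on new line 225 appears to be called with an empty `ps` although the assertion was verified remotely; either populate `ps` on that path too or document in id_res_hook() that `sp` may be empty, so extensions do not treat an empty signed set as a negative result.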
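--- /dev/null
+++ b/lib/extension.cc
@@ -0,0 +1,15 @@
+#include <opkele/exception.h>
+#include <opkele/extension.h>
+
+namespace opkele {
+
+void extension_t::checkid_hook(params_t& p,const string& identity) {
+throw not_implemented(OPKELE_CP_ "Consumer checkid_hook not implemented");
+}
+void id_res_hook(const params_t& p,const params_t& sp,const string& identity) {
+throw not_implemented(OPKELE_CP_ "Consumer id_res_hook not implemented");
+}
+void checkid_hook(const params_t& pin,params_t& pout) {
+throw not_implemented(OPKELE_CP_ "Server checkid_hook not implemented");
+}
+}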
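Review bot: The definitions on new lines 9 and 12 lack the `extension_t::` qualifier, so they define two unrelated free functions in namespace opkele while the virtual members declared in extension.h stay undefined; since this translation unit defines the first virtual member and so presumably emits the vtable, this is likely to surface as unresolved symbols when libopkele is linked. Change them to `void extension_t::id_res_hook(const params_t& p,const params_t& sp,const string& identity) {` and `void extension_t::checkid_hook(const params_t& pin,params_t& pout) {`. As a matter of style, the parameters of all three bodies are unused and could be left unnamed to keep the build free of unused-parameter warnings.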
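--- a/lib/server.cc
+++ b/lib/server.cc
@@ -58,33 +58,33 @@ namespace opkele {
 switch(st) {
 case sess_dh_sha1:
 pout["session_type"] = "DH-SHA1";
 pout["dh_server_public"] = util::bignum_to_base64(dh->pub_key);
 secret.enxor_to_base64(key_sha1,pout["enc_mac_key"]);
 break;
 default:
 secret.to_base64(pout["mac_key"]);
 break;
 }
 }
 
-void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout) {
-checkid_(mode_checkid_immediate,pin,return_to,pout);
+void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
+checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
 }
 
-void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout) {
-checkid_(mode_checkid_setup,pin,return_to,pout);
+void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
+checkid_(mode_checkid_setup,pin,return_to,pout,ext);
 }
 
-void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout) {
+void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
 pout.clear();
 assoc_t assoc;
 try {
 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
 }catch(failed_lookup& fl) {
 // no handle specified or no valid handle found, going dumb
 assoc = alloc_assoc(mode_checkid_setup);
 if(pin.has_param("openid.assoc_handle"))
 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
 }
@@ -97,25 +97,27 @@ namespace opkele {
 validate(*assoc,pin,identity,trust_root);
 pout["mode"] = "id_res";
 pout["assoc_handle"] = assoc->handle();
 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
 pout["identity"] = identity;
 pout["return_to"] = return_to;
 /* TODO: eventually remove deprecated stuff */
 time_t now = time(0);
 pout["issued"] = util::time_to_w3c(now);
 pout["valid_to"] = util::time_to_w3c(now+120);
 pout["exipres_in"] = "120";
-pout.sign(assoc->secret(),pout["sig"],pout["signed"]="mode,identity,return_to");
+pout["signed"]="mode,identity,return_to";
+if(ext) ext->checkid_hook(pin,pout);
+pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
 }
 
 void server_t::check_authentication(const params_t& pin,params_t& pout) {
 vector<unsigned char> sig;
 mimetic::Base64::Decoder b;
 const string& sigenc = pin.get_param("openid.sig");
 mimetic::decode(
 sigenc.begin(),sigenc.end(), b,
 back_insert_iterator<vector<unsigned char> >(sig));
 assoc_t assoc;
 try {
 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));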
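Review bot: In the second hunk the extension hook on new line 110 runs after validate() on line 97 and before sign() on line 111, so anything it writes into pout — including `identity`, `return_to` and the `signed` list — is signed with no further check; a hook that drops `mode`, `identity` or `return_to` from `pout["signed"]`, or overwrites those values, yields a correctly signed assertion that no longer binds the validated identity and return URL. Since the hook is documented as extending the response, re-assert the core invariant after it: the three mandatory names must still be listed in `pout["signed"]` and `pout["identity"]`/`pout["return_to"]` must still equal the values set on lines 102 and 103, otherwise fail the request rather than sign it. `pout["signed"]` is a comma-separated list, so a plain substring search is not enough; wrapping the list in commas makes the membership test exact. The `identity` local used on lines 97 and 102 is declared above this hunk, so its exact type is assumed here.
```cpp
pout["signed"]="mode,identity,return_to";
if(ext) ext->checkid_hook(pin,pout);
/* the hook may rewrite any field; refuse to sign if it broke the mandatory ones */
string sl = ","+pout["signed"]+",";
if(sl.find(",mode,")==string::npos || sl.find(",identity,")==string::npos
   || sl.find(",return_to,")==string::npos
   || pout["identity"]!=identity || pout["return_to"]!=return_to)
    throw bad_input(OPKELE_CP_ "extension hook altered mandatory assertion fields");
pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
```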