-rw-r--r--include/Makefile.am3
-rw-r--r--include/opkele/consumer.h25
-rw-r--r--include/opkele/exception.h10
-rw-r--r--include/opkele/extension.h59
-rw-r--r--include/opkele/server.h10
-rw-r--r--lib/Makefile.am3
-rw-r--r--lib/consumer.cc16
-rw-r--r--lib/extension.cc15
-rw-r--r--lib/server.cc14
9 files changed, 127 insertions, 28 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
index b014752..72931eb 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -2,10 +2,11 @@ nobase_include_HEADERS = \
2 opkele/acconfig.h \ 2 opkele/acconfig.h \
3 opkele/opkele-config.h \ 3 opkele/opkele-config.h \
4 opkele/types.h \ 4 opkele/types.h \
5 opkele/association.h \ 5 opkele/association.h \
6 opkele/exception.h \ 6 opkele/exception.h \
7 opkele/server.h \ 7 opkele/server.h \
8 opkele/consumer.h 8 opkele/consumer.h \
9 opkele/extension.h
9EXTRA_DIST = \ 10EXTRA_DIST = \
10 opkele/data.h \ 11 opkele/data.h \
11 opkele/util.h 12 opkele/util.h
diff --git a/include/opkele/consumer.h b/include/opkele/consumer.h
index 9932315..f9939cf 100644
--- a/include/opkele/consumer.h
+++ b/include/opkele/consumer.h
@@ -1,10 +1,11 @@
1#ifndef __OPKELE_CONSUMER_H 1#ifndef __OPKELE_CONSUMER_H
2#define __OPKELE_CONSUMER_H 2#define __OPKELE_CONSUMER_H
3 3
4#include <opkele/types.h> 4#include <opkele/types.h>
5#include <opkele/extension.h>
5 6
6/** 7/**
7 * @file 8 * @file
8 * @brief OpenID consumer-side functionality 9 * @brief OpenID consumer-side functionality
9 */ 10 */
10 11
@@ -79,51 +80,53 @@ namespace opkele {
79 /** 80 /**
80 * prepare the parameters for the checkid_immediate 81 * prepare the parameters for the checkid_immediate
81 * request. 82 * request.
82 * @param identity the identity to verify 83 * @param identity the identity to verify
83 * @param return_to the return_to url to pass with the request 84 * @param return_to the return_to url to pass with the request
84 * @param trust_root the trust root to advertise with the request 85 * @param trust_root the trust root to advertise with the request
86 * @param ext pointer to an extension(s) hooks object
85 * @return the location string 87 * @return the location string
86 * @throw exception in case of error 88 * @throw exception in case of error
87 */ 89 */
88 string checkid_immediate(const string& identity,const string& return_to,const string& trust_root=""); 90 string checkid_immediate(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0);
89 /** 91 /**
90 * prepare the parameters for the checkid_setup 92 * prepare the parameters for the checkid_setup
91 * request. 93 * request.
92 * @param identity the identity to verify 94 * @param identity the identity to verify
93 * @param return_to the return_to url to pass with the request 95 * @param return_to the return_to url to pass with the request
94 * @param trust_root the trust root to advertise with the request 96 * @param trust_root the trust root to advertise with the request
97 * @param ext pointer to an extension(s) hooks object
95 * @return the location string 98 * @return the location string
96 * @throw exception in case of error 99 * @throw exception in case of error
97 */ 100 */
98 string checkid_setup(const string& identity,const string& return_to,const string& trust_root=""); 101 string checkid_setup(const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0);
99 /** 102 /**
100 * the actual implementation behind checkid_immediate() and 103 * the actual implementation behind checkid_immediate() and
101 * checkid_setup() functions. 104 * checkid_setup() functions.
102 * @param mode checkid_* mode - either mode_checkid_immediate or mode_checkid_setup 105 * @param mode checkid_* mode - either mode_checkid_immediate or mode_checkid_setup
103 * @param identity the identity to verify 106 * @param identity the identity to verify
104 * @param return_to the return_to url to pass with the request 107 * @param return_to the return_to url to pass with the request
105 * @param trust_root the trust root to advertise with the request 108 * @param trust_root the trust root to advertise with the request
109 * @param ext pointer to an extension(s) hooks object
106 * @return the location string 110 * @return the location string
107 * @throw exception in case of error 111 * @throw exception in case of error
108 */ 112 */
109 string checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root=""); 113 string checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root="",extension_t *ext=0);
110 /** 114 /**
111 * verify the id_res response 115 * verify the id_res response
112 * @param pin the response parameters 116 * @param pin the response parameters
113 * @param identity the identity being checked (if not specified, extracted 117 * @param identity the identity being checked (if not specified,
114 * from the openid.identity parameter 118 * @param ext pointer to an extension(s) hooks object
115 * @throw id_res_mismatch in case of signature 119 * extracted from the openid.identity parameter
116 * mismatch 120 * @throw id_res_mismatch in case of signature mismatch
117 * @throw id_res_setup in case of 121 * @throw id_res_setup in case of openid.user_setup_url failure
118 * openid.user_setup_url failure (supposedly 122 * (supposedly checkid_immediate only)
119 * checkid_immediate only)
120 * @throw id_res_failed in case of failure 123 * @throw id_res_failed in case of failure
121 * @throw exception in case of other failures 124 * @throw exception in case of other failures
122 */ 125 */
123 void id_res(const params_t& pin,const string& identity=""); 126 void id_res(const params_t& pin,const string& identity="",extension_t *ext=0);
124 /** 127 /**
125 * perform a check_authentication request. 128 * perform a check_authentication request.
126 * @param server the OpenID server 129 * @param server the OpenID server
127 * @param p request parameters 130 * @param p request parameters
128 */ 131 */
129 void check_authentication(const string& server,const params_t& p); 132 void check_authentication(const string& server,const params_t& p);
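Review bot: The new `@param ext` line in the id_res() doc block (new line 118) is inserted between the two halves of the `@param identity` sentence, so "extracted from the openid.identity parameter" on the following line now reads as a continuation of the ext parameter rather than of identity. Move ` * @param ext pointer to an extension(s) hooks object` below the line ` * extracted from the openid.identity parameter` so each parameter's description is contiguous. The three other `@param ext` additions in this hunk are placed correctly and can stay as they are.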
diff --git a/include/opkele/exception.h b/include/opkele/exception.h
index c5f5811..9fc9bd3 100644
--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -202,9 +202,19 @@ namespace opkele {
202 string _curl_string; 202 string _curl_string;
203 exception_curl(OPKELE_E_PARS); 203 exception_curl(OPKELE_E_PARS);
204 exception_curl(OPKELE_E_PARS,CURLcode e); 204 exception_curl(OPKELE_E_PARS,CURLcode e);
205 ~exception_curl() throw() { } 205 ~exception_curl() throw() { }
206 }; 206 };
207 207
208 /**
209 * not implemented (think pure virtual) member function executed, signfies
210 * programmer error
211 */
212 class not_implemented : public exception {
213 public:
214 not_implemented(OPKELE_E_PARS)
215 : exception(OPKELE_E_CONS) { }
216 };
217
208} 218}
209 219
210#endif /* __OPKELE_EXCEPTION_H */ 220#endif /* __OPKELE_EXCEPTION_H */
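Review bot: Typo in the new doc comment on the not_implemented class: "signfies" should be "signifies". Since, per lib/extension.cc on this page, this exception is what the default extension_t hook bodies throw, the comment would be more useful if it said so, e.g. ` * not implemented (think pure virtual) member function executed, signifies a programmer error; thrown by the default extension_t hook implementations`.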
diff --git a/include/opkele/extension.h b/include/opkele/extension.h
new file mode 100644
index 0000000..3fb5f6e
--- a/dev/null
+++ b/include/opkele/extension.h
@@ -0,0 +1,59 @@
1#ifndef __OPKELE_EXTENSIONS_H
2#define __OPKELE_EXTENSIONS_H
3
4/**
5 * @file
6 * @brief extensions framework basics
7 */
8
9#include <opkele/types.h>
10
11/**
12 * @brief the main opkele namespace
13 */
14namespace opkele {
15
16 /**
17 * OpenID consumer extension hooks base class
18 */
19 class extension_t {
20 public:
21 /**
22 * hook called by consumer before submitting data to OpenID server.
23 * It is supposed to manipulate parameters list.
24 * @param p parameters about to be submitted to server
25 * @param identity identity being verified. It may differ from the
26 * one available in parameters list in case of delegation
27 */
28 virtual void checkid_hook(params_t& p,const string& identity);
29 /**
30 * hook called by consumer after identity information received from
31 * OpenID server is verified.
32 * @param p parameters received from server
33 * @param sp signed parameters received from server with 'openid.'
34 * leader stripped
35 * @param identity identity confirmed. May differ from the one
36 * available in parameters list in case of delegation. May also be
37 * empty which means - extract one from parameters
38 */
39 virtual void id_res_hook(const params_t& p,const params_t& sp,const string& identity);
40
41 /**
42 * hook called by server before returning information to consumer.
43 * The hook may manipulate output parameters. It is important to
44 * note that modified pout["signed"] is used for signing response.
45 * @param pin request parameters list
46 * @param put response parameters list
47 */
48 virtual void checkid_hook(const params_t& pin,params_t& pout);
49
50 /**
51 * Casts the object to pointer to itself. For convenient passing
52 * of pointer.
53 */
54 operator extension_t*(void) { return this; }
55 };
56
57}
58
59#endif /* __OPKELE_EXTENSIONS_H */
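Review bot: extension_t declares virtual member functions but no virtual destructor, and it is explicitly designed to be subclassed and handed around as `extension_t *`; add `virtual ~extension_t() { }` after the hooks so that a derived object deleted through a base pointer is destroyed correctly (the library does not appear to take ownership of the pointer, but the guard costs nothing and protects every caller that does). In the server hook's doc block `@param put` should be `@param pout` to match the parameter name. The conversion operator `operator extension_t*(void)` is redundant, since `&obj` already yields the pointer, and implicit conversions of this kind tend to surprise readers; consider dropping it. The include guard is named `__OPKELE_EXTENSIONS_H` while the file is extension.h, which is harmless but inconsistent with the other headers on this page.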
diff --git a/include/opkele/server.h b/include/opkele/server.h
index fe07448..bf131d8 100644
--- a/include/opkele/server.h
+++ b/include/opkele/server.h
@@ -4,12 +4,13 @@
4/** 4/**
5 * @file 5 * @file
6 * @brief OpenID server-side functionality 6 * @brief OpenID server-side functionality
7 */ 7 */
8 8
9#include <opkele/types.h> 9#include <opkele/types.h>
10#include <opkele/extension.h>
10 11
11/** 12/**
12 * @brief the main opkele namespace 13 * @brief the main opkele namespace
13 */ 14 */
14namespace opkele { 15namespace opkele {
15 16
@@ -57,34 +58,37 @@ namespace opkele {
57 void associate(const params_t& pin,params_t& pout); 58 void associate(const params_t& pin,params_t& pout);
58 /** 59 /**
59 * process the checkid_immediate request. 60 * process the checkid_immediate request.
60 * @param pin the incoming request parameters 61 * @param pin the incoming request parameters
61 * @param return_to reference to the object to store return_to url to 62 * @param return_to reference to the object to store return_to url to
62 * @param pout the response parameters 63 * @param pout the response parameters
64 * @param ext pointer to the extension hooks object
63 * @throw exception in case of errors or negative reply 65 * @throw exception in case of errors or negative reply
64 */ 66 */
65 void checkid_immediate(const params_t& pin,string& return_to,params_t& pout); 67 void checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0);
66 /** 68 /**
67 * process the checkid_setup request. 69 * process the checkid_setup request.
68 * @param pin the incoming request parameters 70 * @param pin the incoming request parameters
69 * @param return_to reference to the object to store return_to url to 71 * @param return_to reference to the object to store return_to url to
70 * @param pout the response parameters 72 * @param pout the response parameters
73 * @param ext pointer to the extension hooks object
71 * @throw exception in case of errors or negative reply 74 * @throw exception in case of errors or negative reply
72 */ 75 */
73 void checkid_setup(const params_t& pin,string& return_to,params_t& pout); 76 void checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0);
74 /** 77 /**
75 * the actual functionality behind checkid_immediate() and 78 * the actual functionality behind checkid_immediate() and
76 * checkid_setup() 79 * checkid_setup()
77 * @param mode the request being processed (either 80 * @param mode the request being processed (either
78 * mode_checkid_immediate or mode_checkid_setup) 81 * mode_checkid_immediate or mode_checkid_setup)
79 * @param pin the incoming request parameters 82 * @param pin the incoming request parameters
80 * @param return_to reference to the object to store return_to url to 83 * @param return_to reference to the object to store return_to url to
81 * @param pout the response parameters 84 * @param pout the response parameters
85 * @param ext pointer to the extension hooks object
82 * @throw exception in case of errors or negative reply 86 * @throw exception in case of errors or negative reply
83 */ 87 */
84 void checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout); 88 void checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext=0);
85 /** 89 /**
86 * process the check_authentication request. 90 * process the check_authentication request.
87 * @param pin incoming request parameters 91 * @param pin incoming request parameters
88 * @param pout response parameters 92 * @param pout response parameters
89 */ 93 */
90 void check_authentication(const params_t& pin,params_t& pout); 94 void check_authentication(const params_t& pin,params_t& pout);
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6f3f9f3..69c749e 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -18,7 +18,8 @@ libopkele_la_SOURCES = \
18 params.cc \ 18 params.cc \
19 util.cc \ 19 util.cc \
20 server.cc \ 20 server.cc \
21 secret.cc \ 21 secret.cc \
22 data.cc \ 22 data.cc \
23 consumer.cc \ 23 consumer.cc \
24 exception.cc 24 exception.cc \
25 extension.cc
diff --git a/lib/consumer.cc b/lib/consumer.cc
index bb6358c..10c2fa0 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -120,19 +120,19 @@ namespace opkele {
120 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); 120 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
121 }else 121 }else
122 throw bad_input(OPKELE_CP_ "no expiration information"); 122 throw bad_input(OPKELE_CP_ "no expiration information");
123 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); 123 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
124 } 124 }
125 125
126 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root) { 126 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
127 return checkid_(mode_checkid_immediate,identity,return_to,trust_root); 127 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
128 } 128 }
129 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root) { 129 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
130 return checkid_(mode_checkid_setup,identity,return_to,trust_root); 130 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
131 } 131 }
132 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root) { 132 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
133 params_t p; 133 params_t p;
134 if(mode==mode_checkid_immediate) 134 if(mode==mode_checkid_immediate)
135 p["mode"]="checkid_immediate"; 135 p["mode"]="checkid_immediate";
136 else if(mode==mode_checkid_setup) 136 else if(mode==mode_checkid_setup)
137 p["mode"]="checkid_setup"; 137 p["mode"]="checkid_setup";
138 else 138 else
@@ -150,20 +150,22 @@ namespace opkele {
150 p["assoc_handle"] = ah; 150 p["assoc_handle"] = ah;
151 }catch(failed_lookup& fl) { 151 }catch(failed_lookup& fl) {
152 string ah = associate(server)->handle(); 152 string ah = associate(server)->handle();
153 p["assoc_handle"] = ah; 153 p["assoc_handle"] = ah;
154 } 154 }
155 }catch(exception& e) { } 155 }catch(exception& e) { }
156 if(ext) ext->checkid_hook(p,identity);
156 return p.append_query(server); 157 return p.append_query(server);
157 } 158 }
158 159
159 void consumer_t::id_res(const params_t& pin,const string& identity) { 160 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
160 if(pin.has_param("openid.user_setup_url")) 161 if(pin.has_param("openid.user_setup_url"))
161 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); 162 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
162 string server,delegate; 163 string server,delegate;
163 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); 164 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
165 params_t ps;
164 try { 166 try {
165 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); 167 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
166 const string& sigenc = pin.get_param("openid.sig"); 168 const string& sigenc = pin.get_param("openid.sig");
167 mimetic::Base64::Decoder b; 169 mimetic::Base64::Decoder b;
168 vector<unsigned char> sig; 170 vector<unsigned char> sig;
169 mimetic::decode( 171 mimetic::decode(
@@ -177,12 +179,13 @@ namespace opkele {
177 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 179 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
178 kv += f; 180 kv += f;
179 kv += ':'; 181 kv += ':';
180 f.insert(0,"openid."); 182 f.insert(0,"openid.");
181 kv += pin.get_param(f); 183 kv += pin.get_param(f);
182 kv += '\n'; 184 kv += '\n';
185 if(ext) ps[f.substr(sizeof("openid."))] = pin.get_param(f);
183 if(co==string::npos) 186 if(co==string::npos)
184 break; 187 break;
185 p = co+1; 188 p = co+1;
186 } 189 }
187 secret_t secret = assoc->secret(); 190 secret_t secret = assoc->secret();
188 unsigned int md_len = 0; 191 unsigned int md_len = 0;
@@ -216,12 +219,13 @@ namespace opkele {
216 try { 219 try {
217 check_authentication(server,p); 220 check_authentication(server,p);
218 }catch(failed_check_authentication& fca) { 221 }catch(failed_check_authentication& fca) {
219 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); 222 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
220 } 223 }
221 } 224 }
225 if(ext) ext->id_res_hook(pin,ps,identity);
222 } 226 }
223 227
224 void consumer_t::check_authentication(const string& server,const params_t& p) { 228 void consumer_t::check_authentication(const string& server,const params_t& p) {
225 string request = "openid.mode=check_authentication"; 229 string request = "openid.mode=check_authentication";
226 for(params_t::const_iterator i=p.begin();i!=p.end();++i) { 230 for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
227 if(i->first!="openid.mode") { 231 if(i->first!="openid.mode") {
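Review bot: On new line 185 `sizeof("openid.")` is 8 because it counts the terminating NUL, so `f.substr(sizeof("openid."))` strips the first character of every signed field name and the map handed to `id_res_hook` is keyed `ode`, `dentity`, `eturn_to` instead of `mode`, `identity`, `return_to`; use `if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);`. An extension looking up a signed value by its real name will miss it, and the natural workaround of reading the same key from the unsigned `pin` defeats the point of passing only signed parameters to the hook. Separately, `ps` (new line 165) is declared before the `try` and, as far as the visible hunks show, only filled inside the loop within it, so when the association lookup fails and the fallback check_authentication() path runs, the hook at new line 225 appears to receive an empty `sp`; either populate `ps` on that path too or document in extension.h that `sp` may be empty. The body of id_res() spans lines outside these hunks.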
diff --git a/lib/extension.cc b/lib/extension.cc
new file mode 100644
index 0000000..bd2195d
--- a/dev/null
+++ b/lib/extension.cc
@@ -0,0 +1,15 @@
1#include <opkele/exception.h>
2#include <opkele/extension.h>
3
4namespace opkele {
5
6 void extension_t::checkid_hook(params_t& p,const string& identity) {
7 throw not_implemented(OPKELE_CP_ "Consumer checkid_hook not implemented");
8 }
9 void id_res_hook(const params_t& p,const params_t& sp,const string& identity) {
10 throw not_implemented(OPKELE_CP_ "Consumer id_res_hook not implemented");
11 }
12 void checkid_hook(const params_t& pin,params_t& pout) {
13 throw not_implemented(OPKELE_CP_ "Server checkid_hook not implemented");
14 }
15}
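Review bot: The definitions on new lines 9 and 12 are missing the `extension_t::` qualifier, so they define two free functions in namespace opkele instead of the virtual members declared in extension.h, and `extension_t::id_res_hook` and the server-side `extension_t::checkid_hook` remain undefined, which will surface as an undefined-symbol or missing-vtable link error as soon as any extension_t (or a subclass that does not override both) is instantiated. Change them to `void extension_t::id_res_hook(const params_t& p,const params_t& sp,const string& identity) {` and `void extension_t::checkid_hook(const params_t& pin,params_t& pout) {`. The unused parameters in all three bodies could be left unnamed to keep compilers quiet.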
diff --git a/lib/server.cc b/lib/server.cc
index 5eee1f3..8c29abb 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -64,21 +64,21 @@ namespace opkele {
64 default: 64 default:
65 secret.to_base64(pout["mac_key"]); 65 secret.to_base64(pout["mac_key"]);
66 break; 66 break;
67 } 67 }
68 } 68 }
69 69
70 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout) { 70 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
71 checkid_(mode_checkid_immediate,pin,return_to,pout); 71 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
72 } 72 }
73 73
74 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout) { 74 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
75 checkid_(mode_checkid_setup,pin,return_to,pout); 75 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
76 } 76 }
77 77
78 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout) { 78 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
79 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) 79 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
80 throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); 80 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
81 pout.clear(); 81 pout.clear();
82 assoc_t assoc; 82 assoc_t assoc;
83 try { 83 try {
84 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 84 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
@@ -103,13 +103,15 @@ namespace opkele {
103 pout["return_to"] = return_to; 103 pout["return_to"] = return_to;
104 /* TODO: eventually remove deprecated stuff */ 104 /* TODO: eventually remove deprecated stuff */
105 time_t now = time(0); 105 time_t now = time(0);
106 pout["issued"] = util::time_to_w3c(now); 106 pout["issued"] = util::time_to_w3c(now);
107 pout["valid_to"] = util::time_to_w3c(now+120); 107 pout["valid_to"] = util::time_to_w3c(now+120);
108 pout["exipres_in"] = "120"; 108 pout["exipres_in"] = "120";
109 pout.sign(assoc->secret(),pout["sig"],pout["signed"]="mode,identity,return_to"); 109 pout["signed"]="mode,identity,return_to";
110 if(ext) ext->checkid_hook(pin,pout);
111 pout.sign(assoc->secret(),pout["sig"],pout["signed"]);
110 } 112 }
111 113
112 void server_t::check_authentication(const params_t& pin,params_t& pout) { 114 void server_t::check_authentication(const params_t& pin,params_t& pout) {
113 vector<unsigned char> sig; 115 vector<unsigned char> sig;
114 mimetic::Base64::Decoder b; 116 mimetic::Base64::Decoder b;
115 const string& sigenc = pin.get_param("openid.sig"); 117 const string& sigenc = pin.get_param("openid.sig");
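Review bot: With the reorder on new lines 109-111 the extension hook now runs between setting `pout["signed"]` and computing the signature, and extension.h explicitly allows the hook to rewrite `pout["signed"]`, so a hook that drops `identity` or `return_to` from the list (or clears it) produces a positive assertion whose core fields are no longer covered by the signature. Since that is an easy mistake for an extension author to make, re-check the list after the hook before signing, e.g. `const string& sl = pout["signed"];` / `if(sl.find("mode")==string::npos || sl.find("identity")==string::npos || sl.find("return_to")==string::npos)` / `throw bad_input(OPKELE_CP_ "extension removed mandatory fields from signed list");` (a proper comma-split check would be stricter than substring matching). On the unchanged context line just above, `pout["exipres_in"] = "120";` looks like a misspelling of `expires_in`; it is pre-existing, but worth a look while this block is being touched. checkid_() starts in the previous hunk of this section.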