1 files changed, 218 insertions, 0 deletions
diff --git a/include/opkele/basic_rp.h b/include/opkele/basic_rp.h
new file mode 100644
index 0000000..3f17fd9
--- a/dev/null
+++ b/include/opkele/basic_rp.h
@@ -0,0 +1,218 @@
+#ifndef __OPKELE_BASIC_RP_H
+#define __OPKELE_BASIC_RP_H
+#include <cstring>
+#include <string>
+#include <opkele/types.h>
+#include <opkele/extension.h>
+namespace opkele {
+    using std::string;
+    struct openid_endpoint_t {
+        string uri;
+        string claimed_id;
+        string local_id;
+        openid_endpoint_t() { }
+        openid_endpoint_t(const string& u,const string& cid,const string& lid)
+            : uri(u), claimed_id(cid), local_id(lid) { }
+        bool operator==(const openid_endpoint_t& x) const {
+            return uri==x.uri && local_id==x.local_id; }
+        bool operator<(const openid_endpoint_t& x) const {
+            int c;
+            return (c=strcmp(uri.c_str(),x.uri.c_str()))
+                ? (c<0) : (strcmp(local_id.c_str(),x.local_id.c_str())<0); }
+    };
+    class basic_RP {
+        public:
+            virtual ~basic_RP() { }
+            /**
+             * @name Global persistent store API
+             * These are functions related to the associations with OP storage
+             * and retrieval and nonce records. They provide an interface to
+             * the persistent storage which is shared by all sessions. If the
+             * implementor prefers the dumb mode instead, the function should
+             * throw dumb_RP exception instead.
+             * @see opkele::dumb_RP
+             * @{
+             */
+            /**
+             * Store association and return allocated association object.
+             * @param OP OP endpoint
+             * @param handle association handle
+             * @param type association type
+             * @param secret association secret
+             * @params expires_in the number of seconds association expires in
+             * @return the association object
+             * @throw dumb_RP for dumb RP
+             */
+            virtual assoc_t store_assoc(
+                    const string& OP,const string& handle,
+                    const string& type,const secret_t& secret,
+                    int expires_in) = 0;
+            /**
+             * Find valid unexpired association with an OP.
+             * @param OP OP endpoint URL
+             * @return association found
+             * @throw failed_lookup if no association found
+             * @throw dumb_RP for dumb RP
+             */
+            virtual assoc_t find_assoc(
+                    const string& OP) = 0;
+            /**
+             * Retrieve valid association handle for an OP by handle.
+             * @param OP OP endpoint URL
+             * @param handle association handle
+             * @return association found
+             * @throw failed_lookup if no association found
+             * @throw dumb_RP for dumb RP
+             */
+            virtual assoc_t retrieve_assoc(
+                    const string& OP,const string& handle) = 0;
+            /**
+             * Invalidate association with OP
+             * @param OP OP endpoint URL
+             * @param handle association handle
+             * @throw dumb_RP for dumb RP
+             */
+            virtual void invalidate_assoc(const string& OP,const string& handle) = 0;
+            /**
+             * Check the nonce validity. That is, check that we haven't
+             * accepted request with this nonce from this OP, yet. May involve
+             * cutting off by the timestamp and checking the rest against the
+             * store of seen nonces.
+             * @param OP OP endpoint URL
+             * @param nonce nonce value
+             * @throw id_res_bad_nonce if the nonce is not to be accepted, i.e.
+             * either too old or seen.
+             */
+            virtual void check_nonce(const string& OP,const string& nonce) = 0;
+            /**
+             * @}
+             */
+            /**
+             * @name Session persistent store API
+             * @{
+             */
+            /**
+             * Retrieve OpenID endpoint being currently used for
+             * authentication. If there is no endpoint available, throw a
+             * no_endpoint exception.
+             * @return reference to the service endpoint object
+             * @see next_endpoint
+             * @throw no_endpoint if no endpoint available
+             */
+            virtual const openid_endpoint_t& get_endpoint() const = 0;
+            /**
+             * Advance to the next endpoint to try.
+             * @see get_endpoint()
+             * @throw no_endpoint if there are no more endpoints
+             */
+            virtual void next_endpoint() = 0;
+            /**
+             * @}
+             */
+            /**
+             * @name Site particulars API
+             * @{
+             */
+            /**
+             * Return an absolute URL of the page being processed, includining
+             * query parameters. It is used to validate return_to URL on
+             * positive assertions.
+             * @return fully qualified url of the page being processed.
+             */
+            virtual const string get_this_url() const = 0;
+            /**
+             * @}
+             */
+            /**
+             * @name OpenID actions
+             * @{
+             */
+            /**
+             * Initiates authentication session, doing discovery, normalization
+             * and whatever implementor wants to do at this point.
+             * @param usi User-supplied identity
+             */
+            virtual void initiate(const string& usi) = 0;
+            /**
+             * Prepare checkid_request.
+             * @param rv reference to the openid message to prepare
+             * @param mode checkid_setup or checkid_immediate
+             * @param return_to the URL OP should redirect to after completion
+             * @param realm authentication realm to pass to OP
+             * @param ext pointer to extension to use in request preparation
+             * @return reference to the openid message
+             */
+            basic_openid_message& checkid_(
+                    basic_openid_message& rv,
+                    mode_t mode,
+                    const string& return_to,const string& realm,
+                    extension_t *ext=0);
+            /**
+             * Verify assertion at the end of round-trip.
+             * @param om incoming openid message
+             * @param ext pointer to extention to use in parsing assertion
+             * @throw id_res_setup if checkid_immediate request could not be
+             * completed
+             * @throw id_res_cancel if authentication request was canceled
+             * @throw id_res_mismatch in case of signature mismatch
+             * @throw id_res_bad_return_to if return_to url seems to be
+             * tampered with
+             * @throw id_res_unauthorized if OP is not authorized to make
+             * assertions regarding the identity
+             */
+            void id_res(const basic_openid_message& om,extension_t *ext=0);
+            /**
+             * Establish association with OP
+             * @param OP OP to establish association with
+             * @throw dumb_RP if for a dumb RP
+             */
+            virtual assoc_t associate(const string& OP);
+            /**
+             * Check authentication with OP and invalidate handle if requested
+             * and confirmed
+             * @param OP OP to check with
+             * @param om message to check
+             * @throw failed_check_authentication if OP fails to confirm
+             * authenticity of the assertion
+             */
+            void check_authentication(const string& OP,const basic_openid_message& om);
+            /**
+             * @}
+             */
+            /**
+             * @name Miscellanea
+             * @{
+             */
+            /**
+             * Verify OP authority. Return normally if OP is authorized to make
+             * an assertion, throw an exception otherwise.
+             * @param OP OP endpoint
+             * @param claimed_id claimed identity
+             * @param identity OP-Local identifier
+             * @throw id_res_unauthorized if OP is not authorized to make
+             * assertion regarding this identity.
+             */
+            virtual void verify_OP(const string& OP,
+                    const string& claimed_id,const string& identity) const = 0;
+            /**
+             * @}
+             */
+    };
+}
+#endif /* __OPKELE_BASIC_RP_H */

diff --git a/include/opkele/basic_rp.h b/include/opkele/basic_rp.h new file mode 100644 index 0000000..3f17fd9 --- a/dev/null +++ b/include/opkele/basic_rp.h
@@ -0,0 +1,218 @@
	1	#ifndef __OPKELE_BASIC_RP_H
	2	#define __OPKELE_BASIC_RP_H
	3
	4	#include <cstring>
	5	#include <string>
	6	#include <opkele/types.h>
	7	#include <opkele/extension.h>
	8
	9	namespace opkele {
	10	using std::string;
	11
	12	struct openid_endpoint_t {
	13	string uri;
	14	string claimed_id;
	15	string local_id;
	16
	17	openid_endpoint_t() { }
	18	openid_endpoint_t(const string& u,const string& cid,const string& lid)
	19	: uri(u), claimed_id(cid), local_id(lid) { }
	20
	21	bool operator==(const openid_endpoint_t& x) const {
	22	return uri==x.uri && local_id==x.local_id; }
	23	bool operator<(const openid_endpoint_t& x) const {
	24	int c;
	25	return (c=strcmp(uri.c_str(),x.uri.c_str()))
	26	? (c<0) : (strcmp(local_id.c_str(),x.local_id.c_str())<0); }
	27	};
	28
	29	class basic_RP {
	30	public:
	31
	32	virtual ~basic_RP() { }
	33
	34	/**
	35	* @name Global persistent store API
	36	* These are functions related to the associations with OP storage
	37	* and retrieval and nonce records. They provide an interface to
	38	* the persistent storage which is shared by all sessions. If the
	39	* implementor prefers the dumb mode instead, the function should
	40	* throw dumb_RP exception instead.
	41	* @see opkele::dumb_RP
	42	* @{
	43	*/
	44	/**
	45	* Store association and return allocated association object.
	46	* @param OP OP endpoint
	47	* @param handle association handle
	48	* @param type association type
	49	* @param secret association secret
	50	* @params expires_in the number of seconds association expires in
	51	* @return the association object
	52	* @throw dumb_RP for dumb RP
	53	*/
	54	virtual assoc_t store_assoc(
	55	const string& OP,const string& handle,
	56	const string& type,const secret_t& secret,
	57	int expires_in) = 0;
	58	/**
	59	* Find valid unexpired association with an OP.
	60	* @param OP OP endpoint URL
	61	* @return association found
	62	* @throw failed_lookup if no association found
	63	* @throw dumb_RP for dumb RP
	64	*/
	65	virtual assoc_t find_assoc(
	66	const string& OP) = 0;
	67	/**
	68	* Retrieve valid association handle for an OP by handle.
	69	* @param OP OP endpoint URL
	70	* @param handle association handle
	71	* @return association found
	72	* @throw failed_lookup if no association found
	73	* @throw dumb_RP for dumb RP
	74	*/
	75	virtual assoc_t retrieve_assoc(
	76	const string& OP,const string& handle) = 0;
	77	/**
	78	* Invalidate association with OP
	79	* @param OP OP endpoint URL
	80	* @param handle association handle
	81	* @throw dumb_RP for dumb RP
	82	*/
	83	virtual void invalidate_assoc(const string& OP,const string& handle) = 0;
	84
	85	/**
	86	* Check the nonce validity. That is, check that we haven't
	87	* accepted request with this nonce from this OP, yet. May involve
	88	* cutting off by the timestamp and checking the rest against the
	89	* store of seen nonces.
	90	* @param OP OP endpoint URL
	91	* @param nonce nonce value
	92	* @throw id_res_bad_nonce if the nonce is not to be accepted, i.e.
	93	* either too old or seen.
	94	*/
	95	virtual void check_nonce(const string& OP,const string& nonce) = 0;
	96	/**
	97	* @}
	98	*/
	99
	100	/**
	101	* @name Session persistent store API
	102	* @{
	103	*/
	104	/**
	105	* Retrieve OpenID endpoint being currently used for
	106	* authentication. If there is no endpoint available, throw a
	107	* no_endpoint exception.
	108	* @return reference to the service endpoint object
	109	* @see next_endpoint
	110	* @throw no_endpoint if no endpoint available
	111	*/
	112	virtual const openid_endpoint_t& get_endpoint() const = 0;
	113	/**
	114	* Advance to the next endpoint to try.
	115	* @see get_endpoint()
	116	* @throw no_endpoint if there are no more endpoints
	117	*/
	118	virtual void next_endpoint() = 0;
	119	/**
	120	* @}
	121	*/
	122
	123	/**
	124	* @name Site particulars API
	125	* @{
	126	*/
	127	/**
	128	* Return an absolute URL of the page being processed, includining
	129	* query parameters. It is used to validate return_to URL on
	130	* positive assertions.
	131	* @return fully qualified url of the page being processed.
	132	*/
	133	virtual const string get_this_url() const = 0;
	134	/**
	135	* @}
	136	*/
	137
	138	/**
	139	* @name OpenID actions
	140	* @{
	141	*/
	142	/**
	143	* Initiates authentication session, doing discovery, normalization
	144	* and whatever implementor wants to do at this point.
	145	* @param usi User-supplied identity
	146	*/
	147	virtual void initiate(const string& usi) = 0;
	148	/**
	149	* Prepare checkid_request.
	150	* @param rv reference to the openid message to prepare
	151	* @param mode checkid_setup or checkid_immediate
	152	* @param return_to the URL OP should redirect to after completion
	153	* @param realm authentication realm to pass to OP
	154	* @param ext pointer to extension to use in request preparation
	155	* @return reference to the openid message
	156	*/
	157	basic_openid_message& checkid_(
	158	basic_openid_message& rv,
	159	mode_t mode,
	160	const string& return_to,const string& realm,
	161	extension_t *ext=0);
	162	/**
	163	* Verify assertion at the end of round-trip.
	164	* @param om incoming openid message
	165	* @param ext pointer to extention to use in parsing assertion
	166	* @throw id_res_setup if checkid_immediate request could not be
	167	* completed
	168	* @throw id_res_cancel if authentication request was canceled
	169	* @throw id_res_mismatch in case of signature mismatch
	170	* @throw id_res_bad_return_to if return_to url seems to be
	171	* tampered with
	172	* @throw id_res_unauthorized if OP is not authorized to make
	173	* assertions regarding the identity
	174	*/
	175	void id_res(const basic_openid_message& om,extension_t *ext=0);
	176
	177	/**
	178	* Establish association with OP
	179	* @param OP OP to establish association with
	180	* @throw dumb_RP if for a dumb RP
	181	*/
	182	virtual assoc_t associate(const string& OP);
	183	/**
	184	* Check authentication with OP and invalidate handle if requested
	185	* and confirmed
	186	* @param OP OP to check with
	187	* @param om message to check
	188	* @throw failed_check_authentication if OP fails to confirm
	189	* authenticity of the assertion
	190	*/
	191	void check_authentication(const string& OP,const basic_openid_message& om);
	192	/**
	193	* @}
	194	*/
	195
	196	/**
	197	* @name Miscellanea
	198	* @{
	199	*/
	200	/**
	201	* Verify OP authority. Return normally if OP is authorized to make
	202	* an assertion, throw an exception otherwise.
	203	* @param OP OP endpoint
	204	* @param claimed_id claimed identity
	205	* @param identity OP-Local identifier
	206	* @throw id_res_unauthorized if OP is not authorized to make
	207	* assertion regarding this identity.
	208	*/
	209	virtual void verify_OP(const string& OP,
	210	const string& claimed_id,const string& identity) const = 0;
	211	/**
	212	* @}
	213	*/
	214	};
	215
	216	}
	217
	218	#endif /* __OPKELE_BASIC_RP_H */