summaryrefslogtreecommitdiffabout
authorMichael Krelin <hacker@klever.net>2008-01-20 21:08:05 (UTC)
committer Michael Krelin <hacker@klever.net>2008-01-20 21:08:05 (UTC)
commit9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc (patch) (unidiff)
tree702473142242e80538c4801cc379ec98fba199dd
parent395a126cbf59b7a50f44da3096b68bab412ab33d (diff)
downloadlibopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.zip
libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.gz
libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.bz2
the whole library rewritten
Signed-off-by: Michael Krelin <hacker@klever.net>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--include/Makefile.am21
-rw-r--r--include/opkele/basic_rp.h218
-rw-r--r--include/opkele/discovery.h88
-rw-r--r--include/opkele/exception.h19
-rw-r--r--include/opkele/extension.h7
-rw-r--r--include/opkele/extension_chain.h6
-rw-r--r--include/opkele/prequeue_rp.h81
-rw-r--r--include/opkele/sreg.h8
-rw-r--r--include/opkele/types.h171
-rw-r--r--include/opkele/util.h8
-rw-r--r--lib/Makefile.am7
-rw-r--r--lib/basic_rp.cc311
-rw-r--r--lib/consumer.cc4
-rw-r--r--lib/discovery.cc161
-rw-r--r--lib/extension.cc6
-rw-r--r--lib/extension_chain.cc12
-rw-r--r--lib/openid_message.cc228
-rw-r--r--lib/params.cc101
-rw-r--r--lib/prequeue_rp.cc81
-rw-r--r--lib/server.cc2
-rw-r--r--lib/sreg.cc54
-rw-r--r--lib/util.cc71
22 files changed, 1366 insertions, 299 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
index 51dcea1..50fcb62 100644
--- a/include/Makefile.am
+++ b/include/Makefile.am
@@ -1,21 +1,32 @@
1nobase_include_HEADERS = \ 1NODIST_HEADERS_ = \
2 opkele/acconfig.h \ 2 opkele/acconfig.h \
3 opkele/tr1-mem.h
4
5nobase_include_HEADERS = \
3 opkele/opkele-config.h \ 6 opkele/opkele-config.h \
4 opkele/types.h \ 7 opkele/types.h \
5 opkele/association.h \ 8 opkele/association.h \
6 opkele/exception.h \ 9 opkele/exception.h \
7 opkele/server.h \ 10 opkele/server.h \
8 opkele/consumer.h \ 11 opkele/consumer.h \
9 opkele/extension.h \ 12 opkele/extension.h \
10 opkele/sreg.h \ 13 opkele/sreg.h \
11 opkele/extension_chain.h \ 14 opkele/extension_chain.h \
12 opkele/xconsumer.h \ 15 opkele/xconsumer.h \
13 opkele/xserver.h \ 16 opkele/xserver.h \
14 opkele/discovery.h \
15 opkele/uris.h \ 17 opkele/uris.h \
16 opkele/tr1-mem.h 18 opkele/tr1-mem.h \
17EXTRA_DIST = \ 19 opkele/basic_rp.h \
20 opkele/prequeue_rp.h \
21 opkele/iterator.h \
22 ${NODIST_HEADERS_}
23
24noinst_HEADERS = \
18 opkele/data.h \ 25 opkele/data.h \
19 opkele/curl.h opkele/expat.h opkele/tidy.h \ 26 opkele/curl.h opkele/expat.h opkele/tidy.h \
20 opkele/util.h \ 27 opkele/util.h \
21 opkele/debug.h 28 opkele/debug.h \
29 opkele/discovery.h
30
31dist-hook:
32 rm -f $(addprefix ${distdir}/,${NODIST_HEADERS_})
diff --git a/include/opkele/basic_rp.h b/include/opkele/basic_rp.h
new file mode 100644
index 0000000..3f17fd9
--- a/dev/null
+++ b/include/opkele/basic_rp.h
@@ -0,0 +1,218 @@
1#ifndef __OPKELE_BASIC_RP_H
2#define __OPKELE_BASIC_RP_H
3
4#include <cstring>
5#include <string>
6#include <opkele/types.h>
7#include <opkele/extension.h>
8
9namespace opkele {
10 using std::string;
11
12 struct openid_endpoint_t {
13 string uri;
14 string claimed_id;
15 string local_id;
16
17 openid_endpoint_t() { }
18 openid_endpoint_t(const string& u,const string& cid,const string& lid)
19 : uri(u), claimed_id(cid), local_id(lid) { }
20
21 bool operator==(const openid_endpoint_t& x) const {
22 return uri==x.uri && local_id==x.local_id; }
23 bool operator<(const openid_endpoint_t& x) const {
24 int c;
25 return (c=strcmp(uri.c_str(),x.uri.c_str()))
26 ? (c<0) : (strcmp(local_id.c_str(),x.local_id.c_str())<0); }
27 };
28
29 class basic_RP {
30 public:
31
32 virtual ~basic_RP() { }
33
34 /**
35 * @name Global persistent store API
36 * These are functions related to the associations with OP storage
37 * and retrieval and nonce records. They provide an interface to
38 * the persistent storage which is shared by all sessions. If the
39 * implementor prefers the dumb mode instead, the function should
40 * throw dumb_RP exception instead.
41 * @see opkele::dumb_RP
42 * @{
43 */
44 /**
45 * Store association and return allocated association object.
46 * @param OP OP endpoint
47 * @param handle association handle
48 * @param type association type
49 * @param secret association secret
50 * @params expires_in the number of seconds association expires in
51 * @return the association object
52 * @throw dumb_RP for dumb RP
53 */
54 virtual assoc_t store_assoc(
55 const string& OP,const string& handle,
56 const string& type,const secret_t& secret,
57 int expires_in) = 0;
58 /**
59 * Find valid unexpired association with an OP.
60 * @param OP OP endpoint URL
61 * @return association found
62 * @throw failed_lookup if no association found
63 * @throw dumb_RP for dumb RP
64 */
65 virtual assoc_t find_assoc(
66 const string& OP) = 0;
67 /**
68 * Retrieve valid association handle for an OP by handle.
69 * @param OP OP endpoint URL
70 * @param handle association handle
71 * @return association found
72 * @throw failed_lookup if no association found
73 * @throw dumb_RP for dumb RP
74 */
75 virtual assoc_t retrieve_assoc(
76 const string& OP,const string& handle) = 0;
77 /**
78 * Invalidate association with OP
79 * @param OP OP endpoint URL
80 * @param handle association handle
81 * @throw dumb_RP for dumb RP
82 */
83 virtual void invalidate_assoc(const string& OP,const string& handle) = 0;
84
85 /**
86 * Check the nonce validity. That is, check that we haven't
87 * accepted request with this nonce from this OP, yet. May involve
88 * cutting off by the timestamp and checking the rest against the
89 * store of seen nonces.
90 * @param OP OP endpoint URL
91 * @param nonce nonce value
92 * @throw id_res_bad_nonce if the nonce is not to be accepted, i.e.
93 * either too old or seen.
94 */
95 virtual void check_nonce(const string& OP,const string& nonce) = 0;
96 /**
97 * @}
98 */
99
100 /**
101 * @name Session persistent store API
102 * @{
103 */
104 /**
105 * Retrieve OpenID endpoint being currently used for
106 * authentication. If there is no endpoint available, throw a
107 * no_endpoint exception.
108 * @return reference to the service endpoint object
109 * @see next_endpoint
110 * @throw no_endpoint if no endpoint available
111 */
112 virtual const openid_endpoint_t& get_endpoint() const = 0;
113 /**
114 * Advance to the next endpoint to try.
115 * @see get_endpoint()
116 * @throw no_endpoint if there are no more endpoints
117 */
118 virtual void next_endpoint() = 0;
119 /**
120 * @}
121 */
122
123 /**
124 * @name Site particulars API
125 * @{
126 */
127 /**
128 * Return an absolute URL of the page being processed, includining
129 * query parameters. It is used to validate return_to URL on
130 * positive assertions.
131 * @return fully qualified url of the page being processed.
132 */
133 virtual const string get_this_url() const = 0;
134 /**
135 * @}
136 */
137
138 /**
139 * @name OpenID actions
140 * @{
141 */
142 /**
143 * Initiates authentication session, doing discovery, normalization
144 * and whatever implementor wants to do at this point.
145 * @param usi User-supplied identity
146 */
147 virtual void initiate(const string& usi) = 0;
148 /**
149 * Prepare checkid_request.
150 * @param rv reference to the openid message to prepare
151 * @param mode checkid_setup or checkid_immediate
152 * @param return_to the URL OP should redirect to after completion
153 * @param realm authentication realm to pass to OP
154 * @param ext pointer to extension to use in request preparation
155 * @return reference to the openid message
156 */
157 basic_openid_message& checkid_(
158 basic_openid_message& rv,
159 mode_t mode,
160 const string& return_to,const string& realm,
161 extension_t *ext=0);
162 /**
163 * Verify assertion at the end of round-trip.
164 * @param om incoming openid message
165 * @param ext pointer to extention to use in parsing assertion
166 * @throw id_res_setup if checkid_immediate request could not be
167 * completed
168 * @throw id_res_cancel if authentication request was canceled
169 * @throw id_res_mismatch in case of signature mismatch
170 * @throw id_res_bad_return_to if return_to url seems to be
171 * tampered with
172 * @throw id_res_unauthorized if OP is not authorized to make
173 * assertions regarding the identity
174 */
175 void id_res(const basic_openid_message& om,extension_t *ext=0);
176
177 /**
178 * Establish association with OP
179 * @param OP OP to establish association with
180 * @throw dumb_RP if for a dumb RP
181 */
182 virtual assoc_t associate(const string& OP);
183 /**
184 * Check authentication with OP and invalidate handle if requested
185 * and confirmed
186 * @param OP OP to check with
187 * @param om message to check
188 * @throw failed_check_authentication if OP fails to confirm
189 * authenticity of the assertion
190 */
191 void check_authentication(const string& OP,const basic_openid_message& om);
192 /**
193 * @}
194 */
195
196 /**
197 * @name Miscellanea
198 * @{
199 */
200 /**
201 * Verify OP authority. Return normally if OP is authorized to make
202 * an assertion, throw an exception otherwise.
203 * @param OP OP endpoint
204 * @param claimed_id claimed identity
205 * @param identity OP-Local identifier
206 * @throw id_res_unauthorized if OP is not authorized to make
207 * assertion regarding this identity.
208 */
209 virtual void verify_OP(const string& OP,
210 const string& claimed_id,const string& identity) const = 0;
211 /**
212 * @}
213 */
214 };
215
216}
217
218#endif /* __OPKELE_BASIC_RP_H */
diff --git a/include/opkele/discovery.h b/include/opkele/discovery.h
index af4aa29..ab4b9d9 100644
--- a/include/opkele/discovery.h
+++ b/include/opkele/discovery.h
@@ -1,40 +1,104 @@
1#ifndef __OPKELE_DISCOVERY_H 1#ifndef __OPKELE_DISCOVERY_H
2#define __OPKELE_DISCOVERY_H 2#define __OPKELE_DISCOVERY_H
3 3
4#include <string> 4#include <string>
5#include <opkele/types.h> 5#include <opkele/types.h>
6#include <opkele/basic_rp.h>
6 7
7namespace opkele { 8namespace opkele {
8 using std::string; 9 using std::string;
9 10
10 struct idiscovery_t; 11 namespace xrd {
11 12
12 void idiscover(idiscovery_t& result,const string& identity); 13 struct priority_compare {
14 inline bool operator()(long a,long b) const {
15 return (a<0) ? false : (b<0) ? true : (a<b);
16 }
17 };
18
19 template <typename _DT>
20 class priority_map : public multimap<long,_DT,priority_compare> {
21 typedef multimap<long,_DT,priority_compare> map_type;
22 public:
23
24 inline _DT& add(long priority,const _DT& d) {
25 return insert(typename map_type::value_type(priority,d))->second;
26 }
27
28 bool has_value(const _DT& d) const {
29 for(typename map_type::const_iterator i=this->begin();i!=this->end();++i)
30 if(i->second==d) return true;
31 return false;
32 }
33 };
34
35 typedef priority_map<string> canonical_ids_t;
36 typedef priority_map<string> local_ids_t;
37 typedef set<string> types_t;
38 typedef priority_map<string> uris_t;
39
40 class service_t {
41 public:
42 types_t types;
43 uris_t uris;
44 local_ids_t local_ids;
45 string provider_id;
46
47 void clear() {
48 types.clear();
49 uris.clear(); local_ids.clear();
50 provider_id.clear();
51 }
52 };
53 typedef priority_map<service_t> services_t;
54
55 class XRD_t {
56 public:
57 time_t expires;
58
59 canonical_ids_t canonical_ids;
60 local_ids_t local_ids;
61 services_t services;
62 string provider_id;
63
64 void clear() {
65 expires = 0;
66 canonical_ids.clear(); local_ids.clear();
67 services.clear();
68 provider_id.clear();
69 }
70 bool empty() const {
71 return
72 canonical_ids.empty()
73 && local_ids.empty()
74 && services.empty();
75 }
76
77 };
78
79 }
80
81 typedef util::output_iterator_proxy<openid_endpoint_t>
82 endpoint_discovery_iterator;
83
84 string idiscover(
85 endpoint_discovery_iterator oi,
86 const string& identity);
13 87
14 struct idiscovery_t { 88 struct idiscovery_t {
15 bool xri_identity; 89 bool xri_identity;
16 string normalized_id; 90 string normalized_id;
17 string canonicalized_id; 91 string canonicalized_id;
18 xrd::XRD_t xrd; 92 xrd::XRD_t xrd;
19 93
20 idiscovery_t() { } 94 idiscovery_t() { }
21 idiscovery_t(const string& i) {
22 idiscover(*this,i);
23 }
24 idiscovery_t(const char *i) {
25 idiscover(*this,i);
26 }
27 95
28 void clear() { 96 void clear() {
29 normalized_id.clear(); canonicalized_id.clear(); 97 normalized_id.clear(); canonicalized_id.clear();
30 xrd.clear(); 98 xrd.clear();
31 } 99 }
32 100
33 idiscovery_t& operator=(const string& i) {
34 idiscover(*this,i); return *this; }
35 idiscovery_t& operator=(const char *i) {
36 idiscover(*this,i); return *this; }
37 }; 101 };
38} 102}
39 103
40#endif /* __OPKELE_DISCOVERY_H */ 104#endif /* __OPKELE_DISCOVERY_H */
diff --git a/include/opkele/exception.h b/include/opkele/exception.h
index a8c3339..ccb39d9 100644
--- a/include/opkele/exception.h
+++ b/include/opkele/exception.h
@@ -266,51 +266,70 @@ namespace opkele {
266 /** 266 /**
267 * exception thrown in case of failed discovery 267 * exception thrown in case of failed discovery
268 */ 268 */
269 class failed_discovery : public exception { 269 class failed_discovery : public exception {
270 public: 270 public:
271 failed_discovery(OPKELE_E_PARS) 271 failed_discovery(OPKELE_E_PARS)
272 : exception(OPKELE_E_CONS) { } 272 : exception(OPKELE_E_CONS) { }
273 }; 273 };
274 274
275 /** 275 /**
276 * unsuccessfull xri resolution 276 * unsuccessfull xri resolution
277 */ 277 */
278 class failed_xri_resolution : public failed_discovery { 278 class failed_xri_resolution : public failed_discovery {
279 public: 279 public:
280 long _code; 280 long _code;
281 failed_xri_resolution(OPKELE_E_PARS,long _c=-1) 281 failed_xri_resolution(OPKELE_E_PARS,long _c=-1)
282 : failed_discovery(OPKELE_E_CONS), _code(_c) { } 282 : failed_discovery(OPKELE_E_CONS), _code(_c) { }
283 }; 283 };
284 284
285 /** 285 /**
286 * not implemented (think pure virtual) member function executed, signfies 286 * not implemented (think pure virtual) member function executed, signfies
287 * programmer error 287 * programmer error
288 */ 288 */
289 class not_implemented : public exception { 289 class not_implemented : public exception {
290 public: 290 public:
291 not_implemented(OPKELE_E_PARS) 291 not_implemented(OPKELE_E_PARS)
292 : exception(OPKELE_E_CONS) { } 292 : exception(OPKELE_E_CONS) { }
293 }; 293 };
294 294
295 /** 295 /**
296 * internal error, indicates internal libopkele problem 296 * internal error, indicates internal libopkele problem
297 */ 297 */
298 class internal_error : public exception { 298 class internal_error : public exception {
299 public: 299 public:
300 internal_error(OPKELE_E_PARS) 300 internal_error(OPKELE_E_PARS)
301 : exception(OPKELE_E_CONS) { } 301 : exception(OPKELE_E_CONS) { }
302 }; 302 };
303 303
304 /** 304 /**
305 * thrown in case of unsupported parameter encountered (e.g. unsupported 305 * thrown in case of unsupported parameter encountered (e.g. unsupported
306 * association type). 306 * association type).
307 */ 307 */
308 class unsupported : public exception { 308 class unsupported : public exception {
309 public: 309 public:
310 unsupported(OPKELE_E_PARS) 310 unsupported(OPKELE_E_PARS)
311 : exception(OPKELE_E_CONS) { } 311 : exception(OPKELE_E_CONS) { }
312 }; 312 };
313 313
314 /**
315 * thrown by associations store related functions in case of dumb RP.
316 */
317 class dumb_RP : public exception {
318 public:
319 dumb_RP(OPKELE_E_PARS)
320 : exception(OPKELE_E_CONS) { }
321 };
322
323 /**
324 * thrown by endpoint-queue related function if endpoint is being
325 * accessed but there's no endpoint available.
326 */
327 class no_endpoint : public exception {
328 public:
329 no_endpoint(OPKELE_E_PARS)
330 : exception(OPKELE_E_CONS) { }
331 };
332
314} 333}
315 334
316#endif /* __OPKELE_EXCEPTION_H */ 335#endif /* __OPKELE_EXCEPTION_H */
diff --git a/include/opkele/extension.h b/include/opkele/extension.h
index 513672f..3ee25ee 100644
--- a/include/opkele/extension.h
+++ b/include/opkele/extension.h
@@ -1,65 +1,66 @@
1#ifndef __OPKELE_EXTENSION_H 1#ifndef __OPKELE_EXTENSION_H
2#define __OPKELE_EXTENSION_H 2#define __OPKELE_EXTENSION_H
3 3
4/** 4/**
5 * @file 5 * @file
6 * @brief extensions framework basics 6 * @brief extensions framework basics
7 */ 7 */
8 8
9#include <opkele/types.h> 9#include <opkele/types.h>
10 10
11namespace opkele { 11namespace opkele {
12 12
13 /** 13 /**
14 * OpenID extension hooks base class 14 * OpenID extension hooks base class
15 */ 15 */
16 class extension_t { 16 class extension_t {
17 public: 17 public:
18 18
19 virtual ~extension_t() { } 19 virtual ~extension_t() { }
20
20 /** 21 /**
21 * hook called by consumer before submitting data to OpenID server. 22 * hook called by consumer before submitting data to OpenID server.
22 * It is supposed to manipulate parameters list. 23 * It is supposed to manipulate parameters list.
23 * @param p parameters about to be submitted to server 24 * @param p parameters about to be submitted to server
24 * @param identity identity being verified. It may differ from the 25 * @param identity identity being verified. It may differ from the
25 * one available in parameters list in case of delegation 26 * one available in parameters list in case of delegation
26 * @see consumer_t::checkid_ 27 * @see consumer_t::checkid_
27 * @see consumer_t::checkid_immediate 28 * @see consumer_t::checkid_immediate
28 * @see consumer_t::checkid_setup 29 * @see consumer_t::checkid_setup
29 */ 30 */
30 virtual void checkid_hook(params_t& p,const string& identity); 31 virtual void checkid_hook(basic_openid_message& om);
31 /** 32 /**
32 * hook called by consumer after identity information received from 33 * hook called by consumer after identity information received from
33 * OpenID server is verified. 34 * OpenID server is verified.
34 * @param p parameters received from server 35 * @param p parameters received from server
35 * @param sp signed parameters received from server with 'openid.' 36 * @param sp signed parameters received from server with 'openid.'
36 * leader stripped 37 * leader stripped
37 * @param identity identity confirmed. May differ from the one 38 * @param identity identity confirmed. May differ from the one
38 * available in parameters list in case of delegation. May also be 39 * available in parameters list in case of delegation. May also be
39 * empty which means - extract one from parameters 40 * empty which means - extract one from parameters
40 * @see consumer_t::id_res 41 * @see consumer_t::id_res
41 */ 42 */
42 virtual void id_res_hook(const params_t& p,const params_t& sp,const string& identity); 43 virtual void id_res_hook(const basic_openid_message& om,const basic_openid_message& sp);
43 44
44 /** 45 /**
45 * hook called by server before returning information to consumer. 46 * hook called by server before returning information to consumer.
46 * The hook may manipulate output parameters. It is important to 47 * The hook may manipulate output parameters. It is important to
47 * note that modified pout["signed"] is used for signing response. 48 * note that modified pout["signed"] is used for signing response.
48 * @param pin request parameters list with "openid." prefix 49 * @param pin request parameters list with "openid." prefix
49 * @param pout response parameters list without "openid." prefix 50 * @param pout response parameters list without "openid." prefix
50 * @see server_t::checkid_ 51 * @see server_t::checkid_
51 * @see server_t::checkid_immediate 52 * @see server_t::checkid_immediate
52 * @see server_t::checkid_setup 53 * @see server_t::checkid_setup
53 */ 54 */
54 virtual void checkid_hook(const params_t& pin,params_t& pout); 55 virtual void checkid_hook(const basic_openid_message& inm,basic_openid_message& oum);
55 56
56 /** 57 /**
57 * Casts the object to pointer to itself. For convenient passing 58 * Casts the object to pointer to itself. For convenient passing
58 * of pointer. 59 * of pointer.
59 */ 60 */
60 operator extension_t*(void) { return this; } 61 operator extension_t*(void) { return this; }
61 }; 62 };
62 63
63} 64}
64 65
65#endif /* __OPKELE_EXTENSION_H */ 66#endif /* __OPKELE_EXTENSION_H */
diff --git a/include/opkele/extension_chain.h b/include/opkele/extension_chain.h
index f0eea94..fb9bc84 100644
--- a/include/opkele/extension_chain.h
+++ b/include/opkele/extension_chain.h
@@ -1,38 +1,38 @@
1#ifndef __OPKELE_EXTENSION_CHAIN_H 1#ifndef __OPKELE_EXTENSION_CHAIN_H
2#define __OPKELE_EXTENSION_CHAIN_H 2#define __OPKELE_EXTENSION_CHAIN_H
3 3
4/** 4/**
5 * @file 5 * @file
6 * @brief extension chain extension 6 * @brief extension chain extension
7 */ 7 */
8 8
9#include <list> 9#include <list>
10#include <opkele/extension.h> 10#include <opkele/extension.h>
11 11
12namespace opkele { 12namespace opkele {
13 using std::list; 13 using std::list;
14 14
15 /** 15 /**
16 * OpenID extensions chain used to combine extensions, it is actually an 16 * OpenID extensions chain used to combine extensions, it is actually an
17 * stl list of pointers to extensions. 17 * stl list of pointers to extensions.
18 */ 18 */
19 class extension_chain_t : public extension_t, public list<extension_t*> { 19 class extension_chain_t : public extension_t, public list<extension_t*> {
20 public: 20 public:
21 21
22 /** 22 /**
23 * Default constructor creates an empty chain 23 * Default constructor creates an empty chain
24 */ 24 */
25 extension_chain_t() { } 25 extension_chain_t() { }
26 /** 26 /**
27 * Create extension chain with a single extension in it 27 * Create extension chain with a single extension in it
28 */ 28 */
29 extension_chain_t(extension_t *e) { push_back(e); } 29 extension_chain_t(extension_t *e) { push_back(e); }
30 30
31 virtual void checkid_hook(params_t& p,const string& identity); 31 virtual void checkid_hook(basic_openid_message& om);
32 virtual void id_res_hook(const params_t& p,const params_t& sp,const string& identity); 32 virtual void id_res_hook(const basic_openid_message& om,const basic_openid_message& sp);
33 virtual void checkid_hook(const params_t& pin,params_t& pout); 33 virtual void checkid_hook(const basic_openid_message& inm,basic_openid_message& oum);
34 }; 34 };
35 35
36} 36}
37 37
38#endif /* __OPKELE_EXTENSION_CHAIN_H */ 38#endif /* __OPKELE_EXTENSION_CHAIN_H */
diff --git a/include/opkele/prequeue_rp.h b/include/opkele/prequeue_rp.h
new file mode 100644
index 0000000..b98dd5a
--- a/dev/null
+++ b/include/opkele/prequeue_rp.h
@@ -0,0 +1,81 @@
1#ifndef __OPKELE_RP_H
2#define __OPKELE_RP_H
3
4#include <string>
5#include <set>
6#include <iterator>
7#include <opkele/basic_rp.h>
8
9namespace opkele {
10 using std::string;
11 using std::set;
12 using std::iterator;
13 using std::output_iterator_tag;
14
15 class prequeue_RP : public basic_RP {
16 public:
17 /**
18 * @name Session persistent store API
19 * @{
20 */
21 /**
22 * Called before queueing discovered endpoints. Typically happens
23 * while initiating authentication session.
24 * @see queue_endpoint()
25 * @see end_queueing()
26 */
27 virtual void begin_queueing() { }
28 /**
29 * Used to queue discovered endpoint. It is implementors
30 * responsibility to store the endpoint wherever he choses to store
31 * it.
32 * @param oep the endpoint to queue
33 * @see begin_queueing()
34 * @see end_queueing()
35 */
36 virtual void queue_endpoint(const openid_endpoint_t& oep) = 0;
37 /**
38 * Called after all discovered endpoints were queued. Implementor
39 * may chose to use this virtual to commit endpoints queue to
40 * persistent store.
41 * @see begin_queueing()
42 * @see queue_endpoint()
43 */
44 virtual void end_queueing() { }
45
46 /**
47 * Used to store normalized id when initiating request.
48 * The default implementation does nothing, because implementor
49 * doesn't have to care.
50 * @param nid normalized id
51 * @see get_normalzied_id()
52 */
53 virtual void set_normalized_id(const string& nid);
54 /**
55 * Return the normalized id previously set by set_normalized_id().
56 * Provided for the sake of completeness because default
57 * implementation doesn't use it.
58 * @return the normalized identity
59 */
60 virtual const string get_normalized_id() const;
61 /**
62 * @}
63 */
64
65 /**
66 * @name Actions
67 * @{
68 */
69 void initiate(const string& usi);
70
71 /**
72 * @}
73 */
74
75 void verify_OP(const string& OP,
76 const string& claimed_id,const string& identity) const;
77 };
78
79}
80
81#endif /* __OPKELE_RP_H */
diff --git a/include/opkele/sreg.h b/include/opkele/sreg.h
index df37a86..24cb315 100644
--- a/include/opkele/sreg.h
+++ b/include/opkele/sreg.h
@@ -93,111 +93,111 @@ namespace opkele {
93 */ 93 */
94 long fields_required; 94 long fields_required;
95 /** 95 /**
96 * Bitmask for fields that will be used by the Consumer, but whose 96 * Bitmask for fields that will be used by the Consumer, but whose
97 * absence will not prevent the registration from completing. 97 * absence will not prevent the registration from completing.
98 */ 98 */
99 long fields_optional; 99 long fields_optional;
100 /** 100 /**
101 * A URL which the Consumer provides to give the End User a place 101 * A URL which the Consumer provides to give the End User a place
102 * to read about the how the profile data will be used. The 102 * to read about the how the profile data will be used. The
103 * Identity Provider SHOULD display this URL to the End User if it 103 * Identity Provider SHOULD display this URL to the End User if it
104 * is given. 104 * is given.
105 */ 105 */
106 string policy_url; 106 string policy_url;
107 107
108 /** 108 /**
109 * Bitmask for fields present in response 109 * Bitmask for fields present in response
110 */ 110 */
111 long has_fields; 111 long has_fields;
112 /** 112 /**
113 * Container type for response fields values 113 * Container type for response fields values
114 */ 114 */
115 typedef map<fieldbit_t,string> response_t; 115 typedef map<fieldbit_t,string> response_t;
116 /** 116 /**
117 * Response contents 117 * Response contents
118 */ 118 */
119 response_t response; 119 response_t response;
120 120
121 /** 121 /**
122 * Fields bitmask to send in response 122 * Fields bitmask to send in response
123 */ 123 */
124 long fields_response; 124 long fields_response;
125 125
126 /** 126 /**
127 * Consumer constructor. 127 * Consumer constructor.
128 * @param fr required fields 128 * @param fr required fields
129 * @see fields_required 129 * @see fields_required
130 * @param fo optional fields 130 * @param fo optional fields
131 * @see fields_optional 131 * @see fields_optional
132 * @param pu policy url 132 * @param pu policy url
133 * @see policy_url 133 * @see policy_url
134 */ 134 */
135 sreg_t(long fr=fields_NONE,long fo=fields_NONE,const string& pu="") 135 sreg_t(long fr=fields_NONE,long fo=fields_NONE,const string& pu="")
136 : fields_required(fr), fields_optional(fo), policy_url(pu), has_fields(0) { } 136 : fields_required(fr), fields_optional(fo), policy_url(pu), has_fields(0) { }
137 137
138 /** 138 /**
139 * Implementation of consumer's checkid hook 139 * Implementation of consumer's checkid hook
140 */ 140 */
141 virtual void checkid_hook(params_t& p,const string& identity); 141 virtual void checkid_hook(basic_openid_message& om);
142 /** 142 /**
143 * Implementation of consumer's id_res hook 143 * Implementation of consumer's id_res hook
144 */ 144 */
145 virtual void id_res_hook(const params_t& p,const params_t& sp,const string& identity); 145 virtual void id_res_hook(const basic_openid_message& om,const basic_openid_message& sp);
146 /** 146 /**
147 * Implementation of server's checkid_hook 147 * Implementation of server's checkid_hook
148 */ 148 */
149 virtual void checkid_hook(const params_t& pin,params_t& pout); 149 virtual void checkid_hook(const basic_openid_message& inm,basic_openid_message& oum);
150 150
151 /** 151 /**
152 * Check and see if we have value for some particular field. 152 * Check and see if we have value for some particular field.
153 * @param fb field in question 153 * @param fb field in question
154 * @see fieldbit_t 154 * @see fieldbit_t
155 * @return true if the value is available 155 * @return true if the value is available
156 */ 156 */
157 bool has_field(fieldbit_t fb) const { return has_fields&fb; } 157 bool has_field(fieldbit_t fb) const { return has_fields&fb; }
158 158
159 /** 159 /**
160 * Retrieve the value for a field. 160 * Retrieve the value for a field.
161 * @param fb field in question 161 * @param fb field in question
162 * @see fieldbit_t 162 * @see fieldbit_t
163 * @return field value 163 * @return field value
164 * @throw failed_lookup if no data avaialble 164 * @throw failed_lookup if no data avaialble
165 */ 165 */
166 const string& get_field(fieldbit_t fb) const; 166 const string& get_field(fieldbit_t fb) const;
167 167
168 /** 168 /**
169 * Set the value for a field. 169 * Set the value for a field.
170 * @param fb field in question 170 * @param fb field in question
171 * @see fieldbit_t 171 * @see fieldbit_t
172 * @param fv field value 172 * @param fv field value
173 */ 173 */
174 void set_field(fieldbit_t fb,const string& fv); 174 void set_field(fieldbit_t fb,const string& fv);
175 175
176 /** 176 /**
177 * Remove the value for a field. 177 * Remove the value for a field.
178 * @param fb field in question 178 * @param fb field in question
179 * @see fieldbit_t 179 * @see fieldbit_t
180 */ 180 */
181 void reset_field(fieldbit_t fb); 181 void reset_field(fieldbit_t fb);
182 182
183 /** 183 /**
184 * Reset field data 184 * Reset field data
185 */ 185 */
186 void clear(); 186 void clear();
187 187
188 /** 188 /**
189 * Function called after parsing sreg request to set up response 189 * Function called after parsing sreg request to set up response
190 * fields. The default implementation tries to send as much fields 190 * fields. The default implementation tries to send as much fields
191 * as we have. The function is supposed to set the data and 191 * as we have. The function is supposed to set the data and
192 * fields_response. 192 * fields_response.
193 * @see fields_response 193 * @see fields_response
194 * @param pin input request parameters with "openid." prefix 194 * @param pin input request parameters with "openid." prefix
195 * @param pout output request parameters without "openid." prefix. 195 * @param pout output request parameters without "openid." prefix.
196 * @see checkid_hook(const params_t&,params_t&) 196 * @see checkid_hook(const params_t&,params_t&)
197 */ 197 */
198 virtual void setup_response(const params_t& pin,params_t& pout); 198 virtual void setup_response(const basic_openid_message& inm,basic_openid_message& oum);
199 199
200 }; 200 };
201} 201}
202 202
203#endif /* __OPKELE_SREG_H */ 203#endif /* __OPKELE_SREG_H */
diff --git a/include/opkele/types.h b/include/opkele/types.h
index de44a5c..d5ad258 100644
--- a/include/opkele/types.h
+++ b/include/opkele/types.h
@@ -1,246 +1,207 @@
1#ifndef __OPKELE_TYPES_H 1#ifndef __OPKELE_TYPES_H
2#define __OPKELE_TYPES_H 2#define __OPKELE_TYPES_H
3 3
4/** 4/**
5 * @file 5 * @file
6 * @brief various types declarations 6 * @brief various types declarations
7 */ 7 */
8 8
9#include <ostream> 9#include <ostream>
10#include <vector> 10#include <vector>
11#include <string> 11#include <string>
12#include <map> 12#include <map>
13#include <set> 13#include <set>
14#include <list>
15#include <opkele/iterator.h>
14#include <opkele/tr1-mem.h> 16#include <opkele/tr1-mem.h>
15 17
16namespace opkele { 18namespace opkele {
17 using std::vector; 19 using std::vector;
18 using std::string; 20 using std::string;
19 using std::map; 21 using std::map;
20 using std::ostream; 22 using std::ostream;
21 using std::multimap; 23 using std::multimap;
22 using std::set; 24 using std::set;
25 using std::list;
26 using std::iterator;
27 using std::forward_iterator_tag;
23 28
24 /** 29 /**
25 * the OpenID operation mode 30 * the OpenID operation mode
26 */ 31 */
27 typedef enum _mode_t { 32 typedef enum _mode_t {
28 mode_associate, 33 mode_associate,
29 mode_checkid_immediate, 34 mode_checkid_immediate,
30 mode_checkid_setup, 35 mode_checkid_setup,
31 mode_check_association 36 mode_check_association
32 } mode_t; 37 } mode_t;
33 38
34 /** 39 /**
35 * the association secret container 40 * the association secret container
36 */ 41 */
37 class secret_t : public vector<unsigned char> { 42 class secret_t : public vector<unsigned char> {
38 public: 43 public:
39 44
40 /** 45 /**
41 * xor the secret and hmac together and encode, using base64 46 * xor the secret and hmac together and encode, using base64
42 * @param key_d pointer to the message digest 47 * @param key_d pointer to the message digest
43 * @param rv reference to the return value 48 * @param rv reference to the return value
44 */ 49 */
45 void enxor_to_base64(const unsigned char *key_d,string& rv) const; 50 void enxor_to_base64(const unsigned char *key_d,string& rv) const;
46 /** 51 /**
47 * decode base64-encoded secret and xor it with the message digest 52 * decode base64-encoded secret and xor it with the message digest
48 * @param key_d pointer to the message digest 53 * @param key_d pointer to the message digest
49 * @param b64 base64-encoded secret value 54 * @param b64 base64-encoded secret value
50 */ 55 */
51 void enxor_from_base64(const unsigned char *key_d,const string& b64); 56 void enxor_from_base64(const unsigned char *key_d,const string& b64);
52 /** 57 /**
53 * plainly encode to base64 representation 58 * plainly encode to base64 representation
54 * @param rv reference to the return value 59 * @param rv reference to the return value
55 */ 60 */
56 void to_base64(string& rv) const; 61 void to_base64(string& rv) const;
57 /** 62 /**
58 * decode cleartext secret from base64 63 * decode cleartext secret from base64
59 * @param b64 base64-encoded representation of the secret value 64 * @param b64 base64-encoded representation of the secret value
60 */ 65 */
61 void from_base64(const string& b64); 66 void from_base64(const string& b64);
62 }; 67 };
63 68
64 /** 69 /**
65 * Interface to the association. 70 * Interface to the association.
66 */ 71 */
67 class association_t { 72 class association_t {
68 public: 73 public:
69 74
70 virtual ~association_t() { } 75 virtual ~association_t() { }
71 76
72 /** 77 /**
73 * retrieve the server with which association was established. 78 * retrieve the server with which association was established.
74 * @return server name 79 * @return server name
75 */ 80 */
76 virtual string server() const = 0; 81 virtual string server() const = 0;
77 /** 82 /**
78 * retrieve the association handle. 83 * retrieve the association handle.
79 * @return handle 84 * @return handle
80 */ 85 */
81 virtual string handle() const = 0; 86 virtual string handle() const = 0;
82 /** 87 /**
83 * retrieve the association type. 88 * retrieve the association type.
84 * @return association type 89 * @return association type
85 */ 90 */
86 virtual string assoc_type() const = 0; 91 virtual string assoc_type() const = 0;
87 /** 92 /**
88 * retrieve the association secret. 93 * retrieve the association secret.
89 * @return association secret 94 * @return association secret
90 */ 95 */
91 virtual secret_t secret() const = 0; 96 virtual secret_t secret() const = 0;
92 /** 97 /**
93 * retrieve the number of seconds the association expires in. 98 * retrieve the number of seconds the association expires in.
94 * @return seconds till expiration 99 * @return seconds till expiration
95 */ 100 */
96 virtual int expires_in() const = 0; 101 virtual int expires_in() const = 0;
97 /** 102 /**
98 * check whether the association is stateless. 103 * check whether the association is stateless.
99 * @return true if stateless 104 * @return true if stateless
100 */ 105 */
101 virtual bool stateless() const = 0; 106 virtual bool stateless() const = 0;
102 /** 107 /**
103 * check whether the association is expired. 108 * check whether the association is expired.
104 * @return true if expired 109 * @return true if expired
105 */ 110 */
106 virtual bool is_expired() const = 0; 111 virtual bool is_expired() const = 0;
107 }; 112 };
108 113
109 /** 114 /**
110 * the shared_ptr<> for association_t object type 115 * the shared_ptr<> for association_t object type
111 */ 116 */
112 typedef tr1mem::shared_ptr<association_t> assoc_t; 117 typedef tr1mem::shared_ptr<association_t> assoc_t;
113 118
119 class basic_openid_message {
120 public:
121 typedef list<string> fields_t;
122 typedef util::forward_iterator_proxy<
123 string,const string&,const string*
124 > fields_iterator;
125
126 basic_openid_message() { }
127 basic_openid_message(const basic_openid_message& x);
128 void copy_to(basic_openid_message& x) const;
129
130 virtual bool has_field(const string& n) const = 0;
131 virtual const string& get_field(const string& n) const = 0;
132
133 virtual bool has_ns(const string& uri) const;
134 virtual string get_ns(const string& uri) const;
135
136 virtual fields_iterator fields_begin() const = 0;
137 virtual fields_iterator fields_end() const = 0;
138
139 virtual string append_query(const string& url) const;
140 virtual string query_string() const;
141
142
143 virtual void reset_fields();
144 virtual void set_field(const string& n,const string& v);
145 virtual void reset_field(const string& n);
146
147 virtual void from_keyvalues(const string& kv);
148
149 void add_to_signed(const string& fields);
150 string find_ns(const string& uri,const char *pfx) const;
151 string allocate_ns(const string& uri,const char *pfx);
152 };
153
154 class openid_message_t : public basic_openid_message, public map<string,string> {
155 public:
156 openid_message_t() { }
157 openid_message_t(const basic_openid_message& x)
158 : basic_openid_message(x) { }
159
160 void copy_to(basic_openid_message& x) const;
161
162 bool has_field(const string& n) const;
163 const string& get_field(const string& n) const;
164 virtual fields_iterator fields_begin() const;
165 virtual fields_iterator fields_end() const;
166
167 void reset_fields();
168 void set_field(const string& n,const string& v);
169 void reset_field(const string& n);
170 };
171
114 /** 172 /**
115 * request/response parameters map 173 * request/response parameters map
116 */ 174 */
117 class params_t : public map<string,string> { 175 class params_t : public openid_message_t {
118 public: 176 public:
119 177
120 /** 178 /**
121 * check whether the parameter is present. 179 * check whether the parameter is present.
122 * @param n the parameter name 180 * @param n the parameter name
123 * @return true if yes 181 * @return true if yes
124 */ 182 */
125 bool has_param(const string& n) const; 183 bool has_param(const string& n) const {
184 return has_field(n); }
126 /** 185 /**
127 * retrieve the parameter (const version) 186 * retrieve the parameter (const version)
128 * @param n the parameter name 187 * @param n the parameter name
129 * @return the parameter value 188 * @return the parameter value
130 * @throw failed_lookup if there is no such parameter 189 * @throw failed_lookup if there is no such parameter
131 */ 190 */
132 const string& get_param(const string& n) const; 191 const string& get_param(const string& n) const {
133 /** 192 return get_field(n); }
134 * retrieve the parameter.
135 * @param n the parameter name
136 * @return the parameter value
137 * @throw failed_lookup if there is no such parameter
138 */
139 string& get_param(const string& n);
140 193
141 /** 194 /**
142 * parse the OpenID key/value data. 195 * parse the OpenID key/value data.
143 * @param kv the OpenID key/value data 196 * @param kv the OpenID key/value data
144 */ 197 */
145 void parse_keyvalues(const string& kv); 198 void parse_keyvalues(const string& kv) {
146 /** 199 from_keyvalues(kv); }
147 * sign the fields.
148 * @param secret the secret used for signing
149 * @param sig reference to the string, containing base64-encoded
150 * result
151 * @param slist the comma-separated list of fields to sign
152 * @param prefix the string to prepend to parameter names
153 */
154 void sign(secret_t secret,string& sig,const string& slist,const char *prefix=0) const;
155 200
156 /** 201 string append_query(const string& url,const char *prefix="openid.") const;
157 * append parameters to the URL as a GET-request parameters.
158 * @param url the base URL
159 * @param prefix the string to prepend to parameter names
160 * @return the ready-to-use location
161 */
162 string append_query(const string& url,const char *prefix = "openid.") const;
163 202
164 /**
165 * make up a query string suitable for use in GET and POST
166 * requests.
167 * @param prefix string to prened to parameter names
168 * @return query string
169 */
170 string query_string(const char *prefix = "openid.") const;
171 }; 203 };
172 204
173 /**
174 * dump the key/value pairs for the parameters to the stream.
175 * @param o output stream
176 * @param p the parameters
177 */
178 ostream& operator << (ostream& o,const params_t& p);
179
180 namespace xrd {
181
182 struct priority_compare {
183 inline bool operator()(long a,long b) const {
184 return (a<0) ? false : (b<0) ? true : (a<b);
185 }
186 };
187
188 template <typename _DT>
189 class priority_map : public multimap<long,_DT,priority_compare> {
190 typedef multimap<long,_DT,priority_compare> map_type;
191 public:
192
193 inline _DT& add(long priority,const _DT& d) {
194 return insert(typename map_type::value_type(priority,d))->second;
195 }
196 };
197
198 typedef priority_map<string> canonical_ids_t;
199 typedef priority_map<string> local_ids_t;
200 typedef set<string> types_t;
201 typedef priority_map<string> uris_t;
202
203 class service_t {
204 public:
205 types_t types;
206 uris_t uris;
207 local_ids_t local_ids;
208 string provider_id;
209
210 void clear() {
211 types.clear();
212 uris.clear(); local_ids.clear();
213 provider_id.clear();
214 }
215 };
216 typedef priority_map<service_t> services_t;
217
218 class XRD_t {
219 public:
220 time_t expires;
221
222 canonical_ids_t canonical_ids;
223 local_ids_t local_ids;
224 services_t services;
225 string provider_id;
226
227 void clear() {
228 expires = 0;
229 canonical_ids.clear(); local_ids.clear();
230 services.clear();
231 provider_id.clear();
232 }
233 bool empty() const {
234 return
235 canonical_ids.empty()
236 && local_ids.empty()
237 && services.empty();
238 }
239
240 };
241
242 }
243
244} 205}
245 206
246#endif /* __OPKELE_TYPES_H */ 207#endif /* __OPKELE_TYPES_H */
diff --git a/include/opkele/util.h b/include/opkele/util.h
index 085c9e6..e9176b0 100644
--- a/include/opkele/util.h
+++ b/include/opkele/util.h
@@ -1,56 +1,57 @@
1#ifndef __OPKELE_UTIL_H 1#ifndef __OPKELE_UTIL_H
2#define __OPKELE_UTIL_H 2#define __OPKELE_UTIL_H
3 3
4#include <time.h> 4#include <time.h>
5#include <string> 5#include <string>
6#include <vector> 6#include <vector>
7#include <openssl/bn.h> 7#include <openssl/bn.h>
8#include <openssl/dh.h> 8#include <openssl/dh.h>
9#include <opkele/types.h>
9 10
10namespace opkele { 11namespace opkele {
11 using std::string; 12 using std::string;
12 using std::vector; 13 using std::vector;
13 14
14 /** 15 /**
15 * @brief opkele utils namespace 16 * @brief opkele utils namespace
16 */ 17 */
17 namespace util { 18 namespace util {
18 19
19 /** 20 /**
20 * Convenience class encapsulating SSL BIGNUM object for the purpose of 21 * Convenience class encapsulating SSL BIGNUM object for the purpose of
21 * automatical freeing. 22 * automatical freeing.
22 */ 23 */
23 class bignum_t { 24 class bignum_t {
24 public: 25 public:
25 BIGNUM *_bn; 26 BIGNUM *_bn;
26 27
27 bignum_t() : _bn(0) { } 28 bignum_t() : _bn(0) { }
28 bignum_t(BIGNUM *bn) : _bn(bn) { } 29 bignum_t(BIGNUM *bn) : _bn(bn) { }
29 ~bignum_t() throw() { if(_bn) BN_free(_bn); } 30 ~bignum_t() throw() { if(_bn) BN_free(_bn); }
30 31
31 bignum_t& operator=(BIGNUM *bn) { if(_bn) BN_free(_bn); _bn = bn; return *this; } 32 bignum_t& operator=(BIGNUM *bn) { if(_bn) BN_free(_bn); _bn = bn; return *this; }
32 33
33 operator const BIGNUM*(void) const { return _bn; } 34 operator const BIGNUM*(void) const { return _bn; }
34 operator BIGNUM*(void) { return _bn; } 35 operator BIGNUM*(void) { return _bn; }
35 }; 36 };
36 /** 37 /**
37 * Convenience clas encapsulating SSL DH object for the purpose of 38 * Convenience clas encapsulating SSL DH object for the purpose of
38 * automatic freeing. 39 * automatic freeing.
39 */ 40 */
40 class dh_t { 41 class dh_t {
41 public: 42 public:
42 DH *_dh; 43 DH *_dh;
43 44
44 dh_t() : _dh(0) { } 45 dh_t() : _dh(0) { }
45 dh_t(DH *dh) : _dh(dh) { } 46 dh_t(DH *dh) : _dh(dh) { }
46 ~dh_t() throw() { if(_dh) DH_free(_dh); } 47 ~dh_t() throw() { if(_dh) DH_free(_dh); }
47 48
48 dh_t& operator=(DH *dh) { if(_dh) DH_free(_dh); _dh = dh; return *this; } 49 dh_t& operator=(DH *dh) { if(_dh) DH_free(_dh); _dh = dh; return *this; }
49 50
50 operator const DH*(void) const { return _dh; } 51 operator const DH*(void) const { return _dh; }
51 operator DH*(void) { return _dh; } 52 operator DH*(void) { return _dh; }
52 53
53 DH* operator->() { return _dh; } 54 DH* operator->() { return _dh; }
54 const DH* operator->() const { return _dh; } 55 const DH* operator->() const { return _dh; }
55 }; 56 };
56 57
@@ -91,53 +92,60 @@ namespace opkele {
91 time_t w3c_to_time(const string& w); 92 time_t w3c_to_time(const string& w);
92 93
93 /** 94 /**
94 * Encode string to the representation suitable for using in URL. 95 * Encode string to the representation suitable for using in URL.
95 * @param str string to encode 96 * @param str string to encode
96 * @return encoded string 97 * @return encoded string
97 * @throw failed_conversion in case of failure 98 * @throw failed_conversion in case of failure
98 */ 99 */
99 string url_encode(const string& str); 100 string url_encode(const string& str);
100 101
101 /** 102 /**
102 * Convert number to string 103 * Convert number to string
103 * @param l number 104 * @param l number
104 * @return string representation 105 * @return string representation
105 * @throw failed_conversion in case of failure 106 * @throw failed_conversion in case of failure
106 */ 107 */
107 string long_to_string(long l); 108 string long_to_string(long l);
108 /** 109 /**
109 * Convert string to number 110 * Convert string to number
110 * @param s string, containing the number 111 * @param s string, containing the number
111 * @return the number 112 * @return the number
112 * @throw failed_conversion in case of failure 113 * @throw failed_conversion in case of failure
113 */ 114 */
114 long string_to_long(const string& s); 115 long string_to_long(const string& s);
115 116
116 /** 117 /**
117 * Encode binary data using base64. 118 * Encode binary data using base64.
118 * @param data pointer to binary data 119 * @param data pointer to binary data
119 * @param length length of data 120 * @param length length of data
120 * @return encoded data 121 * @return encoded data
121 */ 122 */
122 string encode_base64(const void *data,size_t length); 123 string encode_base64(const void *data,size_t length);
123 /** 124 /**
124 * Decode binary data from base64 representation. 125 * Decode binary data from base64 representation.
125 * @param data base64-encoded data 126 * @param data base64-encoded data
126 * @param rv container for decoded binary 127 * @param rv container for decoded binary
127 */ 128 */
128 void decode_base64(const string& data,vector<unsigned char>& rv); 129 void decode_base64(const string& data,vector<unsigned char>& rv);
129 130
130 /** 131 /**
131 * Normalize http(s) URI according to RFC3986, section 6. URI is 132 * Normalize http(s) URI according to RFC3986, section 6. URI is
132 * expected to have scheme: in front of it. 133 * expected to have scheme: in front of it.
133 * @param uri URI 134 * @param uri URI
134 * @return normalized URI 135 * @return normalized URI
135 * @throw not_implemented in case of non-httpi(s) URI 136 * @throw not_implemented in case of non-httpi(s) URI
136 * @throw bad_input in case of malformed URI 137 * @throw bad_input in case of malformed URI
137 */ 138 */
138 string rfc_3986_normalize_uri(const string& uri); 139 string rfc_3986_normalize_uri(const string& uri);
140
141 string& strip_uri_fragment_part(string& uri);
142
143 string abi_demangle(const char* mn);
144
145 string base64_signature(const assoc_t& assoc,const basic_openid_message& om);
146
139 } 147 }
140 148
141} 149}
142 150
143#endif /* __OPKELE_UTIL_H */ 151#endif /* __OPKELE_UTIL_H */
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 989de28..c58ec3f 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -1,31 +1,34 @@
1lib_LTLIBRARIES = libopkele.la 1lib_LTLIBRARIES = libopkele.la
2 2
3AM_CPPFLAGS = ${CPPFLAGS_DEBUG} 3AM_CPPFLAGS = ${CPPFLAGS_DEBUG}
4DEFAULT_INCLUDES = -I${top_builddir} 4DEFAULT_INCLUDES = -I${top_builddir}
5INCLUDES = \ 5INCLUDES = \
6 -I${top_srcdir}/include/ \ 6 -I${top_builddir}/include/ -I${top_srcdir}/include/ \
7 ${KONFORKA_CFLAGS} \ 7 ${KONFORKA_CFLAGS} \
8 ${OPENSSL_CFLAGS} \ 8 ${OPENSSL_CFLAGS} \
9 ${LIBCURL_CPPFLAGS} \ 9 ${LIBCURL_CPPFLAGS} \
10 ${PCRE_CFLAGS} ${EXPAT_CFLAGS} ${TIDY_CFLAGS} 10 ${PCRE_CFLAGS} ${EXPAT_CFLAGS} ${TIDY_CFLAGS}
11libopkele_la_LIBADD = \ 11libopkele_la_LIBADD = \
12 ${LIBCURL} \ 12 ${LIBCURL} \
13 ${PCRE_LIBS} ${EXPAT_LIBS} \ 13 ${PCRE_LIBS} ${EXPAT_LIBS} \
14 ${OPENSSL_LIBS} \ 14 ${OPENSSL_LIBS} \
15 ${KONFORKA_LIBS} ${TIDY_LIBS} 15 ${KONFORKA_LIBS} ${TIDY_LIBS}
16 16
17libopkele_la_SOURCES = \ 17libopkele_la_SOURCES = \
18 params.cc \ 18 params.cc \
19 util.cc \ 19 util.cc \
20 server.cc \ 20 server.cc \
21 secret.cc \ 21 secret.cc \
22 data.cc \ 22 data.cc \
23 consumer.cc \ 23 consumer.cc \
24 exception.cc \ 24 exception.cc \
25 extension.cc \ 25 extension.cc \
26 sreg.cc \ 26 sreg.cc \
27 extension_chain.cc \ 27 extension_chain.cc \
28 curl.cc expat.cc \ 28 curl.cc expat.cc \
29 discovery.cc 29 discovery.cc \
30 basic_rp.cc \
31 prequeue_rp.cc \
32 openid_message.cc
30libopkele_la_LDFLAGS = \ 33libopkele_la_LDFLAGS = \
31 -version-info 2:0:0 34 -version-info 2:0:0
diff --git a/lib/basic_rp.cc b/lib/basic_rp.cc
new file mode 100644
index 0000000..763a391
--- a/dev/null
+++ b/lib/basic_rp.cc
@@ -0,0 +1,311 @@
1#include <openssl/sha.h>
2#include <openssl/hmac.h>
3#include <opkele/basic_rp.h>
4#include <opkele/exception.h>
5#include <opkele/uris.h>
6#include <opkele/data.h>
7#include <opkele/util.h>
8#include <opkele/curl.h>
9
10namespace opkele {
11
12 static void dh_get_secret(
13 secret_t& secret, const basic_openid_message& om,
14 const char *exp_assoc, const char *exp_sess,
15 util::dh_t& dh,
16 size_t d_len, unsigned char *(*d_fun)(const unsigned char*,size_t,unsigned char*) ) try {
17 if(om.get_field("assoc_type")!=exp_assoc || om.get_field("session_type")!=exp_sess)
18 throw bad_input(OPKELE_CP_ "Unexpected associate response");
19 util::bignum_t s_pub = util::base64_to_bignum(om.get_field("dh_server_public"));
20 vector<unsigned char> ck(DH_size(dh)+1);
21 unsigned char *ckptr = &(ck.front())+1;
22 int cklen = DH_compute_key(ckptr,s_pub,dh);
23 if(cklen<0)
24 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
25 if(cklen && (*ckptr)&0x80) {
26 (*(--ckptr))=0; ++cklen; }
27 unsigned char key_digest[d_len];
28 secret.enxor_from_base64((*d_fun)(ckptr,cklen,key_digest),om.get_field("enc_mac_key"));
29 }catch(opkele::failed_lookup& ofl) {
30 throw bad_input(OPKELE_CP_ "Incoherent response from OP");
31 } OPKELE_RETHROW
32
33 static void direct_request(basic_openid_message& oum,const basic_openid_message& inm,const string& OP) {
34 util::curl_pick_t curl = util::curl_pick_t::easy_init();
35 if(!curl)
36 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
37 string request = inm.query_string();
38 CURLcode r;
39 (r=curl.misc_sets())
40 || (r=curl.easy_setopt(CURLOPT_URL,OP.c_str()))
41 || (r=curl.easy_setopt(CURLOPT_POST,1))
42 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
43 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
44 || (r=curl.set_write());
45 if(r)
46 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
47 if( (r=curl.easy_perform()) )
48 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
49 oum.from_keyvalues(curl.response);
50 }
51
52
53 assoc_t basic_RP::associate(const string& OP) {
54 util::dh_t dh = DH_new();
55 if(!dh)
56 throw exception_openssl(OPKELE_CP_ "failed to DH_new()");
57 dh->p = util::dec_to_bignum(data::_default_p);
58 dh->g = util::dec_to_bignum(data::_default_g);
59 if(!DH_generate_key(dh))
60 throw exception_openssl(OPKELE_CP_ "failed to DH_generate_key()");
61 openid_message_t req;
62 req.set_field("ns",OIURI_OPENID20);
63 req.set_field("mode","associate");
64 req.set_field("dh_modulus",util::bignum_to_base64(dh->p));
65 req.set_field("dh_gen",util::bignum_to_base64(dh->g));
66 req.set_field("dh_consumer_public",util::bignum_to_base64(dh->pub_key));
67 openid_message_t res;
68 req.set_field("assoc_type","HMAC-SHA256");
69 req.set_field("session_type","DH-SHA256");
70 secret_t secret;
71 int expires_in;
72 try {
73 direct_request(res,req,OP);
74 dh_get_secret( secret, res,
75 "HMAC-SHA256", "DH-SHA256",
76 dh, SHA256_DIGEST_LENGTH, SHA256 );
77 expires_in = util::string_to_long(res.get_field("expires_in"));
78 }catch(exception& e) {
79 try {
80 req.set_field("assoc_type","HMAC-SHA1");
81 req.set_field("session_type","DH-SHA1");
82 direct_request(res,req,OP);
83 dh_get_secret( secret, res,
84 "HMAC-SHA1", "DH-SHA1",
85 dh, SHA_DIGEST_LENGTH, SHA1 );
86 expires_in = util::string_to_long(res.get_field("expires_in"));
87 }catch(bad_input& e) {
88 throw dumb_RP(OPKELE_CP_ "OP failed to supply an association");
89 }
90 }
91 return store_assoc(
92 OP, res.get_field("assoc_handle"),
93 res.get_field("assoc_type"), secret,
94 expires_in );
95 }
96
97 basic_openid_message& basic_RP::checkid_(
98 basic_openid_message& rv,
99 mode_t mode,
100 const string& return_to,const string& realm,
101 extension_t *ext) {
102 rv.reset_fields();
103 rv.set_field("ns",OIURI_OPENID20);
104 if(mode==mode_checkid_immediate)
105 rv.set_field("mode","checkid_immediate");
106 else if(mode==mode_checkid_setup)
107 rv.set_field("mode","checkid_setup");
108 else
109 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
110 if(realm.empty() && return_to.empty())
111 throw bad_input(OPKELE_CP_ "At least one of realm and return_to must be non-empty");
112 if(!realm.empty()) {
113 rv.set_field("realm",realm);
114 rv.set_field("trust_root",realm);
115 }
116 if(!return_to.empty())
117 rv.set_field("return_to",return_to);
118 const openid_endpoint_t& ep = get_endpoint();
119 rv.set_field("claimed_id",ep.claimed_id);
120 rv.set_field("identity",ep.local_id);
121 try {
122 rv.set_field("assoc_handle",find_assoc(ep.uri)->handle());
123 }catch(dumb_RP& drp) {
124 }catch(failed_lookup& fl) {
125 try {
126 rv.set_field("assoc_handle",associate(ep.uri)->handle());
127 }catch(dumb_RP& drp) { }
128 } OPKELE_RETHROW
129 if(ext) ext->checkid_hook(rv);
130 return rv;
131 }
132
133 class signed_part_message_proxy : public basic_openid_message {
134 public:
135 const basic_openid_message& x;
136 set<string> signeds;
137
138 signed_part_message_proxy(const basic_openid_message& xx) : x(xx) {
139 const string& slist = x.get_field("signed");
140 string::size_type p = 0;
141 while(true) {
142 string::size_type co = slist.find(',',p);
143 string f = (co==string::npos)
144 ?slist.substr(p):slist.substr(p,co-p);
145 signeds.insert(f);
146 if(co==string::npos) break;
147 p = co+1;
148 }
149 }
150
151 bool has_field(const string& n) const {
152 return signeds.find(n)!=signeds.end() && x.has_field(n); }
153 const string& get_field(const string& n) const {
154 if(signeds.find(n)==signeds.end())
155 throw failed_lookup(OPKELE_CP_ "The field isn't known to be signed");
156 return x.get_field(n); }
157
158 fields_iterator fields_begin() const {
159 return signeds.begin(); }
160 fields_iterator fields_end() const {
161 return signeds.end(); }
162 };
163
164 static void parse_query(const string& u,string::size_type q,
165 map<string,string>& p) {
166 if(q==string::npos)
167 return;
168 assert(u[q]=='?');
169 ++q;
170 string::size_type l = u.size();
171 while(q<l) {
172 string::size_type eq = u.find('=',q);
173 string::size_type am = u.find('&',q);
174 if(am==string::npos) {
175 if(eq==string::npos) {
176 p[""] = u.substr(q);
177 }else{
178 p[u.substr(q,eq-q)] = u.substr(eq+1);
179 }
180 break;
181 }else{
182 if(eq==string::npos || eq>am) {
183 p[""] = u.substr(q,eq-q);
184 }else{
185 p[u.substr(q,eq-q)] = u.substr(eq+1,am-eq-1);
186 }
187 q = ++am;
188 }
189 }
190 }
191
192 void basic_RP::id_res(const basic_openid_message& om,extension_t *ext) {
193 bool o2 = om.has_field("ns")
194 && om.get_field("ns")==OIURI_OPENID20;
195 if( (!o2) && om.has_field("user_setup_url"))
196 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",
197 om.get_field("user_setup_url"));
198 string m = om.get_field("mode");
199 if(o2 && m=="setup_needed")
200 throw id_res_setup(OPKELE_CP_ "setup needed, no setup url provided");
201 if(m=="cancel")
202 throw id_res_cancel(OPKELE_CP_ "authentication cancelled");
203 bool go_dumb=false;
204 try {
205 string OP = o2
206 ?om.get_field("op_endpoint")
207 :get_endpoint().uri;
208 assoc_t assoc = retrieve_assoc(
209 OP,om.get_field("assoc_handle"));
210 if(om.get_field("sig")!=util::base64_signature(assoc,om))
211 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
212 }catch(dumb_RP& drp) {
213 go_dumb=true;
214 }catch(failed_lookup& e) {
215 go_dumb=true;
216 } OPKELE_RETHROW
217 if(go_dumb) {
218 try {
219 string OP = o2
220 ?om.get_field("op_endpoint")
221 :get_endpoint().uri;
222 check_authentication(OP,om);
223 }catch(failed_check_authentication& fca) {
224 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
225 } OPKELE_RETHROW
226 }
227 signed_part_message_proxy signeds(om);
228 if(o2) {
229 check_nonce(om.get_field("op_endpoint"),
230 om.get_field("response_nonce"));
231 static const char *mustsign[] = {
232 "op_endpoint", "return_to", "response_nonce", "assoc_handle",
233 "claimed_id", "identity" };
234 for(int ms=0;ms<(sizeof(mustsign)/sizeof(*mustsign));++ms) {
235 if(om.has_field(mustsign[ms]) && !signeds.has_field(mustsign[ms]))
236 throw bad_input(OPKELE_CP_ string("Field '")+mustsign[ms]+"' is not signed against the specs");
237 }
238 if( (
239 (om.has_field("claimed_id")?1:0)
240 ^
241 (om.has_field("identity")?1:0)
242 )&1 )
243 throw bad_input(OPKELE_CP_ "claimed_id and identity must be either both present or both absent");
244
245 string turl = util::rfc_3986_normalize_uri(get_this_url());
246 util::strip_uri_fragment_part(turl);
247 string rurl = util::rfc_3986_normalize_uri(om.get_field("return_to"));
248 util::strip_uri_fragment_part(rurl);
249 string::size_type
250 tq = turl.find('?'), rq = rurl.find('?');
251 if(
252 ((tq==string::npos)?turl:turl.substr(0,tq))
253 !=
254 ((rq==string::npos)?rurl:rurl.substr(0,rq))
255 )
256 throw id_res_bad_return_to(OPKELE_CP_ "return_to url doesn't match request url");
257 map<string,string> tp; parse_query(turl,tq,tp);
258 map<string,string> rp; parse_query(rurl,rq,rp);
259 for(map<string,string>::const_iterator rpi=rp.begin();rpi!=rp.end();++rpi) {
260 map<string,string>::const_iterator tpi = tp.find(rpi->first);
261 if(tpi==tp.end())
262 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to is missing from the request");
263 if(tpi->second!=rpi->second)
264 throw id_res_bad_return_to(OPKELE_CP_ string("Parameter '")+rpi->first+"' from return_to doesn't matche the request");
265 }
266
267 if(om.has_field("claimed_id")) {
268 verify_OP(
269 om.get_field("op_endpoint"),
270 om.get_field("claimed_id"),
271 om.get_field("identity") );
272 }
273
274 }
275 if(ext) ext->id_res_hook(om,signeds);
276 }
277
278 class check_auth_message_proxy : public basic_openid_message {
279 public:
280 const basic_openid_message& x;
281
282 check_auth_message_proxy(const basic_openid_message& xx) : x(xx) { }
283
284 bool has_field(const string& n) const { return x.has_field(n); }
285 const string& get_field(const string& n) const {
286 static const string checkauthmode="check_authentication";
287 return (n=="mode")?checkauthmode:x.get_field(n); }
288 bool has_ns(const string& uri) const {return x.has_ns(uri); }
289 string get_ns(const string& uri) const { return x.get_ns(uri); }
290 fields_iterator fields_begin() const {
291 return x.fields_begin(); }
292 fields_iterator fields_end() const {
293 return x.fields_end(); }
294 };
295
296 void basic_RP::check_authentication(const string& OP,
297 const basic_openid_message& om){
298 openid_message_t res;
299 direct_request(res,check_auth_message_proxy(om),OP);
300 if(res.has_field("is_valid")) {
301 if(res.get_field("is_valid")=="true") {
302 if(res.has_field("invalidate_handle"))
303 invalidate_assoc(OP,res.get_field("invalidate_handle"));
304 return;
305 }
306 }
307 throw failed_check_authentication(
308 OPKELE_CP_ "failed to verify response");
309 }
310
311}
diff --git a/lib/consumer.cc b/lib/consumer.cc
index 3c3b4f8..ebda262 100644
--- a/lib/consumer.cc
+++ b/lib/consumer.cc
@@ -109,165 +109,165 @@ namespace opkele {
109 int cklen = DH_compute_key(ckptr,s_pub,dh); 109 int cklen = DH_compute_key(ckptr,s_pub,dh);
110 if(cklen<0) 110 if(cklen<0)
111 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()"); 111 throw exception_openssl(OPKELE_CP_ "failed to DH_compute_key()");
112 if(cklen && (*ckptr)&0x80) { 112 if(cklen && (*ckptr)&0x80) {
113 (*(--ckptr)) = 0; ++cklen; 113 (*(--ckptr)) = 0; ++cklen;
114 } 114 }
115 unsigned char key_sha1[SHA_DIGEST_LENGTH]; 115 unsigned char key_sha1[SHA_DIGEST_LENGTH];
116 SHA1(ckptr,cklen,key_sha1); 116 SHA1(ckptr,cklen,key_sha1);
117 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key")); 117 secret.enxor_from_base64(key_sha1,p.get_param("enc_mac_key"));
118 } 118 }
119 int expires_in = 0; 119 int expires_in = 0;
120 if(p.has_param("expires_in")) { 120 if(p.has_param("expires_in")) {
121 expires_in = util::string_to_long(p.get_param("expires_in")); 121 expires_in = util::string_to_long(p.get_param("expires_in"));
122 }else if(p.has_param("issued") && p.has_param("expiry")) { 122 }else if(p.has_param("issued") && p.has_param("expiry")) {
123 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued")); 123 expires_in = util::w3c_to_time(p.get_param("expiry"))-util::w3c_to_time(p.get_param("issued"));
124 }else 124 }else
125 throw bad_input(OPKELE_CP_ "no expiration information"); 125 throw bad_input(OPKELE_CP_ "no expiration information");
126 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in); 126 return store_assoc(server,p.get_param("assoc_handle"),secret,expires_in);
127 } 127 }
128 128
129 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 129 string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
130 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); 130 return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext);
131 } 131 }
132 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 132 string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
133 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); 133 return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext);
134 } 134 }
135 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { 135 string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) {
136 params_t p; 136 params_t p;
137 if(mode==mode_checkid_immediate) 137 if(mode==mode_checkid_immediate)
138 p["mode"]="checkid_immediate"; 138 p["mode"]="checkid_immediate";
139 else if(mode==mode_checkid_setup) 139 else if(mode==mode_checkid_setup)
140 p["mode"]="checkid_setup"; 140 p["mode"]="checkid_setup";
141 else 141 else
142 throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); 142 throw bad_input(OPKELE_CP_ "unknown checkid_* mode");
143 string iurl = canonicalize(identity); 143 string iurl = canonicalize(identity);
144 string server, delegate; 144 string server, delegate;
145 retrieve_links(iurl,server,delegate); 145 retrieve_links(iurl,server,delegate);
146 p["identity"] = delegate.empty()?iurl:delegate; 146 p["identity"] = delegate.empty()?iurl:delegate;
147 if(!trust_root.empty()) 147 if(!trust_root.empty())
148 p["trust_root"] = trust_root; 148 p["trust_root"] = trust_root;
149 p["return_to"] = return_to; 149 p["return_to"] = return_to;
150 try { 150 try {
151 string ah = find_assoc(server)->handle(); 151 string ah = find_assoc(server)->handle();
152 p["assoc_handle"] = ah; 152 p["assoc_handle"] = ah;
153 }catch(failed_lookup& fl) { 153 }catch(failed_lookup& fl) {
154 string ah = associate(server)->handle(); 154 string ah = associate(server)->handle();
155 p["assoc_handle"] = ah; 155 p["assoc_handle"] = ah;
156 } 156 }
157 if(ext) ext->checkid_hook(p,identity); 157 if(ext) ext->checkid_hook(p);
158 return p.append_query(server); 158 return p.append_query(server);
159 } 159 }
160 160
161 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { 161 void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) {
162 if(pin.has_param("openid.user_setup_url")) 162 if(pin.has_param("openid.user_setup_url"))
163 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); 163 throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url"));
164 string server,delegate; 164 string server,delegate;
165 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); 165 retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate);
166 params_t ps; 166 params_t ps;
167 try { 167 try {
168 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); 168 assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle"));
169 if(assoc->is_expired()) 169 if(assoc->is_expired())
170 throw id_res_expired_on_delivery(OPKELE_CP_ "retrieve_assoc() has returned expired handle"); 170 throw id_res_expired_on_delivery(OPKELE_CP_ "retrieve_assoc() has returned expired handle");
171 const string& sigenc = pin.get_param("openid.sig"); 171 const string& sigenc = pin.get_param("openid.sig");
172 vector<unsigned char> sig; 172 vector<unsigned char> sig;
173 util::decode_base64(sigenc,sig); 173 util::decode_base64(sigenc,sig);
174 const string& slist = pin.get_param("openid.signed"); 174 const string& slist = pin.get_param("openid.signed");
175 string kv; 175 string kv;
176 string::size_type p = 0; 176 string::size_type p = 0;
177 while(true) { 177 while(true) {
178 string::size_type co = slist.find(',',p); 178 string::size_type co = slist.find(',',p);
179 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 179 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
180 kv += f; 180 kv += f;
181 kv += ':'; 181 kv += ':';
182 f.insert(0,"openid."); 182 f.insert(0,"openid.");
183 kv += pin.get_param(f); 183 kv += pin.get_param(f);
184 kv += '\n'; 184 kv += '\n';
185 if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); 185 if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f);
186 if(co==string::npos) 186 if(co==string::npos)
187 break; 187 break;
188 p = co+1; 188 p = co+1;
189 } 189 }
190 secret_t secret = assoc->secret(); 190 secret_t secret = assoc->secret();
191 unsigned int md_len = 0; 191 unsigned int md_len = 0;
192 unsigned char *md = HMAC( 192 unsigned char *md = HMAC(
193 EVP_sha1(), 193 EVP_sha1(),
194 &(secret.front()),secret.size(), 194 &(secret.front()),secret.size(),
195 (const unsigned char *)kv.data(),kv.length(), 195 (const unsigned char *)kv.data(),kv.length(),
196 0,&md_len); 196 0,&md_len);
197 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) 197 if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len))
198 throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); 198 throw id_res_mismatch(OPKELE_CP_ "signature mismatch");
199 }catch(failed_lookup& e) { 199 }catch(failed_lookup& e) {
200 const string& slist = pin.get_param("openid.signed"); 200 const string& slist = pin.get_param("openid.signed");
201 string::size_type pp = 0; 201 string::size_type pp = 0;
202 params_t p; 202 params_t p;
203 while(true) { 203 while(true) {
204 string::size_type co = slist.find(',',pp); 204 string::size_type co = slist.find(',',pp);
205 string f = "openid."; 205 string f = "openid.";
206 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); 206 f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp);
207 p[f] = pin.get_param(f); 207 p[f] = pin.get_param(f);
208 if(co==string::npos) 208 if(co==string::npos)
209 break; 209 break;
210 pp = co+1; 210 pp = co+1;
211 } 211 }
212 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); 212 p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle");
213 p["openid.sig"] = pin.get_param("openid.sig"); 213 p["openid.sig"] = pin.get_param("openid.sig");
214 p["openid.signed"] = pin.get_param("openid.signed"); 214 p["openid.signed"] = pin.get_param("openid.signed");
215 try { 215 try {
216 string ih = pin.get_param("openid.invalidate_handle"); 216 string ih = pin.get_param("openid.invalidate_handle");
217 p["openid.invalidate_handle"] = ih; 217 p["openid.invalidate_handle"] = ih;
218 }catch(failed_lookup& fl) { } 218 }catch(failed_lookup& fl) { }
219 try { 219 try {
220 check_authentication(server,p); 220 check_authentication(server,p);
221 }catch(failed_check_authentication& fca) { 221 }catch(failed_check_authentication& fca) {
222 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); 222 throw id_res_failed(OPKELE_CP_ "failed to check_authentication()");
223 } 223 }
224 } 224 }
225 if(ext) ext->id_res_hook(pin,ps,identity); 225 if(ext) ext->id_res_hook(pin,ps);
226 } 226 }
227 227
228 void consumer_t::check_authentication(const string& server,const params_t& p) { 228 void consumer_t::check_authentication(const string& server,const params_t& p) {
229 string request = "openid.mode=check_authentication"; 229 string request = "openid.mode=check_authentication";
230 for(params_t::const_iterator i=p.begin();i!=p.end();++i) { 230 for(params_t::const_iterator i=p.begin();i!=p.end();++i) {
231 if(i->first!="openid.mode") { 231 if(i->first!="openid.mode") {
232 request += '&'; 232 request += '&';
233 request += i->first; 233 request += i->first;
234 request += '='; 234 request += '=';
235 request += util::url_encode(i->second); 235 request += util::url_encode(i->second);
236 } 236 }
237 } 237 }
238 curl_pick_t curl = curl_pick_t::easy_init(); 238 curl_pick_t curl = curl_pick_t::easy_init();
239 if(!curl) 239 if(!curl)
240 throw exception_curl(OPKELE_CP_ "failed to initialize curl"); 240 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
241 CURLcode r; 241 CURLcode r;
242 (r=curl.misc_sets()) 242 (r=curl.misc_sets())
243 || (r=curl.easy_setopt(CURLOPT_URL,server.c_str())) 243 || (r=curl.easy_setopt(CURLOPT_URL,server.c_str()))
244 || (r=curl.easy_setopt(CURLOPT_POST,1)) 244 || (r=curl.easy_setopt(CURLOPT_POST,1))
245 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data())) 245 || (r=curl.easy_setopt(CURLOPT_POSTFIELDS,request.data()))
246 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length())) 246 || (r=curl.easy_setopt(CURLOPT_POSTFIELDSIZE,request.length()))
247 || (r=curl.set_write()) 247 || (r=curl.set_write())
248 ; 248 ;
249 if(r) 249 if(r)
250 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 250 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
251 if( (r=curl.easy_perform()) ) 251 if( (r=curl.easy_perform()) )
252 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 252 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
253 params_t pp; pp.parse_keyvalues(curl.response); 253 params_t pp; pp.parse_keyvalues(curl.response);
254 if(pp.has_param("invalidate_handle")) 254 if(pp.has_param("invalidate_handle"))
255 invalidate_assoc(server,pp.get_param("invalidate_handle")); 255 invalidate_assoc(server,pp.get_param("invalidate_handle"));
256 if(pp.has_param("is_valid")) { 256 if(pp.has_param("is_valid")) {
257 if(pp.get_param("is_valid")=="true") 257 if(pp.get_param("is_valid")=="true")
258 return; 258 return;
259 }else if(pp.has_param("lifetime")) { 259 }else if(pp.has_param("lifetime")) {
260 if(util::string_to_long(pp.get_param("lifetime"))) 260 if(util::string_to_long(pp.get_param("lifetime")))
261 return; 261 return;
262 } 262 }
263 throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); 263 throw failed_check_authentication(OPKELE_CP_ "failed to verify response");
264 } 264 }
265 265
266 void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { 266 void consumer_t::retrieve_links(const string& url,string& server,string& delegate) {
267 server.erase(); 267 server.erase();
268 delegate.erase(); 268 delegate.erase();
269 curl_pick_t curl = curl_pick_t::easy_init(); 269 curl_pick_t curl = curl_pick_t::easy_init();
270 if(!curl) 270 if(!curl)
271 throw exception_curl(OPKELE_CP_ "failed to initialize curl"); 271 throw exception_curl(OPKELE_CP_ "failed to initialize curl");
272 string& html = curl.response; 272 string& html = curl.response;
273 CURLcode r; 273 CURLcode r;
diff --git a/lib/discovery.cc b/lib/discovery.cc
index d868308..93409f4 100644
--- a/lib/discovery.cc
+++ b/lib/discovery.cc
@@ -1,260 +1,320 @@
1#include <list> 1#include <list>
2#include <opkele/curl.h> 2#include <opkele/curl.h>
3#include <opkele/expat.h> 3#include <opkele/expat.h>
4#include <opkele/uris.h> 4#include <opkele/uris.h>
5#include <opkele/discovery.h> 5#include <opkele/discovery.h>
6#include <opkele/exception.h> 6#include <opkele/exception.h>
7#include <opkele/util.h> 7#include <opkele/util.h>
8#include <opkele/tidy.h> 8#include <opkele/tidy.h>
9#include <opkele/debug.h> 9#include <opkele/debug.h>
10 10
11#include "config.h" 11#include "config.h"
12 12
13#define XRDS_HEADER "X-XRDS-Location" 13#define XRDS_HEADER "X-XRDS-Location"
14#define CT_HEADER "Content-Type" 14#define CT_HEADER "Content-Type"
15 15
16namespace opkele { 16namespace opkele {
17 using std::list; 17 using std::list;
18 using xrd::XRD_t; 18 using xrd::XRD_t;
19 using xrd::service_t; 19 using xrd::service_t;
20 20
21 /* TODO: the whole discovery thing needs cleanup and optimization due to
22 * many changes of concept. */
23
21 static const char *whitespace = " \t\r\n"; 24 static const char *whitespace = " \t\r\n";
22 static const char *i_leaders = "=@+$!("; 25 static const char *i_leaders = "=@+$!(";
23 static const size_t max_html = 16384; 26 static const size_t max_html = 16384;
24 27
28 static const struct service_type_t {
29 const char *uri;
30 const char *forceid;
31 } service_types[] = {
32 { STURI_OPENID20_OP, IDURI_SELECT20 },
33 { STURI_OPENID20, 0 },
34 { STURI_OPENID11, 0 },
35 { STURI_OPENID10, 0 }
36 };
37 enum {
38 st_index_1 = 2, st_index_2 = 1
39 };
40
41
25 static inline bool is_qelement(const XML_Char *n,const char *qen) { 42 static inline bool is_qelement(const XML_Char *n,const char *qen) {
26 return !strcasecmp(n,qen); 43 return !strcasecmp(n,qen);
27 } 44 }
28 static inline bool is_element(const XML_Char *n,const char *en) { 45 static inline bool is_element(const XML_Char *n,const char *en) {
29 if(!strcasecmp(n,en)) return true; 46 if(!strcasecmp(n,en)) return true;
30 int nl = strlen(n), enl = strlen(en); 47 int nl = strlen(n), enl = strlen(en);
31 if( (nl>=(enl+1)) && n[nl-enl-1]=='\t' 48 if( (nl>=(enl+1)) && n[nl-enl-1]=='\t'
32 && !strcasecmp(&n[nl-enl],en) ) 49 && !strcasecmp(&n[nl-enl],en) )
33 return true; 50 return true;
34 return false; 51 return false;
35 } 52 }
36 53
37 static long element_priority(const XML_Char **a) { 54 static long element_priority(const XML_Char **a) {
38 for(;*a;++a) 55 for(;*a;++a)
39 if(!strcasecmp(*(a++),"priority")) { 56 if(!strcasecmp(*(a++),"priority")) {
40 long rv; 57 long rv;
41 return (sscanf(*a,"%ld",&rv)==1)?rv:-1; 58 return (sscanf(*a,"%ld",&rv)==1)?rv:-1;
42 } 59 }
43 return -1; 60 return -1;
44 } 61 }
45 62
46 class idigger_t : public util::curl_t, public util::expat_t { 63 class idigger_t : public util::curl_t, public util::expat_t {
47 public: 64 public:
48 string xri_proxy; 65 string xri_proxy;
49 66
50 enum { 67 enum {
51 xmode_html = 1, xmode_xrd = 2 68 xmode_html = 1, xmode_xrd = 2, xmode_cid = 4
52 }; 69 };
53 int xmode; 70 int xmode;
54 71
55 string xrds_location; 72 string xrds_location;
56 string http_content_type; 73 string http_content_type;
57 service_t html_openid1; 74 service_t html_openid1;
58 service_t html_openid2; 75 service_t html_openid2;
59 string cdata_buf; 76 string cdata_buf;
60 long status_code; 77 long status_code;
61 string status_string; 78 string status_string;
62 79
63 typedef list<string> pt_stack_t; 80 typedef list<string> pt_stack_t;
64 pt_stack_t pt_stack; 81 pt_stack_t pt_stack;
65 int skipping; 82 int skipping;
66 bool parser_choked; 83 bool parser_choked;
67 string save_html; 84 string save_html;
68 85
69 XRD_t *xrd; 86 XRD_t *xrd;
70 service_t *xrd_service; 87 service_t *xrd_service;
71 string* cdata; 88 string* cdata;
72 89
73 idigger_t() 90 idigger_t()
74 : util::curl_t(easy_init()), 91 : util::curl_t(easy_init()),
75 util::expat_t(0), 92 util::expat_t(0),
76 xri_proxy(XRI_PROXY_URL) { 93 xri_proxy(XRI_PROXY_URL) {
77 CURLcode r; 94 CURLcode r;
78 (r=misc_sets()) 95 (r=misc_sets())
79 || (r=set_write()) 96 || (r=set_write())
80 || (r=set_header()) 97 || (r=set_header())
81 ; 98 ;
82 if(r) 99 if(r)
83 throw exception_curl(OPKELE_CP_ "failed to set curly options",r); 100 throw exception_curl(OPKELE_CP_ "failed to set curly options",r);
84 } 101 }
85 ~idigger_t() throw() { } 102 ~idigger_t() throw() { }
86 103
87 void discover(idiscovery_t& result,const string& identity) { 104 string discover(endpoint_discovery_iterator& oi,const string& identity) {
88 result.clear(); 105 string rv;
106 idiscovery_t idis;
89 string::size_type fsc = identity.find_first_not_of(whitespace); 107 string::size_type fsc = identity.find_first_not_of(whitespace);
90 if(fsc==string::npos) 108 if(fsc==string::npos)
91 throw bad_input(OPKELE_CP_ "whtiespace-only identity"); 109 throw bad_input(OPKELE_CP_ "whitespace-only identity");
92 string::size_type lsc = identity.find_last_not_of(whitespace); 110 string::size_type lsc = identity.find_last_not_of(whitespace);
93 assert(lsc!=string::npos); 111 assert(lsc!=string::npos);
94 if(!strncasecmp(identity.c_str()+fsc,"xri://",sizeof("xri://")-1)) 112 if(!strncasecmp(identity.c_str()+fsc,"xri://",sizeof("xri://")-1))
95 fsc += sizeof("xri://")-1; 113 fsc += sizeof("xri://")-1;
96 if((fsc+1)>=lsc) 114 if((fsc+1)>=lsc)
97 throw bad_input(OPKELE_CP_ "not a character of importance in identity"); 115 throw bad_input(OPKELE_CP_ "not a character of importance in identity");
98 string id(identity,fsc,lsc-fsc+1); 116 string id(identity,fsc,lsc-fsc+1);
117 idis.clear();
99 if(strchr(i_leaders,id[0])) { 118 if(strchr(i_leaders,id[0])) {
100 result.normalized_id = id; 119 /* TODO: further normalize xri identity? Like folding case
101 result.xri_identity = true; 120 * or whatever... */
102 /* TODO: further canonicalize xri identity? Like folding case or whatever... */ 121 rv = idis.normalized_id = id;
103 discover_at( 122 idis.xri_identity = true;
104 result, 123 set<string> cids;
105 xri_proxy + util::url_encode(id)+ 124 for(const struct service_type_t *st=service_types;
106 "?_xrd_r=application/xrd+xml;sep=false", xmode_xrd); 125 st<&service_types[sizeof(service_types)/sizeof(*service_types)];++st) {
107 if(status_code!=100) 126 idis.clear();
108 throw failed_xri_resolution(OPKELE_CP_ 127 discover_at( idis,
109 "XRI resolution failed with '"+status_string+"' message",status_code); 128 xri_proxy + util::url_encode(id)+
110 if(result.xrd.canonical_ids.empty()) 129 "?_xrd_t="+util::url_encode(st->uri)+
111 throw opkele::failed_discovery(OPKELE_CP_ "No CanonicalID for XRI identity found"); 130 "&_xrd_r=application/xrd%2Bxml"
112 result.canonicalized_id = result.xrd.canonical_ids.begin()->second; 131 ";sep=true;refs=true",
132 xmode_xrd );
133 if(status_code==241) continue;
134 if(status_code!=100)
135 throw failed_xri_resolution(OPKELE_CP_
136 "XRI resolution failed with '"+status_string+"' message"
137 ", while looking for SEP with type '"+st->uri+"'", status_code);
138 if(idis.xrd.canonical_ids.empty())
139 throw opkele::failed_discovery(OPKELE_CP_ "No CanonicalID found for XRI identity found");
140 string cid = idis.xrd.canonical_ids.begin()->second;
141 if(cids.find(cid)==cids.end()) {
142 cids.insert(cid);
143 idis.clear();
144 discover_at( idis,
145 xri_proxy + util::url_encode(id)+
146 "?_xrd_t="+util::url_encode(st->uri)+
147 "&_xrd_r=application/xrd%2Bxml"
148 ";sep=true;refs=true",
149 xmode_xrd );
150 if(status_code==241) continue;
151 if(status_code!=100)
152 throw failed_xri_resolution(OPKELE_CP_
153 "XRI resolution failed with '"+status_string+"' message"
154 ", while looking for SEP with type '"+st->uri+"'"
155 " on canonical id", status_code);
156 }
157 idis.canonicalized_id = cid;
158 queue_endpoints(oi,idis,st);
159 }
113 }else{ 160 }else{
114 result.xri_identity = false; 161 idis.xri_identity = false;
115 if(id.find("://")==string::npos) 162 if(id.find("://")==string::npos)
116 id.insert(0,"http://"); 163 id.insert(0,"http://");
117 string::size_type fp = id.find('#'); 164 string::size_type fp = id.find('#');
118 if(fp!=string::npos) { 165 if(fp!=string::npos) {
119 string::size_type qp = id.find('?'); 166 string::size_type qp = id.find('?');
120 if(qp==string::npos || qp<fp) 167 if(qp==string::npos || qp<fp)
121 id.erase(fp); 168 id.erase(fp);
122 else if(qp>fp) 169 else if(qp>fp)
123 id.erase(fp,qp-fp); 170 id.erase(fp,qp-fp);
124 } 171 }
125 result.normalized_id = util::rfc_3986_normalize_uri(id); 172 rv = idis.normalized_id = util::rfc_3986_normalize_uri(id);
126 discover_at(result,id,xmode_html|xmode_xrd); 173 discover_at(idis,id,xmode_html|xmode_xrd);
127 const char * eu = 0; 174 const char * eu = 0;
128 CURLcode r = easy_getinfo(CURLINFO_EFFECTIVE_URL,&eu); 175 CURLcode r = easy_getinfo(CURLINFO_EFFECTIVE_URL,&eu);
129 if(r) 176 if(r)
130 throw exception_curl(OPKELE_CP_ "failed to get CURLINFO_EFFECTIVE_URL",r); 177 throw exception_curl(OPKELE_CP_ "failed to get CURLINFO_EFFECTIVE_URL",r);
131 result.canonicalized_id = util::rfc_3986_normalize_uri(eu); /* XXX: strip fragment part? */ 178 string cid = util::strip_uri_fragment_part( idis.canonicalized_id = util::rfc_3986_normalize_uri(eu) );
132 if(xrds_location.empty()) { 179 if(xrds_location.empty()) {
133 html2xrd(result.xrd); 180 html2xrd(oi,idis);
134 }else{ 181 }else{
135 discover_at(result,xrds_location,xmode_xrd); 182 idis.clear();
136 if(result.xrd.empty()) 183 idis.canonicalized_id = cid;
137 html2xrd(result.xrd); 184 discover_at(idis,xrds_location,xmode_xrd);
185 if(idis.xrd.empty())
186 html2xrd(oi,idis);
187 else{
188 for(const service_type_t *st=service_types;
189 st<&service_types[sizeof(service_types)/sizeof(*service_types)];++st)
190 queue_endpoints(oi,idis,st);
191 }
138 } 192 }
139 } 193 }
194 return rv;
140 } 195 }
141 196
142 void discover_at(idiscovery_t& result,const string& url,int xm) { 197 void discover_at(idiscovery_t& idis,const string& url,int xm) {
198 DOUT_("Doing discovery at " << url);
143 CURLcode r = easy_setopt(CURLOPT_URL,url.c_str()); 199 CURLcode r = easy_setopt(CURLOPT_URL,url.c_str());
144 if(r) 200 if(r)
145 throw exception_curl(OPKELE_CP_ "failed to set culry urlie",r); 201 throw exception_curl(OPKELE_CP_ "failed to set culry urlie",r);
146 202
147 http_content_type.clear(); 203 http_content_type.clear();
148 xmode = xm; 204 xmode = xm;
149 prepare_to_parse(); 205 prepare_to_parse();
150 if(xmode&xmode_html) { 206 if(xmode&xmode_html) {
151 xrds_location.clear(); 207 xrds_location.clear();
152 save_html.clear(); 208 save_html.clear();
153 save_html.reserve(max_html); 209 save_html.reserve(max_html);
154 } 210 }
155 xrd = &result.xrd; 211 xrd = &idis.xrd;
156 212
157 r = easy_perform(); 213 r = easy_perform();
158 if(r && r!=CURLE_WRITE_ERROR) 214 if(r && r!=CURLE_WRITE_ERROR)
159 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r); 215 throw exception_curl(OPKELE_CP_ "failed to perform curly request",r);
160 216
161 if(!parser_choked) { 217 if(!parser_choked) {
162 parse(0,0,true); 218 parse(0,0,true);
163 }else{ 219 }else{
164 /* TODO: do not bother if we've seen xml */ 220 /* TODO: do not bother if we've seen xml */
165 try { 221 try {
166 util::tidy_doc_t td = util::tidy_doc_t::create(); 222 util::tidy_doc_t td = util::tidy_doc_t::create();
167 if(!td) 223 if(!td)
168 throw exception_tidy(OPKELE_CP_ "failed to create htmltidy document"); 224 throw exception_tidy(OPKELE_CP_ "failed to create htmltidy document");
169#ifndef NDEBUG 225#ifndef NDEBUG
170 td.opt_set(TidyQuiet,false); 226 td.opt_set(TidyQuiet,false);
171 td.opt_set(TidyShowWarnings,false); 227 td.opt_set(TidyShowWarnings,false);
172#endif /* NDEBUG */ 228#endif /* NDEBUG */
173 td.opt_set(TidyForceOutput,true); 229 td.opt_set(TidyForceOutput,true);
174 td.opt_set(TidyXhtmlOut,true); 230 td.opt_set(TidyXhtmlOut,true);
175 td.opt_set(TidyDoctypeMode,TidyDoctypeOmit); 231 td.opt_set(TidyDoctypeMode,TidyDoctypeOmit);
176 td.opt_set(TidyMark,false); 232 td.opt_set(TidyMark,false);
177 if(td.parse_string(save_html)<=0) 233 if(td.parse_string(save_html)<=0)
178 throw exception_tidy(OPKELE_CP_ "tidy failed to parse document"); 234 throw exception_tidy(OPKELE_CP_ "tidy failed to parse document");
179 if(td.clean_and_repair()<=0) 235 if(td.clean_and_repair()<=0)
180 throw exception_tidy(OPKELE_CP_ "tidy failed to clean and repair"); 236 throw exception_tidy(OPKELE_CP_ "tidy failed to clean and repair");
181 util::tidy_buf_t tide; 237 util::tidy_buf_t tide;
182 if(td.save_buffer(tide)<=0) 238 if(td.save_buffer(tide)<=0)
183 throw exception_tidy(OPKELE_CP_ "tidy failed to save buffer"); 239 throw exception_tidy(OPKELE_CP_ "tidy failed to save buffer");
184 prepare_to_parse(); 240 prepare_to_parse();
185 parse(tide.c_str(),tide.size(),true); 241 parse(tide.c_str(),tide.size(),true);
186 }catch(exception_tidy& et) { } 242 }catch(exception_tidy& et) { }
187 } 243 }
188 save_html.clear(); 244 save_html.clear();
189 } 245 }
190 246
191 void prepare_to_parse() { 247 void prepare_to_parse() {
192 (*(expat_t*)this) = parser_create_ns(); 248 (*(expat_t*)this) = parser_create_ns();
193 set_user_data(); set_element_handler(); 249 set_user_data(); set_element_handler();
194 set_character_data_handler(); 250 set_character_data_handler();
195 251
196 if(xmode&xmode_html) { 252 if(xmode&xmode_html) {
197 html_openid1.clear(); html_openid2.clear(); 253 html_openid1.clear(); html_openid2.clear();
198 parser_choked = false; 254 parser_choked = false;
199 } 255 }
200 256
201 cdata = 0; xrd_service = 0; skipping = 0; 257 cdata = 0; xrd_service = 0; skipping = 0;
258 pt_stack.clear();
202 status_code = 100; status_string.clear(); 259 status_code = 100; status_string.clear();
203 } 260 }
204 261
205 void html2xrd(XRD_t& x) { 262 void html2xrd(endpoint_discovery_iterator& oi,idiscovery_t& id) {
206 if(!html_openid1.uris.empty()) { 263 XRD_t& x = id.xrd;
207 html_openid1.types.insert(STURI_OPENID11);
208 x.services.add(-1,html_openid1);
209 }
210 if(!html_openid2.uris.empty()) { 264 if(!html_openid2.uris.empty()) {
211 html_openid2.types.insert(STURI_OPENID20); 265 html_openid2.types.insert(STURI_OPENID20);
212 x.services.add(-1,html_openid2); 266 x.services.add(-1,html_openid2);
267 queue_endpoints(oi,id,&service_types[st_index_2]);
268 }
269 if(!html_openid1.uris.empty()) {
270 html_openid1.types.insert(STURI_OPENID11);
271 x.services.add(-1,html_openid1);
272 queue_endpoints(oi,id,&service_types[st_index_1]);
213 } 273 }
214 } 274 }
215 275
216 size_t write(void *p,size_t s,size_t nm) { 276 size_t write(void *p,size_t s,size_t nm) {
217 /* TODO: limit total size */ 277 /* TODO: limit total size */
218 size_t bytes = s*nm; 278 size_t bytes = s*nm;
219 const char *inbuf = (const char*)p; 279 const char *inbuf = (const char*)p;
220 if(xmode&xmode_html) { 280 if(xmode&xmode_html) {
221 size_t mbts = save_html.capacity()-save_html.size(); 281 size_t mbts = save_html.capacity()-save_html.size();
222 size_t bts = 0; 282 size_t bts = 0;
223 if(mbts>0) { 283 if(mbts>0) {
224 bts = (bytes>mbts)?mbts:bytes; 284 bts = (bytes>mbts)?mbts:bytes;
225 save_html.append(inbuf,bts); 285 save_html.append(inbuf,bts);
226 } 286 }
227 if(skipping<0) return bts; 287 if(skipping<0) return bts;
228 } 288 }
229 if(skipping<0) return 0; 289 if(skipping<0) return 0;
230 bool rp = parse(inbuf,bytes,false); 290 bool rp = parse(inbuf,bytes,false);
231 if(!rp) { 291 if(!rp) {
232 parser_choked = true; 292 parser_choked = true;
233 skipping = -1; 293 skipping = -1;
234 if(!(xmode&xmode_html)) 294 if(!(xmode&xmode_html))
235 bytes = 0; 295 bytes = 0;
236 } 296 }
237 return bytes; 297 return bytes;
238 } 298 }
239 size_t header(void *p,size_t s,size_t nm) { 299 size_t header(void *p,size_t s,size_t nm) {
240 size_t bytes = s*nm; 300 size_t bytes = s*nm;
241 const char *h = (const char*)p; 301 const char *h = (const char*)p;
242 const char *colon = (const char*)memchr(p,':',bytes); 302 const char *colon = (const char*)memchr(p,':',bytes);
243 const char *space = (const char*)memchr(p,' ',bytes); 303 const char *space = (const char*)memchr(p,' ',bytes);
244 if(space && ( (!colon) || space<colon ) ) { 304 if(space && ( (!colon) || space<colon ) ) {
245 xrds_location.clear(); http_content_type.clear(); 305 xrds_location.clear(); http_content_type.clear();
246 }else if(colon) { 306 }else if(colon) {
247 const char *hv = ++colon; 307 const char *hv = ++colon;
248 int hnl = colon-h; 308 int hnl = colon-h;
249 int rb; 309 int rb;
250 for(rb = bytes-hnl-1;rb>0 && isspace(*hv);++hv,--rb); 310 for(rb = bytes-hnl-1;rb>0 && isspace(*hv);++hv,--rb);
251 while(rb>0 && isspace(hv[rb-1])) --rb; 311 while(rb>0 && isspace(hv[rb-1])) --rb;
252 if(rb) { 312 if(rb) {
253 if( (hnl>=sizeof(XRDS_HEADER)) 313 if( (hnl>=sizeof(XRDS_HEADER))
254 && !strncasecmp(h,XRDS_HEADER":", 314 && !strncasecmp(h,XRDS_HEADER":",
255 sizeof(XRDS_HEADER)) ) { 315 sizeof(XRDS_HEADER)) ) {
256 xrds_location.assign(hv,rb); 316 xrds_location.assign(hv,rb);
257 }else if( (hnl>=sizeof(CT_HEADER)) 317 }else if( (hnl>=sizeof(CT_HEADER))
258 && !strncasecmp(h,CT_HEADER":", 318 && !strncasecmp(h,CT_HEADER":",
259 sizeof(CT_HEADER)) ) { 319 sizeof(CT_HEADER)) ) {
260 const char *sc = (const char*)memchr( 320 const char *sc = (const char*)memchr(
@@ -265,97 +325,98 @@ namespace opkele {
265 } 325 }
266 return curl_t::header(p,s,nm); 326 return curl_t::header(p,s,nm);
267 } 327 }
268 328
269 void start_element(const XML_Char *n,const XML_Char **a) { 329 void start_element(const XML_Char *n,const XML_Char **a) {
270 if(skipping<0) return; 330 if(skipping<0) return;
271 if(skipping) { 331 if(skipping) {
272 if(xmode&xmode_html) 332 if(xmode&xmode_html)
273 html_start_element(n,a); 333 html_start_element(n,a);
274 ++skipping; return; 334 ++skipping; return;
275 } 335 }
276 if(pt_stack.empty()) { 336 if(pt_stack.empty()) {
277 if(is_qelement(n,NSURI_XRDS "\tXRDS")) 337 if(is_qelement(n,NSURI_XRDS "\tXRDS"))
278 return; 338 return;
279 if(is_qelement(n,NSURI_XRD "\tXRD")) { 339 if(is_qelement(n,NSURI_XRD "\tXRD")) {
280 assert(xrd); 340 assert(xrd);
281 xrd->clear(); 341 xrd->clear();
282 pt_stack.push_back(n); 342 pt_stack.push_back(n);
283 }else if(xmode&xmode_html) { 343 }else if(xmode&xmode_html) {
284 html_start_element(n,a); 344 html_start_element(n,a);
285 }else{ 345 }else{
286 skipping = -1; 346 skipping = -1;
287 } 347 }
288 }else{ 348 }else{
289 int pt_s = pt_stack.size(); 349 int pt_s = pt_stack.size();
290 if(pt_s==1) { 350 if(pt_s==1) {
291 if(is_qelement(n,NSURI_XRD "\tCanonicalID")) { 351 if(is_qelement(n,NSURI_XRD "\tCanonicalID")) {
292 assert(xrd); 352 assert(xrd);
293 cdata = &(xrd->canonical_ids.add(element_priority(a),string())); 353 cdata = &(xrd->canonical_ids.add(element_priority(a),string()));
294 }else if(is_qelement(n,NSURI_XRD "\tLocalID")) { 354 }else if(is_qelement(n,NSURI_XRD "\tLocalID")) {
295 assert(xrd); 355 assert(xrd);
296 cdata = &(xrd->local_ids.add(element_priority(a),string())); 356 cdata = &(xrd->local_ids.add(element_priority(a),string()));
297 }else if(is_qelement(n,NSURI_XRD "\tProviderID")) { 357 }else if(is_qelement(n,NSURI_XRD "\tProviderID")) {
298 assert(xrd); 358 assert(xrd);
299 cdata = &(xrd->provider_id); 359 cdata = &(xrd->provider_id);
300 }else if(is_qelement(n,NSURI_XRD "\tService")) { 360 }else if(is_qelement(n,NSURI_XRD "\tService")) {
301 assert(xrd); 361 assert(xrd);
302 xrd_service = &(xrd->services.add(element_priority(a), 362 xrd_service = &(xrd->services.add(element_priority(a),
303 service_t())); 363 service_t()));
304 pt_stack.push_back(n); 364 pt_stack.push_back(n);
305 }else if(is_qelement(n,NSURI_XRD "\tStatus")) { 365 }else if(is_qelement(n,NSURI_XRD "\tStatus")) {
306 for(;*a;) { 366 for(;*a;) {
307 if(!strcasecmp(*(a++),"code")) { 367 if(!strcasecmp(*(a++),"code")) {
308 if(sscanf(*(a++),"%ld",&status_code)==1 && status_code!=100) { 368 if(sscanf(*(a++),"%ld",&status_code)==1 && status_code!=100) {
309 cdata = &status_string; 369 cdata = &status_string;
310 pt_stack.push_back(n); 370 pt_stack.push_back(n);
311 break; 371 break;
312 } 372 }
313 } 373 }else
374 ++a;
314 } 375 }
315 }else if(is_qelement(n,NSURI_XRD "\tExpires")) { 376 }else if(is_qelement(n,NSURI_XRD "\tExpires")) {
316 assert(xrd); 377 assert(xrd);
317 cdata_buf.clear(); 378 cdata_buf.clear();
318 cdata = &cdata_buf; 379 cdata = &cdata_buf;
319 }else if(xmode&xmode_html) { 380 }else if(xmode&xmode_html) {
320 html_start_element(n,a); 381 html_start_element(n,a);
321 }else{ 382 }else{
322 skipping = 1; 383 skipping = 1;
323 } 384 }
324 }else if(pt_s==2) { 385 }else if(pt_s==2) {
325 if(is_qelement(pt_stack.back().c_str(), NSURI_XRD "\tService")) { 386 if(is_qelement(pt_stack.back().c_str(), NSURI_XRD "\tService")) {
326 if(is_qelement(n,NSURI_XRD "\tType")) { 387 if(is_qelement(n,NSURI_XRD "\tType")) {
327 assert(xrd); assert(xrd_service); 388 assert(xrd); assert(xrd_service);
328 cdata_buf.clear(); 389 cdata_buf.clear();
329 cdata = &cdata_buf; 390 cdata = &cdata_buf;
330 }else if(is_qelement(n,NSURI_XRD "\tURI")) { 391 }else if(is_qelement(n,NSURI_XRD "\tURI")) {
331 assert(xrd); assert(xrd_service); 392 assert(xrd); assert(xrd_service);
332 cdata = &(xrd_service->uris.add(element_priority(a),string())); 393 cdata = &(xrd_service->uris.add(element_priority(a),string()));
333 }else if(is_qelement(n,NSURI_XRD "\tLocalID") 394 }else if(is_qelement(n,NSURI_XRD "\tLocalID")
334 || is_qelement(n,NSURI_OPENID10 "\tDelegate") ) { 395 || is_qelement(n,NSURI_OPENID10 "\tDelegate") ) {
335 assert(xrd); assert(xrd_service); 396 assert(xrd); assert(xrd_service);
336 cdata = &(xrd_service->local_ids.add(element_priority(a),string())); 397 cdata = &(xrd_service->local_ids.add(element_priority(a),string()));
337 }else if(is_qelement(n,NSURI_XRD "\tProviderID")) { 398 }else if(is_qelement(n,NSURI_XRD "\tProviderID")) {
338 assert(xrd); assert(xrd_service); 399 assert(xrd); assert(xrd_service);
339 cdata = &(xrd_service->provider_id); 400 cdata = &(xrd_service->provider_id);
340 }else{ 401 }else{
341 skipping = 1; 402 skipping = 1;
342 } 403 }
343 }else 404 }else
344 skipping = 1; 405 skipping = 1;
345 }else if(xmode&xmode_html) { 406 }else if(xmode&xmode_html) {
346 html_start_element(n,a); 407 html_start_element(n,a);
347 }else{ 408 }else{
348 skipping = 1; 409 skipping = 1;
349 } 410 }
350 } 411 }
351 } 412 }
352 void end_element(const XML_Char *n) { 413 void end_element(const XML_Char *n) {
353 if(skipping<0) return; 414 if(skipping<0) return;
354 if(skipping) { 415 if(skipping) {
355 --skipping; return; 416 --skipping; return;
356 } 417 }
357 if(is_qelement(n,NSURI_XRD "\tType")) { 418 if(is_qelement(n,NSURI_XRD "\tType")) {
358 assert(xrd); assert(xrd_service); assert(cdata==&cdata_buf); 419 assert(xrd); assert(xrd_service); assert(cdata==&cdata_buf);
359 xrd_service->types.insert(cdata_buf); 420 xrd_service->types.insert(cdata_buf);
360 }else if(is_qelement(n,NSURI_XRD "\tService")) { 421 }else if(is_qelement(n,NSURI_XRD "\tService")) {
361 assert(xrd); assert(xrd_service); 422 assert(xrd); assert(xrd_service);
@@ -391,56 +452,86 @@ namespace opkele {
391 for(;*a;a+=2) { 452 for(;*a;a+=2) {
392 if(!( strcasecmp(a[0],"http-equiv") 453 if(!( strcasecmp(a[0],"http-equiv")
393 || strcasecmp(a[1],XRDS_HEADER) )) 454 || strcasecmp(a[1],XRDS_HEADER) ))
394 heq = true; 455 heq = true;
395 else if(!strcasecmp(a[0],"content")) 456 else if(!strcasecmp(a[0],"content"))
396 l.assign(a[1]); 457 l.assign(a[1]);
397 } 458 }
398 if(heq) 459 if(heq)
399 xrds_location = l; 460 xrds_location = l;
400 }else if(is_element(n,"link")) { 461 }else if(is_element(n,"link")) {
401 string rels; 462 string rels;
402 string href; 463 string href;
403 for(;*a;a+=2) { 464 for(;*a;a+=2) {
404 if( !strcasecmp(a[0],"rel") ) { 465 if( !strcasecmp(a[0],"rel") ) {
405 rels.assign(a[1]); 466 rels.assign(a[1]);
406 }else if( !strcasecmp(a[0],"href") ) { 467 }else if( !strcasecmp(a[0],"href") ) {
407 const char *ns = a[1]; 468 const char *ns = a[1];
408 for(;*ns && isspace(*ns);++ns); 469 for(;*ns && isspace(*ns);++ns);
409 href.assign(ns); 470 href.assign(ns);
410 string::size_type lns=href.find_last_not_of(whitespace); 471 string::size_type lns=href.find_last_not_of(whitespace);
411 href.erase(lns+1); 472 href.erase(lns+1);
412 } 473 }
413 } 474 }
414 for(string::size_type ns=rels.find_first_not_of(whitespace); 475 for(string::size_type ns=rels.find_first_not_of(whitespace);
415 ns!=string::npos; ns=rels.find_first_not_of(whitespace,ns)) { 476 ns!=string::npos; ns=rels.find_first_not_of(whitespace,ns)) {
416 string::size_type s = rels.find_first_of(whitespace,ns); 477 string::size_type s = rels.find_first_of(whitespace,ns);
417 string rel; 478 string rel;
418 if(s==string::npos) { 479 if(s==string::npos) {
419 rel.assign(rels,ns,string::npos); 480 rel.assign(rels,ns,string::npos);
420 ns = string::npos; 481 ns = string::npos;
421 }else{ 482 }else{
422 rel.assign(rels,ns,s-ns); 483 rel.assign(rels,ns,s-ns);
423 ns = s; 484 ns = s;
424 } 485 }
425 if(rel=="openid.server") 486 if(rel=="openid.server")
426 html_openid1.uris.add(-1,href); 487 html_openid1.uris.add(-1,href);
427 else if(rel=="openid.delegate") 488 else if(rel=="openid.delegate")
428 html_openid1.local_ids.add(-1,href); 489 html_openid1.local_ids.add(-1,href);
429 else if(rel=="openid2.provider") 490 else if(rel=="openid2.provider")
430 html_openid2.uris.add(-1,href); 491 html_openid2.uris.add(-1,href);
431 else if(rel=="openid2.local_id") 492 else if(rel=="openid2.local_id")
432 html_openid2.local_ids.add(-1,href); 493 html_openid2.local_ids.add(-1,href);
433 } 494 }
434 }else if(is_element(n,"body")) { 495 }else if(is_element(n,"body")) {
435 skipping = -1; 496 skipping = -1;
436 } 497 }
437 } 498 }
438 499
500 void queue_endpoints(endpoint_discovery_iterator& oi,
501 const idiscovery_t &id,
502 const service_type_t *st) {
503 openid_endpoint_t ep;
504 ep.claimed_id = id.canonicalized_id;
505 for(xrd::services_t::const_iterator isvc=id.xrd.services.begin();
506 isvc!=id.xrd.services.end(); ++isvc) {
507 const xrd::service_t svc = isvc->second;
508 if(svc.types.find(st->uri)==svc.types.end()) continue;
509 for(xrd::uris_t::const_iterator iu=svc.uris.begin();iu!=svc.uris.end();++iu) {
510 ep.uri = iu->second;
511 if(st->forceid) {
512 ep.local_id = ep.claimed_id = st->forceid;
513 *(oi++) = ep;
514 }else{
515 if(svc.local_ids.empty()) {
516 ep.local_id = ep.claimed_id;
517 *(oi++) = ep;
518 }else{
519 for(xrd::local_ids_t::const_iterator ilid=svc.local_ids.begin();
520 ilid!=svc.local_ids.end(); ++ilid) {
521 ep.local_id = ilid->second;
522 *(oi++) = ep;
523 }
524 }
525 }
526 }
527 }
528 }
529
439 }; 530 };
440 531
441 void idiscover(idiscovery_t& result,const string& identity) { 532 string idiscover(endpoint_discovery_iterator oi,const string& identity) {
442 idigger_t idigger; 533 idigger_t idigger;
443 idigger.discover(result,identity); 534 return idigger.discover(oi,identity);
444 } 535 }
445 536
446} 537}
diff --git a/lib/extension.cc b/lib/extension.cc
index 8f22562..6451249 100644
--- a/lib/extension.cc
+++ b/lib/extension.cc
@@ -1,15 +1,15 @@
1#include <opkele/exception.h> 1#include <opkele/exception.h>
2#include <opkele/extension.h> 2#include <opkele/extension.h>
3 3
4namespace opkele { 4namespace opkele {
5 5
6 void extension_t::checkid_hook(params_t& /* p */,const string& /* identity */ ) { 6 void extension_t::checkid_hook(basic_openid_message&) {
7 throw not_implemented(OPKELE_CP_ "Consumer checkid_hook not implemented"); 7 throw not_implemented(OPKELE_CP_ "Consumer checkid_hook not implemented");
8 } 8 }
9 void extension_t::id_res_hook(const params_t& /* p */,const params_t& /* sp */,const string& /* identity */) { 9 void extension_t::id_res_hook(const basic_openid_message&,const basic_openid_message&) {
10 throw not_implemented(OPKELE_CP_ "Consumer id_res_hook not implemented"); 10 throw not_implemented(OPKELE_CP_ "Consumer id_res_hook not implemented");
11 } 11 }
12 void extension_t::checkid_hook(const params_t& /* pin */,params_t& /* pout */) { 12 void extension_t::checkid_hook(const basic_openid_message&,basic_openid_message&) {
13 throw not_implemented(OPKELE_CP_ "Server checkid_hook not implemented"); 13 throw not_implemented(OPKELE_CP_ "Server checkid_hook not implemented");
14 } 14 }
15} 15}
diff --git a/lib/extension_chain.cc b/lib/extension_chain.cc
index 16537dc..5c2afd9 100644
--- a/lib/extension_chain.cc
+++ b/lib/extension_chain.cc
@@ -1,16 +1,16 @@
1#include <cstdarg> 1#include <cstdarg>
2#include <opkele/extension_chain.h> 2#include <opkele/extension_chain.h>
3 3
4namespace opkele { 4namespace opkele {
5 5
6 void extension_chain_t::checkid_hook(params_t& p,const string& identity) { 6 void extension_chain_t::checkid_hook(basic_openid_message& om){
7 for(iterator i=begin();i!=end();++i) (*i)->checkid_hook(p,identity); 7 for(iterator i=begin();i!=end();++i) (*i)->checkid_hook(om);
8 } 8 }
9 void extension_chain_t::id_res_hook(const params_t& p,const params_t& sp,const string& identity) { 9 void extension_chain_t::id_res_hook(const basic_openid_message& om,const basic_openid_message& sp) {
10 for(iterator i=begin();i!=end();++i) (*i)->id_res_hook(p,sp,identity); 10 for(iterator i=begin();i!=end();++i) (*i)->id_res_hook(om,sp);
11 } 11 }
12 void extension_chain_t::checkid_hook(const params_t& pin,params_t& pout) { 12 void extension_chain_t::checkid_hook(const basic_openid_message& inm,basic_openid_message& oum) {
13 for(iterator i=begin();i!=end();++i) (*i)->checkid_hook(pin,pout); 13 for(iterator i=begin();i!=end();++i) (*i)->checkid_hook(inm,oum);
14 } 14 }
15 15
16} 16}
diff --git a/lib/openid_message.cc b/lib/openid_message.cc
new file mode 100644
index 0000000..3b08748
--- a/dev/null
+++ b/lib/openid_message.cc
@@ -0,0 +1,228 @@
1#include <cassert>
2#include <opkele/types.h>
3#include <opkele/exception.h>
4#include <opkele/util.h>
5#include <opkele/debug.h>
6
7#include "config.h"
8
9namespace opkele {
10 using std::input_iterator_tag;
11 using std::unary_function;
12
13 struct __om_copier : public unary_function<const string&,void> {
14 public:
15 const basic_openid_message& from;
16 basic_openid_message& to;
17
18 __om_copier(basic_openid_message& to,const basic_openid_message& from)
19 : from(from), to(to) {
20 to.reset_fields();
21 }
22
23 result_type operator()(argument_type f) {
24 to.set_field(f,from.get_field(f)); }
25 };
26
27 basic_openid_message::basic_openid_message(const basic_openid_message& x) {
28 x.copy_to(*this);
29 }
30 void basic_openid_message::copy_to(basic_openid_message& x) const {
31 for_each(fields_begin(),fields_end(),
32 __om_copier(x,*this) );
33 }
34
35 struct __om_ns_finder : public unary_function<const string&,bool> {
36 public:
37 const basic_openid_message& om;
38 const string& uri;
39
40 __om_ns_finder(const basic_openid_message& om,
41 const string& uri) : om(om), uri(uri) { }
42
43 result_type operator()(argument_type f) {
44 return
45 (!strncmp(f.c_str(),"ns.",sizeof("ns.")-1))
46 && om.get_field(f)==uri ;
47 }
48 };
49
50 bool basic_openid_message::has_ns(const string& uri) const {
51 fields_iterator ei = fields_end();
52 fields_iterator i = find_if(fields_begin(),fields_end(),
53 __om_ns_finder(*this,uri));
54 return !(i==ei);
55 }
56 string basic_openid_message::get_ns(const string& uri) const {
57 fields_iterator ei = fields_end();
58 fields_iterator i = find_if(fields_begin(),fields_end(),
59 __om_ns_finder(*this,uri));
60 if(i==ei)
61 throw failed_lookup(OPKELE_CP_ string("failed to find namespace ")+uri);
62 return i->substr(3);
63 }
64
65 struct __om_query_builder : public unary_function<const string&,void> {
66 public:
67 const basic_openid_message& om;
68 string& rv;
69 bool first;
70
71 __om_query_builder(string& rv,const basic_openid_message& om)
72 : om(om), first(true), rv(rv) {
73 for_each(om.fields_begin(),om.fields_end(),*this);
74 }
75 __om_query_builder(string& rv,const basic_openid_message& om,const string& url)
76 : om(om), first(true), rv(rv) {
77 rv = url;
78 if(rv.find('?')==string::npos)
79 rv += '?';
80 else
81 first = false;
82 for_each(om.fields_begin(),om.fields_end(),*this);
83 }
84
85 result_type operator()(argument_type f) {
86 if(first)
87 first = false;
88 else
89 rv += '&';
90 rv += "openid."; rv+= f;
91 rv += '=';
92 rv += util::url_encode(om.get_field(f));
93 }
94 };
95
96 string basic_openid_message::append_query(const string& url) const {
97 string rv;
98 return __om_query_builder(rv,*this,url).rv;
99 }
100 string basic_openid_message::query_string() const {
101 string rv;
102 return __om_query_builder(rv,*this).rv;
103 }
104
105 void basic_openid_message::reset_fields() {
106 throw not_implemented(OPKELE_CP_ "reset_fields() not implemented");
107 }
108 void basic_openid_message::set_field(const string& n,const string& v) {
109 throw not_implemented(OPKELE_CP_ "set_field() not implemented");
110 }
111 void basic_openid_message::reset_field(const string& n) {
112 throw not_implemented(OPKELE_CP_ "reset_field() not implemented");
113 }
114
115 void basic_openid_message::from_keyvalues(const string& kv) {
116 reset_fields();
117 string::size_type p = 0;
118 while(true) {
119 string::size_type co = kv.find(':',p);
120 if(co==string::npos)
121 break;
122#ifndef POSTELS_LAW
123 string::size_type nl = kv.find('\n',co+1);
124 if(nl==string::npos)
125 throw bad_input(OPKELE_CP_ "malformed input");
126 if(nl>co)
127 insert(value_type(kv.substr(p,co-p),kv.substr(co+1,nl-co-1)));
128 p = nl+1;
129#else /* POSTELS_LAW */
130 string::size_type lb = kv.find_first_of("\r\n",co+1);
131 if(lb==string::npos) {
132 set_field(kv.substr(p,co-p),kv.substr(co+1));
133 break;
134 }
135 if(lb>co)
136 set_field(kv.substr(p,co-p),kv.substr(co+1,lb-co-1));
137 string::size_type nolb = kv.find_first_not_of("\r\n",lb);
138 if(nolb==string::npos)
139 break;
140 p = nolb;
141#endif /* POSTELS_LAW */
142 }
143 }
144
145 void basic_openid_message::add_to_signed(const string& fields) {
146 string::size_type fnc = fields.find_first_not_of(",");
147 if(fnc==string::npos)
148 throw bad_input(OPKELE_CP_ "Trying to add nothing in particular to the list of signed fields");
149 string signeds;
150 try {
151 signeds = get_field("signed");
152 string::size_type lnc = signeds.find_last_not_of(",");
153 if(lnc==string::npos)
154 signeds.assign(fields,fnc,fields.size()-fnc);
155 else{
156 string::size_type ss = signeds.size();
157 if(lnc==(ss-1)) {
158 signeds+= ',';
159 signeds.append(fields,fnc,fields.size()-fnc);
160 }else{
161 if(lnc<(ss-2))
162 signeds.replace(lnc+2,ss-lnc-2,
163 fields,fnc,fields.size()-fnc);
164 else
165 signeds.append(fields,fnc,fields.size()-fnc);
166 }
167 }
168 }catch(failed_lookup&) {
169 signeds.assign(fields,fnc,fields.size()-fnc);
170 }
171 set_field("signed",signeds);
172 }
173
174 string basic_openid_message::find_ns(const string& uri,const char *pfx) const {
175 if(has_field("ns"))
176 return get_ns(uri);
177 return pfx;
178 }
179 string basic_openid_message::allocate_ns(const string& uri,const char *pfx) {
180 if(!has_field("ns"))
181 return pfx;
182 if(has_ns(uri))
183 throw bad_input(OPKELE_CP_ "OpenID message already contains namespace");
184 string rv = pfx;
185 if(has_field("ns."+rv)) {
186 string::reference c=rv[rv.length()];
187 for(c='a';c<='z' && has_field("ns."+rv);++c);
188 if(c=='z')
189 throw exception(OPKELE_CP_ "Failed to allocate namespace");
190 }
191 set_field("ns."+rv,uri);
192 return rv;
193 }
194
195 void openid_message_t::copy_to(basic_openid_message& x) const {
196 x.reset_fields();
197 for(const_iterator i=begin();i!=end();++i)
198 x.set_field(i->first,i->second);
199 }
200
201 bool openid_message_t::has_field(const string& n) const {
202 return find(n)!=end();
203 }
204 const string& openid_message_t::get_field(const string& n) const {
205 const_iterator i=find(n);
206 if(i==end())
207 throw failed_lookup(OPKELE_CP_ n+": no such field");
208 return i->second;
209 }
210
211 openid_message_t::fields_iterator openid_message_t::fields_begin() const {
212 return util::map_keys_iterator<const_iterator,string,const string&,const string*>(begin(),end());
213 }
214 openid_message_t::fields_iterator openid_message_t::fields_end() const {
215 return util::map_keys_iterator<const_iterator,string,const string&,const string*>(end(),end());
216 }
217
218 void openid_message_t::reset_fields() {
219 clear();
220 }
221 void openid_message_t::set_field(const string& n,const string& v) {
222 insert(value_type(n,v));
223 }
224 void openid_message_t::reset_field(const string& n) {
225 erase(n);
226 }
227
228}
diff --git a/lib/params.cc b/lib/params.cc
index 7a572c1..6805516 100644
--- a/lib/params.cc
+++ b/lib/params.cc
@@ -1,121 +1,30 @@
1#include <opkele/types.h> 1#include <opkele/types.h>
2#include <opkele/exception.h> 2#include <opkele/exception.h>
3#include <opkele/util.h> 3#include <opkele/util.h>
4#include <openssl/sha.h> 4#include <openssl/sha.h>
5#include <openssl/hmac.h> 5#include <openssl/hmac.h>
6 6
7#include "config.h" 7#include "config.h"
8 8
9namespace opkele { 9namespace opkele {
10 using namespace std; 10 using namespace std;
11 11
12 bool params_t::has_param(const string& n) const {
13 return find(n)!=end();
14 }
15 const string& params_t::get_param(const string& n) const {
16 const_iterator i = find(n);
17 if(i==end())
18 throw failed_lookup(OPKELE_CP_ n+": no such parameter");
19 return i->second;
20 }
21 string& params_t::get_param(const string& n) {
22 iterator i = find(n);
23 if(i==end())
24 throw failed_lookup(OPKELE_CP_ n+": no such parameter");
25 return i->second;
26 }
27
28 void params_t::parse_keyvalues(const string& kv) {
29 clear();
30 string::size_type p = 0;
31 while(true) {
32 string::size_type co = kv.find(':',p);
33 if(co==string::npos)
34 break;
35#ifndef POSTELS_LAW
36 string::size_type nl = kv.find('\n',co+1);
37 if(nl==string::npos)
38 throw bad_input(OPKELE_CP_ "malformed input");
39 if(nl>co)
40 insert(value_type(kv.substr(p,co-p),kv.substr(co+1,nl-co-1)));
41 p = nl+1;
42#else /* POSTELS_LAW */
43 string::size_type lb = kv.find_first_of("\r\n",co+1);
44 if(lb==string::npos) {
45 insert(value_type(kv.substr(p,co-p),kv.substr(co+1)));
46 break;
47 }
48 if(lb>co)
49 insert(value_type(kv.substr(p,co-p),kv.substr(co+1,lb-co-1)));
50 string::size_type nolb = kv.find_first_not_of("\r\n",lb);
51 if(nolb==string::npos)
52 break;
53 p = nolb;
54#endif /* POSTELS_LAW */
55 }
56 }
57
58 void params_t::sign(secret_t secret,string& sig,const string& slist,const char *prefix) const {
59 string kv;
60 string::size_type p = 0;
61 while(true) {
62 string::size_type co = slist.find(',',p);
63 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
64 kv += f;
65 kv += ':';
66 if(prefix) f.insert(0,prefix);
67 kv += get_param(f);
68 kv += '\n';
69 if(co==string::npos)
70 break;
71 p = co+1;
72 }
73 unsigned int md_len = 0;
74 unsigned char *md = HMAC(
75 EVP_sha1(),
76 &(secret.front()),secret.size(),
77 (const unsigned char *)kv.data(),kv.length(),
78 0,&md_len);
79 sig = util::encode_base64(md,md_len);
80 }
81
82 string params_t::append_query(const string& url,const char *prefix) const { 12 string params_t::append_query(const string& url,const char *prefix) const {
83 string rv = url; 13 string rv = url;
84 bool p = true; 14 bool p = true;
85 if(rv.find('?')==string::npos) { 15 if(rv.find('?')==string::npos) {
86 rv += '?'; 16 rv += '?'; p = false; }
87 p = false; 17 for(fields_iterator i=fields_begin();i!=fields_end();++i) {
88 }
89 for(const_iterator i=begin();i!=end();++i) {
90 if(p) 18 if(p)
91 rv += '&'; 19 rv += '&';
92 else 20 else
93 p = true; 21 p = true;
94 rv += prefix; 22 if(prefix) rv += prefix;
95 rv += i->first; 23 rv += *i;
96 rv += '='; 24 rv += '=';
97 rv += util::url_encode(i->second); 25 rv += util::url_encode(get_field(*i));
98 } 26 }
99 return rv; 27 return rv;
100 } 28 }
101 29
102 string params_t::query_string(const char *prefix) const {
103 string rv;
104 for(const_iterator i=begin();i!=end();++i) {
105 if(!rv.empty())
106 rv += '&';
107 rv += prefix;
108 rv += i->first;
109 rv += '=';
110 rv += util::url_encode(i->second);
111 }
112 return rv;
113 }
114
115 ostream& operator << (ostream& o,const params_t& p) {
116 for(params_t::const_iterator i=p.begin();i!=p.end();++i)
117 o << i->first << ':' << i->second << '\n';
118 return o;
119 }
120
121} 30}
diff --git a/lib/prequeue_rp.cc b/lib/prequeue_rp.cc
new file mode 100644
index 0000000..e242f87
--- a/dev/null
+++ b/lib/prequeue_rp.cc
@@ -0,0 +1,81 @@
1#include <iostream>
2#include <openssl/sha.h>
3#include <openssl/hmac.h>
4#include <opkele/exception.h>
5#include <opkele/prequeue_rp.h>
6#include <opkele/discovery.h>
7#include <opkele/uris.h>
8#include <opkele/data.h>
9#include <opkele/util.h>
10#include <opkele/curl.h>
11#include <opkele/debug.h>
12
13namespace opkele {
14
15 class __OP_verifier_good_input : public exception {
16 public:
17 __OP_verifier_good_input(OPKELE_E_PARS)
18 : exception(OPKELE_E_CONS) { }
19 };
20
21 class OP_verifier : public iterator<output_iterator_tag,openid_endpoint_t,void> {
22 public:
23 const string& OP;
24 const string& id;
25
26 OP_verifier(const string& o,const string& i)
27 : OP(o), id(i) { }
28
29 OP_verifier& operator*() { return *this; }
30 OP_verifier& operator=(const openid_endpoint_t& oep) {
31 if(oep.uri==OP) {
32 if(oep.claimed_id==IDURI_SELECT20
33 || oep.local_id==IDURI_SELECT20 )
34 throw bad_input(OPKELE_CP_ "claimed_id is an OP-Id");
35 if(oep.local_id==id)
36 throw __OP_verifier_good_input(OPKELE_CP_ "Found corresponding endpoint");
37 }
38 return *this;
39 }
40
41 OP_verifier& operator++() { return *this; }
42 OP_verifier& operator++(int) { return *this; }
43 };
44
45 void prequeue_RP::verify_OP(const string& OP,const string& claimed_id,const string& identity) const {
46 try {
47 idiscover(OP_verifier(OP,identity),claimed_id);
48 throw id_res_unauthorized(OPKELE_CP_
49 "OP is not authorized to make an assertion regarding the identity");
50 }catch(__OP_verifier_good_input& ovgi) {
51 }
52 }
53
54 class endpoint_queuer : public iterator<output_iterator_tag,openid_endpoint_t,void> {
55 public:
56 prequeue_RP& rp;
57
58 endpoint_queuer(prequeue_RP& rp) : rp(rp) { }
59
60 endpoint_queuer& operator*() { return *this; }
61 endpoint_queuer& operator=(const openid_endpoint_t& oep) {
62 rp.queue_endpoint(oep); return *this; }
63
64 endpoint_queuer& operator++() { return *this; }
65 endpoint_queuer& operator++(int) { return *this; }
66 };
67
68 void prequeue_RP::initiate(const string& usi) {
69 begin_queueing();
70 set_normalized_id( idiscover(endpoint_queuer(*this),usi) );
71 end_queueing();
72 }
73
74 void prequeue_RP::set_normalized_id(const string& nid) {
75 }
76
77 const string prequeue_RP::get_normalized_id() const {
78 throw not_implemented(OPKELE_CP_ "get_normalized_id() is not implemented");
79 }
80
81}
diff --git a/lib/server.cc b/lib/server.cc
index 282521e..776f1ae 100644
--- a/lib/server.cc
+++ b/lib/server.cc
@@ -64,97 +64,97 @@ namespace opkele {
64 break; 64 break;
65 default: 65 default:
66 secret.to_base64(pout["mac_key"]); 66 secret.to_base64(pout["mac_key"]);
67 break; 67 break;
68 } 68 }
69 } 69 }
70 70
71 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 71 void server_t::checkid_immediate(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
72 checkid_(mode_checkid_immediate,pin,return_to,pout,ext); 72 checkid_(mode_checkid_immediate,pin,return_to,pout,ext);
73 } 73 }
74 74
75 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 75 void server_t::checkid_setup(const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
76 checkid_(mode_checkid_setup,pin,return_to,pout,ext); 76 checkid_(mode_checkid_setup,pin,return_to,pout,ext);
77 } 77 }
78 78
79 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) { 79 void server_t::checkid_(mode_t mode,const params_t& pin,string& return_to,params_t& pout,extension_t *ext) {
80 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup) 80 if(mode!=mode_checkid_immediate && mode!=mode_checkid_setup)
81 throw bad_input(OPKELE_CP_ "invalid checkid_* mode"); 81 throw bad_input(OPKELE_CP_ "invalid checkid_* mode");
82 pout.clear(); 82 pout.clear();
83 assoc_t assoc; 83 assoc_t assoc;
84 try { 84 try {
85 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 85 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
86 }catch(failed_lookup& fl) { 86 }catch(failed_lookup& fl) {
87 // no handle specified or no valid handle found, going dumb 87 // no handle specified or no valid handle found, going dumb
88 assoc = alloc_assoc(mode_checkid_setup); 88 assoc = alloc_assoc(mode_checkid_setup);
89 if(pin.has_param("openid.assoc_handle")) 89 if(pin.has_param("openid.assoc_handle"))
90 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle"); 90 pout["invalidate_handle"]=pin.get_param("openid.assoc_handle");
91 } 91 }
92 string trust_root; 92 string trust_root;
93 try { 93 try {
94 trust_root = pin.get_param("openid.trust_root"); 94 trust_root = pin.get_param("openid.trust_root");
95 }catch(failed_lookup& fl) { } 95 }catch(failed_lookup& fl) { }
96 string identity = pin.get_param("openid.identity"); 96 string identity = pin.get_param("openid.identity");
97 return_to = pin.get_param("openid.return_to"); 97 return_to = pin.get_param("openid.return_to");
98 validate(*assoc,pin,identity,trust_root); 98 validate(*assoc,pin,identity,trust_root);
99 pout["mode"] = "id_res"; 99 pout["mode"] = "id_res";
100 pout["assoc_handle"] = assoc->handle(); 100 pout["assoc_handle"] = assoc->handle();
101 if(pin.has_param("openid.assoc_handle") && assoc->stateless()) 101 if(pin.has_param("openid.assoc_handle") && assoc->stateless())
102 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle"); 102 pout["invalidate_handle"] = pin.get_param("openid.assoc_handle");
103 pout["identity"] = identity; 103 pout["identity"] = identity;
104 pout["return_to"] = return_to; 104 pout["return_to"] = return_to;
105 /* TODO: eventually remove deprecated stuff */ 105 /* TODO: eventually remove deprecated stuff */
106 time_t now = time(0); 106 time_t now = time(0);
107 pout["issued"] = util::time_to_w3c(now); 107 pout["issued"] = util::time_to_w3c(now);
108 pout["valid_to"] = util::time_to_w3c(now+120); 108 pout["valid_to"] = util::time_to_w3c(now+120);
109 pout["exipres_in"] = "120"; 109 pout["exipres_in"] = "120";
110 pout["signed"]="mode,identity,return_to"; 110 pout["signed"]="mode,identity,return_to";
111 if(ext) ext->checkid_hook(pin,pout); 111 if(ext) ext->checkid_hook(pin,pout);
112 pout.sign(assoc->secret(),pout["sig"],pout["signed"]); 112 pout["sig"] = util::base64_signature(assoc,pout);
113 } 113 }
114 114
115 void server_t::check_authentication(const params_t& pin,params_t& pout) { 115 void server_t::check_authentication(const params_t& pin,params_t& pout) {
116 vector<unsigned char> sig; 116 vector<unsigned char> sig;
117 const string& sigenc = pin.get_param("openid.sig"); 117 const string& sigenc = pin.get_param("openid.sig");
118 util::decode_base64(sigenc,sig); 118 util::decode_base64(sigenc,sig);
119 assoc_t assoc; 119 assoc_t assoc;
120 try { 120 try {
121 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle")); 121 assoc = retrieve_assoc(pin.get_param("openid.assoc_handle"));
122 }catch(failed_lookup& fl) { 122 }catch(failed_lookup& fl) {
123 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified"); 123 throw failed_assertion(OPKELE_CP_ "invalid handle or handle not specified");
124 } 124 }
125 if(!assoc->stateless()) 125 if(!assoc->stateless())
126 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle"); 126 throw stateful_handle(OPKELE_CP_ "will not do check_authentication on a stateful handle");
127 const string& slist = pin.get_param("openid.signed"); 127 const string& slist = pin.get_param("openid.signed");
128 string kv; 128 string kv;
129 string::size_type p =0; 129 string::size_type p =0;
130 while(true) { 130 while(true) {
131 string::size_type co = slist.find(',',p); 131 string::size_type co = slist.find(',',p);
132 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); 132 string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p);
133 kv += f; 133 kv += f;
134 kv += ':'; 134 kv += ':';
135 if(f=="mode") 135 if(f=="mode")
136 kv += "id_res"; 136 kv += "id_res";
137 else { 137 else {
138 f.insert(0,"openid."); 138 f.insert(0,"openid.");
139 kv += pin.get_param(f); 139 kv += pin.get_param(f);
140 } 140 }
141 kv += '\n'; 141 kv += '\n';
142 if(co==string::npos) 142 if(co==string::npos)
143 break; 143 break;
144 p = co+1; 144 p = co+1;
145 } 145 }
146 secret_t secret = assoc->secret(); 146 secret_t secret = assoc->secret();
147 unsigned int md_len = 0; 147 unsigned int md_len = 0;
148 unsigned char *md = HMAC( 148 unsigned char *md = HMAC(
149 EVP_sha1(), 149 EVP_sha1(),
150 &(secret.front()),secret.size(), 150 &(secret.front()),secret.size(),
151 (const unsigned char *)kv.data(),kv.length(), 151 (const unsigned char *)kv.data(),kv.length(),
152 0,&md_len); 152 0,&md_len);
153 pout.clear(); 153 pout.clear();
154 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) { 154 if(sig.size()==md_len && !memcmp(&(sig.front()),md,md_len)) {
155 pout["is_valid"]="true"; 155 pout["is_valid"]="true";
156 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */ 156 pout["lifetime"]="60"; /* TODO: eventually remove deprecated stuff */
157 }else{ 157 }else{
158 pout["is_valid"]="false"; 158 pout["is_valid"]="false";
159 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */ 159 pout["lifetime"]="0"; /* TODO: eventually remove deprecated stuff */
160 } 160 }
diff --git a/lib/sreg.cc b/lib/sreg.cc
index 03edf57..7e2d588 100644
--- a/lib/sreg.cc
+++ b/lib/sreg.cc
@@ -1,126 +1,140 @@
1#include <opkele/exception.h> 1#include <opkele/exception.h>
2#include <opkele/sreg.h> 2#include <opkele/sreg.h>
3#include <opkele/uris.h> 3#include <opkele/uris.h>
4#include <algorithm> 4#include <algorithm>
5 5
6namespace opkele { 6namespace opkele {
7 using std::find; 7 using std::find;
8 8
9 static const struct _sreg_field { 9 static const struct _sreg_field {
10 const char *fieldname; 10 const char *fieldname;
11 sreg_t::fieldbit_t fieldbit; 11 sreg_t::fieldbit_t fieldbit;
12 }fields[] = { 12 }fields[] = {
13 { "nickname", sreg_t::field_nickname }, 13 { "nickname", sreg_t::field_nickname },
14 { "email", sreg_t::field_email }, 14 { "email", sreg_t::field_email },
15 { "fullname", sreg_t::field_fullname }, 15 { "fullname", sreg_t::field_fullname },
16 { "dob", sreg_t::field_dob }, 16 { "dob", sreg_t::field_dob },
17 { "gender", sreg_t::field_gender }, 17 { "gender", sreg_t::field_gender },
18 { "postcode", sreg_t::field_postcode }, 18 { "postcode", sreg_t::field_postcode },
19 { "country", sreg_t::field_country }, 19 { "country", sreg_t::field_country },
20 { "language", sreg_t::field_language }, 20 { "language", sreg_t::field_language },
21 { "timezone", sreg_t::field_timezone } 21 { "timezone", sreg_t::field_timezone }
22 }; 22 };
23 # define fields_BEGINfields 23 # define fields_BEGINfields
24# define fields_END &fields[sizeof(fields)/sizeof(*fields)] 24# define fields_END &fields[sizeof(fields)/sizeof(*fields)]
25 typedef const struct _sreg_field *fields_iterator; 25 typedef const struct _sreg_field *fields_iterator;
26 26
27 bool operator==(const struct _sreg_field& fd,const string& fn) { 27 bool operator==(const struct _sreg_field& fd,const string& fn) {
28 return fd.fieldname==fn; 28 return fd.fieldname==fn;
29 } 29 }
30 30
31 void sreg_t::checkid_hook(params_t& p,const string& /* identity */) { 31 void sreg_t::checkid_hook(basic_openid_message& om) {
32 string fr, fo; 32 string fr, fo;
33 for(fields_iterator f=fields_BEGIN;f<fields_END;++f) { 33 for(fields_iterator f=fields_BEGIN;f<fields_END;++f) {
34 if(f->fieldbit&fields_required) { 34 if(f->fieldbit&fields_required) {
35 if(!fr.empty()) fr+=","; 35 if(!fr.empty()) fr+=",";
36 fr += f->fieldname; 36 fr += f->fieldname;
37 } 37 }
38 if(f->fieldbit&fields_optional) { 38 if(f->fieldbit&fields_optional) {
39 if(!fo.empty()) fo+=","; 39 if(!fo.empty()) fo+=",";
40 fo += f->fieldname; 40 fo += f->fieldname;
41 } 41 }
42 } 42 }
43 p["ns.sreg"] = OIURI_SREG11; 43 string pfx = om.allocate_ns(OIURI_SREG11,"sreg");
44 if(!fr.empty()) p["sreg.required"]=fr; 44 if(!fr.empty()) om.set_field(pfx+".required",fr);
45 if(!fo.empty()) p["sreg.optional"]=fo; 45 if(!fo.empty()) om.set_field(pfx+".optional",fo);
46 if(!policy_url.empty()) p["sreg.policy_url"]=policy_url; 46 if(!policy_url.empty()) om.set_field(pfx+".policy_url",policy_url);
47 } 47 }
48 48
49 void sreg_t::id_res_hook(const params_t& /* p */,const params_t& sp,const string& /* identity */) { 49 void sreg_t::id_res_hook(const basic_openid_message& om,const basic_openid_message& sp) {
50 clear(); 50 clear();
51 string pfx;
52 try {
53 pfx = om.find_ns(OIURI_SREG11,"sreg");
54 }catch(failed_lookup& fl) {
55 try {
56 pfx = om.find_ns(OIURI_SREG10,"sreg");
57 }catch(failed_lookup& fl) {
58 return;
59 }
60 }
61 pfx += '.';
51 for(fields_iterator f=fields_BEGIN;f<fields_END;++f) { 62 for(fields_iterator f=fields_BEGIN;f<fields_END;++f) {
52 string fn = "sreg."; fn+=f->fieldname; 63 string fn = pfx; fn+=f->fieldname;
53 if(!sp.has_param(fn)) continue; 64 if(!sp.has_field(fn)) continue;
54 has_fields |= f->fieldbit; 65 has_fields |= f->fieldbit;
55 response[f->fieldbit]=sp.get_param(fn); 66 response[f->fieldbit]=sp.get_field(fn);
56 } 67 }
57 } 68 }
58 69
59 const string& sreg_t::get_field(fieldbit_t fb) const { 70 const string& sreg_t::get_field(fieldbit_t fb) const {
60 response_t::const_iterator i = response.find(fb); 71 response_t::const_iterator i = response.find(fb);
61 if(i==response.end()) 72 if(i==response.end())
62 throw failed_lookup(OPKELE_CP_ "no field data available"); 73 throw failed_lookup(OPKELE_CP_ "no field data available");
63 return i->second; 74 return i->second;
64 } 75 }
65 76
66 void sreg_t::set_field(fieldbit_t fb,const string& fv) { 77 void sreg_t::set_field(fieldbit_t fb,const string& fv) {
67 response[fb] = fv; 78 response[fb] = fv;
68 has_fields |= fb; 79 has_fields |= fb;
69 } 80 }
70 81
71 void sreg_t::reset_field(fieldbit_t fb) { 82 void sreg_t::reset_field(fieldbit_t fb) {
72 has_fields &= ~fb; 83 has_fields &= ~fb;
73 response.erase(fb); 84 response.erase(fb);
74 } 85 }
75 86
76 void sreg_t::clear() { 87 void sreg_t::clear() {
77 has_fields = 0; response.clear(); 88 has_fields = 0; response.clear();
78 } 89 }
79 90
80 static long fields_list_to_bitmask(string& fl) { 91 static long fields_list_to_bitmask(string& fl) {
81 long rv = 0; 92 long rv = 0;
82 while(!fl.empty()) { 93 while(!fl.empty()) {
83 string::size_type co = fl.find(','); 94 string::size_type co = fl.find(',');
84 string fn; 95 string fn;
85 if(co==string::npos) { 96 if(co==string::npos) {
86 fn = fl; fl.erase(); 97 fn = fl; fl.erase();
87 }else{ 98 }else{
88 fn = fl.substr(0,co); fl.erase(0,co+1); 99 fn = fl.substr(0,co); fl.erase(0,co+1);
89 } 100 }
90 fields_iterator f = find(fields_BEGIN,fields_END,fn); 101 fields_iterator f = find(fields_BEGIN,fields_END,fn);
91 if(f!=fields_END) 102 if(f!=fields_END)
92 rv |= f->fieldbit; 103 rv |= f->fieldbit;
93 } 104 }
94 return rv; 105 return rv;
95 } 106 }
96 107
97 void sreg_t::checkid_hook(const params_t& pin,params_t& pout) { 108 void sreg_t::checkid_hook(const basic_openid_message& inm,basic_openid_message& oum) {
109 string ins = inm.find_ns(OIURI_SREG11,"sreg");
98 fields_optional = 0; fields_required = 0; policy_url.erase(); 110 fields_optional = 0; fields_required = 0; policy_url.erase();
99 fields_response = 0; 111 fields_response = 0;
100 try { 112 try {
101 string fl = pin.get_param("openid.sreg.required"); 113 string fl = inm.get_field(ins+".required");
102 fields_required = fields_list_to_bitmask(fl); 114 fields_required = fields_list_to_bitmask(fl);
103 }catch(failed_lookup&) { } 115 }catch(failed_lookup&) { }
104 try { 116 try {
105 string fl = pin.get_param("openid.sreg.optional"); 117 string fl = inm.get_field(ins+".optional");
106 fields_optional = fields_list_to_bitmask(fl); 118 fields_optional = fields_list_to_bitmask(fl);
107 }catch(failed_lookup&) { } 119 }catch(failed_lookup&) { }
108 try { 120 try {
109 policy_url = pin.get_param("openid.sreg.policy_url"); 121 policy_url = inm.get_field(ins+".policy_url");
110 }catch(failed_lookup&) { } 122 }catch(failed_lookup&) { }
111 setup_response(pin,pout); 123 setup_response(inm,oum);
124 string ons = oum.allocate_ns(OIURI_SREG11,"sreg");
112 fields_response &= has_fields; 125 fields_response &= has_fields;
126 string signeds = "ns."+ons;
113 for(fields_iterator f=fields_BEGIN;f<fields_END;++f) { 127 for(fields_iterator f=fields_BEGIN;f<fields_END;++f) {
114 if(!(f->fieldbit&fields_response)) continue; 128 if(!(f->fieldbit&fields_response)) continue;
115 if(!pout["signed"].empty()) 129 signeds +=',';
116 pout["signed"] +=','; 130 string pn = ons; pn += '.'; pn += f->fieldname;
117 string pn = "sreg."; pn += f->fieldname; 131 signeds += pn;
118 pout["signed"] += pn; 132 oum.set_field(pn,get_field(f->fieldbit));
119 pout[pn] = get_field(f->fieldbit);
120 } 133 }
134 oum.add_to_signed(signeds);
121 } 135 }
122 136
123 void sreg_t::setup_response(const params_t& /* pin */,params_t& /* pout */) { 137 void sreg_t::setup_response(const basic_openid_message& /* inm */,basic_openid_message& /* oum */) {
124 fields_response = (fields_required|fields_optional)&has_fields; 138 fields_response = (fields_required|fields_optional)&has_fields;
125 } 139 }
126} 140}
diff --git a/lib/util.cc b/lib/util.cc
index a9b9bed..54d6535 100644
--- a/lib/util.cc
+++ b/lib/util.cc
@@ -1,61 +1,67 @@
1#include <errno.h> 1#include <errno.h>
2#include <cassert> 2#include <cassert>
3#include <cctype> 3#include <cctype>
4#include <cstring> 4#include <cstring>
5#include <vector> 5#include <vector>
6#include <string> 6#include <string>
7#include <stack> 7#include <stack>
8#include <openssl/bio.h> 8#include <openssl/bio.h>
9#include <openssl/evp.h> 9#include <openssl/evp.h>
10#include <openssl/hmac.h>
10#include <curl/curl.h> 11#include <curl/curl.h>
11#include "opkele/util.h" 12#include "opkele/util.h"
12#include "opkele/exception.h" 13#include "opkele/exception.h"
13 14
15#include <config.h>
16#ifdef HAVE_DEMANGLE
17# include <cxxabi.h>
18#endif
19
14namespace opkele { 20namespace opkele {
15 using namespace std; 21 using namespace std;
16 22
17 namespace util { 23 namespace util {
18 24
19 /* 25 /*
20 * base64 26 * base64
21 */ 27 */
22 string encode_base64(const void *data,size_t length) { 28 string encode_base64(const void *data,size_t length) {
23 BIO *b64 = 0, *bmem = 0; 29 BIO *b64 = 0, *bmem = 0;
24 try { 30 try {
25 b64 = BIO_new(BIO_f_base64()); 31 b64 = BIO_new(BIO_f_base64());
26 if(!b64) 32 if(!b64)
27 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder"); 33 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 encoder");
28 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); 34 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
29 bmem = BIO_new(BIO_s_mem()); 35 bmem = BIO_new(BIO_s_mem());
30 BIO_set_flags(b64,BIO_CLOSE); 36 BIO_set_flags(b64,BIO_CLOSE);
31 if(!bmem) 37 if(!bmem)
32 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer"); 38 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() memory buffer");
33 BIO_push(b64,bmem); 39 BIO_push(b64,bmem);
34 if(((size_t)BIO_write(b64,data,length))!=length) 40 if(((size_t)BIO_write(b64,data,length))!=length)
35 throw exception_openssl(OPKELE_CP_ "failed to BIO_write()"); 41 throw exception_openssl(OPKELE_CP_ "failed to BIO_write()");
36 if(BIO_flush(b64)!=1) 42 if(BIO_flush(b64)!=1)
37 throw exception_openssl(OPKELE_CP_ "failed to BIO_flush()"); 43 throw exception_openssl(OPKELE_CP_ "failed to BIO_flush()");
38 char *rvd; 44 char *rvd;
39 long rvl = BIO_get_mem_data(bmem,&rvd); 45 long rvl = BIO_get_mem_data(bmem,&rvd);
40 string rv(rvd,rvl); 46 string rv(rvd,rvl);
41 BIO_free_all(b64); 47 BIO_free_all(b64);
42 return rv; 48 return rv;
43 }catch(...) { 49 }catch(...) {
44 if(b64) BIO_free_all(b64); 50 if(b64) BIO_free_all(b64);
45 throw; 51 throw;
46 } 52 }
47 } 53 }
48 54
49 void decode_base64(const string& data,vector<unsigned char>& rv) { 55 void decode_base64(const string& data,vector<unsigned char>& rv) {
50 BIO *b64 = 0, *bmem = 0; 56 BIO *b64 = 0, *bmem = 0;
51 rv.clear(); 57 rv.clear();
52 try { 58 try {
53 bmem = BIO_new_mem_buf((void*)data.data(),data.size()); 59 bmem = BIO_new_mem_buf((void*)data.data(),data.size());
54 if(!bmem) 60 if(!bmem)
55 throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()"); 61 throw exception_openssl(OPKELE_CP_ "failed to BIO_new_mem_buf()");
56 b64 = BIO_new(BIO_f_base64()); 62 b64 = BIO_new(BIO_f_base64());
57 if(!b64) 63 if(!b64)
58 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder"); 64 throw exception_openssl(OPKELE_CP_ "failed to BIO_new() base64 decoder");
59 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL); 65 BIO_set_flags(b64,BIO_FLAGS_BASE64_NO_NL);
60 BIO_push(b64,bmem); 66 BIO_push(b64,bmem);
61 unsigned char tmp[512]; 67 unsigned char tmp[512];
@@ -160,98 +166,97 @@ namespace opkele {
160 int r=snprintf(rv,sizeof(rv),"%ld",l); 166 int r=snprintf(rv,sizeof(rv),"%ld",l);
161 if(r<0 || r>=(int)sizeof(rv)) 167 if(r<0 || r>=(int)sizeof(rv))
162 throw failed_conversion(OPKELE_CP_ "failed to snprintf()"); 168 throw failed_conversion(OPKELE_CP_ "failed to snprintf()");
163 return rv; 169 return rv;
164 } 170 }
165 171
166 long string_to_long(const string& s) { 172 long string_to_long(const string& s) {
167 char *endptr = 0; 173 char *endptr = 0;
168 long rv = strtol(s.c_str(),&endptr,10); 174 long rv = strtol(s.c_str(),&endptr,10);
169 if((!endptr) || endptr==s.c_str()) 175 if((!endptr) || endptr==s.c_str())
170 throw failed_conversion(OPKELE_CP_ "failed to strtol()"); 176 throw failed_conversion(OPKELE_CP_ "failed to strtol()");
171 return rv; 177 return rv;
172 } 178 }
173 179
174 /* 180 /*
175 * Normalize URL according to the rules, described in rfc 3986, section 6 181 * Normalize URL according to the rules, described in rfc 3986, section 6
176 * 182 *
177 * - uppercase hex triplets (e.g. %ab -> %AB) 183 * - uppercase hex triplets (e.g. %ab -> %AB)
178 * - lowercase scheme and host 184 * - lowercase scheme and host
179 * - decode %-encoded characters, specified as unreserved in rfc 3986, section 2.3, 185 * - decode %-encoded characters, specified as unreserved in rfc 3986, section 2.3,
180 * that is - [:alpha:][:digit:]._~- 186 * that is - [:alpha:][:digit:]._~-
181 * - remove dot segments 187 * - remove dot segments
182 * - remove empty and default ports 188 * - remove empty and default ports
183 * - if there's no path component, add '/' 189 * - if there's no path component, add '/'
184 */ 190 */
185 string rfc_3986_normalize_uri(const string& uri) { 191 string rfc_3986_normalize_uri(const string& uri) {
186 static const char *whitespace = " \t\r\n"; 192 static const char *whitespace = " \t\r\n";
187 string rv; 193 string rv;
188 string::size_type ns = uri.find_first_not_of(whitespace); 194 string::size_type ns = uri.find_first_not_of(whitespace);
189 if(ns==string::npos) 195 if(ns==string::npos)
190 throw bad_input(OPKELE_CP_ "Can't normalize empty URI"); 196 throw bad_input(OPKELE_CP_ "Can't normalize empty URI");
191 string::size_type colon = uri.find(':',ns); 197 string::size_type colon = uri.find(':',ns);
192 if(colon==string::npos) 198 if(colon==string::npos)
193 throw bad_input(OPKELE_CP_ "No scheme specified in URI"); 199 throw bad_input(OPKELE_CP_ "No scheme specified in URI");
194 transform( 200 transform(
195 uri.begin()+ns, uri.begin()+colon+1, 201 uri.begin()+ns, uri.begin()+colon+1,
196 back_inserter(rv), ::tolower ); 202 back_inserter(rv), ::tolower );
197 bool s; 203 bool s;
198 string::size_type ul = uri.find_last_not_of(whitespace)+1; 204 string::size_type ul = uri.find_last_not_of(whitespace)+1;
199 if(ul <= (colon+3)) 205 if(ul <= (colon+3))
200 throw bad_input(OPKELE_CP_ "Unexpected end of URI being normalized encountered"); 206 throw bad_input(OPKELE_CP_ "Unexpected end of URI being normalized encountered");
201 if(uri[colon+1]!='/' || uri[colon+2]!='/') 207 if(uri[colon+1]!='/' || uri[colon+2]!='/')
202 throw bad_input(OPKELE_CP_ "Unexpected input in URI being normalized after scheme component"); 208 throw bad_input(OPKELE_CP_ "Unexpected input in URI being normalized after scheme component");
203 if(rv=="http:") 209 if(rv=="http:")
204 s = false; 210 s = false;
205 else if(rv=="https:") 211 else if(rv=="https:")
206 s = true; 212 s = true;
207 else{ 213 else{
208 /* TODO: support more schemes. 214 /* TODO: support more schemes. e.g. xri. How do we normalize
209 * e.g. xri. How do we normalize
210 * xri? 215 * xri?
211 */ 216 */
212 rv.append(uri,colon+1,ul-colon-1); 217 rv.append(uri,colon+1,ul-colon-1);
213 return rv; 218 return rv;
214 } 219 }
215 rv += "//"; 220 rv += "//";
216 string::size_type interesting = uri.find_first_of(":/#?",colon+3); 221 string::size_type interesting = uri.find_first_of(":/#?",colon+3);
217 if(interesting==string::npos) { 222 if(interesting==string::npos) {
218 transform( 223 transform(
219 uri.begin()+colon+3,uri.begin()+ul, 224 uri.begin()+colon+3,uri.begin()+ul,
220 back_inserter(rv), ::tolower ); 225 back_inserter(rv), ::tolower );
221 rv += '/'; return rv; 226 rv += '/'; return rv;
222 } 227 }
223 transform( 228 transform(
224 uri.begin()+colon+3,uri.begin()+interesting, 229 uri.begin()+colon+3,uri.begin()+interesting,
225 back_inserter(rv), ::tolower ); 230 back_inserter(rv), ::tolower );
226 bool qf = false; 231 bool qf = false;
227 char ic = uri[interesting]; 232 char ic = uri[interesting];
228 if(ic==':') { 233 if(ic==':') {
229 string::size_type ni = uri.find_first_of("/#?%",interesting+1); 234 string::size_type ni = uri.find_first_of("/#?%",interesting+1);
230 const char *nptr = uri.data()+interesting+1; 235 const char *nptr = uri.data()+interesting+1;
231 char *eptr = 0; 236 char *eptr = 0;
232 long port = strtol(nptr,&eptr,10); 237 long port = strtol(nptr,&eptr,10);
233 if( (port>0) && (port<65535) && port!=(s?443:80) ) { 238 if( (port>0) && (port<65535) && port!=(s?443:80) ) {
234 char tmp[8]; 239 char tmp[8];
235 snprintf(tmp,sizeof(tmp),":%ld",port); 240 snprintf(tmp,sizeof(tmp),":%ld",port);
236 rv += tmp; 241 rv += tmp;
237 } 242 }
238 if(ni==string::npos) { 243 if(ni==string::npos) {
239 rv += '/'; return rv; 244 rv += '/'; return rv;
240 } 245 }
241 interesting = ni; 246 interesting = ni;
242 }else if(ic!='/') { 247 }else if(ic!='/') {
243 rv += '/'; rv += ic; 248 rv += '/'; rv += ic;
244 qf = true; 249 qf = true;
245 ++interesting; 250 ++interesting;
246 } 251 }
247 string::size_type n = interesting; 252 string::size_type n = interesting;
248 char tmp[3] = { 0,0,0 }; 253 char tmp[3] = { 0,0,0 };
249 stack<string::size_type> psegs; psegs.push(rv.length()); 254 stack<string::size_type> psegs; psegs.push(rv.length());
250 string pseg; 255 string pseg;
251 for(;n<ul;) { 256 for(;n<ul;) {
252 string::size_type unsafe = uri.find_first_of(qf?"%":"%/?#",n); 257 string::size_type unsafe = uri.find_first_of(qf?"%":"%/?#",n);
253 if(unsafe==string::npos) { 258 if(unsafe==string::npos) {
254 pseg.append(uri,n,ul-n-1); n = ul-1; 259 pseg.append(uri,n,ul-n-1); n = ul-1;
255 }else{ 260 }else{
256 pseg.append(uri,n,unsafe-n); 261 pseg.append(uri,n,unsafe-n);
257 n = unsafe; 262 n = unsafe;
@@ -266,51 +271,113 @@ namespace opkele {
266 throw bad_input(OPKELE_CP_ "Invalid percent-encoded character in URI being normalized"); 271 throw bad_input(OPKELE_CP_ "Invalid percent-encoded character in URI being normalized");
267 int cc = strtol(tmp,0,16); 272 int cc = strtol(tmp,0,16);
268 if( isalpha(cc) || isdigit(cc) || strchr("._~-",cc) ) 273 if( isalpha(cc) || isdigit(cc) || strchr("._~-",cc) )
269 pseg += cc; 274 pseg += cc;
270 else{ 275 else{
271 pseg += '%'; 276 pseg += '%';
272 pseg += toupper(tmp[0]); pseg += toupper(tmp[1]); 277 pseg += toupper(tmp[0]); pseg += toupper(tmp[1]);
273 } 278 }
274 }else if(qf) { 279 }else if(qf) {
275 rv += pseg; rv += c; 280 rv += pseg; rv += c;
276 pseg.clear(); 281 pseg.clear();
277 }else if(n>=ul || strchr("?/#",c)) { 282 }else if(n>=ul || strchr("?/#",c)) {
278 if(pseg.empty() || pseg==".") { 283 if(pseg.empty() || pseg==".") {
279 }else if(pseg=="..") { 284 }else if(pseg=="..") {
280 if(psegs.size()>1) { 285 if(psegs.size()>1) {
281 rv.resize(psegs.top()); psegs.pop(); 286 rv.resize(psegs.top()); psegs.pop();
282 } 287 }
283 }else{ 288 }else{
284 psegs.push(rv.length()); 289 psegs.push(rv.length());
285 if(c!='/') { 290 if(c!='/') {
286 pseg += c; 291 pseg += c;
287 qf = true; 292 qf = true;
288 } 293 }
289 rv += '/'; rv += pseg; 294 rv += '/'; rv += pseg;
290 } 295 }
291 if(c=='/' && (n>=ul || strchr("?#",uri[n])) ) { 296 if(c=='/' && (n>=ul || strchr("?#",uri[n])) ) {
292 rv += '/'; 297 rv += '/';
293 if(n<ul) 298 if(n<ul)
294 qf = true; 299 qf = true;
295 }else if(strchr("?#",c)) { 300 }else if(strchr("?#",c)) {
296 if(psegs.size()==1 && psegs.top()==rv.length()) 301 if(psegs.size()==1 && psegs.top()==rv.length())
297 rv += '/'; 302 rv += '/';
298 if(pseg.empty()) 303 if(pseg.empty())
299 rv += c; 304 rv += c;
300 qf = true; 305 qf = true;
301 } 306 }
302 pseg.clear(); 307 pseg.clear();
303 }else{ 308 }else{
304 pseg += c; 309 pseg += c;
305 } 310 }
306 } 311 }
307 if(!pseg.empty()) { 312 if(!pseg.empty()) {
308 if(!qf) rv += '/'; 313 if(!qf) rv += '/';
309 rv += pseg; 314 rv += pseg;
310 } 315 }
311 return rv; 316 return rv;
312 } 317 }
313 318
319 string& strip_uri_fragment_part(string& u) {
320 string::size_type q = u.find('?'), f = u.find('#');
321 if(q==string::npos) {
322 if(f!=string::npos)
323 u.erase(f);
324 }else{
325 if(f!=string::npos) {
326 if(f<q)
327 u.erase(f,q-f);
328 else
329 u.erase(f);
330 }
331 }
332 return u;
333 }
334
335 string abi_demangle(const char *mn) {
336#ifndef HAVE_DEMANGLE
337 return mn;
338#else /* !HAVE_DEMANGLE */
339 int dstat;
340 char *demangled = abi::__cxa_demangle(mn,0,0,&dstat);
341 if(dstat)
342 return mn;
343 string rv = demangled;
344 free(demangled);
345 return rv;
346#endif /* !HAVE_DEMANGLE */
347 }
348
349 string base64_signature(const assoc_t& assoc,const basic_openid_message& om) {
350 const string& slist = om.get_field("signed");
351 string kv;
352 string::size_type p=0;
353 while(true) {
354 string::size_type co = slist.find(',',p);
355 string f = (co==string::npos)
356 ?slist.substr(p):slist.substr(p,co-p);
357 kv += f;
358 kv += ':';
359 kv += om.get_field(f);
360 kv += '\n';
361 if(co==string::npos) break;
362 p = co+1;
363 }
364 const secret_t& secret = assoc->secret();
365 const EVP_MD *evpmd;
366 const string& at = assoc->assoc_type();
367 if(at=="HMAC-SHA256")
368 evpmd = EVP_sha256();
369 else if(at=="HMAC-SHA1")
370 evpmd = EVP_sha1();
371 else
372 throw unsupported(OPKELE_CP_ "unknown association type");
373 unsigned int md_len = 0;
374 unsigned char *md = HMAC(evpmd,
375 &(secret.front()),secret.size(),
376 (const unsigned char*)kv.data(),kv.length(),
377 0,&md_len);
378 return encode_base64(md,md_len);
379 }
380
314 } 381 }
315 382
316} 383}