author | Michael Krelin <hacker@klever.net> | 2008-01-20 21:08:05 (UTC) |
---|---|---|
committer | Michael Krelin <hacker@klever.net> | 2008-01-20 21:08:05 (UTC) |
commit | 9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc (patch) (side-by-side diff) | |
tree | 702473142242e80538c4801cc379ec98fba199dd /include/opkele/basic_rp.h | |
parent | 395a126cbf59b7a50f44da3096b68bab412ab33d (diff) | |
download | libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.zip libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.gz libopkele-9bfb6fadf71c46bf4cb5adabba0c96c32e84c1bc.tar.bz2 |
the whole library rewritten
Signed-off-by: Michael Krelin <hacker@klever.net>
-rw-r--r-- | include/opkele/basic_rp.h | 218 |
1 files changed, 218 insertions, 0 deletions
diff --git a/include/opkele/basic_rp.h b/include/opkele/basic_rp.h new file mode 100644 index 0000000..3f17fd9 --- a/dev/null +++ b/include/opkele/basic_rp.h @@ -0,0 +1,218 @@ +#ifndef __OPKELE_BASIC_RP_H +#define __OPKELE_BASIC_RP_H + +#include <cstring> +#include <string> +#include <opkele/types.h> +#include <opkele/extension.h> + +namespace opkele { + using std::string; + + struct openid_endpoint_t { + string uri; + string claimed_id; + string local_id; + + openid_endpoint_t() { } + openid_endpoint_t(const string& u,const string& cid,const string& lid) + : uri(u), claimed_id(cid), local_id(lid) { } + + bool operator==(const openid_endpoint_t& x) const { + return uri==x.uri && local_id==x.local_id; } + bool operator<(const openid_endpoint_t& x) const { + int c; + return (c=strcmp(uri.c_str(),x.uri.c_str())) + ? (c<0) : (strcmp(local_id.c_str(),x.local_id.c_str())<0); } + }; + + class basic_RP { + public: + + virtual ~basic_RP() { } + + /** + * @name Global persistent store API + * These are functions related to the associations with OP storage + * and retrieval and nonce records. They provide an interface to + * the persistent storage which is shared by all sessions. If the + * implementor prefers the dumb mode instead, the function should + * throw dumb_RP exception instead. + * @see opkele::dumb_RP + * @{ + */ + /** + * Store association and return allocated association object. + * @param OP OP endpoint + * @param handle association handle + * @param type association type + * @param secret association secret + * @params expires_in the number of seconds association expires in + * @return the association object + * @throw dumb_RP for dumb RP + */ + virtual assoc_t store_assoc( + const string& OP,const string& handle, + const string& type,const secret_t& secret, + int expires_in) = 0; + /** + * Find valid unexpired association with an OP. + * @param OP OP endpoint URL + * @return association found + * @throw failed_lookup if no association found + * @throw dumb_RP for dumb RP + */ + virtual assoc_t find_assoc( + const string& OP) = 0; + /** + * Retrieve valid association handle for an OP by handle. + * @param OP OP endpoint URL + * @param handle association handle + * @return association found + * @throw failed_lookup if no association found + * @throw dumb_RP for dumb RP + */ + virtual assoc_t retrieve_assoc( + const string& OP,const string& handle) = 0; + /** + * Invalidate association with OP + * @param OP OP endpoint URL + * @param handle association handle + * @throw dumb_RP for dumb RP + */ + virtual void invalidate_assoc(const string& OP,const string& handle) = 0; + + /** + * Check the nonce validity. That is, check that we haven't + * accepted request with this nonce from this OP, yet. May involve + * cutting off by the timestamp and checking the rest against the + * store of seen nonces. + * @param OP OP endpoint URL + * @param nonce nonce value + * @throw id_res_bad_nonce if the nonce is not to be accepted, i.e. + * either too old or seen. + */ + virtual void check_nonce(const string& OP,const string& nonce) = 0; + /** + * @} + */ + + /** + * @name Session persistent store API + * @{ + */ + /** + * Retrieve OpenID endpoint being currently used for + * authentication. If there is no endpoint available, throw a + * no_endpoint exception. + * @return reference to the service endpoint object + * @see next_endpoint + * @throw no_endpoint if no endpoint available + */ + virtual const openid_endpoint_t& get_endpoint() const = 0; + /** + * Advance to the next endpoint to try. + * @see get_endpoint() + * @throw no_endpoint if there are no more endpoints + */ + virtual void next_endpoint() = 0; + /** + * @} + */ + + /** + * @name Site particulars API + * @{ + */ + /** + * Return an absolute URL of the page being processed, includining + * query parameters. It is used to validate return_to URL on + * positive assertions. + * @return fully qualified url of the page being processed. + */ + virtual const string get_this_url() const = 0; + /** + * @} + */ + + /** + * @name OpenID actions + * @{ + */ + /** + * Initiates authentication session, doing discovery, normalization + * and whatever implementor wants to do at this point. + * @param usi User-supplied identity + */ + virtual void initiate(const string& usi) = 0; + /** + * Prepare checkid_request. + * @param rv reference to the openid message to prepare + * @param mode checkid_setup or checkid_immediate + * @param return_to the URL OP should redirect to after completion + * @param realm authentication realm to pass to OP + * @param ext pointer to extension to use in request preparation + * @return reference to the openid message + */ + basic_openid_message& checkid_( + basic_openid_message& rv, + mode_t mode, + const string& return_to,const string& realm, + extension_t *ext=0); + /** + * Verify assertion at the end of round-trip. + * @param om incoming openid message + * @param ext pointer to extention to use in parsing assertion + * @throw id_res_setup if checkid_immediate request could not be + * completed + * @throw id_res_cancel if authentication request was canceled + * @throw id_res_mismatch in case of signature mismatch + * @throw id_res_bad_return_to if return_to url seems to be + * tampered with + * @throw id_res_unauthorized if OP is not authorized to make + * assertions regarding the identity + */ + void id_res(const basic_openid_message& om,extension_t *ext=0); + + /** + * Establish association with OP + * @param OP OP to establish association with + * @throw dumb_RP if for a dumb RP + */ + virtual assoc_t associate(const string& OP); + /** + * Check authentication with OP and invalidate handle if requested + * and confirmed + * @param OP OP to check with + * @param om message to check + * @throw failed_check_authentication if OP fails to confirm + * authenticity of the assertion + */ + void check_authentication(const string& OP,const basic_openid_message& om); + /** + * @} + */ + + /** + * @name Miscellanea + * @{ + */ + /** + * Verify OP authority. Return normally if OP is authorized to make + * an assertion, throw an exception otherwise. + * @param OP OP endpoint + * @param claimed_id claimed identity + * @param identity OP-Local identifier + * @throw id_res_unauthorized if OP is not authorized to make + * assertion regarding this identity. + */ + virtual void verify_OP(const string& OP, + const string& claimed_id,const string& identity) const = 0; + /** + * @} + */ + }; + +} + +#endif /* __OPKELE_BASIC_RP_H */ |