| -rw-r--r-- | include/opkele/association.h | 2 | ||||
| -rw-r--r-- | include/opkele/consumer.h | 19 | ||||
| -rw-r--r-- | lib/consumer.cc | 4 |
3 files changed, 24 insertions, 1 deletions
diff --git a/include/opkele/association.h b/include/opkele/association.h index a8f3915..72eff5b 100644 --- a/include/opkele/association.h +++ b/include/opkele/association.h | |||
| @@ -40,29 +40,31 @@ namespace opkele { | |||
| 40 | * statelessness of the assoc_handle | 40 | * statelessness of the assoc_handle |
| 41 | */ | 41 | */ |
| 42 | bool _stateless; | 42 | bool _stateless; |
| 43 | 43 | ||
| 44 | /** | 44 | /** |
| 45 | * @param __server the server name | 45 | * @param __server the server name |
| 46 | * @param __handle association handle | 46 | * @param __handle association handle |
| 47 | * @param __assoc_type association type | 47 | * @param __assoc_type association type |
| 48 | * @param __secret the secret | 48 | * @param __secret the secret |
| 49 | * @param __expires expiration time | 49 | * @param __expires expiration time |
| 50 | * @param __stateless statelessness of the assoc_handle | 50 | * @param __stateless statelessness of the assoc_handle |
| 51 | */ | 51 | */ |
| 52 | association(const string& __server, const string& __handle, | 52 | association(const string& __server, const string& __handle, |
| 53 | const string& __assoc_type, const secret_t& __secret, | 53 | const string& __assoc_type, const secret_t& __secret, |
| 54 | time_t __expires, bool __stateless) | 54 | time_t __expires, bool __stateless) |
| 55 | : _server(__server), _handle(__handle), _assoc_type(__assoc_type), | 55 | : _server(__server), _handle(__handle), _assoc_type(__assoc_type), |
| 56 | _secret(__secret), _expires(__expires), _stateless(__stateless) { } | 56 | _secret(__secret), _expires(__expires), _stateless(__stateless) { } |
| 57 | 57 | ||
| 58 | virtual string server() const { return _server; } | 58 | virtual string server() const { return _server; } |
| 59 | virtual string handle() const { return _handle; } | 59 | virtual string handle() const { return _handle; } |
| 60 | virtual string assoc_type() const { return _assoc_type; } | 60 | virtual string assoc_type() const { return _assoc_type; } |
| 61 | virtual secret_t secret() const { return _secret; } | 61 | virtual secret_t secret() const { return _secret; } |
| 62 | virtual int expires_in() const { return _expires-time(0); } | 62 | virtual int expires_in() const { return _expires-time(0); } |
| 63 | virtual bool stateless() const { return _stateless; } | 63 | virtual bool stateless() const { return _stateless; } |
| 64 | |||
| 65 | virtual bool is_expired() const { return _expires<time(0); } | ||
| 64 | }; | 66 | }; |
| 65 | 67 | ||
| 66 | } | 68 | } |
| 67 | 69 | ||
| 68 | #endif /* __OPKELE_ASSOCIATION_H */ | 70 | #endif /* __OPKELE_ASSOCIATION_H */ |
diff --git a/include/opkele/consumer.h b/include/opkele/consumer.h index 042e2d1..b9d1e54 100644 --- a/include/opkele/consumer.h +++ b/include/opkele/consumer.h | |||
| @@ -1,74 +1,91 @@ | |||
| 1 | #ifndef __OPKELE_CONSUMER_H | 1 | #ifndef __OPKELE_CONSUMER_H |
| 2 | #define __OPKELE_CONSUMER_H | 2 | #define __OPKELE_CONSUMER_H |
| 3 | 3 | ||
| 4 | #include <opkele/types.h> | 4 | #include <opkele/types.h> |
| 5 | #include <opkele/extension.h> | 5 | #include <opkele/extension.h> |
| 6 | 6 | ||
| 7 | /** | 7 | /** |
| 8 | * @file | 8 | * @file |
| 9 | * @brief OpenID consumer-side functionality | 9 | * @brief OpenID consumer-side functionality |
| 10 | */ | 10 | */ |
| 11 | 11 | ||
| 12 | namespace opkele { | 12 | namespace opkele { |
| 13 | 13 | ||
| 14 | /** | 14 | /** |
| 15 | * implementation of basic consumer functionality | 15 | * implementation of basic consumer functionality |
| 16 | * | ||
| 17 | * @note | ||
| 18 | * The consumer uses libcurl internally, which means that if you're using | ||
| 19 | * libopkele in multithreaded environment you should call curl_global_init | ||
| 20 | * yourself before spawning any threads. | ||
| 16 | */ | 21 | */ |
| 17 | class consumer_t { | 22 | class consumer_t { |
| 18 | public: | 23 | public: |
| 19 | 24 | ||
| 20 | /** | 25 | /** |
| 21 | * store association. The function should be overridden in the real | 26 | * store association. The function should be overridden in the real |
| 22 | * implementation to provide persistent associations store. | 27 | * implementation to provide persistent associations store. |
| 23 | * @param server the OpenID server | 28 | * @param server the OpenID server |
| 24 | * @param handle association handle | 29 | * @param handle association handle |
| 25 | * @param secret the secret associated with the server and handle | 30 | * @param secret the secret associated with the server and handle |
| 26 | * @param expires_in the number of seconds until the handle is expired | 31 | * @param expires_in the number of seconds until the handle is expired |
| 27 | * @return the auto_ptr<> for the newly allocated association_t object | 32 | * @return the auto_ptr<> for the newly allocated association_t object |
| 28 | */ | 33 | */ |
| 29 | virtual assoc_t store_assoc(const string& server,const string& handle,const secret_t& secret,int expires_in) = 0; | 34 | virtual assoc_t store_assoc(const string& server,const string& handle,const secret_t& secret,int expires_in) = 0; |
| 30 | /** | 35 | /** |
| 31 | * retrieve stored association. The function should be overridden | 36 | * retrieve stored association. The function should be overridden |
| 32 | * in the real implementation to provide persistent assocations | 37 | * in the real implementation to provide persistent assocations |
| 33 | * store. | 38 | * store. |
| 39 | * | ||
| 40 | * @note | ||
| 41 | * The user is responsible for handling associations expiry and | ||
| 42 | * this function should never return an expired or invalidated | ||
| 43 | * association. | ||
| 44 | * | ||
| 34 | * @param server the OpenID server | 45 | * @param server the OpenID server |
| 35 | * @param handle association handle | 46 | * @param handle association handle |
| 36 | * @return the autho_ptr<> for the newly allocated association_t object | 47 | * @return the autho_ptr<> for the newly allocated association_t object |
| 37 | * @throw failed_lookup in case of error | 48 | * @throw failed_lookup if no unexpired association found |
| 38 | */ | 49 | */ |
| 39 | virtual assoc_t retrieve_assoc(const string& server,const string& handle) = 0; | 50 | virtual assoc_t retrieve_assoc(const string& server,const string& handle) = 0; |
| 40 | /** | 51 | /** |
| 41 | * invalidate stored association. The function should be overridden | 52 | * invalidate stored association. The function should be overridden |
| 42 | * in the real implementation of the consumer. | 53 | * in the real implementation of the consumer. |
| 43 | * @param server the OpenID server | 54 | * @param server the OpenID server |
| 44 | * @param handle association handle | 55 | * @param handle association handle |
| 45 | */ | 56 | */ |
| 46 | virtual void invalidate_assoc(const string& server,const string& handle) = 0; | 57 | virtual void invalidate_assoc(const string& server,const string& handle) = 0; |
| 47 | /** | 58 | /** |
| 48 | * retrieve any unexpired association for the server. If the | 59 | * retrieve any unexpired association for the server. If the |
| 49 | * function is not overridden in the real implementation, the new | 60 | * function is not overridden in the real implementation, the new |
| 50 | * association will be established for each request. | 61 | * association will be established for each request. |
| 62 | * | ||
| 63 | * @note | ||
| 64 | * The user is responsible for handling associations and this | ||
| 65 | * function should never return an expired or invalidated | ||
| 66 | * association. | ||
| 67 | * | ||
| 51 | * @param server the OpenID server | 68 | * @param server the OpenID server |
| 52 | * @return the auto_ptr<> for the newly allocated association_t object | 69 | * @return the auto_ptr<> for the newly allocated association_t object |
| 53 | * @throw failed_lookup in case of absence of the handle | 70 | * @throw failed_lookup in case of absence of the handle |
| 54 | */ | 71 | */ |
| 55 | virtual assoc_t find_assoc(const string& server); | 72 | virtual assoc_t find_assoc(const string& server); |
| 56 | 73 | ||
| 57 | /** | 74 | /** |
| 58 | * retrieve the metainformation contained in link tags from the | 75 | * retrieve the metainformation contained in link tags from the |
| 59 | * page pointed by url. the function may implement caching of the | 76 | * page pointed by url. the function may implement caching of the |
| 60 | * information. | 77 | * information. |
| 61 | * @param url url to harvest for link tags | 78 | * @param url url to harvest for link tags |
| 62 | * @param server reference to the string object where to put | 79 | * @param server reference to the string object where to put |
| 63 | * openid.server value | 80 | * openid.server value |
| 64 | * @param delegate reference to the string object where to put the | 81 | * @param delegate reference to the string object where to put the |
| 65 | * openid.delegate value (if any) | 82 | * openid.delegate value (if any) |
| 66 | */ | 83 | */ |
| 67 | virtual void retrieve_links(const string& url,string& server,string& delegate); | 84 | virtual void retrieve_links(const string& url,string& server,string& delegate); |
| 68 | 85 | ||
| 69 | /** | 86 | /** |
| 70 | * perform the associate request to OpenID server. | 87 | * perform the associate request to OpenID server. |
| 71 | * @param server the OpenID server | 88 | * @param server the OpenID server |
| 72 | * @return the auto_ptr<> for the newly allocated association_t | 89 | * @return the auto_ptr<> for the newly allocated association_t |
| 73 | * object, representing established association | 90 | * object, representing established association |
| 74 | * @throw exception in case of error | 91 | * @throw exception in case of error |
diff --git a/lib/consumer.cc b/lib/consumer.cc index dd8e150..af309c1 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc | |||
| @@ -123,65 +123,69 @@ namespace opkele { | |||
| 123 | 123 | ||
| 124 | string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | 124 | string consumer_t::checkid_immediate(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { |
| 125 | return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); | 125 | return checkid_(mode_checkid_immediate,identity,return_to,trust_root,ext); |
| 126 | } | 126 | } |
| 127 | string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | 127 | string consumer_t::checkid_setup(const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { |
| 128 | return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); | 128 | return checkid_(mode_checkid_setup,identity,return_to,trust_root,ext); |
| 129 | } | 129 | } |
| 130 | string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { | 130 | string consumer_t::checkid_(mode_t mode,const string& identity,const string& return_to,const string& trust_root,extension_t *ext) { |
| 131 | params_t p; | 131 | params_t p; |
| 132 | if(mode==mode_checkid_immediate) | 132 | if(mode==mode_checkid_immediate) |
| 133 | p["mode"]="checkid_immediate"; | 133 | p["mode"]="checkid_immediate"; |
| 134 | else if(mode==mode_checkid_setup) | 134 | else if(mode==mode_checkid_setup) |
| 135 | p["mode"]="checkid_setup"; | 135 | p["mode"]="checkid_setup"; |
| 136 | else | 136 | else |
| 137 | throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); | 137 | throw bad_input(OPKELE_CP_ "unknown checkid_* mode"); |
| 138 | string iurl = canonicalize(identity); | 138 | string iurl = canonicalize(identity); |
| 139 | string server, delegate; | 139 | string server, delegate; |
| 140 | retrieve_links(iurl,server,delegate); | 140 | retrieve_links(iurl,server,delegate); |
| 141 | p["identity"] = delegate.empty()?iurl:delegate; | 141 | p["identity"] = delegate.empty()?iurl:delegate; |
| 142 | if(!trust_root.empty()) | 142 | if(!trust_root.empty()) |
| 143 | p["trust_root"] = trust_root; | 143 | p["trust_root"] = trust_root; |
| 144 | p["return_to"] = return_to; | 144 | p["return_to"] = return_to; |
| 145 | try { | 145 | try { |
| 146 | string ah = find_assoc(server)->handle(); | 146 | string ah = find_assoc(server)->handle(); |
| 147 | if(ah->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */ | ||
| 148 | throw failed_lookup(OPKELE_CP_ "find_assoc() has returned expired handle"); | ||
| 147 | p["assoc_handle"] = ah; | 149 | p["assoc_handle"] = ah; |
| 148 | }catch(failed_lookup& fl) { | 150 | }catch(failed_lookup& fl) { |
| 149 | string ah = associate(server)->handle(); | 151 | string ah = associate(server)->handle(); |
| 150 | p["assoc_handle"] = ah; | 152 | p["assoc_handle"] = ah; |
| 151 | } | 153 | } |
| 152 | if(ext) ext->checkid_hook(p,identity); | 154 | if(ext) ext->checkid_hook(p,identity); |
| 153 | return p.append_query(server); | 155 | return p.append_query(server); |
| 154 | } | 156 | } |
| 155 | 157 | ||
| 156 | void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { | 158 | void consumer_t::id_res(const params_t& pin,const string& identity,extension_t *ext) { |
| 157 | if(pin.has_param("openid.user_setup_url")) | 159 | if(pin.has_param("openid.user_setup_url")) |
| 158 | throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); | 160 | throw id_res_setup(OPKELE_CP_ "assertion failed, setup url provided",pin.get_param("openid.user_setup_url")); |
| 159 | string server,delegate; | 161 | string server,delegate; |
| 160 | retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); | 162 | retrieve_links(identity.empty()?pin.get_param("openid.identity"):canonicalize(identity),server,delegate); |
| 161 | params_t ps; | 163 | params_t ps; |
| 162 | try { | 164 | try { |
| 163 | assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); | 165 | assoc_t assoc = retrieve_assoc(server,pin.get_param("openid.assoc_handle")); |
| 166 | if(assoc->is_expired()) /* TODO: or should I throw some other exception to force programmer fix his implementation? */ | ||
| 167 | throw failed_lookup(OPKELE_CP_ "retrieve_assoc() has returned expired handle"); | ||
| 164 | const string& sigenc = pin.get_param("openid.sig"); | 168 | const string& sigenc = pin.get_param("openid.sig"); |
| 165 | vector<unsigned char> sig; | 169 | vector<unsigned char> sig; |
| 166 | util::decode_base64(sigenc,sig); | 170 | util::decode_base64(sigenc,sig); |
| 167 | const string& slist = pin.get_param("openid.signed"); | 171 | const string& slist = pin.get_param("openid.signed"); |
| 168 | string kv; | 172 | string kv; |
| 169 | string::size_type p = 0; | 173 | string::size_type p = 0; |
| 170 | while(true) { | 174 | while(true) { |
| 171 | string::size_type co = slist.find(',',p); | 175 | string::size_type co = slist.find(',',p); |
| 172 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); | 176 | string f = (co==string::npos)?slist.substr(p):slist.substr(p,co-p); |
| 173 | kv += f; | 177 | kv += f; |
| 174 | kv += ':'; | 178 | kv += ':'; |
| 175 | f.insert(0,"openid."); | 179 | f.insert(0,"openid."); |
| 176 | kv += pin.get_param(f); | 180 | kv += pin.get_param(f); |
| 177 | kv += '\n'; | 181 | kv += '\n'; |
| 178 | if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); | 182 | if(ext) ps[f.substr(sizeof("openid.")-1)] = pin.get_param(f); |
| 179 | if(co==string::npos) | 183 | if(co==string::npos) |
| 180 | break; | 184 | break; |
| 181 | p = co+1; | 185 | p = co+1; |
| 182 | } | 186 | } |
| 183 | secret_t secret = assoc->secret(); | 187 | secret_t secret = assoc->secret(); |
| 184 | unsigned int md_len = 0; | 188 | unsigned int md_len = 0; |
| 185 | unsigned char *md = HMAC( | 189 | unsigned char *md = HMAC( |
| 186 | EVP_sha1(), | 190 | EVP_sha1(), |
| 187 | &(secret.front()),secret.size(), | 191 | &(secret.front()),secret.size(), |