-rw-r--r-- | include/opkele/basic_rp.h | 218 |
1 files changed, 218 insertions, 0 deletions
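--- /dev/null
+++ b/include/opkele/basic_rp.h
@@ -0,0 +1,218 @@
+#ifndef __OPKELE_BASIC_RP_H
+#define __OPKELE_BASIC_RP_H
+
+#include <cstring>
+#include <string>
+#include <opkele/types.h>
+#include <opkele/extension.h>
+
+namespace opkele {
+using std::string;
+
+struct openid_endpoint_t {
+string uri;
+string claimed_id;
+string local_id;
+
+openid_endpoint_t() { }
+openid_endpoint_t(const string& u,const string& cid,const string& lid)
+: uri(u), claimed_id(cid), local_id(lid) { }
+
+bool operator==(const openid_endpoint_t& x) const {
+return uri==x.uri && local_id==x.local_id; }
+bool operator<(const openid_endpoint_t& x) const {
+int c;
+return (c=strcmp(uri.c_str(),x.uri.c_str()))
+? (c<0) : (strcmp(local_id.c_str(),x.local_id.c_str())<0); }
+};
+
+class basic_RP {
+public:
+
+virtual ~basic_RP() { }
+
+/**
+* @name Global persistent store API
+* These are functions related to the associations with OP storage
+* and retrieval and nonce records. They provide an interface to
+* the persistent storage which is shared by all sessions. If the
+* implementor prefers the dumb mode instead, the function should
+* throw dumb_RP exception instead.
+* @see opkele::dumb_RP
+* @{
+*/
+/**
+* Store association and return allocated association object.
+* @param OP OP endpoint
+* @param handle association handle
+* @param type association type
+* @param secret association secret
+* @params expires_in the number of seconds association expires in
+* @return the association object
+* @throw dumb_RP for dumb RP
+*/
+virtual assoc_t store_assoc(
+const string& OP,const string& handle,
+const string& type,const secret_t& secret,
+int expires_in) = 0;
+/**
+* Find valid unexpired association with an OP.
+* @param OP OP endpoint URL
+* @return association found
+* @throw failed_lookup if no association found
+* @throw dumb_RP for dumb RP
+*/
+virtual assoc_t find_assoc(
+const string& OP) = 0;
+/**
+* Retrieve valid association handle for an OP by handle.
+* @param OP OP endpoint URL
+* @param handle association handle
+* @return association found
+* @throw failed_lookup if no association found
+* @throw dumb_RP for dumb RP
+*/
+virtual assoc_t retrieve_assoc(
+const string& OP,const string& handle) = 0;
+/**
+* Invalidate association with OP
+* @param OP OP endpoint URL
+* @param handle association handle
+* @throw dumb_RP for dumb RP
+*/
+virtual void invalidate_assoc(const string& OP,const string& handle) = 0;
+
+/**
+* Check the nonce validity. That is, check that we haven't
+* accepted request with this nonce from this OP, yet. May involve
+* cutting off by the timestamp and checking the rest against the
+* store of seen nonces.
+* @param OP OP endpoint URL
+* @param nonce nonce value
+* @throw id_res_bad_nonce if the nonce is not to be accepted, i.e.
+* either too old or seen.
+*/
+virtual void check_nonce(const string& OP,const string& nonce) = 0;
+/**
+* @}
+*/
+
+/**
+* @name Session persistent store API
+* @{
+*/
+/**
+* Retrieve OpenID endpoint being currently used for
+* authentication. If there is no endpoint available, throw a
+* no_endpoint exception.
+* @return reference to the service endpoint object
+* @see next_endpoint
+* @throw no_endpoint if no endpoint available
+*/
+virtual const openid_endpoint_t& get_endpoint() const = 0;
+/**
+* Advance to the next endpoint to try.
+* @see get_endpoint()
+* @throw no_endpoint if there are no more endpoints
+*/
+virtual void next_endpoint() = 0;
+/**
+* @}
+*/
+
+/**
+* @name Site particulars API
+* @{
+*/
+/**
+* Return an absolute URL of the page being processed, includining
+* query parameters. It is used to validate return_to URL on
+* positive assertions.
+* @return fully qualified url of the page being processed.
+*/
+virtual const string get_this_url() const = 0;
+/**
+* @}
+*/
+
+/**
+* @name OpenID actions
+* @{
+*/
+/**
+* Initiates authentication session, doing discovery, normalization
+* and whatever implementor wants to do at this point.
+* @param usi User-supplied identity
+*/
+virtual void initiate(const string& usi) = 0;
+/**
+* Prepare checkid_request.
+* @param rv reference to the openid message to prepare
+* @param mode checkid_setup or checkid_immediate
+* @param return_to the URL OP should redirect to after completion
+* @param realm authentication realm to pass to OP
+* @param ext pointer to extension to use in request preparation
+* @return reference to the openid message
+*/
+basic_openid_message& checkid_(
+basic_openid_message& rv,
+mode_t mode,
+const string& return_to,const string& realm,
+extension_t *ext=0);
+/**
+* Verify assertion at the end of round-trip.
+* @param om incoming openid message
+* @param ext pointer to extention to use in parsing assertion
+* @throw id_res_setup if checkid_immediate request could not be
+* completed
+* @throw id_res_cancel if authentication request was canceled
+* @throw id_res_mismatch in case of signature mismatch
+* @throw id_res_bad_return_to if return_to url seems to be
+* tampered with
+* @throw id_res_unauthorized if OP is not authorized to make
+* assertions regarding the identity
+*/
+void id_res(const basic_openid_message& om,extension_t *ext=0);
+
+/**
+* Establish association with OP
+* @param OP OP to establish association with
+* @throw dumb_RP if for a dumb RP
+*/
+virtual assoc_t associate(const string& OP);
+/**
+* Check authentication with OP and invalidate handle if requested
+* and confirmed
+* @param OP OP to check with
+* @param om message to check
+* @throw failed_check_authentication if OP fails to confirm
+* authenticity of the assertion
+*/
+void check_authentication(const string& OP,const basic_openid_message& om);
+/**
+* @}
+*/
+
+/**
+* @name Miscellanea
+* @{
+*/
+/**
+* Verify OP authority. Return normally if OP is authorized to make
+* an assertion, throw an exception otherwise.
+* @param OP OP endpoint
+* @param claimed_id claimed identity
+* @param identity OP-Local identifier
+* @throw id_res_unauthorized if OP is not authorized to make
+* assertion regarding this identity.
+*/
+virtual void verify_OP(const string& OP,
+const string& claimed_id,const string& identity) const = 0;
+/**
+* @}
+*/
+};
+
+}
+
+#endif /* __OPKELE_BASIC_RP_H */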
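Review bot: `openid_endpoint_t::operator<` (file lines 23–26) orders by `strcmp` on `c_str()` while `operator==` (line 21) compares the full `std::string`, so the two disagree for values containing an embedded NUL: such endpoints are unequal under `==` yet neither is less than the other, which breaks the equivalence/strict-weak-ordering contract that a `std::set` or `std::map` keyed on this struct relies on. Replace the C calls with the string's own comparison: `int c = uri.compare(x.uri);` / `return c ? (c<0) : (local_id < x.local_id); }` — this also drops the uninitialized `int c;` and the `<cstring>` dependency. Separately, the `check_nonce` contract (lines 85–95) should state whether a successful call must also record the nonce as consumed; as written an implementor could read it as a pure query, which would leave the replay check it documents without the mark-on-accept step it needs, so I would add `* A successful return must also record the nonce as seen for this OP,` / `* so that a second presentation of the same nonce is rejected.` Also, `__OPKELE_BASIC_RP_H` (lines 1–2 and 218) begins with a double underscore, which is reserved for the implementation; a plain `OPKELE_BASIC_RP_H` guard avoids the clash.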