-rw-r--r-- | lib/consumer.cc | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/lib/consumer.cc b/lib/consumer.cc index 282f0cc..dd8e150 100644 --- a/lib/consumer.cc +++ b/lib/consumer.cc | |||
@@ -185,161 +185,185 @@ namespace opkele { | |||
185 | unsigned char *md = HMAC( | 185 | unsigned char *md = HMAC( |
186 | EVP_sha1(), | 186 | EVP_sha1(), |
187 | &(secret.front()),secret.size(), | 187 | &(secret.front()),secret.size(), |
188 | (const unsigned char *)kv.data(),kv.length(), | 188 | (const unsigned char *)kv.data(),kv.length(), |
189 | 0,&md_len); | 189 | 0,&md_len); |
190 | if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) | 190 | if(sig.size()!=md_len || memcmp(&(sig.front()),md,md_len)) |
191 | throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); | 191 | throw id_res_mismatch(OPKELE_CP_ "signature mismatch"); |
192 | }catch(failed_lookup& e) { /* XXX: more specific? */ | 192 | }catch(failed_lookup& e) { /* XXX: more specific? */ |
193 | const string& slist = pin.get_param("openid.signed"); | 193 | const string& slist = pin.get_param("openid.signed"); |
194 | string::size_type pp = 0; | 194 | string::size_type pp = 0; |
195 | params_t p; | 195 | params_t p; |
196 | while(true) { | 196 | while(true) { |
197 | string::size_type co = slist.find(',',pp); | 197 | string::size_type co = slist.find(',',pp); |
198 | string f = "openid."; | 198 | string f = "openid."; |
199 | f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); | 199 | f += (co==string::npos)?slist.substr(pp):slist.substr(pp,co-pp); |
200 | p[f] = pin.get_param(f); | 200 | p[f] = pin.get_param(f); |
201 | if(co==string::npos) | 201 | if(co==string::npos) |
202 | break; | 202 | break; |
203 | pp = co+1; | 203 | pp = co+1; |
204 | } | 204 | } |
205 | p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); | 205 | p["openid.assoc_handle"] = pin.get_param("openid.assoc_handle"); |
206 | p["openid.sig"] = pin.get_param("openid.sig"); | 206 | p["openid.sig"] = pin.get_param("openid.sig"); |
207 | p["openid.signed"] = pin.get_param("openid.signed"); | 207 | p["openid.signed"] = pin.get_param("openid.signed"); |
208 | try { | 208 | try { |
209 | string ih = pin.get_param("openid.invalidate_handle"); | 209 | string ih = pin.get_param("openid.invalidate_handle"); |
210 | p["openid.invalidate_handle"] = ih; | 210 | p["openid.invalidate_handle"] = ih; |
211 | }catch(failed_lookup& fl) { } | 211 | }catch(failed_lookup& fl) { } |
212 | try { | 212 | try { |
213 | check_authentication(server,p); | 213 | check_authentication(server,p); |
214 | }catch(failed_check_authentication& fca) { | 214 | }catch(failed_check_authentication& fca) { |
215 | throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); | 215 | throw id_res_failed(OPKELE_CP_ "failed to check_authentication()"); |
216 | } | 216 | } |
217 | } | 217 | } |
218 | if(ext) ext->id_res_hook(pin,ps,identity); | 218 | if(ext) ext->id_res_hook(pin,ps,identity); |
219 | } | 219 | } |
220 | 220 | ||
221 | void consumer_t::check_authentication(const string& server,const params_t& p) { | 221 | void consumer_t::check_authentication(const string& server,const params_t& p) { |
222 | string request = "openid.mode=check_authentication"; | 222 | string request = "openid.mode=check_authentication"; |
223 | for(params_t::const_iterator i=p.begin();i!=p.end();++i) { | 223 | for(params_t::const_iterator i=p.begin();i!=p.end();++i) { |
224 | if(i->first!="openid.mode") { | 224 | if(i->first!="openid.mode") { |
225 | request += '&'; | 225 | request += '&'; |
226 | request += i->first; | 226 | request += i->first; |
227 | request += '='; | 227 | request += '='; |
228 | request += util::url_encode(i->second); | 228 | request += util::url_encode(i->second); |
229 | } | 229 | } |
230 | } | 230 | } |
231 | curl_t curl = curl_easy_init(); | 231 | curl_t curl = curl_easy_init(); |
232 | if(!curl) | 232 | if(!curl) |
233 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); | 233 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); |
234 | string response; | 234 | string response; |
235 | CURLcode r; | 235 | CURLcode r; |
236 | (r=curl_misc_sets(curl)) | 236 | (r=curl_misc_sets(curl)) |
237 | || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) | 237 | || (r=curl_easy_setopt(curl,CURLOPT_URL,server.c_str())) |
238 | || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) | 238 | || (r=curl_easy_setopt(curl,CURLOPT_POST,1)) |
239 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) | 239 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDS,request.data())) |
240 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) | 240 | || (r=curl_easy_setopt(curl,CURLOPT_POSTFIELDSIZE,request.length())) |
241 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) | 241 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) |
242 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) | 242 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&response)) |
243 | ; | 243 | ; |
244 | if(r) | 244 | if(r) |
245 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); | 245 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); |
246 | if(r=curl_easy_perform(curl)) | 246 | if(r=curl_easy_perform(curl)) |
247 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); | 247 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); |
248 | params_t pp; pp.parse_keyvalues(response); | 248 | params_t pp; pp.parse_keyvalues(response); |
249 | if(pp.has_param("invalidate_handle")) | 249 | if(pp.has_param("invalidate_handle")) |
250 | invalidate_assoc(server,pp.get_param("invalidate_handle")); | 250 | invalidate_assoc(server,pp.get_param("invalidate_handle")); |
251 | if(pp.has_param("is_valid")) { | 251 | if(pp.has_param("is_valid")) { |
252 | if(pp.get_param("is_valid")=="true") | 252 | if(pp.get_param("is_valid")=="true") |
253 | return; | 253 | return; |
254 | }else if(pp.has_param("lifetime")) { | 254 | }else if(pp.has_param("lifetime")) { |
255 | if(util::string_to_long(pp.get_param("lifetime"))) | 255 | if(util::string_to_long(pp.get_param("lifetime"))) |
256 | return; | 256 | return; |
257 | } | 257 | } |
258 | throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); | 258 | throw failed_check_authentication(OPKELE_CP_ "failed to verify response"); |
259 | } | 259 | } |
260 | 260 | ||
261 | void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { | 261 | void consumer_t::retrieve_links(const string& url,string& server,string& delegate) { |
262 | server.erase(); | 262 | server.erase(); |
263 | delegate.erase(); | 263 | delegate.erase(); |
264 | curl_t curl = curl_easy_init(); | 264 | curl_t curl = curl_easy_init(); |
265 | if(!curl) | 265 | if(!curl) |
266 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); | 266 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); |
267 | string html; | 267 | string html; |
268 | CURLcode r; | 268 | CURLcode r; |
269 | (r=curl_misc_sets(curl)) | 269 | (r=curl_misc_sets(curl)) |
270 | || (r=curl_easy_setopt(curl,CURLOPT_URL,url.c_str())) | 270 | || (r=curl_easy_setopt(curl,CURLOPT_URL,url.c_str())) |
271 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) | 271 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,_curl_tostring)) |
272 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&html)) | 272 | || (r=curl_easy_setopt(curl,CURLOPT_WRITEDATA,&html)) |
273 | ; | 273 | ; |
274 | if(r) | 274 | if(r) |
275 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); | 275 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); |
276 | r = curl_easy_perform(curl); | 276 | r = curl_easy_perform(curl); |
277 | if(r && r!=CURLE_WRITE_ERROR) | 277 | if(r && r!=CURLE_WRITE_ERROR) |
278 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); | 278 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); |
279 | pcrepp::Pcre bre("<body\\b",PCRE_CASELESS); | 279 | pcrepp::Pcre bre("<body\\b",PCRE_CASELESS); |
280 | // strip out everything past body | 280 | // strip out everything past body |
281 | if(bre.search(html)) | 281 | if(bre.search(html)) |
282 | html.erase(bre.get_match_start()); | 282 | html.erase(bre.get_match_start()); |
283 | pcrepp::Pcre hdre("<head[^>]*>",PCRE_CASELESS); | 283 | pcrepp::Pcre hdre("<head[^>]*>",PCRE_CASELESS); |
284 | if(!hdre.search(html)) | 284 | if(!hdre.search(html)) |
285 | throw bad_input(OPKELE_CP_ "failed to find head"); | 285 | throw bad_input(OPKELE_CP_ "failed to find head"); |
286 | html.erase(0,hdre.get_match_end()+1); | 286 | html.erase(0,hdre.get_match_end()+1); |
287 | pcrepp::Pcre lre("<link\\b([^>]+)>",PCRE_CASELESS), | 287 | pcrepp::Pcre lre("<link\\b([^>]+)>",PCRE_CASELESS), |
288 | rre("\\brel=['\"]([^'\"]+)['\"]",PCRE_CASELESS), | 288 | rre("\\brel=['\"]([^'\"]+)['\"]",PCRE_CASELESS), |
289 | hre("\\bhref=['\"]([^'\"]+)['\"]",PCRE_CASELESS); | 289 | hre("\\bhref=['\"]([^'\"]+)['\"]",PCRE_CASELESS); |
290 | while(lre.search(html)) { | 290 | while(lre.search(html)) { |
291 | string attrs = lre[0]; | 291 | string attrs = lre[0]; |
292 | html.erase(0,lre.get_match_end()+1); | 292 | html.erase(0,lre.get_match_end()+1); |
293 | if(!(rre.search(attrs)&&hre.search(attrs))) | 293 | if(!(rre.search(attrs)&&hre.search(attrs))) |
294 | continue; | 294 | continue; |
295 | if(rre[0]=="openid.server") { | 295 | if(rre[0]=="openid.server") { |
296 | server = hre[0]; | 296 | server = hre[0]; |
297 | if(!delegate.empty()) | 297 | if(!delegate.empty()) |
298 | break; | 298 | break; |
299 | }else if(rre[0]=="openid.delegate") { | 299 | }else if(rre[0]=="openid.delegate") { |
300 | delegate = hre[0]; | 300 | delegate = hre[0]; |
301 | if(!server.empty()) | 301 | if(!server.empty()) |
302 | break; | 302 | break; |
303 | } | 303 | } |
304 | } | 304 | } |
305 | if(server.empty()) | 305 | if(server.empty()) |
306 | throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration"); | 306 | throw failed_assertion(OPKELE_CP_ "The location has no openid.server declaration"); |
307 | } | 307 | } |
308 | 308 | ||
309 | assoc_t consumer_t::find_assoc(const string& server) { | 309 | assoc_t consumer_t::find_assoc(const string& server) { |
310 | throw failed_lookup(OPKELE_CP_ "no find_assoc() provided"); | 310 | throw failed_lookup(OPKELE_CP_ "no find_assoc() provided"); |
311 | } | 311 | } |
312 | 312 | ||
313 | string consumer_t::canonicalize(const string& url) { | 313 | string consumer_t::normalize(const string& url) { |
314 | string rv = url; | 314 | string rv = url; |
315 | // strip leading and trailing spaces | 315 | // strip leading and trailing spaces |
316 | string::size_type i = rv.find_first_not_of(" \t\r\n"); | 316 | string::size_type i = rv.find_first_not_of(" \t\r\n"); |
317 | if(i==string::npos) | 317 | if(i==string::npos) |
318 | throw bad_input(OPKELE_CP_ "empty URL"); | 318 | throw bad_input(OPKELE_CP_ "empty URL"); |
319 | if(i) | 319 | if(i) |
320 | rv.erase(0,i); | 320 | rv.erase(0,i); |
321 | i = rv.find_last_not_of(" \t\r\n"); | 321 | i = rv.find_last_not_of(" \t\r\n"); |
322 | assert(i!=string::npos); | 322 | assert(i!=string::npos); |
323 | if(i<(rv.length()-1)) | 323 | if(i<(rv.length()-1)) |
324 | rv.erase(i+1); | 324 | rv.erase(i+1); |
325 | // add missing http:// | 325 | // add missing http:// |
326 | i = rv.find("://"); | 326 | i = rv.find("://"); |
327 | if(i==string::npos) { // primitive. but do we need more? | 327 | if(i==string::npos) { // primitive. but do we need more? |
328 | rv.insert(0,"http://"); | 328 | rv.insert(0,"http://"); |
329 | i = sizeof("http://")-1; | 329 | i = sizeof("http://")-1; |
330 | }else{ | 330 | }else{ |
331 | i += sizeof("://")-1; | 331 | i += sizeof("://")-1; |
332 | } | 332 | } |
333 | string::size_type qm = rv.find('?',i); | 333 | string::size_type qm = rv.find('?',i); |
334 | string::size_type sl = rv.find('/',i); | 334 | string::size_type sl = rv.find('/',i); |
335 | if(qm!=string::npos) { | 335 | if(qm!=string::npos) { |
336 | if(sl==string::npos || sl>qm) | 336 | if(sl==string::npos || sl>qm) |
337 | rv.insert(qm,1,'/'); | 337 | rv.insert(qm,1,'/'); |
338 | }else{ | 338 | }else{ |
339 | if(sl==string::npos) | 339 | if(sl==string::npos) |
340 | rv += '/'; | 340 | rv += '/'; |
341 | } | 341 | } |
342 | return rv; | 342 | return rv; |
343 | } | 343 | } |
344 | 344 | ||
345 | string consumer_t::canonicalize(const string& url) { | ||
346 | string rv = normalize(url); | ||
347 | curl_t curl = curl_easy_init(); | ||
348 | if(!curl) | ||
349 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_init()"); | ||
350 | string html; | ||
351 | CURLcode r; | ||
352 | (r=curl_misc_sets(curl)) | ||
353 | || (r=curl_easy_setopt(curl,CURLOPT_URL,rv.c_str())) | ||
354 | || (r=curl_easy_setopt(curl,CURLOPT_NOBODY,1)) | ||
355 | ; | ||
356 | if(r) | ||
357 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_setopt()",r); | ||
358 | r = curl_easy_perform(curl); | ||
359 | if(r) | ||
360 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_perform()",r); | ||
361 | const char *eu = 0; | ||
362 | r = curl_easy_getinfo(curl,CURLINFO_EFFECTIVE_URL,&eu); | ||
363 | if(r) | ||
364 | throw exception_curl(OPKELE_CP_ "failed to curl_easy_getinfo(..CURLINFO_EFFECTIVE_URL..)",r); | ||
365 | rv = eu; | ||
366 | return normalize(rv); | ||
367 | } | ||
368 | |||
345 | } | 369 | } |