Changeset 3531 for trunk/extlib/Net/OpenID/Consumer.pm

Timestamp:

03/12/09 09:11:52 (9 months ago)

Author:

fumiakiy

Message:

Merged sockfish to trunk. "svn merge -r3114:3527 http://code.sixapart.com/svn/movabletype/branches/sockfish/ ."

Files:

• trunk/extlib/Net/OpenID/Consumer.pm (modified) (13 diffs)

trunk/extlib/Net/OpenID/Consumer.pm

@@ -4 +4 @@
 use Carp ();
 use LWP::UserAgent;
-use URI::Fetch 0.02;
+use Storable;
 
 ############################################################################
@@ -10 +10 @@
 
 use vars qw($VERSION);
-$VERSION = "0.14";
+$VERSION = "1.03";
 
 use fields (
-    'cache',           # the Cache object sent to URI::Fetch
+    'cache',           # a Cache object to store HTTP responses and associations
     'ua',              # LWP::UserAgent instance to use
     'args',            # how to get at your args
@@ -30 +30 @@
 use Net::OpenID::Yadis;
 use Net::OpenID::IndirectMessage;
+use Net::OpenID::URIFetch;
 
 use MIME::Base64 ();
@@ -204 +205 @@
 }
 
-
 sub _get_url_contents {
     my Net::OpenID::Consumer $self = shift;
-    my  ($url, $final_url_ref, $hook) = @_;
+    my ($url, $final_url_ref, $hook) = @_;
     $final_url_ref ||= do { my $dummy; \$dummy; };
 
-    my $ures = URI::Fetch->fetch($url,
-                                 UserAgent        => $self->ua,
-                                 Cache            => $self->cache,
-                                 ContentAlterHook => $hook,
-                                 )
-        or return $self->_fail("url_fetch_error", "Error fetching URL: " . URI::Fetch->errstr);
-
-    # who actually uses HTTP gone response status?  uh, nobody.
-    if ($ures->status == URI::Fetch::URI_GONE()) {
-        return $self->_fail("url_gone", "URL is no longer available");
-    }
-
-    my $res = $ures->http_response;
-    $$final_url_ref = $res->request->uri->as_string;
-
-    return $ures->content;
+    my $res = Net::OpenID::URIFetch->fetch($url, $self, $hook);
+
+    $$final_url_ref = $res->final_uri;
+
+    return $res ? $res->content : undef;
 }
 
@@ -241 +230 @@
     };
 
-    my $doc = $self->_get_url_contents($url, $final_url_ref, $trim_hook) or
-        return;
+    my $doc = $self->_get_url_contents($url, $final_url_ref, $trim_hook) || '';
 
     # find <head> content of document (notably: the first head, if an attacker
@@ -403 +391 @@
     my $primary_only = delete $opts{primary_only} ? 1 : 0;
 
+    my $force_version = delete $opts{force_version};
+
     Carp::croak("Unknown option(s) ".join(', ', keys(%opts))) if %opts;
 
@@ -429 +419 @@
 
     # First we Yadis service discovery
-    my $yadis = Net::OpenID::Yadis->new(ua => $self->{ua});
+    my $yadis = Net::OpenID::Yadis->new(consumer => $self);
     if ($yadis->discover($url)) {
         # FIXME: Currently we don't ever do _find_semantic_info in the Yadis
@@ -484 +474 @@
             if (@versions) {
                 foreach my $version (@versions) {
+                    next if defined($force_version) && $force_version != $version;
                     foreach my $uri (@$service_uris) {
                         push @discovered_endpoints, {
@@ -531 +522 @@
         if ($sem_info) {
             if ($sem_info->{"openid2.provider"}) {
-                push @discovered_endpoints, {
-                    uri => $sem_info->{"openid2.provider"},
-                    version => 2,
-                    final_url => $final_url,
-                    delegate => $sem_info->{"openid2.local_id"},
-                    sem_info => $sem_info,
-                    mechanism => "HTML",
-                };
+                unless (defined($force_version) && $force_version != 2) {
+                    push @discovered_endpoints, {
+                        uri => $sem_info->{"openid2.provider"},
+                        version => 2,
+                        final_url => $final_url,
+                        delegate => $sem_info->{"openid2.local_id"},
+                        sem_info => $sem_info,
+                        mechanism => "HTML",
+                    };
+                }
             }
             if ($sem_info->{"openid.server"}) {
-                push @discovered_endpoints, {
-                    uri => $sem_info->{"openid.server"},
-                    version => 1,
-                    final_url => $final_url,
-                    delegate => $sem_info->{"openid.delegate"},
-                    sem_info => $sem_info,
-                    mechanism => "HTML",
-                };
+                unless (defined($force_version) && $force_version != 1) {
+                    push @discovered_endpoints, {
+                        uri => $sem_info->{"openid.server"},
+                        version => 1,
+                        final_url => $final_url,
+                        delegate => $sem_info->{"openid.delegate"},
+                        sem_info => $sem_info,
+                        mechanism => "HTML",
+                    };
+                }
             }
         }
@@ -652 +647 @@
     my $signed   = $self->message("signed");
 
+    my $possible_endpoints;
+    my $server;
+    my $claimed_identity;
+
     my $real_ident;
     if ($self->_message_version == 1) {
         $real_ident = $self->args("oic.identity") || $a_ident;
+
+        # In version 1, we have to assume that the primary server
+        # found during discovery is the one sending us this message.
+        $possible_endpoints = $self->_discover_acceptable_endpoints($real_ident, force_version => 1);
+
+        if ($possible_endpoints && @$possible_endpoints) {
+            $possible_endpoints = [ $possible_endpoints->[0] ];
+            $server = $possible_endpoints->[0]{uri};
+        }
+        else {
+            # We just fall out of here and bail out below for having no endpoints.
+        }
     }
     else {
         $real_ident = $self->message("claimed_id") || $a_ident;
+
+        # In version 2, the OP tells us its URL.
+        $server = $self->message("op_endpoint");
+        $possible_endpoints = $self->_discover_acceptable_endpoints($real_ident, force_version => 2);
+
+        # FIXME: It kinda sucks that the above will always do both Yadis and HTML discovery, even though
+        # in most cases only one will be in use.
+    }
+
+    $self->_debug("Server is $server");
+
+    unless ($possible_endpoints && @$possible_endpoints) {
+        return $self->_fail("no_identity_server");
     }
 
@@ -678 +702 @@
     }
 
-    my $claimed_identity = $self->claimed_identity($real_ident);
-    return $self->_fail("no_identity_server") unless $claimed_identity;
-
-    # NOTE: Currently we're expecting the "primary" OP -- that is, the one that "wins"
-    # when we do discovery -- to be the one that sends the response. Since we currently
-    # don't support falling back to other providers in the XRD case, this should always
-    # be a valid assumption unless this assersion request is unsolicited.
-    # We'll also fail if the identifier's provider priorities are twiddled between
-    # request and response, but that's unlikely enough that we're just going to ignore it.
-
-    my $final_url = $claimed_identity->claimed_url;
-
-    # OpenID 2.0 wants us to exclude the fragment part of the URL when doing equality checks
-    my $a_ident_nofragment = $a_ident;
-    my $real_ident_nofragment = $real_ident;
-    my $final_url_nofragment = $final_url;
-    if ($self->_message_version >= 2) {
-        $a_ident_nofragment =~ s/\#.*$//x;
-        $real_ident_nofragment =~ s/\#.*$//x;
-        $final_url_nofragment =~ s/\#.*$//x;
-    }
-    return $self->_fail("unexpected_url_redirect") unless $final_url_nofragment eq $real_ident_nofragment;
-
-    my $server = $claimed_identity->identity_server;
-
-    # Protocol version must match
-    return $self->_fail("protocol_version_incorrect") unless $claimed_identity->protocol_version == $self->_message_version;
-
-    # if openid.delegate was used, check that it was done correctly
-    if ($a_ident_nofragment ne $real_ident_nofragment) {
-        my $delegate = $claimed_identity->delegated_url;
+    my $last_error = undef;
+
+    foreach my $endpoint (@$possible_endpoints) {
+        my $final_url = $endpoint->{final_url};
+        my $endpoint_uri = $endpoint->{uri};
+        my $delegate = $endpoint->{delegate};
+
+        my $error = sub {
+            $self->_debug("$endpoint_uri not acceptable: ".$_[0]);
+            $last_error = $_[0];
+        };
+
+        # The endpoint_uri must match our $server
+        if ($endpoint_uri ne $server) {
+            $error->("server_not_allowed");
+            next;
+        }
+
+        # OpenID 2.0 wants us to exclude the fragment part of the URL when doing equality checks
         my $a_ident_nofragment = $a_ident;
-        $a_ident_nofragment =~ s/\#.*$//;
-        $self->_debug("verified_identity: verifying delegate $delegate for $a_ident_nofragment");
-        return $self->_fail("bogus_delegation") unless $delegate eq $a_ident;
+        my $real_ident_nofragment = $real_ident;
+        my $final_url_nofragment = $final_url;
+        if ($self->_message_version >= 2) {
+            $a_ident_nofragment =~ s/\#.*$//x;
+            $real_ident_nofragment =~ s/\#.*$//x;
+            $final_url_nofragment =~ s/\#.*$//x;
+        }
+        unless ($final_url_nofragment eq $real_ident_nofragment) {
+            $error->("unexpected_url_redirect");
+            next;
+        }
+
+        # Protocol version must match
+        unless ($endpoint->{version} == $self->_message_version) {
+            $error->("protocol_version_incorrect");
+            next;
+        }
+
+        # if openid.delegate was used, check that it was done correctly
+        if ($a_ident_nofragment ne $real_ident_nofragment) {
+            unless ($delegate eq $a_ident_nofragment) {
+                $error->("bogus_delegation");
+                next;
+            }
+        }
+
+        # If we've got this far then we've found the right endpoint.
+
+        $claimed_identity =  Net::OpenID::ClaimedIdentity->new(
+            identity         => $endpoint->{final_url},
+            server           => $endpoint->{uri},
+            consumer         => $self,
+            delegate         => $endpoint->{delegate},
+            protocol_version => $endpoint->{version},
+            semantic_info    => $endpoint->{sem_info},
+        );
+        last;
+
+    }
+
+    unless ($claimed_identity) {
+        # We failed to find a good endpoint in the above loop, so
+        # lets bail out.
+        return $self->_fail($last_error);
     }
 
@@ -721 +774 @@
 
     my %signed_fields;   # key (without openid.) -> value
+
+    # Auth 2.0 requires certain keys to be signed.
+    if ($self->_message_version >= 2) {
+        my %signed_fields = map {$_ => 1} split /,/, $signed;
+        my %unsigned_fields;
+        # these fields must be signed unconditionally
+        foreach my $f (qw/op_endpoint return_to response_nonce assoc_handle/) {
+            $unsigned_fields{$f}++ if !$signed_fields{$f};
+        }
+        # these fields must be signed if present
+        foreach my $f (qw/claimed_id identity/) {
+            next unless $self->args("openid.$f");
+            $unsigned_fields{$f}++ if !$signed_fields{$f};
+        }
+        if (%unsigned_fields) {
+            return $self->_fail(
+                "unsigned_field",
+                "Field(s) must be signed: " . join(", ", keys %unsigned_fields)
+            );
+        }
+    }
 
     if ($assoc) {
@@ -1347 +1421 @@
 This is free software. IT COMES WITHOUT WARRANTY OF ANY KIND.
 
+=head1 MAILING LIST
+
+The Net::OpenID family of modules has a mailing list powered
+by Google Groups. For more information, see
+http://groups.google.com/group/openid-perl .
+
 =head1 SEE ALSO