Prefer Rails.root to RAILS_ROOT
[gitorious:openid_auth.git] / lib / open_id_authentication.rb
1 require 'uri'
2 require 'openid/extensions/sreg'
3 require 'openid/extensions/ax'
4 require 'openid/store/filesystem'
5
6 require File.dirname(__FILE__) + '/open_id_authentication/association'
7 require File.dirname(__FILE__) + '/open_id_authentication/nonce'
8 require File.dirname(__FILE__) + '/open_id_authentication/db_store'
9 require File.dirname(__FILE__) + '/open_id_authentication/request'
10 require File.dirname(__FILE__) + '/open_id_authentication/timeout_fixes' if OpenID::VERSION == "2.0.4"
11
12 module OpenIdAuthentication
13   OPEN_ID_AUTHENTICATION_DIR = Rails.root.join('tmp/openids')
14
15   def self.store
16     @@store
17   end
18
19   def self.store=(*store_option)
20     store, *parameters = *([ store_option ].flatten)
21
22     @@store = case store
23     when :db
24       OpenIdAuthentication::DbStore.new
25     when :file
26       OpenID::Store::Filesystem.new(OPEN_ID_AUTHENTICATION_DIR)
27     else
28       store
29     end
30   end
31
32   self.store = :db
33
34   class InvalidOpenId < StandardError
35   end
36
37   class Result
38     ERROR_MESSAGES = {
39       :missing      => "Sorry, the OpenID server couldn't be found",
40       :invalid      => "Sorry, but this does not appear to be a valid OpenID",
41       :canceled     => "OpenID verification was canceled",
42       :failed       => "OpenID verification failed",
43       :setup_needed => "OpenID verification needs setup"
44     }
45
46     def self.[](code)
47       new(code)
48     end
49
50     def initialize(code)
51       @code = code
52     end
53
54     def status
55       @code
56     end
57
58     ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } }
59
60     def successful?
61       @code == :successful
62     end
63
64     def unsuccessful?
65       ERROR_MESSAGES.keys.include?(@code)
66     end
67
68     def message
69       ERROR_MESSAGES[@code]
70     end
71   end
72
73   # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization
74   def self.normalize_identifier(identifier)
75     # clean up whitespace
76     identifier = identifier.to_s.strip
77
78     # if an XRI has a prefix, strip it.
79     identifier.gsub!(/xri:\/\//i, '')
80
81     # dodge XRIs -- TODO: validate, don't just skip.
82     unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0))
83       # does it begin with http?  if not, add it.
84       identifier = "http://#{identifier}" unless identifier =~ /^http/i
85
86       # strip any fragments
87       identifier.gsub!(/\#(.*)$/, '')
88
89       begin
90         uri = URI.parse(identifier)
91         uri.scheme = uri.scheme.downcase  # URI should do this
92         identifier = uri.normalize.to_s
93       rescue URI::InvalidURIError
94         raise InvalidOpenId.new("#{identifier} is not an OpenID identifier")
95       end
96     end
97
98     return identifier
99   end
100
101   # deprecated for OpenID 2.0, where not all OpenIDs are URLs
102   def self.normalize_url(url)
103     ActiveSupport::Deprecation.warn "normalize_url has been deprecated, use normalize_identifier instead"
104     self.normalize_identifier(url)
105   end
106
107   protected
108     def normalize_url(url)
109       OpenIdAuthentication.normalize_url(url)
110     end
111
112     def normalize_identifier(url)
113       OpenIdAuthentication.normalize_identifier(url)
114     end
115
116     # The parameter name of "openid_identifier" is used rather than the Rails convention "open_id_identifier"
117     # because that's what the specification dictates in order to get browser auto-complete working across sites
118     def using_open_id?(identity_url = nil) #:doc:
119       identity_url ||= params[:openid_identifier] || params[:openid_url]
120       !identity_url.blank? || params[:open_id_complete]
121     end
122
123     def authenticate_with_open_id(identity_url = nil, options = {}, &block) #:doc:
124       identity_url ||= params[:openid_identifier] || params[:openid_url]
125
126       if params[:open_id_complete].nil?
127         begin_open_id_authentication(identity_url, options, &block)
128       else
129         complete_open_id_authentication(&block)
130       end
131     end
132
133   private
134     def begin_open_id_authentication(identity_url, options = {})
135       identity_url = normalize_identifier(identity_url)
136       return_to    = options.delete(:return_to)
137       method       = options.delete(:method)
138       
139       options[:required] ||= []  # reduces validation later
140       options[:optional] ||= []
141
142       open_id_request = open_id_consumer.begin(identity_url)
143       add_simple_registration_fields(open_id_request, options)
144       add_ax_fields(open_id_request, options)
145       redirect_to(open_id_redirect_url(open_id_request, return_to, method))
146     rescue OpenIdAuthentication::InvalidOpenId => e
147       yield Result[:invalid], identity_url, nil
148     rescue OpenID::OpenIDError, Timeout::Error => e
149       logger.error("[OPENID] #{e}")
150       yield Result[:missing], identity_url, nil
151     end
152
153     def complete_open_id_authentication
154       params_with_path = params.reject { |key, value| request.path_parameters[key] }
155       params_with_path.delete(:format)
156       open_id_response = timeout_protection_from_identity_server { open_id_consumer.complete(params_with_path, requested_url) }
157       identity_url     = normalize_identifier(open_id_response.display_identifier) if open_id_response.display_identifier
158
159       case open_id_response.status
160       when OpenID::Consumer::SUCCESS
161         profile_data = {}
162
163         # merge the SReg data and the AX data into a single hash of profile data
164         [ OpenID::SReg::Response, OpenID::AX::FetchResponse ].each do |data_response|
165           if data_response.from_success_response( open_id_response )
166             profile_data.merge! data_response.from_success_response( open_id_response ).data
167           end
168         end
169         
170         yield Result[:successful], identity_url, profile_data
171       when OpenID::Consumer::CANCEL
172         yield Result[:canceled], identity_url, nil
173       when OpenID::Consumer::FAILURE
174         yield Result[:failed], identity_url, nil
175       when OpenID::Consumer::SETUP_NEEDED
176         yield Result[:setup_needed], open_id_response.setup_url, nil
177       end
178     end
179
180     def open_id_consumer
181       OpenID::Consumer.new(session, OpenIdAuthentication.store)
182     end
183
184     def add_simple_registration_fields(open_id_request, fields)
185       sreg_request = OpenID::SReg::Request.new
186       
187       # filter out AX identifiers (URIs)
188       required_fields = fields[:required].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
189       optional_fields = fields[:optional].collect { |f| f.to_s unless f =~ /^https?:\/\// }.compact
190       
191       sreg_request.request_fields(required_fields, true) unless required_fields.blank?
192       sreg_request.request_fields(optional_fields, false) unless optional_fields.blank?
193       sreg_request.policy_url = fields[:policy_url] if fields[:policy_url]
194       open_id_request.add_extension(sreg_request)
195     end
196     
197     def add_ax_fields( open_id_request, fields )
198       ax_request = OpenID::AX::FetchRequest.new
199       
200       # look through the :required and :optional fields for URIs (AX identifiers)
201       fields[:required].each do |f|
202         next unless f =~ /^https?:\/\//
203         ax_request.add( OpenID::AX::AttrInfo.new( f, nil, true ) )
204       end
205
206       fields[:optional].each do |f|
207         next unless f =~ /^https?:\/\//
208         ax_request.add( OpenID::AX::AttrInfo.new( f, nil, false ) )
209       end
210       
211       open_id_request.add_extension( ax_request )
212     end
213         
214     def open_id_redirect_url(open_id_request, return_to = nil, method = nil)
215       open_id_request.return_to_args['_method'] = (method || request.method).to_s
216       open_id_request.return_to_args['open_id_complete'] = '1'
217       open_id_request.redirect_url(root_url, return_to || requested_url)
218     end
219
220     def requested_url
221       relative_url_root = self.class.respond_to?(:relative_url_root) ?
222         self.class.relative_url_root.to_s :
223         request.relative_url_root
224       "#{request.protocol}#{request.host_with_port}#{ActionController::Base.relative_url_root}#{request.path}"
225     end
226
227     def timeout_protection_from_identity_server
228       yield
229     rescue Timeout::Error
230       Class.new do
231         def status
232           OpenID::FAILURE
233         end
234
235         def msg
236           "Identity server timed out"
237         end
238       end.new
239     end
240 end