module OpenID::TrustRoot

Constants

ALLOWED_PROTOCOLS
RP_RETURN_TO_URL_TYPE

The URI for relying party discovery, used in realm verification.

XXX: This should probably live somewhere else (like in OpenID or OpenID::Yadis somewhere)

TOP_LEVEL_DOMAINS

Public Class Methods

_extract_return_url(endpoint) click to toggle source

If the endpoint is a relying party OpenID return_to endpoint, return the endpoint URL. Otherwise, return None.

This function is intended to be used as a filter for the Yadis filtering interface.

endpoint: An XRDS BasicServiceEndpoint, as returned by performing Yadis dicovery.

returns the endpoint URL or None if the endpoint is not a relying party endpoint.

# File lib/openid/trustroot.rb, line 59
def TrustRoot._extract_return_url(endpoint)
  if endpoint.matchTypes([RP_RETURN_TO_URL_TYPE])
    return endpoint.uri
  else
    return nil
  end
end
get_allowed_return_urls(relying_party_url) click to toggle source

Given a relying party discovery URL return a list of return_to URLs.

# File lib/openid/trustroot.rb, line 96
def TrustRoot.get_allowed_return_urls(relying_party_url)
  rp_url_after_redirects, return_to_urls = services.get_service_endpoints(
    relying_party_url, _extract_return_url)

  if rp_url_after_redirects != relying_party_url
    # Verification caused a redirect
    raise RealmVerificationRedirected.new(
            relying_party_url, rp_url_after_redirects)
  end

  return return_to_urls
end
return_to_matches(allowed_return_to_urls, return_to) click to toggle source

Is the return_to URL under one of the supplied allowed return_to URLs?

# File lib/openid/trustroot.rb, line 69
def TrustRoot.return_to_matches(allowed_return_to_urls, return_to)
  allowed_return_to_urls.each { |allowed_return_to|
    # A return_to pattern works the same as a realm, except that
    # it's not allowed to use a wildcard. We'll model this by
    # parsing it as a realm, and not trying to match it if it has
    # a wildcard.

    return_realm = TrustRoot.parse(allowed_return_to)
    if (# Parses as a trust root
        !return_realm.nil? and

        # Does not have a wildcard
        !return_realm.wildcard and

        # Matches the return_to that we passed in with it
        return_realm.validate_url(return_to)
        )
      return true
    end
  }

  # No URL in the list matched
  return false
end
verify_return_to(realm_str, return_to, _vrfy=nil) click to toggle source

Verify that a return_to URL is valid for the given realm.

This function builds a discovery URL, performs Yadis discovery on it, makes sure that the URL does not redirect, parses out the return_to URLs, and finally checks to see if the current return_to URL matches the return_to.

raises DiscoveryFailure when Yadis discovery fails returns true if the return_to URL is valid for the realm

# File lib/openid/trustroot.rb, line 118
def TrustRoot.verify_return_to(realm_str, return_to, _vrfy=nil)
  # _vrfy parameter is there to make testing easier
  if _vrfy.nil?
    _vrfy = self.method('get_allowed_return_urls')
  end

  if !(_vrfy.is_a?(Proc) or _vrfy.is_a?(Method))
    raise ArgumentError, "_vrfy must be a Proc or Method"
  end

  realm = TrustRoot.parse(realm_str)
  if realm.nil?
    # The realm does not parse as a URL pattern
    return false
  end

  begin
    allowable_urls = _vrfy.call(realm.build_discovery_url())
  rescue RealmVerificationRedirected => err
    Util.log(err.to_s)
    return false
  end

  if return_to_matches(allowable_urls, return_to)
    return true
  else
    Util.log("Failed to validate return_to #{return_to} for " +
        "realm #{realm_str}, was not in #{allowable_urls}")
    return false
  end
end