module OpenID::TrustRoot
Constants
- ALLOWED_PROTOCOLS
- RP_RETURN_TO_URL_TYPE
The URI for relying party discovery, used in realm verification.
XXX: This should probably live somewhere else (like in OpenID or OpenID::Yadis somewhere)
- TOP_LEVEL_DOMAINS
Public Class Methods
If the endpoint is a relying party OpenID return_to endpoint, return the endpoint URL. Otherwise, return None.
This function is intended to be used as a filter for the Yadis filtering interface.
endpoint: An XRDS BasicServiceEndpoint, as returned by performing Yadis dicovery.
returns the endpoint URL or None if the endpoint is not a relying party endpoint.
# File lib/openid/trustroot.rb, line 59 def TrustRoot._extract_return_url(endpoint) if endpoint.matchTypes([RP_RETURN_TO_URL_TYPE]) return endpoint.uri else return nil end end
Given a relying party discovery URL return a list of return_to URLs.
# File lib/openid/trustroot.rb, line 96 def TrustRoot.get_allowed_return_urls(relying_party_url) rp_url_after_redirects, return_to_urls = services.get_service_endpoints( relying_party_url, _extract_return_url) if rp_url_after_redirects != relying_party_url # Verification caused a redirect raise RealmVerificationRedirected.new( relying_party_url, rp_url_after_redirects) end return return_to_urls end
Is the return_to URL under one of the supplied allowed return_to URLs?
# File lib/openid/trustroot.rb, line 69 def TrustRoot.return_to_matches(allowed_return_to_urls, return_to) allowed_return_to_urls.each { |allowed_return_to| # A return_to pattern works the same as a realm, except that # it's not allowed to use a wildcard. We'll model this by # parsing it as a realm, and not trying to match it if it has # a wildcard. return_realm = TrustRoot.parse(allowed_return_to) if (# Parses as a trust root !return_realm.nil? and # Does not have a wildcard !return_realm.wildcard and # Matches the return_to that we passed in with it return_realm.validate_url(return_to) ) return true end } # No URL in the list matched return false end
Verify that a return_to URL is valid for the given realm.
This function builds a discovery URL, performs Yadis discovery on it, makes sure that the URL does not redirect, parses out the return_to URLs, and finally checks to see if the current return_to URL matches the return_to.
raises DiscoveryFailure when Yadis discovery fails returns true if the return_to URL is valid for the realm
# File lib/openid/trustroot.rb, line 118 def TrustRoot.verify_return_to(realm_str, return_to, _vrfy=nil) # _vrfy parameter is there to make testing easier if _vrfy.nil? _vrfy = self.method('get_allowed_return_urls') end if !(_vrfy.is_a?(Proc) or _vrfy.is_a?(Method)) raise ArgumentError, "_vrfy must be a Proc or Method" end realm = TrustRoot.parse(realm_str) if realm.nil? # The realm does not parse as a URL pattern return false end begin allowable_urls = _vrfy.call(realm.build_discovery_url()) rescue RealmVerificationRedirected => err Util.log(err.to_s) return false end if return_to_matches(allowable_urls, return_to) return true else Util.log("Failed to validate return_to #{return_to} for " + "realm #{realm_str}, was not in #{allowable_urls}") return false end end