class OpenID::Server::Signatory

I sign things.

I also check signatures.

All my state is encapsulated in a store, which means I'm not generally pickleable but I am easy to reconstruct.

Attributes

secret_lifetime[RW]

The number of seconds a secret remains valid. Defaults to 14 days.

store[RW]

Public Class Methods

_dumb_key() click to toggle source
# File lib/openid/server.rb, line 1001
def self._dumb_key
  @@_dumb_key
end
_normal_key() click to toggle source
# File lib/openid/server.rb, line 997
def self._normal_key
  @@_normal_key
end
new(store) click to toggle source

Create a new Signatory. store is The back-end where my associations are stored.

# File lib/openid/server.rb, line 1009
def initialize(store)
  Util.assert(store)
  @store = store
  @secret_lifetime = 14 * 24 * 60 * 60
end

Public Instance Methods

create_association(dumb=true, assoc_type='HMAC-SHA1') click to toggle source

Make a new association.

# File lib/openid/server.rb, line 1076
def create_association(dumb=true, assoc_type='HMAC-SHA1')
  secret = CryptUtil.random_string(OpenID.get_secret_size(assoc_type))
  uniq = Util.to_base64(CryptUtil.random_string(4))
  handle = sprintf('{%s}{%x}{%s}', assoc_type, Time.now.to_i, uniq)

  assoc = Association.from_expires_in(
      secret_lifetime, handle, secret, assoc_type)

  if dumb
    key = @@_dumb_key
  else
    key = @@_normal_key
  end

  @store.store_association(key, assoc)
  return assoc
end
get_association(assoc_handle, dumb, checkExpiration=true) click to toggle source

Get the association with the specified handle.

# File lib/openid/server.rb, line 1095
def get_association(assoc_handle, dumb, checkExpiration=true)
  # Hmm.  We've created an interface that deals almost entirely
  # with assoc_handles.  The only place outside the Signatory
  # that uses this (and thus the only place that ever sees
  # Association objects) is when creating a response to an
  # association request, as it must have the association's
  # secret.

  if !assoc_handle
    raise ArgumentError.new("assoc_handle must not be None")
  end

  if dumb
    key = @@_dumb_key
  else
    key = @@_normal_key
  end

  assoc = @store.get_association(key, assoc_handle)
  if assoc and assoc.expires_in <= 0
    Util.log(sprintf("requested %sdumb key %s is expired (by %s seconds)",
                     (!dumb) ? 'not-' : '',
                     assoc_handle, assoc.expires_in))
    if checkExpiration
      @store.remove_association(key, assoc_handle)
      assoc = nil
    end
  end

  return assoc
end
invalidate(assoc_handle, dumb) click to toggle source

Invalidates the association with the given handle.

# File lib/openid/server.rb, line 1128
def invalidate(assoc_handle, dumb)
  if dumb
    key = @@_dumb_key
  else
    key = @@_normal_key
  end

  @store.remove_association(key, assoc_handle)
end
sign(response) click to toggle source

Sign a response.

I take an OpenIDResponse, create a signature for everything in its signed list, and return a new copy of the response object with that signature included.

# File lib/openid/server.rb, line 1040
def sign(response)
  signed_response = response.copy
  assoc_handle = response.request.assoc_handle
  if assoc_handle
    # normal mode disabling expiration check because even if the
    # association is expired, we still need to know some
    # properties of the association so that we may preserve
    # those properties when creating the fallback association.
    assoc = get_association(assoc_handle, false, false)

    if !assoc or assoc.expires_in <= 0
      # fall back to dumb mode
      signed_response.fields.set_arg(
            OPENID_NS, 'invalidate_handle', assoc_handle)
      assoc_type = assoc ? assoc.assoc_type : 'HMAC-SHA1'
      if assoc and assoc.expires_in <= 0
        # now do the clean-up that the disabled checkExpiration
        # code didn't get to do.
        invalidate(assoc_handle, false)
      end
      assoc = create_association(true, assoc_type)
    end
  else
    # dumb mode.
    assoc = create_association(true)
  end

  begin
    signed_response.fields = assoc.sign_message(signed_response.fields)
  rescue KVFormError => err
    raise EncodingError, err
  end
  return signed_response
end
verify(assoc_handle, message) click to toggle source

Verify that the signature for some data is valid.

# File lib/openid/server.rb, line 1016
def verify(assoc_handle, message)
  assoc = get_association(assoc_handle, true)
  if !assoc
    Util.log(sprintf("failed to get assoc with handle %s to verify " +
                     "message %s", assoc_handle, message))
    return false
  end

  begin
    valid = assoc.check_message_signature(message)
  rescue StandardError => ex
    Util.log(sprintf("Error in verifying %s with %s: %s",
                     message, assoc, ex))
    return false
  end

  return valid
end