class OpenID::Server::Signatory
I sign things.
I also check signatures.
All my state is encapsulated in a store, which means I'm not generally pickleable but I am easy to reconstruct.
Attributes
secret_lifetime[RW]
The number of seconds a secret remains valid. Defaults to 14 days.
store[RW]
Public Class Methods
_dumb_key()
click to toggle source
# File lib/openid/server.rb, line 1001 def self._dumb_key @@_dumb_key end
_normal_key()
click to toggle source
# File lib/openid/server.rb, line 997 def self._normal_key @@_normal_key end
new(store)
click to toggle source
Create a new Signatory. store is The back-end where my associations are stored.
# File lib/openid/server.rb, line 1009 def initialize(store) Util.assert(store) @store = store @secret_lifetime = 14 * 24 * 60 * 60 end
Public Instance Methods
create_association(dumb=true, assoc_type='HMAC-SHA1')
click to toggle source
Make a new association.
# File lib/openid/server.rb, line 1076 def create_association(dumb=true, assoc_type='HMAC-SHA1') secret = CryptUtil.random_string(OpenID.get_secret_size(assoc_type)) uniq = Util.to_base64(CryptUtil.random_string(4)) handle = sprintf('{%s}{%x}{%s}', assoc_type, Time.now.to_i, uniq) assoc = Association.from_expires_in( secret_lifetime, handle, secret, assoc_type) if dumb key = @@_dumb_key else key = @@_normal_key end @store.store_association(key, assoc) return assoc end
get_association(assoc_handle, dumb, checkExpiration=true)
click to toggle source
Get the association with the specified handle.
# File lib/openid/server.rb, line 1095 def get_association(assoc_handle, dumb, checkExpiration=true) # Hmm. We've created an interface that deals almost entirely # with assoc_handles. The only place outside the Signatory # that uses this (and thus the only place that ever sees # Association objects) is when creating a response to an # association request, as it must have the association's # secret. if !assoc_handle raise ArgumentError.new("assoc_handle must not be None") end if dumb key = @@_dumb_key else key = @@_normal_key end assoc = @store.get_association(key, assoc_handle) if assoc and assoc.expires_in <= 0 Util.log(sprintf("requested %sdumb key %s is expired (by %s seconds)", (!dumb) ? 'not-' : '', assoc_handle, assoc.expires_in)) if checkExpiration @store.remove_association(key, assoc_handle) assoc = nil end end return assoc end
invalidate(assoc_handle, dumb)
click to toggle source
Invalidates the association with the given handle.
# File lib/openid/server.rb, line 1128 def invalidate(assoc_handle, dumb) if dumb key = @@_dumb_key else key = @@_normal_key end @store.remove_association(key, assoc_handle) end
sign(response)
click to toggle source
Sign a response.
I take an OpenIDResponse, create a signature for everything in its signed list, and return a new copy of the response object with that signature included.
# File lib/openid/server.rb, line 1040 def sign(response) signed_response = response.copy assoc_handle = response.request.assoc_handle if assoc_handle # normal mode disabling expiration check because even if the # association is expired, we still need to know some # properties of the association so that we may preserve # those properties when creating the fallback association. assoc = get_association(assoc_handle, false, false) if !assoc or assoc.expires_in <= 0 # fall back to dumb mode signed_response.fields.set_arg( OPENID_NS, 'invalidate_handle', assoc_handle) assoc_type = assoc ? assoc.assoc_type : 'HMAC-SHA1' if assoc and assoc.expires_in <= 0 # now do the clean-up that the disabled checkExpiration # code didn't get to do. invalidate(assoc_handle, false) end assoc = create_association(true, assoc_type) end else # dumb mode. assoc = create_association(true) end begin signed_response.fields = assoc.sign_message(signed_response.fields) rescue KVFormError => err raise EncodingError, err end return signed_response end
verify(assoc_handle, message)
click to toggle source
Verify that the signature for some data is valid.
# File lib/openid/server.rb, line 1016 def verify(assoc_handle, message) assoc = get_association(assoc_handle, true) if !assoc Util.log(sprintf("failed to get assoc with handle %s to verify " + "message %s", assoc_handle, message)) return false end begin valid = assoc.check_message_signature(message) rescue StandardError => ex Util.log(sprintf("Error in verifying %s with %s: %s", message, assoc, ex)) return false end return valid end