File: verify.go

package info (click to toggle)
golang-github-yohcop-openid-go 0.0~git20170901.0.cfc72ed-3
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 184 kB
  • sloc: makefile: 3
file content (250 lines) | stat: -rw-r--r-- 8,083 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
package openid

import (
	"errors"
	"fmt"
	"io/ioutil"
	"net/url"
	"strings"
)

func Verify(uri string, cache DiscoveryCache, nonceStore NonceStore) (id string, err error) {
	return defaultInstance.Verify(uri, cache, nonceStore)
}

func (oid *OpenID) Verify(uri string, cache DiscoveryCache, nonceStore NonceStore) (id string, err error) {
	parsedURL, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	values, err := url.ParseQuery(parsedURL.RawQuery)
	if err != nil {
		return "", err
	}

	// 11.  Verifying Assertions
	// When the Relying Party receives a positive assertion, it MUST
	// verify the following before accepting the assertion:

	// - The value of "openid.signed" contains all the required fields.
	//   (Section 10.1)
	if err = verifySignedFields(values); err != nil {
		return "", err
	}

	// - The signature on the assertion is valid (Section 11.4)
	if err = verifySignature(uri, values, oid.urlGetter); err != nil {
		return "", err
	}

	// - The value of "openid.return_to" matches the URL of the current
	//   request (Section 11.1)
	if err = verifyReturnTo(parsedURL, values); err != nil {
		return "", err
	}

	// - Discovered information matches the information in the assertion
	//   (Section 11.2)
	if err = oid.verifyDiscovered(parsedURL, values, cache); err != nil {
		return "", err
	}

	// - An assertion has not yet been accepted from this OP with the
	//   same value for "openid.response_nonce" (Section 11.3)
	if err = verifyNonce(values, nonceStore); err != nil {
		return "", err
	}

	// If all four of these conditions are met, assertion is now
	// verified. If the assertion contained a Claimed Identifier, the
	// user is now authenticated with that identifier.
	return values.Get("openid.claimed_id"), nil
}

// 10.1. Positive Assertions
// openid.signed - Comma-separated list of signed fields.
// This entry consists of the fields without the "openid." prefix that the signature covers.
// This list MUST contain at least "op_endpoint", "return_to" "response_nonce" and "assoc_handle",
// and if present in the response, "claimed_id" and "identity".
func verifySignedFields(vals url.Values) error {
	ok := map[string]bool{
		"op_endpoint":    false,
		"return_to":      false,
		"response_nonce": false,
		"assoc_handle":   false,
		"claimed_id":     vals.Get("openid.claimed_id") == "",
		"identity":       vals.Get("openid.identity") == "",
	}
	signed := strings.Split(vals.Get("openid.signed"), ",")
	for _, sf := range signed {
		ok[sf] = true
	}
	for k, v := range ok {
		if !v {
			return fmt.Errorf("%v must be signed but isn't", k)
		}
	}
	return nil
}

// 11.1.  Verifying the Return URL
// To verify that the "openid.return_to" URL matches the URL that is processing this assertion:
// - The URL scheme, authority, and path MUST be the same between the two
//   URLs.
// - Any query parameters that are present in the "openid.return_to" URL
//   MUST also be present with the same values in the URL of the HTTP
//   request the RP received.
func verifyReturnTo(uri *url.URL, vals url.Values) error {
	returnTo := vals.Get("openid.return_to")
	rp, err := url.Parse(returnTo)
	if err != nil {
		return err
	}
	if uri.Scheme != rp.Scheme ||
		uri.Host != rp.Host ||
		uri.Path != rp.Path {
		return errors.New(
			"Scheme, host or path don't match in return_to URL")
	}
	qp, err := url.ParseQuery(rp.RawQuery)
	if err != nil {
		return err
	}
	return compareQueryParams(qp, vals)
}

// Any parameter in q1 must also be present in q2, and values must match.
func compareQueryParams(q1, q2 url.Values) error {
	for k := range q1 {
		v1 := q1.Get(k)
		v2 := q2.Get(k)
		if v1 != v2 {
			return fmt.Errorf(
				"URLs query params don't match: Param %s different: %s vs %s",
				k, v1, v2)
		}
	}
	return nil
}

func (oid *OpenID) verifyDiscovered(uri *url.URL, vals url.Values, cache DiscoveryCache) error {
	version := vals.Get("openid.ns")
	if version != "http://specs.openid.net/auth/2.0" {
		return errors.New("Bad protocol version")
	}

	endpoint := vals.Get("openid.op_endpoint")
	if len(endpoint) == 0 {
		return errors.New("missing openid.op_endpoint url param")
	}
	localID := vals.Get("openid.identity")
	if len(localID) == 0 {
		return errors.New("no localId to verify")
	}
	claimedID := vals.Get("openid.claimed_id")
	if len(claimedID) == 0 {
		// If no Claimed Identifier is present in the response, the
		// assertion is not about an identifier and the RP MUST NOT use the
		// User-supplied Identifier associated with the current OpenID
		// authentication transaction to identify the user. Extension
		// information in the assertion MAY still be used.
		// --- This library does not support this case. So claimed
		//     identifier must be present.
		return errors.New("no claimed_id to verify")
	}

	// 11.2.  Verifying Discovered Information

	// If the Claimed Identifier in the assertion is a URL and contains a
	// fragment, the fragment part and the fragment delimiter character "#"
	// MUST NOT be used for the purposes of verifying the discovered
	// information.
	claimedIDVerify := claimedID
	if fragmentIndex := strings.Index(claimedID, "#"); fragmentIndex != -1 {
		claimedIDVerify = claimedID[0:fragmentIndex]
	}

	// If the Claimed Identifier is included in the assertion, it
	// MUST have been discovered by the Relying Party and the
	// information in the assertion MUST be present in the
	// discovered information. The Claimed Identifier MUST NOT be an
	// OP Identifier.
	if discovered := cache.Get(claimedIDVerify); discovered != nil &&
		discovered.OpEndpoint() == endpoint &&
		discovered.OpLocalID() == localID &&
		discovered.ClaimedID() == claimedIDVerify {
		return nil
	}

	// If the Claimed Identifier was not previously discovered by the
	// Relying Party (the "openid.identity" in the request was
	// "http://specs.openid.net/auth/2.0/identifier_select" or a different
	// Identifier, or if the OP is sending an unsolicited positive
	// assertion), the Relying Party MUST perform discovery on the Claimed
	// Identifier in the response to make sure that the OP is authorized to
	// make assertions about the Claimed Identifier.
	if ep, _, _, err := oid.Discover(claimedID); err == nil {
		if ep == endpoint {
			// This claimed ID points to the same endpoint, therefore this
			// endpoint is authorized to make assertions about that claimed ID.
			// TODO: There may be multiple endpoints found during discovery.
			// They should all be checked.
			cache.Put(claimedIDVerify, &SimpleDiscoveredInfo{opEndpoint: endpoint, opLocalID: localID, claimedID: claimedIDVerify})
			return nil
		}
	}

	return errors.New("Could not verify the claimed ID")
}

func verifyNonce(vals url.Values, store NonceStore) error {
	nonce := vals.Get("openid.response_nonce")
	endpoint := vals.Get("openid.op_endpoint")
	return store.Accept(endpoint, nonce)
}

func verifySignature(uri string, vals url.Values, getter httpGetter) error {
	// To have the signature verification performed by the OP, the
	// Relying Party sends a direct request to the OP. To verify the
	// signature, the OP uses a private association that was generated
	// when it issued the positive assertion.

	// 11.4.2.1.  Request Parameters
	params := make(url.Values)
	// openid.mode: Value: "check_authentication"
	params.Add("openid.mode", "check_authentication")
	// Exact copies of all fields from the authentication response,
	// except for "openid.mode".
	for k, vs := range vals {
		if k == "openid.mode" {
			continue
		}
		for _, v := range vs {
			params.Add(k, v)
		}
	}
	resp, err := getter.Post(vals.Get("openid.op_endpoint"), params)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	content, err := ioutil.ReadAll(resp.Body)
	response := string(content)
	lines := strings.Split(response, "\n")

	isValid := false
	nsValid := false
	for _, l := range lines {
		if l == "is_valid:true" {
			isValid = true
		} else if l == "ns:http://specs.openid.net/auth/2.0" {
			nsValid = true
		}
	}
	if isValid && nsValid {
		// Yay !
		return nil
	}

	return errors.New("Could not verify assertion with provider")
}