1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>from_message (OpenID::Server::CheckIDRequest)</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<link rel="stylesheet" href="../../../.././rdoc-style.css" type="text/css" media="screen" />
</head>
<body class="standalone-code">
<pre><span class="ruby-comment cmt"># File lib/openid/server.rb, line 490</span>
<span class="ruby-keyword kw">def</span> <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">from_message</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">op_endpoint</span>)
<span class="ruby-identifier">obj</span> = <span class="ruby-keyword kw">self</span>.<span class="ruby-identifier">allocate</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">message</span> = <span class="ruby-identifier">message</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">op_endpoint</span> = <span class="ruby-identifier">op_endpoint</span>
<span class="ruby-identifier">mode</span> = <span class="ruby-identifier">message</span>.<span class="ruby-identifier">get_arg</span>(<span class="ruby-constant">OPENID_NS</span>, <span class="ruby-value str">'mode'</span>)
<span class="ruby-keyword kw">if</span> <span class="ruby-identifier">mode</span> <span class="ruby-operator">==</span> <span class="ruby-value str">"checkid_immediate"</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">immediate</span> = <span class="ruby-keyword kw">true</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">mode</span> = <span class="ruby-value str">"checkid_immediate"</span>
<span class="ruby-keyword kw">else</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">immediate</span> = <span class="ruby-keyword kw">false</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">mode</span> = <span class="ruby-value str">"checkid_setup"</span>
<span class="ruby-keyword kw">end</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span> = <span class="ruby-identifier">message</span>.<span class="ruby-identifier">get_arg</span>(<span class="ruby-constant">OPENID_NS</span>, <span class="ruby-value str">'return_to'</span>)
<span class="ruby-keyword kw">if</span> <span class="ruby-identifier">message</span>.<span class="ruby-identifier">is_openid1</span> <span class="ruby-keyword kw">and</span> <span class="ruby-operator">!</span><span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span>
<span class="ruby-identifier">msg</span> = <span class="ruby-identifier">sprintf</span>(<span class="ruby-value str">"Missing required field 'return_to' from %s"</span>,
<span class="ruby-identifier">message</span>)
<span class="ruby-identifier">raise</span> <span class="ruby-constant">ProtocolError</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">msg</span>)
<span class="ruby-keyword kw">end</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">identity</span> = <span class="ruby-identifier">message</span>.<span class="ruby-identifier">get_arg</span>(<span class="ruby-constant">OPENID_NS</span>, <span class="ruby-value str">'identity'</span>)
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">claimed_id</span> = <span class="ruby-identifier">message</span>.<span class="ruby-identifier">get_arg</span>(<span class="ruby-constant">OPENID_NS</span>, <span class="ruby-value str">'claimed_id'</span>)
<span class="ruby-keyword kw">if</span> <span class="ruby-identifier">message</span>.<span class="ruby-identifier">is_openid1</span>()
<span class="ruby-keyword kw">if</span> <span class="ruby-operator">!</span><span class="ruby-identifier">obj</span>.<span class="ruby-identifier">identity</span>
<span class="ruby-identifier">s</span> = <span class="ruby-value str">"OpenID 1 message did not contain openid.identity"</span>
<span class="ruby-identifier">raise</span> <span class="ruby-constant">ProtocolError</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">s</span>)
<span class="ruby-keyword kw">end</span>
<span class="ruby-keyword kw">else</span>
<span class="ruby-keyword kw">if</span> <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">identity</span> <span class="ruby-keyword kw">and</span> <span class="ruby-keyword kw">not</span> <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">claimed_id</span>
<span class="ruby-identifier">s</span> = (<span class="ruby-value str">"OpenID 2.0 message contained openid.identity but not "</span> <span class="ruby-operator">+</span>
<span class="ruby-value str">"claimed_id"</span>)
<span class="ruby-identifier">raise</span> <span class="ruby-constant">ProtocolError</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">s</span>)
<span class="ruby-keyword kw">elsif</span> <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">claimed_id</span> <span class="ruby-keyword kw">and</span> <span class="ruby-keyword kw">not</span> <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">identity</span>
<span class="ruby-identifier">s</span> = (<span class="ruby-value str">"OpenID 2.0 message contained openid.claimed_id but not "</span> <span class="ruby-operator">+</span>
<span class="ruby-value str">"identity"</span>)
<span class="ruby-identifier">raise</span> <span class="ruby-constant">ProtocolError</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">s</span>)
<span class="ruby-keyword kw">end</span>
<span class="ruby-keyword kw">end</span>
<span class="ruby-comment cmt"># There's a case for making self.trust_root be a TrustRoot</span>
<span class="ruby-comment cmt"># here. But if TrustRoot isn't currently part of the "public"</span>
<span class="ruby-comment cmt"># API, I'm not sure it's worth doing.</span>
<span class="ruby-keyword kw">if</span> <span class="ruby-identifier">message</span>.<span class="ruby-identifier">is_openid1</span>
<span class="ruby-identifier">trust_root_param</span> = <span class="ruby-value str">'trust_root'</span>
<span class="ruby-keyword kw">else</span>
<span class="ruby-identifier">trust_root_param</span> = <span class="ruby-value str">'realm'</span>
<span class="ruby-keyword kw">end</span>
<span class="ruby-identifier">trust_root</span> = <span class="ruby-identifier">message</span>.<span class="ruby-identifier">get_arg</span>(<span class="ruby-constant">OPENID_NS</span>, <span class="ruby-identifier">trust_root_param</span>)
<span class="ruby-identifier">trust_root</span> = <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span> <span class="ruby-keyword kw">if</span> (<span class="ruby-identifier">trust_root</span>.<span class="ruby-identifier">nil?</span> <span class="ruby-operator">||</span> <span class="ruby-identifier">trust_root</span>.<span class="ruby-identifier">empty?</span>)
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">trust_root</span> = <span class="ruby-identifier">trust_root</span>
<span class="ruby-keyword kw">if</span> <span class="ruby-operator">!</span><span class="ruby-identifier">message</span>.<span class="ruby-identifier">is_openid1</span> <span class="ruby-keyword kw">and</span> <span class="ruby-operator">!</span><span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span> <span class="ruby-keyword kw">and</span> <span class="ruby-operator">!</span><span class="ruby-identifier">obj</span>.<span class="ruby-identifier">trust_root</span>
<span class="ruby-identifier">raise</span> <span class="ruby-constant">ProtocolError</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-value str">"openid.realm required when "</span> <span class="ruby-operator">+</span>
<span class="ruby-value str">"openid.return_to absent"</span>)
<span class="ruby-keyword kw">end</span>
<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">assoc_handle</span> = <span class="ruby-identifier">message</span>.<span class="ruby-identifier">get_arg</span>(<span class="ruby-constant">OPENID_NS</span>, <span class="ruby-value str">'assoc_handle'</span>)
<span class="ruby-comment cmt"># Using TrustRoot.parse here is a bit misleading, as we're not</span>
<span class="ruby-comment cmt"># parsing return_to as a trust root at all. However, valid</span>
<span class="ruby-comment cmt"># URLs are valid trust roots, so we can use this to get an</span>
<span class="ruby-comment cmt"># idea if it is a valid URL. Not all trust roots are valid</span>
<span class="ruby-comment cmt"># return_to URLs, however (particularly ones with wildcards),</span>
<span class="ruby-comment cmt"># so this is still a little sketchy.</span>
<span class="ruby-keyword kw">if</span> <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span> <span class="ruby-keyword kw">and</span> \
<span class="ruby-operator">!</span><span class="ruby-constant">TrustRoot</span><span class="ruby-operator">::</span><span class="ruby-constant">TrustRoot</span>.<span class="ruby-identifier">parse</span>(<span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span>)
<span class="ruby-identifier">raise</span> <span class="ruby-constant">MalformedReturnURL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span>)
<span class="ruby-keyword kw">end</span>
<span class="ruby-comment cmt"># I first thought that checking to see if the return_to is</span>
<span class="ruby-comment cmt"># within the trust_root is premature here, a</span>
<span class="ruby-comment cmt"># logic-not-decoding thing. But it was argued that this is</span>
<span class="ruby-comment cmt"># really part of data validation. A request with an invalid</span>
<span class="ruby-comment cmt"># trust_root/return_to is broken regardless of application,</span>
<span class="ruby-comment cmt"># right?</span>
<span class="ruby-keyword kw">if</span> <span class="ruby-operator">!</span><span class="ruby-identifier">obj</span>.<span class="ruby-identifier">trust_root_valid</span>()
<span class="ruby-identifier">raise</span> <span class="ruby-constant">UntrustedReturnURL</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">message</span>, <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">return_to</span>, <span class="ruby-identifier">obj</span>.<span class="ruby-identifier">trust_root</span>)
<span class="ruby-keyword kw">end</span>
<span class="ruby-keyword kw">return</span> <span class="ruby-identifier">obj</span>
<span class="ruby-keyword kw">end</span></pre>
</body>
</html>
|
