Redmine 3.4.4

lib/plugins/open_id_authentication/lib/open_id_authentication.rb

@@ -0,0 +1,159 @@
+require 'uri'
+require 'openid'
+require 'rack/openid'
+
+module OpenIdAuthentication
+  def self.new(app)
+    store = OpenIdAuthentication.store
+    if store.nil?
+      Rails.logger.warn "OpenIdAuthentication.store is nil. Using in-memory store."
+    end
+
+    ::Rack::OpenID.new(app, OpenIdAuthentication.store)
+  end
+
+  def self.store
+    @@store
+  end
+
+  def self.store=(*store_option)
+    store, *parameters = *([ store_option ].flatten)
+
+    @@store = case store
+    when :memory
+      require 'openid/store/memory'
+      OpenID::Store::Memory.new
+    when :file
+      require 'openid/store/filesystem'
+      OpenID::Store::Filesystem.new(Rails.root.join('tmp/openids'))
+    when :memcache
+      require 'memcache'
+      require 'openid/store/memcache'
+      OpenID::Store::Memcache.new(MemCache.new(parameters))
+    else
+      store
+    end
+  end
+
+  self.store = nil
+
+  class InvalidOpenId < StandardError
+  end
+
+  class Result
+    ERROR_MESSAGES = {
+      :missing      => "Sorry, the OpenID server couldn't be found",
+      :invalid      => "Sorry, but this does not appear to be a valid OpenID",
+      :canceled     => "OpenID verification was canceled",
+      :failed       => "OpenID verification failed",
+      :setup_needed => "OpenID verification needs setup"
+    }
+
+    def self.[](code)
+      new(code)
+    end
+
+    def initialize(code)
+      @code = code
+    end
+
+    def status
+      @code
+    end
+
+    ERROR_MESSAGES.keys.each { |state| define_method("#{state}?") { @code == state } }
+
+    def successful?
+      @code == :successful
+    end
+
+    def unsuccessful?
+      ERROR_MESSAGES.keys.include?(@code)
+    end
+
+    def message
+      ERROR_MESSAGES[@code]
+    end
+  end
+
+  # normalizes an OpenID according to http://openid.net/specs/openid-authentication-2_0.html#normalization
+  def self.normalize_identifier(identifier)
+    # clean up whitespace
+    identifier = identifier.to_s.strip
+
+    # if an XRI has a prefix, strip it.
+    identifier.gsub!(/xri:\/\//i, '')
+
+    # dodge XRIs -- TODO: validate, don't just skip.
+    unless ['=', '@', '+', '$', '!', '('].include?(identifier.at(0))
+      # does it begin with http?  if not, add it.
+      identifier = "http://#{identifier}" unless identifier =~ /^http/i
+
+      # strip any fragments
+      identifier.gsub!(/\#(.*)$/, '')
+
+      begin
+        uri = URI.parse(identifier)
+        uri.scheme = uri.scheme.downcase if uri.scheme # URI should do this
+        identifier = uri.normalize.to_s
+      rescue URI::InvalidURIError
+        raise InvalidOpenId.new("#{identifier} is not an OpenID identifier")
+      end
+    end
+
+    return identifier
+  end
+
+  protected
+    # The parameter name of "openid_identifier" is used rather than
+    # the Rails convention "open_id_identifier" because that's what
+    # the specification dictates in order to get browser auto-complete
+    # working across sites
+    def using_open_id?(identifier = nil) #:doc:
+      identifier ||= open_id_identifier
+      !identifier.blank? || request.env[Rack::OpenID::RESPONSE]
+    end
+
+    def authenticate_with_open_id(identifier = nil, options = {}, &block) #:doc:
+      identifier ||= open_id_identifier
+
+      if request.env[Rack::OpenID::RESPONSE]
+        complete_open_id_authentication(&block)
+      else
+        begin_open_id_authentication(identifier, options, &block)
+      end
+    end
+
+  private
+    def open_id_identifier
+      params[:openid_identifier] || params[:openid_url]
+    end
+
+    def begin_open_id_authentication(identifier, options = {})
+      options[:identifier] = identifier
+      value = Rack::OpenID.build_header(options)
+      response.headers[Rack::OpenID::AUTHENTICATE_HEADER] = value
+      head :unauthorized
+    end
+
+    def complete_open_id_authentication
+      response   = request.env[Rack::OpenID::RESPONSE]
+      identifier = response.display_identifier
+
+      case response.status
+      when OpenID::Consumer::SUCCESS
+        yield Result[:successful], identifier,
+          OpenID::SReg::Response.from_success_response(response)
+      when :missing
+        yield Result[:missing], identifier, nil
+      when :invalid
+        yield Result[:invalid], identifier, nil
+      when OpenID::Consumer::CANCEL
+        yield Result[:canceled], identifier, nil
+      when OpenID::Consumer::FAILURE
+        yield Result[:failed], identifier, nil
+      when OpenID::Consumer::SETUP_NEEDED
+        yield Result[:setup_needed], response.setup_url, nil
+      end
+    end
+end

lib/plugins/open_id_authentication/lib/open_id_authentication/association.rb

@@ -0,0 +1,9 @@
+module OpenIdAuthentication
+  class Association < ActiveRecord::Base
+    self.table_name = :open_id_authentication_associations
+
+    def from_record
+      OpenID::Association.new(handle, secret, issued, lifetime, assoc_type)
+    end
+  end
+end

lib/plugins/open_id_authentication/lib/open_id_authentication/db_store.rb

@@ -0,0 +1,55 @@
+require 'openid/store/interface'
+
+module OpenIdAuthentication
+  class DbStore < OpenID::Store::Interface
+    def self.cleanup_nonces
+      now = Time.now.to_i
+      Nonce.delete_all(["timestamp > ? OR timestamp < ?", now + OpenID::Nonce.skew, now - OpenID::Nonce.skew])
+    end
+
+    def self.cleanup_associations
+      now = Time.now.to_i
+      Association.delete_all(['issued + lifetime > ?',now])
+    end
+
+    def store_association(server_url, assoc)
+      remove_association(server_url, assoc.handle)
+      Association.create(:server_url => server_url,
+                         :handle     => assoc.handle,
+                         :secret     => assoc.secret,
+                         :issued     => assoc.issued,
+                         :lifetime   => assoc.lifetime,
+                         :assoc_type => assoc.assoc_type)
+    end
+
+    def get_association(server_url, handle = nil)
+      assocs = if handle.blank?
+          Association.find_all_by_server_url(server_url)
+        else
+          Association.find_all_by_server_url_and_handle(server_url, handle)
+        end
+
+      assocs.reverse.each do |assoc|
+        a = assoc.from_record
+        if a.expires_in == 0
+          assoc.destroy
+        else
+          return a
+        end
+      end if assocs.any?
+
+      return nil
+    end
+
+    def remove_association(server_url, handle)
+      Association.delete_all(['server_url = ? AND handle = ?', server_url, handle]) > 0
+    end
+
+    def use_nonce(server_url, timestamp, salt)
+      return false if Nonce.find_by_server_url_and_timestamp_and_salt(server_url, timestamp, salt)
+      return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
+      Nonce.create(:server_url => server_url, :timestamp => timestamp, :salt => salt)
+      return true
+    end
+  end
+end

lib/plugins/open_id_authentication/lib/open_id_authentication/mem_cache_store.rb

@@ -0,0 +1,73 @@
+require 'digest/sha1'
+require 'openid/store/interface'
+
+module OpenIdAuthentication
+  class MemCacheStore < OpenID::Store::Interface
+    def initialize(*addresses)
+      @connection = ActiveSupport::Cache::MemCacheStore.new(addresses)
+    end
+
+    def store_association(server_url, assoc)
+      server_key = association_server_key(server_url)
+      assoc_key = association_key(server_url, assoc.handle)
+
+      assocs = @connection.read(server_key) || {}
+      assocs[assoc.issued] = assoc_key
+
+      @connection.write(server_key, assocs)
+      @connection.write(assoc_key, assoc, :expires_in => assoc.lifetime)
+    end
+
+    def get_association(server_url, handle = nil)
+      if handle
+        @connection.read(association_key(server_url, handle))
+      else
+        server_key = association_server_key(server_url)
+        assocs = @connection.read(server_key)
+        return if assocs.nil?
+
+        last_key = assocs[assocs.keys.sort.last]
+        @connection.read(last_key)
+      end
+    end
+
+    def remove_association(server_url, handle)
+      server_key = association_server_key(server_url)
+      assoc_key = association_key(server_url, handle)
+      assocs = @connection.read(server_key)
+
+      return false unless assocs && assocs.has_value?(assoc_key)
+
+      assocs = assocs.delete_if { |key, value| value == assoc_key }
+
+      @connection.write(server_key, assocs)
+      @connection.delete(assoc_key)
+
+      return true
+    end
+
+    def use_nonce(server_url, timestamp, salt)
+      return false if @connection.read(nonce_key(server_url, salt))
+      return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
+      @connection.write(nonce_key(server_url, salt), timestamp, :expires_in => OpenID::Nonce.skew)
+      return true
+    end
+
+    private
+      def association_key(server_url, handle = nil)
+        "openid_association_#{digest(server_url)}_#{digest(handle)}"
+      end
+
+      def association_server_key(server_url)
+        "openid_association_server_#{digest(server_url)}"
+      end
+
+      def nonce_key(server_url, salt)
+        "openid_nonce_#{digest(server_url)}_#{digest(salt)}"
+      end
+
+      def digest(text)
+        Digest::SHA1.hexdigest(text)
+      end
+  end
+end

lib/plugins/open_id_authentication/lib/open_id_authentication/nonce.rb

@@ -0,0 +1,5 @@
+module OpenIdAuthentication
+  class Nonce < ActiveRecord::Base
+    self.table_name = :open_id_authentication_nonces
+  end
+end

lib/plugins/open_id_authentication/lib/open_id_authentication/request.rb

@@ -0,0 +1,23 @@
+module OpenIdAuthentication
+  module Request
+    def self.included(base)
+      base.alias_method_chain :request_method, :openid
+    end
+
+    def request_method_with_openid
+      if !parameters[:_method].blank? && parameters[:open_id_complete] == '1'
+        parameters[:_method].to_sym
+      else
+        request_method_without_openid
+      end
+    end
+  end
+end
+
+# In Rails 2.3, the request object has been renamed
+# from AbstractRequest to Request
+if defined? ActionController::Request
+  ActionController::Request.send :include, OpenIdAuthentication::Request
+else
+  ActionController::AbstractRequest.send :include, OpenIdAuthentication::Request
+end

lib/plugins/open_id_authentication/lib/open_id_authentication/timeout_fixes.rb

@@ -0,0 +1,20 @@
+# http://trac.openidenabled.com/trac/ticket/156
+module OpenID
+  @@timeout_threshold = 20
+
+  def self.timeout_threshold
+    @@timeout_threshold
+  end
+
+  def self.timeout_threshold=(value)
+    @@timeout_threshold = value
+  end
+
+  class StandardFetcher
+    def make_http(uri)
+      http = @proxy.new(uri.host, uri.port)
+      http.read_timeout = http.open_timeout = OpenID.timeout_threshold
+      http
+    end
+  end
+end

lib/plugins/open_id_authentication/lib/tasks/open_id_authentication_tasks.rake

@@ -0,0 +1,30 @@
+namespace :open_id_authentication do
+  namespace :db do
+    desc "Creates authentication tables for use with OpenIdAuthentication"
+    task :create => :environment do
+      generate_migration(["open_id_authentication_tables", "add_open_id_authentication_tables"])
+    end
+
+    desc "Upgrade authentication tables from ruby-openid 1.x.x to 2.x.x"
+    task :upgrade => :environment do
+      generate_migration(["upgrade_open_id_authentication_tables", "upgrade_open_id_authentication_tables"])
+    end
+
+    def generate_migration(args)
+      require 'rails_generator'
+      require 'rails_generator/scripts/generate'
+
+      if ActiveRecord::Base.connection.supports_migrations?
+        Rails::Generator::Scripts::Generate.new.run(args)
+      else
+        raise "Task unavailable to this database (no migration support)"
+      end
+    end
+
+    desc "Clear the authentication tables"
+    task :clear => :environment do
+      OpenIdAuthentication::DbStore.cleanup_nonces
+      OpenIdAuthentication::DbStore.cleanup_associations
+    end
+  end
+end