1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
|
#
# Author:: Adam Jacob (<adam@hjksolutions.com>)
# Copyright:: Copyright (c) 2008 HJK Solutions, LLC
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
require 'pathname'
# load the openid library, first trying rubygems
#begin
# require "rubygems"
# require_gem "ruby-openid", ">= 1.0"
#rescue LoadError
require "openid"
require "openid/consumer/discovery"
require 'openid/store/filesystem'
require 'json'
#end
class OpenidServer < Application
provides :html, :json
include Merb::OpenidServerHelper
include OpenID::Server
layout nil
before :fix_up_node_id
def index
oidreq = server.decode_request(params.reject{|k,v| k == "controller" || k == "action"})
# no openid.mode was given
unless oidreq
return "This is the Chef OpenID server endpoint."
end
oidresp = nil
if oidreq.kind_of?(CheckIDRequest)
identity = oidreq.identity
if oidresp
nil
elsif self.is_authorized(identity, oidreq.trust_root)
oidresp = oidreq.answer(true, nil, identity)
elsif oidreq.immediate
server_url = url :openid_server
oidresp = oidreq.answer(false, server_url)
else
if content_type != 'application/json'
session[:last_oidreq] = oidreq
response = { :action => url(:openid_server_decision) }
return response.to_json
else
return show_decision_page(oidreq)
end
end
else
oidresp = server.handle_request(oidreq)
end
self.render_response(oidresp)
end
def show_decision_page(oidreq, message="Do you trust this site with your identity?")
session[:last_oidreq] = oidreq
@oidreq = oidreq
if message
session[:notice] = message
end
render :template => 'openid_server/decide'
end
def node_page
unless Chef::OpenIDRegistration.has_key?(params[:id])
raise NotFound, "Cannot find registration for #{params[:id]}"
end
# Yadis content-negotiation: we want to return the xrds if asked for.
accept = request.env['HTTP_ACCEPT']
# This is not technically correct, and should eventually be updated
# to do real Accept header parsing and logic. Though I expect it will work
# 99% of the time.
if accept and accept.include?('application/xrds+xml')
return node_xrds
end
# content negotiation failed, so just render the user page
xrds_url = absolute_url(:openid_node_xrds, :id => params[:id])
identity_page = <<EOS
<html><head>
<meta http-equiv="X-XRDS-Location" content="#{xrds_url}" />
<link rel="openid.server" href="#{absolute_url(:openid_node, :id => params[:id])}" />
</head><body><p>OpenID identity page for registration #{params[:id]}</p>
</body></html>
EOS
# Also add the Yadis location header, so that they don't have
# to parse the html unless absolutely necessary.
@headers['X-XRDS-Location'] = xrds_url
render identity_page
end
def node_xrds
types = [
OpenID::OPENID_2_0_TYPE,
OpenID::OPENID_1_0_TYPE
]
render_xrds(types)
end
def idp_xrds
types = [
OpenID::OPENID_IDP_2_0_TYPE,
]
render_xrds(types)
end
def decision
oidreq = session[:last_oidreq]
session[:last_oidreq] = nil
if params.has_key?(:cancel)
Merb.logger.info("Cancelling OpenID Authentication")
return(redirect(oidreq.cancel_url))
else
identity = oidreq.identity
identity =~ /node\/(.+)$/
openid_node = Chef::OpenIDRegistration.load($1)
unless openid_node.validated
raise Unauthorized, "This nodes registration has not been validated"
end
if openid_node.password == encrypt_password(openid_node.salt, params[:password])
if session[:approvals]
session[:approvals] << oidreq.trust_root
else
session[:approvals] = [oidreq.trust_root]
end
oidresp = oidreq.answer(true, nil, identity)
return self.render_response(oidresp)
else
raise Unauthorized, "Invalid credentials"
end
end
end
protected
def encrypt_password(salt, password)
Digest::SHA1.hexdigest("--#{salt}--#{password}--")
end
def server
if @server.nil?
server_url = absolute_url(:openid_server)
dir = Chef::Config[:openid_store_path]
store = OpenID::Store::Filesystem.new(dir)
@server = Server.new(store, server_url)
end
return @server
end
def approved(trust_root)
return false if session[:approvals].nil?
return session[:approvals].member?(trust_root)
end
def is_authorized(identity_url, trust_root)
return (session[:username] and (identity_url == url_for_user) and self.approved(trust_root))
end
def render_xrds(types)
type_str = ""
types.each { |uri|
type_str += "<Type>#{uri}</Type>\n "
}
yadis = <<EOS
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
#{type_str}
<URI>#{absolute_url(:openid_server)}</URI>
</Service>
</XRD>
</xrds:XRDS>
EOS
@headers['content-type'] = 'application/xrds+xml'
render yadis
end
def render_response(oidresp)
if oidresp.needs_signing
signed_response = server.signatory.sign(oidresp)
end
web_response = server.encode_response(oidresp)
case web_response.code
when HTTP_OK
@status = 200
render web_response.body
when HTTP_REDIRECT
redirect web_response.headers['location']
else
@status = 400
render web_response.body
end
end
end
|
