|
|
# An implementation of the OpenID Provider Authentication Policy
|
|
|
# Extension 1.0
|
|
|
# see: http://openid.net/specs/
|
|
|
|
|
|
require 'openid/extension'
|
|
|
|
|
|
module OpenID
|
|
|
|
|
|
module PAPE
|
|
|
NS_URI = "http://specs.openid.net/extensions/pape/1.0"
|
|
|
AUTH_MULTI_FACTOR_PHYSICAL =
|
|
|
'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical'
|
|
|
AUTH_MULTI_FACTOR =
|
|
|
'http://schemas.openid.net/pape/policies/2007/06/multi-factor'
|
|
|
AUTH_PHISHING_RESISTANT =
|
|
|
'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant'
|
|
|
TIME_VALIDATOR = /\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ/
|
|
|
# A Provider Authentication Policy request, sent from a relying
|
|
|
# party to a provider
|
|
|
class Request < Extension
|
|
|
attr_accessor :preferred_auth_policies, :max_auth_age, :ns_alias, :ns_uri
|
|
|
def initialize(preferred_auth_policies=[], max_auth_age=nil)
|
|
|
@ns_alias = 'pape'
|
|
|
@ns_uri = NS_URI
|
|
|
@preferred_auth_policies = preferred_auth_policies
|
|
|
@max_auth_age = max_auth_age
|
|
|
end
|
|
|
|
|
|
# Add an acceptable authentication policy URI to this request
|
|
|
# This method is intended to be used by the relying party to add
|
|
|
# acceptable authentication types to the request.
|
|
|
def add_policy_uri(policy_uri)
|
|
|
unless @preferred_auth_policies.member? policy_uri
|
|
|
@preferred_auth_policies << policy_uri
|
|
|
end
|
|
|
end
|
|
|
|
|
|
def get_extension_args
|
|
|
ns_args = {
|
|
|
'preferred_auth_policies' => @preferred_auth_policies.join(' ')
|
|
|
}
|
|
|
ns_args['max_auth_age'] = @max_auth_age.to_s if @max_auth_age
|
|
|
return ns_args
|
|
|
end
|
|
|
|
|
|
# Instantiate a Request object from the arguments in a
|
|
|
# checkid_* OpenID message
|
|
|
# return nil if the extension was not requested.
|
|
|
def self.from_openid_request(oid_req)
|
|
|
pape_req = new
|
|
|
args = oid_req.message.get_args(NS_URI)
|
|
|
if args == {}
|
|
|
return nil
|
|
|
end
|
|
|
pape_req.parse_extension_args(args)
|
|
|
return pape_req
|
|
|
end
|
|
|
|
|
|
# Set the state of this request to be that expressed in these
|
|
|
# PAPE arguments
|
|
|
def parse_extension_args(args)
|
|
|
@preferred_auth_policies = []
|
|
|
policies_str = args['preferred_auth_policies']
|
|
|
if policies_str
|
|
|
policies_str.split(' ').each{|uri|
|
|
|
add_policy_uri(uri)
|
|
|
}
|
|
|
end
|
|
|
|
|
|
max_auth_age_str = args['max_auth_age']
|
|
|
if max_auth_age_str
|
|
|
@max_auth_age = max_auth_age_str.to_i
|
|
|
else
|
|
|
@max_auth_age = nil
|
|
|
end
|
|
|
end
|
|
|
|
|
|
# Given a list of authentication policy URIs that a provider
|
|
|
# supports, this method returns the subset of those types
|
|
|
# that are preferred by the relying party.
|
|
|
def preferred_types(supported_types)
|
|
|
@preferred_auth_policies.select{|uri| supported_types.member? uri}
|
|
|
end
|
|
|
end
|
|
|
|
|
|
# A Provider Authentication Policy response, sent from a provider
|
|
|
# to a relying party
|
|
|
class Response < Extension
|
|
|
attr_accessor :ns_alias, :auth_policies, :auth_time, :nist_auth_level
|
|
|
def initialize(auth_policies=[], auth_time=nil, nist_auth_level=nil)
|
|
|
@ns_alias = 'pape'
|
|
|
@ns_uri = NS_URI
|
|
|
@auth_policies = auth_policies
|
|
|
@auth_time = auth_time
|
|
|
@nist_auth_level = nist_auth_level
|
|
|
end
|
|
|
|
|
|
# Add a policy URI to the response
|
|
|
# see http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies
|
|
|
def add_policy_uri(policy_uri)
|
|
|
@auth_policies << policy_uri unless @auth_policies.member?(policy_uri)
|
|
|
end
|
|
|
|
|
|
# Create a Response object from an OpenID::Consumer::SuccessResponse
|
|
|
def self.from_success_response(success_response)
|
|
|
args = success_response.get_signed_ns(NS_URI)
|
|
|
return nil if args.nil?
|
|
|
pape_resp = new
|
|
|
pape_resp.parse_extension_args(args)
|
|
|
return pape_resp
|
|
|
end
|
|
|
|
|
|
# parse the provider authentication policy arguments into the
|
|
|
# internal state of this object
|
|
|
# if strict is specified, raise an exception when bad data is
|
|
|
# encountered
|
|
|
def parse_extension_args(args, strict=false)
|
|
|
policies_str = args['auth_policies']
|
|
|
if policies_str and policies_str != 'none'
|
|
|
@auth_policies = policies_str.split(' ')
|
|
|
end
|
|
|
|
|
|
nist_level_str = args['nist_auth_level']
|
|
|
if nist_level_str
|
|
|
# special handling of zero to handle to_i behavior
|
|
|
if nist_level_str.strip == '0'
|
|
|
nist_level = 0
|
|
|
else
|
|
|
nist_level = nist_level_str.to_i
|
|
|
# if it's zero here we have a bad value
|
|
|
if nist_level == 0
|
|
|
nist_level = nil
|
|
|
end
|
|
|
end
|
|
|
if nist_level and nist_level >= 0 and nist_level < 5
|
|
|
@nist_auth_level = nist_level
|
|
|
elsif strict
|
|
|
raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{nist_level_str.inspect}"
|
|
|
end
|
|
|
end
|
|
|
|
|
|
auth_time_str = args['auth_time']
|
|
|
if auth_time_str
|
|
|
# validate time string
|
|
|
if auth_time_str =~ TIME_VALIDATOR
|
|
|
@auth_time = auth_time_str
|
|
|
elsif strict
|
|
|
raise ArgumentError, "auth_time must be in RFC3339 format"
|
|
|
end
|
|
|
end
|
|
|
end
|
|
|
|
|
|
def get_extension_args
|
|
|
ns_args = {}
|
|
|
if @auth_policies.empty?
|
|
|
ns_args['auth_policies'] = 'none'
|
|
|
else
|
|
|
ns_args['auth_policies'] = @auth_policies.join(' ')
|
|
|
end
|
|
|
if @nist_auth_level
|
|
|
unless (0..4).member? @nist_auth_level
|
|
|
raise ArgumentError, "nist_auth_level must be an integer 0 through 4, not #{@nist_auth_level.inspect}"
|
|
|
end
|
|
|
ns_args['nist_auth_level'] = @nist_auth_level.to_s
|
|
|
end
|
|
|
|
|
|
if @auth_time
|
|
|
unless @auth_time =~ TIME_VALIDATOR
|
|
|
raise ArgumentError, "auth_time must be in RFC3339 format"
|
|
|
end
|
|
|
ns_args['auth_time'] = @auth_time
|
|
|
end
|
|
|
return ns_args
|
|
|
end
|
|
|
|
|
|
end
|
|
|
end
|
|
|
|
|
|
end
|
|
|
|
