diff options
author | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2010-06-27 11:35:49 -0400 |
---|---|---|
committer | Evgeny Fadeev <evgeny.fadeev@gmail.com> | 2010-06-27 11:35:49 -0400 |
commit | e5309b128d28c94d7905bb37541c3c3b88f00555 (patch) | |
tree | e33061d60396a42d48de5b9a85155ca70b3d62c2 | |
parent | 1e03a6c00adc0da43c2dbf8a4856f11b6cc1d138 (diff) | |
download | askbot-e5309b128d28c94d7905bb37541c3c3b88f00555.tar.gz askbot-e5309b128d28c94d7905bb37541c3c3b88f00555.tar.bz2 askbot-e5309b128d28c94d7905bb37541c3c3b88f00555.zip |
removed python-openid from the list of external dependencies
129 files changed, 28337 insertions, 1 deletions
diff --git a/askbot/bin/__init__.py b/askbot/bin/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/askbot/bin/__init__.py diff --git a/askbot/bin/generate_modules.py b/askbot/bin/generate_modules.py new file mode 100644 index 00000000..9ff7ba68 --- /dev/null +++ b/askbot/bin/generate_modules.py @@ -0,0 +1,1065 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" + "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> +<head> + <title> + etienned / sphinx-autopackage-script / source — bitbucket.org +</title> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta name="description" content="Mercurial hosting - we're here to serve." /> + <meta name="keywords" content="mercurial,hg,hosting,bitbucket,etienned,This,script,parse,a,directory,tree,looking,for,python,modules,and,packages,and,create,ReST,files,appropriately,to,create,code,documentation,with,Sphinx.,It,also,create,a,modules,index.,source,sourcecode,generate_modules.py@d20aab0a12b8" /> + <link rel="stylesheet" type="text/css" href="http://bitbucket-assets.s3.amazonaws.com/css/layout.css" /> + <link rel="stylesheet" type="text/css" href="http://bitbucket-assets.s3.amazonaws.com/css/screen.css" /> + <link rel="stylesheet" type="text/css" href="http://bitbucket-assets.s3.amazonaws.com/css/print.css" media="print" /> + <link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="Bitbucket" /> + <link rel="icon" href="http://bitbucket-assets.s3.amazonaws.com/img/logo_new.png" type="image/png"/> + <script type="text/javascript">var MEDIA_URL = "http://bitbucket-assets.s3.amazonaws.com/"</script> + <script type="text/javascript" src="http://bitbucket-assets.s3.amazonaws.com/js/lib/bundle.020510May.js"></script> + + <script type="text/javascript"> + $(document).ready(function() { + Dropdown.init(); + $(".tooltip").tipsy({gravity:'s'}); + }); + </script> + <noscript> + <style type="text/css"> + .dropdown-container-text .dropdown { + position: static !important; + } + </style> + </noscript> + + <!--[if lt IE 7]> + <style type="text/css"> + body { + behavior: url(http://bitbucket-assets.s3.amazonaws.com/css/csshover.htc); + } + + #issues-issue pre { + white-space: normal !important; + } + + .changeset-description { + white-space: normal !important; + } + </style> + <script type="text/javascript"> + $(document).ready(function(){ + $('#header-wrapper').pngFix(); + $('#sourcelist').pngFix(); + $('.promo-signup-screenshot').pngFix(); + }); + </script> + <![endif]--> + + <link rel="stylesheet" href="http://bitbucket-assets.s3.amazonaws.com/css/highlight/trac.css" type="text/css" /> + + +</head> +<body class=""> + <div id="main-wrapper"> + <div id="header-wrapper"> + <div id="header"> + <a href="/"><img src="http://bitbucket-assets.s3.amazonaws.com/img/logo_myriad.png" alt="Bitbucket" id="header-wrapper-logo" /></a> + + <div id="header-nav"> + <ul class="right"> + <li><a href="/">Home</a></li> + <li><a href="/plans"><b>Plans & Signup</b></a></li> + <li><a href="/repo/all">Repositories</a></li> + <li><a href="/news">News</a></li> + <li><a href="/help">Help</a></li> + <li><a href="/account/signin/">Sign in</a></li> + </ul> + </div> + + </div> + </div> + <div id="content-wrapper"> + + + + + + + + + + + + + + + <script type="text/javascript" src="http://bitbucket-assets.s3.amazonaws.com/js/lib/jquery.cookie.js"></script> <!--REMOVE WHEN NEWER BUNDLE THAN 030309Mar --> + <script type="text/javascript"> + var date = new Date(); + date.setTime(date.getTime() + (365 * 24 * 60 * 60 * 1000)); + var cookieoptions = { path: '/', expires: date }; + + window._shard = 'fe01 (ID 1)'; + + $(document).ready(function(){ + $('#toggle-repo-content').click(function(){ + $('#repo-desc-cloneinfo').toggle('fast'); + $('#repo-menu').toggle(); + $('#repo-menu-links-mini').toggle(100); + $('.repo-desc-description').toggle('fast'); + var avatar_new_width = ($('.repo-avatar').width() == 35) ? 16 : 35; + $('.repo-avatar').animate({ width: avatar_new_width }, 250); + + if ($.cookie('toggle_status') == 'hide') { + $.cookie('toggle_status', 'show', cookieoptions); + $(this).css('background-image','url(http://bitbucket-assets.s3.amazonaws.com/img/repo-toggle-up.png)'); + } else { + $.cookie('toggle_status', 'hide', cookieoptions); + $(this).css('background-image','url(http://bitbucket-assets.s3.amazonaws.com/img/repo-toggle-down.png)'); + } + }); + + if ($.cookie('toggle_status') == 'hide') { + $('#toggle-repo-content').css('background-image','url(http://bitbucket-assets.s3.amazonaws.com/img/repo-toggle-down.png)'); + $('#repo-desc-cloneinfo').hide(); + $('#repo-menu').hide(); + $('#repo-menu-links-mini').show(); + $('.repo-desc-description').hide(); + $('.repo-avatar').css({ width: '16px' }); + } else { + $('#toggle-repo-content').css('background-image','url(http://bitbucket-assets.s3.amazonaws.com/img/repo-toggle-up.png)'); + $('#repo-desc-cloneinfo').show(); + $('#repo-menu').show(); + $('#repo-menu-links-mini').hide(); + $('.repo-desc-description').show(); + $('.repo-avatar').css({ width: '35px' }); + } + }); + </script> + + +<div id="tabs"> + <ul class="ui-tabs-nav"> + <li> + <a href="/etienned/sphinx-autopackage-script/overview"><span>Overview</span></a> + </li> + + <li> + <a href="/etienned/sphinx-autopackage-script/downloads"><span>Downloads (0)</span></a> + </li> + + + + <li class="ui-tabs-selected"> + + <a href="/etienned/sphinx-autopackage-script/src/d20aab0a12b8"><span>Source</span></a> + + </li> + + <li> + <a href="/etienned/sphinx-autopackage-script/changesets"><span>Changesets</span></a> + </li> + + + + <li class="ui-tabs-nav-issues"> + <a href="/etienned/sphinx-autopackage-script/wiki"><span>Wiki</span></a> + </li> + + + + + + <li class="ui-tabs-nav-issues"> + <a href="/etienned/sphinx-autopackage-script/issues?status=new&status=open"><span>Issues (1) »</span></a> + <ul> + <li><a href="/etienned/sphinx-autopackage-script/issues?status=new">New issues</a></li> + <li><a href="/etienned/sphinx-autopackage-script/issues?status=new&status=open">Open issues</a></li> + <li><a href="/etienned/sphinx-autopackage-script/issues?status=resolved&status=invalid&status=duplicate">Closed issues</a></li> + + <li><a href="/etienned/sphinx-autopackage-script/issues">All issues</a></li> + <li><a href="/etienned/sphinx-autopackage-script/issues/query">Advanced query</a></li> + <li><a href="/etienned/sphinx-autopackage-script/issues/new">Create new issue</a></li> + </ul> + </li> + + + + + + + + <li class="tabs-right tabs-far-right"> + <a href="/etienned/sphinx-autopackage-script/descendants"><span>Forks/Queues (0)</span></a> + </li> + + <li class="tabs-right"> + <a href="/etienned/sphinx-autopackage-script/zealots"><span>Followers (2)</span></a> + </li> + </ul> +</div> + +<div id="repo-menu"> + <div id="repo-menu-links"> + <ul> + <li> + <a href="/etienned/sphinx-autopackage-script/rss" class="noborder repo-menu-rss" title="RSS Feed for sphinx-autopackage-script">RSS</a> + </li> + <li> + <a href="/etienned/sphinx-autopackage-script/atom" class="noborder repo-menu-atom" title="Atom Feed for sphinx-autopackage-script">Atom</a> + </li> + + <li> + <a href="/etienned/sphinx-autopackage-script/pull" class="link-request-pull"> + pull request + </a> + </li> + + <li><a href="/etienned/sphinx-autopackage-script/fork" class="link-fork">fork</a></li> + + <li><a href="/etienned/sphinx-autopackage-script/hack" class="link-hack">patch queue</a></li> + + <li> + + <a rel="nofollow" href="/etienned/sphinx-autopackage-script/follow" class="link-follow">follow</a> + + </li> + <li><a class="link-download">get source »</a> + + <ul> + + <li><a rel="nofollow" href="/etienned/sphinx-autopackage-script/get/d20aab0a12b8.zip" class="zip">zip</a></li> + <li><a rel="nofollow" href="/etienned/sphinx-autopackage-script/get/d20aab0a12b8.gz" class="compressed">gz</a></li> + <li><a rel="nofollow" href="/etienned/sphinx-autopackage-script/get/d20aab0a12b8.bz2" class="compressed">bz2</a></li> + + </ul> + </li> + </ul> + </div> + + + <div id="repo-menu-branches-tags"> + <ul> + <li class="icon-branches"> + branches » + + <ul> + + <li><a href="/etienned/sphinx-autopackage-script/src/d20aab0a12b8">default</a></li> + + </ul> + + </li> + <li class="icon-tags"> + tags » + + <ul> + + <li><a href="/etienned/sphinx-autopackage-script/src/d20aab0a12b8">tip</a></li> + + </ul> + </li> + </ul> + </div> + + + <div class="cb"></div> + </div> + <div id="repo-desc" class="layout-box"> + + + <div id="repo-menu-links-mini" class="right"> + <ul> + <li> + <a href="/etienned/sphinx-autopackage-script/rss" class="noborder repo-menu-rss" title="RSS Feed for sphinx-autopackage-script"></a> + </li> + <li> + <a href="/etienned/sphinx-autopackage-script/atom" class="noborder repo-menu-atom" title="Atom Feed for sphinx-autopackage-script"></a> + </li> + + <li> + <a href="/etienned/sphinx-autopackage-script/pull" class="tooltip noborder link-request-pull" title="Pull request"></a> + </li> + + <li><a href="/etienned/sphinx-autopackage-script/fork" class="tooltip noborder link-fork" title="Fork"></a></li> + + <li><a href="/etienned/sphinx-autopackage-script/hack" class="tooltip noborder link-hack" title="Patch queue"></a></li> + + <li><a class="tooltip noborder link-download" title="Get source"></a> + + <ul> + + <li><a rel="nofollow" href="/etienned/sphinx-autopackage-script/get/d20aab0a12b8.zip" class="zip">zip</a></li> + <li><a rel="nofollow" href="/etienned/sphinx-autopackage-script/get/d20aab0a12b8.gz" class="compressed">gz</a></li> + <li><a rel="nofollow" href="/etienned/sphinx-autopackage-script/get/d20aab0a12b8.bz2" class="compressed">bz2</a></li> + + </ul> + </li> + </ul> + </div> + + <h3> + <a href="/etienned">etienned</a> / + <a href="/etienned/sphinx-autopackage-script">sphinx-autopackage-script</a> + + + </h3> + + + + + + <p class="repo-desc-description">This script parse a directory tree looking for python modules and packages and
+create ReST files appropriately to create code documentation with Sphinx.
+It also create a modules index. </p> + + <div id="repo-desc-cloneinfo">Clone this repository (size: 5.8 KB): <a href="http://bitbucket.org/etienned/sphinx-autopackage-script" onclick="$('#clone-url-ssh').hide();$('#clone-url-https').toggle();return(false);"><small>HTTPS</small></a> / <a href="ssh://hg@bitbucket.org/etienned/sphinx-autopackage-script" onclick="$('#clone-url-https').hide();$('#clone-url-ssh').toggle();return(false);"><small>SSH</small></a><br/> + <pre id="clone-url-https">$ hg clone <a href="http://bitbucket.org/etienned/sphinx-autopackage-script">http://bitbucket.org/etienned/sphinx-autopackage-script</a></pre> + + <pre id="clone-url-ssh" style="display:none;">$ hg clone <a href="ssh://hg@bitbucket.org/etienned/sphinx-autopackage-script">ssh://hg@bitbucket.org/etienned/sphinx-autopackage-script</a></pre></div> + + <div class="cb"></div> + <a href="#" id="toggle-repo-content"></a> + + + + </div> + + + + + + + + + +<div id="source-summary" class="layout-box"> + <div class="right"> + <table> + <tr> + <td>commit 0:</td> + <td>d20aab0a12b8</td> + </tr> + + + <tr> + <td>branch: </td> + <td>default</td> + </tr> + + <tr> + <td>tags:</td> + <td>tip</td> + </tr> + + </table> + </div> + +<div class="changeset-description">Initial commit</div> + + <div> + + + + +<div class="dropdown-container"> + + + <img src="http://www.gravatar.com/avatar/6fc6e07b4af580b1424c082536570dd4?d=identicon&s=32" class="avatar dropdown" /> + + + + <ul class="dropdown-list"> + <li> + + <a href="/etienne">View etienne's profile</a> + + </li> + <li> + <a href="">etienne's public repos »</a> + + + + </li> + + <li> + <a href="/account/notifications/send/?receiver=etienne">Send message</a> + </li> + + </ul> +</div> + + + + + <span class="dropdown-right"> + + + <a href="/etienne">Etienne Lawlor</a> / + + <a href="/etienne">etienne</a> + + <br/> + <small class="dropdown-right">2 months ago</small> + </span> + + </div> + + <div class="cb"></div> +</div> + + + + +<div id="source-path" class="layout-box"> + <a href="/etienned/sphinx-autopackage-script/src">sphinx-autopackage-script</a> / + + + + generate_modules.py + + + + +</div> + + +<div id="source-view" class="scroll-x"> + <table class="info-table"> + <tr> + <th>r0:d20aab0a12b8</th> + <th>287 loc</th> + <th>10.7 KB</th> + <th class="source-view-links"> + <a id="embed-link" href="#" onclick="makeEmbed('#embed-link', 'http://bitbucket.org/etienned/sphinx-autopackage-script/src/d20aab0a12b8/generate_modules.py?embed=t');">embed</a> / + <a href='/etienned/sphinx-autopackage-script/history/generate_modules.py'>history</a> / + <a href='/etienned/sphinx-autopackage-script/annotate/d20aab0a12b8/generate_modules.py'>annotate</a> / + <a href='/etienned/sphinx-autopackage-script/raw/d20aab0a12b8/generate_modules.py'>raw</a> / + <form action="/etienned/sphinx-autopackage-script/diff/generate_modules.py" method="get" class="source-view-form"> + + <select name='nothing' class="smaller" disabled="disabled"> + <option>No previous changes</option> + </select> + + </form> + </th> + </tr> + </table> + + + <table class="highlighttable"><tr><td class="linenos"><div class="linenodiv"><pre><a href="#cl-1"> 1</a> +<a href="#cl-2"> 2</a> +<a href="#cl-3"> 3</a> +<a href="#cl-4"> 4</a> +<a href="#cl-5"> 5</a> +<a href="#cl-6"> 6</a> +<a href="#cl-7"> 7</a> +<a href="#cl-8"> 8</a> +<a href="#cl-9"> 9</a> +<a href="#cl-10"> 10</a> +<a href="#cl-11"> 11</a> +<a href="#cl-12"> 12</a> +<a href="#cl-13"> 13</a> +<a href="#cl-14"> 14</a> +<a href="#cl-15"> 15</a> +<a href="#cl-16"> 16</a> +<a href="#cl-17"> 17</a> +<a href="#cl-18"> 18</a> +<a href="#cl-19"> 19</a> +<a href="#cl-20"> 20</a> +<a href="#cl-21"> 21</a> +<a href="#cl-22"> 22</a> +<a href="#cl-23"> 23</a> +<a href="#cl-24"> 24</a> +<a href="#cl-25"> 25</a> +<a href="#cl-26"> 26</a> +<a href="#cl-27"> 27</a> +<a href="#cl-28"> 28</a> +<a href="#cl-29"> 29</a> +<a href="#cl-30"> 30</a> +<a href="#cl-31"> 31</a> +<a href="#cl-32"> 32</a> +<a href="#cl-33"> 33</a> +<a href="#cl-34"> 34</a> +<a href="#cl-35"> 35</a> +<a href="#cl-36"> 36</a> +<a href="#cl-37"> 37</a> +<a href="#cl-38"> 38</a> +<a href="#cl-39"> 39</a> +<a href="#cl-40"> 40</a> +<a href="#cl-41"> 41</a> +<a href="#cl-42"> 42</a> +<a href="#cl-43"> 43</a> +<a href="#cl-44"> 44</a> +<a href="#cl-45"> 45</a> +<a href="#cl-46"> 46</a> +<a href="#cl-47"> 47</a> +<a href="#cl-48"> 48</a> +<a href="#cl-49"> 49</a> +<a href="#cl-50"> 50</a> +<a href="#cl-51"> 51</a> +<a href="#cl-52"> 52</a> +<a href="#cl-53"> 53</a> +<a href="#cl-54"> 54</a> +<a href="#cl-55"> 55</a> +<a href="#cl-56"> 56</a> +<a href="#cl-57"> 57</a> +<a href="#cl-58"> 58</a> +<a href="#cl-59"> 59</a> +<a href="#cl-60"> 60</a> +<a href="#cl-61"> 61</a> +<a href="#cl-62"> 62</a> +<a href="#cl-63"> 63</a> +<a href="#cl-64"> 64</a> +<a href="#cl-65"> 65</a> +<a href="#cl-66"> 66</a> +<a href="#cl-67"> 67</a> +<a href="#cl-68"> 68</a> +<a href="#cl-69"> 69</a> +<a href="#cl-70"> 70</a> +<a href="#cl-71"> 71</a> +<a href="#cl-72"> 72</a> +<a href="#cl-73"> 73</a> +<a href="#cl-74"> 74</a> +<a href="#cl-75"> 75</a> +<a href="#cl-76"> 76</a> +<a href="#cl-77"> 77</a> +<a href="#cl-78"> 78</a> +<a href="#cl-79"> 79</a> +<a href="#cl-80"> 80</a> +<a href="#cl-81"> 81</a> +<a href="#cl-82"> 82</a> +<a href="#cl-83"> 83</a> +<a href="#cl-84"> 84</a> +<a href="#cl-85"> 85</a> +<a href="#cl-86"> 86</a> +<a href="#cl-87"> 87</a> +<a href="#cl-88"> 88</a> +<a href="#cl-89"> 89</a> +<a href="#cl-90"> 90</a> +<a href="#cl-91"> 91</a> +<a href="#cl-92"> 92</a> +<a href="#cl-93"> 93</a> +<a href="#cl-94"> 94</a> +<a href="#cl-95"> 95</a> +<a href="#cl-96"> 96</a> +<a href="#cl-97"> 97</a> +<a href="#cl-98"> 98</a> +<a href="#cl-99"> 99</a> +<a href="#cl-100">100</a> +<a href="#cl-101">101</a> +<a href="#cl-102">102</a> +<a href="#cl-103">103</a> +<a href="#cl-104">104</a> +<a href="#cl-105">105</a> +<a href="#cl-106">106</a> +<a href="#cl-107">107</a> +<a href="#cl-108">108</a> +<a href="#cl-109">109</a> +<a href="#cl-110">110</a> +<a href="#cl-111">111</a> +<a href="#cl-112">112</a> +<a href="#cl-113">113</a> +<a href="#cl-114">114</a> +<a href="#cl-115">115</a> +<a href="#cl-116">116</a> +<a href="#cl-117">117</a> +<a href="#cl-118">118</a> +<a href="#cl-119">119</a> +<a href="#cl-120">120</a> +<a href="#cl-121">121</a> +<a href="#cl-122">122</a> +<a href="#cl-123">123</a> +<a href="#cl-124">124</a> +<a href="#cl-125">125</a> +<a href="#cl-126">126</a> +<a href="#cl-127">127</a> +<a href="#cl-128">128</a> +<a href="#cl-129">129</a> +<a href="#cl-130">130</a> +<a href="#cl-131">131</a> +<a href="#cl-132">132</a> +<a href="#cl-133">133</a> +<a href="#cl-134">134</a> +<a href="#cl-135">135</a> +<a href="#cl-136">136</a> +<a href="#cl-137">137</a> +<a href="#cl-138">138</a> +<a href="#cl-139">139</a> +<a href="#cl-140">140</a> +<a href="#cl-141">141</a> +<a href="#cl-142">142</a> +<a href="#cl-143">143</a> +<a href="#cl-144">144</a> +<a href="#cl-145">145</a> +<a href="#cl-146">146</a> +<a href="#cl-147">147</a> +<a href="#cl-148">148</a> +<a href="#cl-149">149</a> +<a href="#cl-150">150</a> +<a href="#cl-151">151</a> +<a href="#cl-152">152</a> +<a href="#cl-153">153</a> +<a href="#cl-154">154</a> +<a href="#cl-155">155</a> +<a href="#cl-156">156</a> +<a href="#cl-157">157</a> +<a href="#cl-158">158</a> +<a href="#cl-159">159</a> +<a href="#cl-160">160</a> +<a href="#cl-161">161</a> +<a href="#cl-162">162</a> +<a href="#cl-163">163</a> +<a href="#cl-164">164</a> +<a href="#cl-165">165</a> +<a href="#cl-166">166</a> +<a href="#cl-167">167</a> +<a href="#cl-168">168</a> +<a href="#cl-169">169</a> +<a href="#cl-170">170</a> +<a href="#cl-171">171</a> +<a href="#cl-172">172</a> +<a href="#cl-173">173</a> +<a href="#cl-174">174</a> +<a href="#cl-175">175</a> +<a href="#cl-176">176</a> +<a href="#cl-177">177</a> +<a href="#cl-178">178</a> +<a href="#cl-179">179</a> +<a href="#cl-180">180</a> +<a href="#cl-181">181</a> +<a href="#cl-182">182</a> +<a href="#cl-183">183</a> +<a href="#cl-184">184</a> +<a href="#cl-185">185</a> +<a href="#cl-186">186</a> +<a href="#cl-187">187</a> +<a href="#cl-188">188</a> +<a href="#cl-189">189</a> +<a href="#cl-190">190</a> +<a href="#cl-191">191</a> +<a href="#cl-192">192</a> +<a href="#cl-193">193</a> +<a href="#cl-194">194</a> +<a href="#cl-195">195</a> +<a href="#cl-196">196</a> +<a href="#cl-197">197</a> +<a href="#cl-198">198</a> +<a href="#cl-199">199</a> +<a href="#cl-200">200</a> +<a href="#cl-201">201</a> +<a href="#cl-202">202</a> +<a href="#cl-203">203</a> +<a href="#cl-204">204</a> +<a href="#cl-205">205</a> +<a href="#cl-206">206</a> +<a href="#cl-207">207</a> +<a href="#cl-208">208</a> +<a href="#cl-209">209</a> +<a href="#cl-210">210</a> +<a href="#cl-211">211</a> +<a href="#cl-212">212</a> +<a href="#cl-213">213</a> +<a href="#cl-214">214</a> +<a href="#cl-215">215</a> +<a href="#cl-216">216</a> +<a href="#cl-217">217</a> +<a href="#cl-218">218</a> +<a href="#cl-219">219</a> +<a href="#cl-220">220</a> +<a href="#cl-221">221</a> +<a href="#cl-222">222</a> +<a href="#cl-223">223</a> +<a href="#cl-224">224</a> +<a href="#cl-225">225</a> +<a href="#cl-226">226</a> +<a href="#cl-227">227</a> +<a href="#cl-228">228</a> +<a href="#cl-229">229</a> +<a href="#cl-230">230</a> +<a href="#cl-231">231</a> +<a href="#cl-232">232</a> +<a href="#cl-233">233</a> +<a href="#cl-234">234</a> +<a href="#cl-235">235</a> +<a href="#cl-236">236</a> +<a href="#cl-237">237</a> +<a href="#cl-238">238</a> +<a href="#cl-239">239</a> +<a href="#cl-240">240</a> +<a href="#cl-241">241</a> +<a href="#cl-242">242</a> +<a href="#cl-243">243</a> +<a href="#cl-244">244</a> +<a href="#cl-245">245</a> +<a href="#cl-246">246</a> +<a href="#cl-247">247</a> +<a href="#cl-248">248</a> +<a href="#cl-249">249</a> +<a href="#cl-250">250</a> +<a href="#cl-251">251</a> +<a href="#cl-252">252</a> +<a href="#cl-253">253</a> +<a href="#cl-254">254</a> +<a href="#cl-255">255</a> +<a href="#cl-256">256</a> +<a href="#cl-257">257</a> +<a href="#cl-258">258</a> +<a href="#cl-259">259</a> +<a href="#cl-260">260</a> +<a href="#cl-261">261</a> +<a href="#cl-262">262</a> +<a href="#cl-263">263</a> +<a href="#cl-264">264</a> +<a href="#cl-265">265</a> +<a href="#cl-266">266</a> +<a href="#cl-267">267</a> +<a href="#cl-268">268</a> +<a href="#cl-269">269</a> +<a href="#cl-270">270</a> +<a href="#cl-271">271</a> +<a href="#cl-272">272</a> +<a href="#cl-273">273</a> +<a href="#cl-274">274</a> +<a href="#cl-275">275</a> +<a href="#cl-276">276</a> +<a href="#cl-277">277</a> +<a href="#cl-278">278</a> +<a href="#cl-279">279</a> +<a href="#cl-280">280</a> +<a href="#cl-281">281</a> +<a href="#cl-282">282</a> +<a href="#cl-283">283</a> +<a href="#cl-284">284</a> +<a href="#cl-285">285</a> +<a href="#cl-286">286</a> +<a href="#cl-287">287</a> +<a href="#cl-288">288</a> +</pre></div></td><td class="code"><div class="highlight"><pre><a name="cl-1"></a><span class="c">#!/usr/bin/env python</span> +<a name="cl-2"></a><span class="c"># -*- coding: utf-8 -*-</span> +<a name="cl-3"></a> +<a name="cl-4"></a><span class="c"># Miville</span> +<a name="cl-5"></a><span class="c"># Copyright (C) 2008 Société des arts technologiques (SAT)</span> +<a name="cl-6"></a><span class="c"># http://www.sat.qc.ca</span> +<a name="cl-7"></a><span class="c"># All rights reserved.</span> +<a name="cl-8"></a><span class="c">#</span> +<a name="cl-9"></a><span class="c"># This file is free software: you can redistribute it and/or modify</span> +<a name="cl-10"></a><span class="c"># it under the terms of the GNU General Public License as published by</span> +<a name="cl-11"></a><span class="c"># the Free Software Foundation, either version 2 of the License, or</span> +<a name="cl-12"></a><span class="c"># (at your option) any later version.</span> +<a name="cl-13"></a><span class="c">#</span> +<a name="cl-14"></a><span class="c"># Miville is distributed in the hope that it will be useful,</span> +<a name="cl-15"></a><span class="c"># but WITHOUT ANY WARRANTY; without even the implied warranty of</span> +<a name="cl-16"></a><span class="c"># MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span> +<a name="cl-17"></a><span class="c"># GNU General Public License for more details.</span> +<a name="cl-18"></a><span class="c">#</span> +<a name="cl-19"></a><span class="c"># You should have received a copy of the GNU General Public License</span> +<a name="cl-20"></a><span class="c"># along with Miville. If not, see <http://www.gnu.org/licenses/>.</span> +<a name="cl-21"></a> +<a name="cl-22"></a><span class="sd">"""</span> +<a name="cl-23"></a><span class="sd">This script parse a directory tree looking for python modules and packages and</span> +<a name="cl-24"></a><span class="sd">create ReST files appropriately to create code documentation with Sphinx.</span> +<a name="cl-25"></a><span class="sd">It also create a modules index. </span> +<a name="cl-26"></a><span class="sd">"""</span> +<a name="cl-27"></a> +<a name="cl-28"></a><span class="kn">import</span> <span class="nn">os</span> +<a name="cl-29"></a><span class="kn">import</span> <span class="nn">optparse</span> +<a name="cl-30"></a> +<a name="cl-31"></a> +<a name="cl-32"></a><span class="c"># automodule options</span> +<a name="cl-33"></a><span class="n">OPTIONS</span> <span class="o">=</span> <span class="p">[</span><span class="s">'members'</span><span class="p">,</span> +<a name="cl-34"></a> <span class="s">'undoc-members'</span><span class="p">,</span> +<a name="cl-35"></a><span class="c"># 'inherited-members', # disable because there's a bug in sphinx</span> +<a name="cl-36"></a> <span class="s">'show-inheritance'</span><span class="p">]</span> +<a name="cl-37"></a> +<a name="cl-38"></a> +<a name="cl-39"></a><span class="k">def</span> <span class="nf">create_file_name</span><span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="n">opts</span><span class="p">):</span> +<a name="cl-40"></a> <span class="sd">"""Create file name from base name, path and suffix"""</span> +<a name="cl-41"></a> <span class="k">return</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">opts</span><span class="o">.</span><span class="n">destdir</span><span class="p">,</span> <span class="s">"</span><span class="si">%s</span><span class="s">.</span><span class="si">%s</span><span class="s">"</span> <span class="o">%</span> <span class="p">(</span><span class="n">base</span><span class="p">,</span> <span class="n">opts</span><span class="o">.</span><span class="n">suffix</span><span class="p">))</span> +<a name="cl-42"></a> +<a name="cl-43"></a><span class="k">def</span> <span class="nf">write_directive</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">package</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> +<a name="cl-44"></a> <span class="sd">"""Create the automodule directive and add the options"""</span> +<a name="cl-45"></a> <span class="k">if</span> <span class="n">package</span><span class="p">:</span> +<a name="cl-46"></a> <span class="n">directive</span> <span class="o">=</span> <span class="s">'.. automodule:: </span><span class="si">%s</span><span class="s">.</span><span class="si">%s</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">package</span><span class="p">,</span> <span class="n">module</span><span class="p">)</span> +<a name="cl-47"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-48"></a> <span class="n">directive</span> <span class="o">=</span> <span class="s">'.. automodule:: </span><span class="si">%s</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="n">module</span> +<a name="cl-49"></a> <span class="k">for</span> <span class="n">option</span> <span class="ow">in</span> <span class="n">OPTIONS</span><span class="p">:</span> +<a name="cl-50"></a> <span class="n">directive</span> <span class="o">+=</span> <span class="s">' :</span><span class="si">%s</span><span class="s">:</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="n">option</span> +<a name="cl-51"></a> <span class="k">return</span> <span class="n">directive</span> +<a name="cl-52"></a> +<a name="cl-53"></a><span class="k">def</span> <span class="nf">write_heading</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">kind</span><span class="o">=</span><span class="s">'Module'</span><span class="p">):</span> +<a name="cl-54"></a> <span class="sd">"""Create the page heading."""</span> +<a name="cl-55"></a> <span class="n">module</span> <span class="o">=</span> <span class="n">module</span><span class="o">.</span><span class="n">title</span><span class="p">()</span> +<a name="cl-56"></a> <span class="n">heading</span> <span class="o">=</span> <span class="n">title_line</span><span class="p">(</span><span class="n">module</span> <span class="o">+</span> <span class="s">' Documentation'</span><span class="p">,</span> <span class="s">'='</span><span class="p">)</span> +<a name="cl-57"></a> <span class="n">heading</span> <span class="o">+=</span> <span class="s">'This page contains the </span><span class="si">%s</span><span class="s"> </span><span class="si">%s</span><span class="s"> documentation.</span><span class="se">\n\n</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">kind</span><span class="p">)</span> +<a name="cl-58"></a> <span class="k">return</span> <span class="n">heading</span> +<a name="cl-59"></a> +<a name="cl-60"></a><span class="k">def</span> <span class="nf">write_sub</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">kind</span><span class="o">=</span><span class="s">'Module'</span><span class="p">):</span> +<a name="cl-61"></a> <span class="sd">"""Create the module subtitle"""</span> +<a name="cl-62"></a> <span class="n">sub</span> <span class="o">=</span> <span class="n">title_line</span><span class="p">(</span><span class="s">'The :mod:`</span><span class="si">%s</span><span class="s">` </span><span class="si">%s</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">kind</span><span class="p">),</span> <span class="s">'-'</span><span class="p">)</span> +<a name="cl-63"></a> <span class="k">return</span> <span class="n">sub</span> +<a name="cl-64"></a> +<a name="cl-65"></a><span class="k">def</span> <span class="nf">title_line</span><span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="n">char</span><span class="p">):</span> +<a name="cl-66"></a> <span class="sd">""" Underline the title with the character pass, with the right length."""</span> +<a name="cl-67"></a> <span class="k">return</span> <span class="s">'</span><span class="si">%s</span><span class="se">\n</span><span class="si">%s</span><span class="se">\n\n</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">title</span><span class="p">,</span> <span class="nb">len</span><span class="p">(</span><span class="n">title</span><span class="p">)</span> <span class="o">*</span> <span class="n">char</span><span class="p">)</span> +<a name="cl-68"></a> +<a name="cl-69"></a><span class="k">def</span> <span class="nf">create_module_file</span><span class="p">(</span><span class="n">package</span><span class="p">,</span> <span class="n">module</span><span class="p">,</span> <span class="n">opts</span><span class="p">):</span> +<a name="cl-70"></a> <span class="sd">"""Build the text of the file and write the file."""</span> +<a name="cl-71"></a> <span class="n">name</span> <span class="o">=</span> <span class="n">create_file_name</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">opts</span><span class="p">)</span> +<a name="cl-72"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">force</span> <span class="ow">and</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">name</span><span class="p">):</span> +<a name="cl-73"></a> <span class="k">print</span> <span class="s">'File </span><span class="si">%s</span><span class="s"> already exists.'</span> <span class="o">%</span> <span class="n">name</span> +<a name="cl-74"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-75"></a> <span class="k">print</span> <span class="s">'Creating file </span><span class="si">%s</span><span class="s"> (module).'</span> <span class="o">%</span> <span class="n">name</span> +<a name="cl-76"></a> <span class="n">text</span> <span class="o">=</span> <span class="n">write_heading</span><span class="p">(</span><span class="n">module</span><span class="p">)</span> +<a name="cl-77"></a> <span class="n">text</span> <span class="o">+=</span> <span class="n">write_sub</span><span class="p">(</span><span class="n">module</span><span class="p">)</span> +<a name="cl-78"></a> <span class="n">text</span> <span class="o">+=</span> <span class="n">write_directive</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="n">package</span><span class="p">)</span> +<a name="cl-79"></a> +<a name="cl-80"></a> <span class="c"># write the file</span> +<a name="cl-81"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">dryrun</span><span class="p">:</span> +<a name="cl-82"></a> <span class="n">fd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span> +<a name="cl-83"></a> <span class="n">fd</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> +<a name="cl-84"></a> <span class="n">fd</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> +<a name="cl-85"></a> +<a name="cl-86"></a><span class="k">def</span> <span class="nf">create_package_file</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">master_package</span><span class="p">,</span> <span class="n">subroot</span><span class="p">,</span> <span class="n">py_files</span><span class="p">,</span> <span class="n">opts</span><span class="p">,</span> <span class="n">subs</span><span class="o">=</span><span class="bp">None</span><span class="p">):</span> +<a name="cl-87"></a> <span class="sd">"""Build the text of the file and write the file."""</span> +<a name="cl-88"></a> <span class="n">package</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="n">root</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span><span class="o">.</span><span class="n">lower</span><span class="p">()</span> +<a name="cl-89"></a> <span class="n">name</span> <span class="o">=</span> <span class="n">create_file_name</span><span class="p">(</span><span class="n">subroot</span><span class="p">,</span> <span class="n">opts</span><span class="p">)</span> +<a name="cl-90"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">force</span> <span class="ow">and</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">name</span><span class="p">):</span> +<a name="cl-91"></a> <span class="k">print</span> <span class="s">'File </span><span class="si">%s</span><span class="s"> already exists.'</span> <span class="o">%</span> <span class="n">name</span> +<a name="cl-92"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-93"></a> <span class="k">print</span> <span class="s">'Creating file </span><span class="si">%s</span><span class="s"> (package).'</span> <span class="o">%</span> <span class="n">name</span> +<a name="cl-94"></a> <span class="n">text</span> <span class="o">=</span> <span class="n">write_heading</span><span class="p">(</span><span class="n">package</span><span class="p">,</span> <span class="s">'Package'</span><span class="p">)</span> +<a name="cl-95"></a> <span class="k">if</span> <span class="n">subs</span> <span class="o">==</span> <span class="bp">None</span><span class="p">:</span> +<a name="cl-96"></a> <span class="n">subs</span> <span class="o">=</span> <span class="p">[]</span> +<a name="cl-97"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-98"></a> <span class="c"># build a list of directories that are package (they contain an __init_.py file)</span> +<a name="cl-99"></a> <span class="n">subs</span> <span class="o">=</span> <span class="p">[</span><span class="n">sub</span> <span class="k">for</span> <span class="n">sub</span> <span class="ow">in</span> <span class="n">subs</span> <span class="k">if</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isfile</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">sub</span><span class="p">,</span> <span class="s">'__init__.py'</span><span class="p">))]</span> +<a name="cl-100"></a> <span class="c"># if there's some package directories, add a TOC for theses subpackages</span> +<a name="cl-101"></a> <span class="k">if</span> <span class="n">subs</span><span class="p">:</span> +<a name="cl-102"></a> <span class="n">text</span> <span class="o">+=</span> <span class="n">title_line</span><span class="p">(</span><span class="s">'Subpackages'</span><span class="p">,</span> <span class="s">'-'</span><span class="p">)</span> +<a name="cl-103"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">'.. toctree::</span><span class="se">\n\n</span><span class="s">'</span> +<a name="cl-104"></a> <span class="k">for</span> <span class="n">sub</span> <span class="ow">in</span> <span class="n">subs</span><span class="p">:</span> +<a name="cl-105"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">' </span><span class="si">%s</span><span class="s">.</span><span class="si">%s</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">subroot</span><span class="p">,</span> <span class="n">sub</span><span class="p">)</span> +<a name="cl-106"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\n</span><span class="s">'</span> +<a name="cl-107"></a> +<a name="cl-108"></a> <span class="c"># add each package's module</span> +<a name="cl-109"></a> <span class="k">for</span> <span class="n">py_file</span> <span class="ow">in</span> <span class="n">py_files</span><span class="p">:</span> +<a name="cl-110"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">check_for_code</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">py_file</span><span class="p">)):</span> +<a name="cl-111"></a> <span class="c"># don't build the file if there's no code in it</span> +<a name="cl-112"></a> <span class="k">continue</span> +<a name="cl-113"></a> <span class="n">py_file</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">splitext</span><span class="p">(</span><span class="n">py_file</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> +<a name="cl-114"></a> <span class="n">py_path</span> <span class="o">=</span> <span class="s">'</span><span class="si">%s</span><span class="s">.</span><span class="si">%s</span><span class="s">'</span> <span class="o">%</span> <span class="p">(</span><span class="n">subroot</span><span class="p">,</span> <span class="n">py_file</span><span class="p">)</span> +<a name="cl-115"></a> <span class="n">kind</span> <span class="o">=</span> <span class="s">"Module"</span> +<a name="cl-116"></a> <span class="k">if</span> <span class="n">py_file</span> <span class="o">==</span> <span class="s">'__init__'</span><span class="p">:</span> +<a name="cl-117"></a> <span class="n">kind</span> <span class="o">=</span> <span class="s">"Package"</span> +<a name="cl-118"></a> <span class="n">text</span> <span class="o">+=</span> <span class="n">write_sub</span><span class="p">(</span><span class="n">kind</span> <span class="o">==</span> <span class="s">'Package'</span> <span class="ow">and</span> <span class="n">package</span> <span class="ow">or</span> <span class="n">py_file</span><span class="p">,</span> <span class="n">kind</span><span class="p">)</span> +<a name="cl-119"></a> <span class="n">text</span> <span class="o">+=</span> <span class="n">write_directive</span><span class="p">(</span><span class="n">kind</span> <span class="o">==</span> <span class="s">"Package"</span> <span class="ow">and</span> <span class="n">subroot</span> <span class="ow">or</span> <span class="n">py_path</span><span class="p">,</span> <span class="n">master_package</span><span class="p">)</span> +<a name="cl-120"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">'</span><span class="se">\n</span><span class="s">'</span> +<a name="cl-121"></a> +<a name="cl-122"></a> <span class="c"># write the file</span> +<a name="cl-123"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">dryrun</span><span class="p">:</span> +<a name="cl-124"></a> <span class="n">fd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span> +<a name="cl-125"></a> <span class="n">fd</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> +<a name="cl-126"></a> <span class="n">fd</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> +<a name="cl-127"></a> +<a name="cl-128"></a><span class="k">def</span> <span class="nf">check_for_code</span><span class="p">(</span><span class="n">module</span><span class="p">):</span> +<a name="cl-129"></a> <span class="sd">"""</span> +<a name="cl-130"></a><span class="sd"> Check if there's at least one class or one function in the module.</span> +<a name="cl-131"></a><span class="sd"> """</span> +<a name="cl-132"></a> <span class="n">fd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">module</span><span class="p">,</span> <span class="s">'r'</span><span class="p">)</span> +<a name="cl-133"></a> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">fd</span><span class="p">:</span> +<a name="cl-134"></a> <span class="k">if</span> <span class="n">line</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'def '</span><span class="p">)</span> <span class="ow">or</span> <span class="n">line</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s">'class '</span><span class="p">):</span> +<a name="cl-135"></a> <span class="n">fd</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> +<a name="cl-136"></a> <span class="k">return</span> <span class="bp">True</span> +<a name="cl-137"></a> <span class="n">fd</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> +<a name="cl-138"></a> <span class="k">return</span> <span class="bp">False</span> +<a name="cl-139"></a> +<a name="cl-140"></a><span class="k">def</span> <span class="nf">recurse_tree</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">excludes</span><span class="p">,</span> <span class="n">opts</span><span class="p">):</span> +<a name="cl-141"></a> <span class="sd">"""</span> +<a name="cl-142"></a><span class="sd"> Look for every file in the directory tree and create the corresponding</span> +<a name="cl-143"></a><span class="sd"> ReST files.</span> +<a name="cl-144"></a><span class="sd"> """</span> +<a name="cl-145"></a> <span class="n">package_name</span> <span class="o">=</span> <span class="bp">None</span> +<a name="cl-146"></a> <span class="c"># check if the base directory is a package and get is name</span> +<a name="cl-147"></a> <span class="k">if</span> <span class="s">'__init__.py'</span> <span class="ow">in</span> <span class="n">os</span><span class="o">.</span><span class="n">listdir</span><span class="p">(</span><span class="n">path</span><span class="p">):</span> +<a name="cl-148"></a> <span class="n">package_name</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">abspath</span><span class="p">(</span><span class="n">path</span><span class="p">)</span><span class="o">.</span><span class="n">split</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">sep</span><span class="p">)[</span><span class="o">-</span><span class="mi">1</span><span class="p">]</span> +<a name="cl-149"></a> +<a name="cl-150"></a> <span class="n">toc</span> <span class="o">=</span> <span class="p">[]</span> +<a name="cl-151"></a> <span class="n">excludes</span> <span class="o">=</span> <span class="n">format_excludes</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">excludes</span><span class="p">)</span> +<a name="cl-152"></a> <span class="n">tree</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">walk</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> +<a name="cl-153"></a> <span class="k">for</span> <span class="n">root</span><span class="p">,</span> <span class="n">subs</span><span class="p">,</span> <span class="n">files</span> <span class="ow">in</span> <span class="n">tree</span><span class="p">:</span> +<a name="cl-154"></a> <span class="c"># keep only the Python script files</span> +<a name="cl-155"></a> <span class="n">py_files</span> <span class="o">=</span> <span class="n">check_py_file</span><span class="p">(</span><span class="n">files</span><span class="p">)</span> +<a name="cl-156"></a> <span class="c"># remove hidden ('.') and private ('_') directories</span> +<a name="cl-157"></a> <span class="n">subs</span> <span class="o">=</span> <span class="p">[</span><span class="n">sub</span> <span class="k">for</span> <span class="n">sub</span> <span class="ow">in</span> <span class="n">subs</span> <span class="k">if</span> <span class="n">sub</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">[</span><span class="s">'.'</span><span class="p">,</span> <span class="s">'_'</span><span class="p">]]</span> +<a name="cl-158"></a> <span class="c"># check if there's valid files to process</span> +<a name="cl-159"></a> <span class="c"># TODO: could add check for windows hidden files</span> +<a name="cl-160"></a> <span class="k">if</span> <span class="s">"/."</span> <span class="ow">in</span> <span class="n">root</span> <span class="ow">or</span> <span class="s">"/_"</span> <span class="ow">in</span> <span class="n">root</span> \ +<a name="cl-161"></a> <span class="ow">or</span> <span class="ow">not</span> <span class="n">py_files</span> \ +<a name="cl-162"></a> <span class="ow">or</span> <span class="n">check_excludes</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">excludes</span><span class="p">):</span> +<a name="cl-163"></a> <span class="k">continue</span> +<a name="cl-164"></a> <span class="n">subroot</span> <span class="o">=</span> <span class="n">root</span><span class="p">[</span><span class="nb">len</span><span class="p">(</span><span class="n">path</span><span class="p">):]</span><span class="o">.</span><span class="n">lstrip</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">sep</span><span class="p">)</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">sep</span><span class="p">,</span> <span class="s">'.'</span><span class="p">)</span> +<a name="cl-165"></a> <span class="k">if</span> <span class="n">root</span> <span class="o">==</span> <span class="n">path</span><span class="p">:</span> +<a name="cl-166"></a> <span class="c"># we are at the root level so we create only modules</span> +<a name="cl-167"></a> <span class="k">for</span> <span class="n">py_file</span> <span class="ow">in</span> <span class="n">py_files</span><span class="p">:</span> +<a name="cl-168"></a> <span class="n">module</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">splitext</span><span class="p">(</span><span class="n">py_file</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> +<a name="cl-169"></a> <span class="c"># add the module if it contains code</span> +<a name="cl-170"></a> <span class="k">if</span> <span class="n">check_for_code</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="s">'</span><span class="si">%s</span><span class="s">.py'</span> <span class="o">%</span> <span class="n">module</span><span class="p">)):</span> +<a name="cl-171"></a> <span class="n">create_module_file</span><span class="p">(</span><span class="n">package_name</span><span class="p">,</span> <span class="n">module</span><span class="p">,</span> <span class="n">opts</span><span class="p">)</span> +<a name="cl-172"></a> <span class="n">toc</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">module</span><span class="p">)</span> +<a name="cl-173"></a> <span class="k">elif</span> <span class="ow">not</span> <span class="n">subs</span> <span class="ow">and</span> <span class="s">"__init__.py"</span> <span class="ow">in</span> <span class="n">py_files</span><span class="p">:</span> +<a name="cl-174"></a> <span class="c"># we are in a package without sub package</span> +<a name="cl-175"></a> <span class="c"># check if there's only an __init__.py file</span> +<a name="cl-176"></a> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">py_files</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span> +<a name="cl-177"></a> <span class="c"># check if there's code in the __init__.py file</span> +<a name="cl-178"></a> <span class="k">if</span> <span class="n">check_for_code</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="s">'__init__.py'</span><span class="p">)):</span> +<a name="cl-179"></a> <span class="n">create_package_file</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">package_name</span><span class="p">,</span> <span class="n">subroot</span><span class="p">,</span> <span class="n">py_files</span><span class="p">,</span> <span class="n">opts</span><span class="o">=</span><span class="n">opts</span><span class="p">)</span> +<a name="cl-180"></a> <span class="n">toc</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">subroot</span><span class="p">)</span> +<a name="cl-181"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-182"></a> <span class="n">create_package_file</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">package_name</span><span class="p">,</span> <span class="n">subroot</span><span class="p">,</span> <span class="n">py_files</span><span class="p">,</span> <span class="n">opts</span><span class="o">=</span><span class="n">opts</span><span class="p">)</span> +<a name="cl-183"></a> <span class="n">toc</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">subroot</span><span class="p">)</span> +<a name="cl-184"></a> <span class="k">elif</span> <span class="s">"__init__.py"</span> <span class="ow">in</span> <span class="n">py_files</span><span class="p">:</span> +<a name="cl-185"></a> <span class="c"># we are in package with subpackage(s)</span> +<a name="cl-186"></a> <span class="n">create_package_file</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">package_name</span><span class="p">,</span> <span class="n">subroot</span><span class="p">,</span> <span class="n">py_files</span><span class="p">,</span> <span class="n">opts</span><span class="p">,</span> <span class="n">subs</span><span class="p">)</span> +<a name="cl-187"></a> <span class="n">toc</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">subroot</span><span class="p">)</span> +<a name="cl-188"></a> +<a name="cl-189"></a> <span class="c"># create the module's index</span> +<a name="cl-190"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">notoc</span><span class="p">:</span> +<a name="cl-191"></a> <span class="n">modules_toc</span><span class="p">(</span><span class="n">toc</span><span class="p">,</span> <span class="n">opts</span><span class="p">)</span> +<a name="cl-192"></a> +<a name="cl-193"></a><span class="k">def</span> <span class="nf">modules_toc</span><span class="p">(</span><span class="n">modules</span><span class="p">,</span> <span class="n">opts</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="s">'modules'</span><span class="p">):</span> +<a name="cl-194"></a> <span class="sd">"""</span> +<a name="cl-195"></a><span class="sd"> Create the module's index.</span> +<a name="cl-196"></a><span class="sd"> """</span> +<a name="cl-197"></a> <span class="n">fname</span> <span class="o">=</span> <span class="n">create_file_name</span><span class="p">(</span><span class="n">name</span><span class="p">,</span> <span class="n">opts</span><span class="p">)</span> +<a name="cl-198"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">force</span> <span class="ow">and</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">exists</span><span class="p">(</span><span class="n">fname</span><span class="p">):</span> +<a name="cl-199"></a> <span class="k">print</span> <span class="s">"File </span><span class="si">%s</span><span class="s"> already exists."</span> <span class="o">%</span> <span class="n">name</span> +<a name="cl-200"></a> <span class="k">return</span> +<a name="cl-201"></a> +<a name="cl-202"></a> <span class="k">print</span> <span class="s">"Creating module's index modules.txt."</span> +<a name="cl-203"></a> <span class="n">text</span> <span class="o">=</span> <span class="n">write_heading</span><span class="p">(</span><span class="n">opts</span><span class="o">.</span><span class="n">header</span><span class="p">,</span> <span class="s">'Modules'</span><span class="p">)</span> +<a name="cl-204"></a> <span class="n">text</span> <span class="o">+=</span> <span class="n">title_line</span><span class="p">(</span><span class="s">'Modules:'</span><span class="p">,</span> <span class="s">'-'</span><span class="p">)</span> +<a name="cl-205"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">'.. toctree::</span><span class="se">\n</span><span class="s">'</span> +<a name="cl-206"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">' :maxdepth: </span><span class="si">%s</span><span class="se">\n\n</span><span class="s">'</span> <span class="o">%</span> <span class="n">opts</span><span class="o">.</span><span class="n">maxdepth</span> +<a name="cl-207"></a> +<a name="cl-208"></a> <span class="n">modules</span><span class="o">.</span><span class="n">sort</span><span class="p">()</span> +<a name="cl-209"></a> <span class="n">prev_module</span> <span class="o">=</span> <span class="s">''</span> +<a name="cl-210"></a> <span class="k">for</span> <span class="n">module</span> <span class="ow">in</span> <span class="n">modules</span><span class="p">:</span> +<a name="cl-211"></a> <span class="c"># look if the module is a subpackage and, if yes, ignore it</span> +<a name="cl-212"></a> <span class="k">if</span> <span class="n">module</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="n">prev_module</span> <span class="o">+</span> <span class="s">'.'</span><span class="p">):</span> +<a name="cl-213"></a> <span class="k">continue</span> +<a name="cl-214"></a> <span class="n">prev_module</span> <span class="o">=</span> <span class="n">module</span> +<a name="cl-215"></a> <span class="n">text</span> <span class="o">+=</span> <span class="s">' </span><span class="si">%s</span><span class="se">\n</span><span class="s">'</span> <span class="o">%</span> <span class="n">module</span> +<a name="cl-216"></a> +<a name="cl-217"></a> <span class="c"># write the file</span> +<a name="cl-218"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">opts</span><span class="o">.</span><span class="n">dryrun</span><span class="p">:</span> +<a name="cl-219"></a> <span class="n">fd</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="n">fname</span><span class="p">,</span> <span class="s">'w'</span><span class="p">)</span> +<a name="cl-220"></a> <span class="n">fd</span><span class="o">.</span><span class="n">write</span><span class="p">(</span><span class="n">text</span><span class="p">)</span> +<a name="cl-221"></a> <span class="n">fd</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> +<a name="cl-222"></a> +<a name="cl-223"></a><span class="k">def</span> <span class="nf">format_excludes</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">excludes</span><span class="p">):</span> +<a name="cl-224"></a> <span class="sd">"""</span> +<a name="cl-225"></a><span class="sd"> Format the excluded directory list.</span> +<a name="cl-226"></a><span class="sd"> (verify that the path is not from the root of the volume or the root of the</span> +<a name="cl-227"></a><span class="sd"> package)</span> +<a name="cl-228"></a><span class="sd"> """</span> +<a name="cl-229"></a> <span class="n">f_excludes</span> <span class="o">=</span> <span class="p">[]</span> +<a name="cl-230"></a> <span class="k">for</span> <span class="n">exclude</span> <span class="ow">in</span> <span class="n">excludes</span><span class="p">:</span> +<a name="cl-231"></a> <span class="k">if</span> <span class="ow">not</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isabs</span><span class="p">(</span><span class="n">exclude</span><span class="p">)</span> <span class="ow">and</span> <span class="n">exclude</span><span class="p">[:</span><span class="nb">len</span><span class="p">(</span><span class="n">path</span><span class="p">)]</span> <span class="o">!=</span> <span class="n">path</span><span class="p">:</span> +<a name="cl-232"></a> <span class="n">exclude</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">join</span><span class="p">(</span><span class="n">path</span><span class="p">,</span> <span class="n">exclude</span><span class="p">)</span> +<a name="cl-233"></a> <span class="c"># remove trailing slash</span> +<a name="cl-234"></a> <span class="n">f_excludes</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">exclude</span><span class="o">.</span><span class="n">rstrip</span><span class="p">(</span><span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">sep</span><span class="p">))</span> +<a name="cl-235"></a> <span class="k">return</span> <span class="n">f_excludes</span> +<a name="cl-236"></a> +<a name="cl-237"></a><span class="k">def</span> <span class="nf">check_excludes</span><span class="p">(</span><span class="n">root</span><span class="p">,</span> <span class="n">excludes</span><span class="p">):</span> +<a name="cl-238"></a> <span class="sd">"""</span> +<a name="cl-239"></a><span class="sd"> Check if the directory is in the exclude list.</span> +<a name="cl-240"></a><span class="sd"> """</span> +<a name="cl-241"></a> <span class="k">for</span> <span class="n">exclude</span> <span class="ow">in</span> <span class="n">excludes</span><span class="p">:</span> +<a name="cl-242"></a> <span class="k">if</span> <span class="n">root</span><span class="p">[:</span><span class="nb">len</span><span class="p">(</span><span class="n">exclude</span><span class="p">)]</span> <span class="o">==</span> <span class="n">exclude</span><span class="p">:</span> +<a name="cl-243"></a> <span class="k">return</span> <span class="bp">True</span> +<a name="cl-244"></a> <span class="k">return</span> <span class="bp">False</span> +<a name="cl-245"></a> +<a name="cl-246"></a><span class="k">def</span> <span class="nf">check_py_file</span><span class="p">(</span><span class="n">files</span><span class="p">):</span> +<a name="cl-247"></a> <span class="sd">"""</span> +<a name="cl-248"></a><span class="sd"> Return a list with only the python scripts (remove all other files). </span> +<a name="cl-249"></a><span class="sd"> """</span> +<a name="cl-250"></a> <span class="n">py_files</span> <span class="o">=</span> <span class="p">[</span><span class="n">fich</span> <span class="k">for</span> <span class="n">fich</span> <span class="ow">in</span> <span class="n">files</span> <span class="k">if</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">splitext</span><span class="p">(</span><span class="n">fich</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="o">==</span> <span class="s">'.py'</span><span class="p">]</span> +<a name="cl-251"></a> <span class="k">return</span> <span class="n">py_files</span> +<a name="cl-252"></a> +<a name="cl-253"></a> +<a name="cl-254"></a><span class="k">def</span> <span class="nf">main</span><span class="p">():</span> +<a name="cl-255"></a> <span class="sd">"""</span> +<a name="cl-256"></a><span class="sd"> Parse and check the command line arguments</span> +<a name="cl-257"></a><span class="sd"> """</span> +<a name="cl-258"></a> <span class="n">parser</span> <span class="o">=</span> <span class="n">optparse</span><span class="o">.</span><span class="n">OptionParser</span><span class="p">(</span><span class="n">usage</span><span class="o">=</span><span class="s">"""usage: %prog [options] <package path> [exclude paths, ...]</span> +<a name="cl-259"></a><span class="s"> </span> +<a name="cl-260"></a><span class="s">Note: By default this script will not overwrite already created files."""</span><span class="p">)</span> +<a name="cl-261"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-n"</span><span class="p">,</span> <span class="s">"--doc-header"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"header"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"Documentation Header (default=Project)"</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="s">"Project"</span><span class="p">)</span> +<a name="cl-262"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-d"</span><span class="p">,</span> <span class="s">"--dest-dir"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"destdir"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"Output destination directory"</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="s">""</span><span class="p">)</span> +<a name="cl-263"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-s"</span><span class="p">,</span> <span class="s">"--suffix"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"suffix"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"module suffix (default=txt)"</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="s">"txt"</span><span class="p">)</span> +<a name="cl-264"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-m"</span><span class="p">,</span> <span class="s">"--maxdepth"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"maxdepth"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"Maximum depth of submodules to show in the TOC (default=4)"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="s">"int"</span><span class="p">,</span> <span class="n">default</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span> +<a name="cl-265"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-r"</span><span class="p">,</span> <span class="s">"--dry-run"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store_true"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"dryrun"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"Run the script without creating the files"</span><span class="p">)</span> +<a name="cl-266"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-f"</span><span class="p">,</span> <span class="s">"--force"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store_true"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"force"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"Overwrite all the files"</span><span class="p">)</span> +<a name="cl-267"></a> <span class="n">parser</span><span class="o">.</span><span class="n">add_option</span><span class="p">(</span><span class="s">"-t"</span><span class="p">,</span> <span class="s">"--no-toc"</span><span class="p">,</span> <span class="n">action</span><span class="o">=</span><span class="s">"store_true"</span><span class="p">,</span> <span class="n">dest</span><span class="o">=</span><span class="s">"notoc"</span><span class="p">,</span> <span class="n">help</span><span class="o">=</span><span class="s">"Don't create the table of content file"</span><span class="p">)</span> +<a name="cl-268"></a> <span class="p">(</span><span class="n">opts</span><span class="p">,</span> <span class="n">args</span><span class="p">)</span> <span class="o">=</span> <span class="n">parser</span><span class="o">.</span><span class="n">parse_args</span><span class="p">()</span> +<a name="cl-269"></a> <span class="k">if</span> <span class="nb">len</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="o"><</span> <span class="mi">1</span><span class="p">:</span> +<a name="cl-270"></a> <span class="n">parser</span><span class="o">.</span><span class="n">error</span><span class="p">(</span><span class="s">"package path is required."</span><span class="p">)</span> +<a name="cl-271"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-272"></a> <span class="k">if</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isdir</span><span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">]):</span> +<a name="cl-273"></a> <span class="c"># check if the output destination is a valid directory</span> +<a name="cl-274"></a> <span class="k">if</span> <span class="n">opts</span><span class="o">.</span><span class="n">destdir</span> <span class="ow">and</span> <span class="n">os</span><span class="o">.</span><span class="n">path</span><span class="o">.</span><span class="n">isdir</span><span class="p">(</span><span class="n">opts</span><span class="o">.</span><span class="n">destdir</span><span class="p">):</span> +<a name="cl-275"></a> <span class="c"># if there's some exclude arguments, build the list of excludes</span> +<a name="cl-276"></a> <span class="n">excludes</span> <span class="o">=</span> <span class="n">args</span><span class="p">[</span><span class="mi">1</span><span class="p">:]</span> +<a name="cl-277"></a> <span class="n">recurse_tree</span><span class="p">(</span><span class="n">args</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">excludes</span><span class="p">,</span> <span class="n">opts</span><span class="p">)</span> +<a name="cl-278"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-279"></a> <span class="k">print</span> <span class="s">'</span><span class="si">%s</span><span class="s"> is not a valid output destination directory.'</span> <span class="o">%</span> <span class="n">opts</span><span class="o">.</span><span class="n">destdir</span> +<a name="cl-280"></a> <span class="k">else</span><span class="p">:</span> +<a name="cl-281"></a> <span class="k">print</span> <span class="s">'</span><span class="si">%s</span><span class="s"> is not a valid directory.'</span> <span class="o">%</span> <span class="n">args</span> +<a name="cl-282"></a> +<a name="cl-283"></a> +<a name="cl-284"></a> +<a name="cl-285"></a> +<a name="cl-286"></a><span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="s">'__main__'</span><span class="p">:</span> +<a name="cl-287"></a> <span class="n">main</span><span class="p">()</span> +<a name="cl-288"></a> +</pre></div> +</td></tr></table> + + +</div> + + + + <div class="cb"></div> + </div> + <div class="cb footer-placeholder"></div> + </div> + <div id="footer-wrapper"> + <div id="footer"> + <a href="/site/terms/">TOS</a> | <a href="/site/privacy/">Privacy Policy</a> | <a href="http://blog.bitbucket.org/">Blog</a> | <a href="http://bitbucket.org/jespern/bitbucket/issues/new/">Report Bug</a> | <a href="http://groups.google.com/group/bitbucket-users">Discuss</a> | <a href="http://avantlumiere.com/">© 2008-2010</a> + | We run <small><b> + <a href="http://www.djangoproject.com/">Django 1.2.1</a> / + <a href="http://bitbucket.org/jespern/django-piston/">Piston 0.2.3rc1</a> / + <a href="http://www.selenic.com/mercurial/">Hg 1.3.1</a> / + <a href="http://www.python.org">Python 2.5.2</a> / + r3049| fe02 + </b></small> + </div> + </div> + + <script type="text/javascript"> + var _gaq = _gaq || []; + _gaq.push(['_setAccount', 'UA-2456069-3'], ['_trackPageview']); + + var _gaq = _gaq || []; + _gaq.push(['atl._setAccount', 'UA-6032469-33'], ['atl._trackPageview']); + (function() { + var ga = document.createElement('script'); + ga.src = ('https:' == document.location.protocol ? 'https://ssl' : + 'http://www') + '.google-analytics.com/ga.js'; + ga.setAttribute('async', 'true'); + document.documentElement.firstChild.appendChild(ga); + })(); + </script> + +</body> +</html> diff --git a/askbot/deps/__init__.py b/askbot/deps/__init__.py index e69de29b..d25583a2 100644 --- a/askbot/deps/__init__.py +++ b/askbot/deps/__init__.py @@ -0,0 +1,24 @@ +""" +.. _askbot.deps + +:mod:askbot.deps - dependency packages for Askbot +=================================================== + +Most askbot dependencies are satisfied with setuptools, but some modules +were either too seriously modified - like `django_authopenid` specifically for +askbot, while others are not available via PyPI. Yet some other packages +while being listed on PyPI, still do not install reliably - those were also +added to the ``askbot.deps`` module. + +Some packages included here were modified with hardcoded imports like:: + + from askbot.deps.somepackage import xyz + from askbot.deps import somepackage + +So these cannot be moved around at all. + +There is one package - ``python.openid`` which has not been modified this way. +In order for this one to import, PYTHONPATH variable was modified within `django.wsgi`_ +file - the connector script for Apache mod_wsgi. + +""" diff --git a/askbot/deps/openid/__init__.py b/askbot/deps/openid/__init__.py new file mode 100644 index 00000000..6be6538e --- /dev/null +++ b/askbot/deps/openid/__init__.py @@ -0,0 +1,55 @@ +""" +This package is an implementation of the OpenID specification in +Python. It contains code for both server and consumer +implementations. For information on implementing an OpenID consumer, +see the C{L{openid.consumer.consumer}} module. For information on +implementing an OpenID server, see the C{L{openid.server.server}} +module. + +@contact: U{http://openid.net/developers/dev-mailing-lists/ + <http://openid.net/developers/dev-mailing-lists/} + +@copyright: (C) 2005-2008 JanRain, Inc. + +@license: Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + U{http://www.apache.org/licenses/LICENSE-2.0} + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions + and limitations under the License. +""" + +__version__ = '[library version:2.2.1]'[17:-1] + +__all__ = [ + 'association', + 'consumer', + 'cryptutil', + 'dh', + 'extension', + 'extensions', + 'fetchers', + 'kvform', + 'message', + 'oidutil', + 'server', + 'sreg', + 'store', + 'urinorm', + 'yadis', + ] + +# Parse the version info +try: + version_info = map(int, __version__.split('.')) +except ValueError: + version_info = (None, None, None) +else: + if len(version_info) != 3: + version_info = (None, None, None) + else: + version_info = tuple(version_info) diff --git a/askbot/deps/openid/association.py b/askbot/deps/openid/association.py new file mode 100644 index 00000000..5be534b9 --- /dev/null +++ b/askbot/deps/openid/association.py @@ -0,0 +1,555 @@ +# -*- test-case-name: openid.test.test_association -*- +""" +This module contains code for dealing with associations between +consumers and servers. Associations contain a shared secret that is +used to sign C{openid.mode=id_res} messages. + +Users of the library should not usually need to interact directly with +associations. The L{store<openid.store>}, +L{server<openid.server.server>} and +L{consumer<openid.consumer.consumer>} objects will create and manage +the associations. The consumer and server code will make use of a +C{L{SessionNegotiator}} when managing associations, which enables +users to express a preference for what kind of associations should be +allowed, and what kind of exchange should be done to establish the +association. + +@var default_negotiator: A C{L{SessionNegotiator}} that allows all + association types that are specified by the OpenID + specification. It prefers to use HMAC-SHA1/DH-SHA1, if it's + available. If HMAC-SHA256 is not supported by your Python runtime, + HMAC-SHA256 and DH-SHA256 will not be available. + +@var encrypted_negotiator: A C{L{SessionNegotiator}} that + does not support C{'no-encryption'} associations. It prefers + HMAC-SHA1/DH-SHA1 association types if available. +""" + +__all__ = [ + 'default_negotiator', + 'encrypted_negotiator', + 'SessionNegotiator', + 'Association', + ] + +import time + +from openid import cryptutil +from openid import kvform +from openid import oidutil +from openid.message import OPENID_NS + +all_association_types = [ + 'HMAC-SHA1', + 'HMAC-SHA256', + ] + +if hasattr(cryptutil, 'hmacSha256'): + supported_association_types = list(all_association_types) + + default_association_order = [ + ('HMAC-SHA1', 'DH-SHA1'), + ('HMAC-SHA1', 'no-encryption'), + ('HMAC-SHA256', 'DH-SHA256'), + ('HMAC-SHA256', 'no-encryption'), + ] + + only_encrypted_association_order = [ + ('HMAC-SHA1', 'DH-SHA1'), + ('HMAC-SHA256', 'DH-SHA256'), + ] +else: + supported_association_types = ['HMAC-SHA1'] + + default_association_order = [ + ('HMAC-SHA1', 'DH-SHA1'), + ('HMAC-SHA1', 'no-encryption'), + ] + + only_encrypted_association_order = [ + ('HMAC-SHA1', 'DH-SHA1'), + ] + +def getSessionTypes(assoc_type): + """Return the allowed session types for a given association type""" + assoc_to_session = { + 'HMAC-SHA1': ['DH-SHA1', 'no-encryption'], + 'HMAC-SHA256': ['DH-SHA256', 'no-encryption'], + } + return assoc_to_session.get(assoc_type, []) + +def checkSessionType(assoc_type, session_type): + """Check to make sure that this pair of assoc type and session + type are allowed""" + if session_type not in getSessionTypes(assoc_type): + raise ValueError( + 'Session type %r not valid for assocation type %r' + % (session_type, assoc_type)) + +class SessionNegotiator(object): + """A session negotiator controls the allowed and preferred + association types and association session types. Both the + C{L{Consumer<openid.consumer.consumer.Consumer>}} and + C{L{Server<openid.server.server.Server>}} use negotiators when + creating associations. + + You can create and use negotiators if you: + + - Do not want to do Diffie-Hellman key exchange because you use + transport-layer encryption (e.g. SSL) + + - Want to use only SHA-256 associations + + - Do not want to support plain-text associations over a non-secure + channel + + It is up to you to set a policy for what kinds of associations to + accept. By default, the library will make any kind of association + that is allowed in the OpenID 2.0 specification. + + Use of negotiators in the library + ================================= + + When a consumer makes an association request, it calls + C{L{getAllowedType}} to get the preferred association type and + association session type. + + The server gets a request for a particular association/session + type and calls C{L{isAllowed}} to determine if it should + create an association. If it is supported, negotiation is + complete. If it is not, the server calls C{L{getAllowedType}} to + get an allowed association type to return to the consumer. + + If the consumer gets an error response indicating that the + requested association/session type is not supported by the server + that contains an assocation/session type to try, it calls + C{L{isAllowed}} to determine if it should try again with the + given combination of association/session type. + + @ivar allowed_types: A list of association/session types that are + allowed by the server. The order of the pairs in this list + determines preference. If an association/session type comes + earlier in the list, the library is more likely to use that + type. + @type allowed_types: [(str, str)] + """ + + def __init__(self, allowed_types): + self.setAllowedTypes(allowed_types) + + def copy(self): + return self.__class__(list(self.allowed_types)) + + def setAllowedTypes(self, allowed_types): + """Set the allowed association types, checking to make sure + each combination is valid.""" + for (assoc_type, session_type) in allowed_types: + checkSessionType(assoc_type, session_type) + + self.allowed_types = allowed_types + + def addAllowedType(self, assoc_type, session_type=None): + """Add an association type and session type to the allowed + types list. The assocation/session pairs are tried in the + order that they are added.""" + if self.allowed_types is None: + self.allowed_types = [] + + if session_type is None: + available = getSessionTypes(assoc_type) + + if not available: + raise ValueError('No session available for association type %r' + % (assoc_type,)) + + for session_type in getSessionTypes(assoc_type): + self.addAllowedType(assoc_type, session_type) + else: + checkSessionType(assoc_type, session_type) + self.allowed_types.append((assoc_type, session_type)) + + + def isAllowed(self, assoc_type, session_type): + """Is this combination of association type and session type allowed?""" + assoc_good = (assoc_type, session_type) in self.allowed_types + matches = session_type in getSessionTypes(assoc_type) + return assoc_good and matches + + def getAllowedType(self): + """Get a pair of assocation type and session type that are + supported""" + try: + return self.allowed_types[0] + except IndexError: + return (None, None) + +default_negotiator = SessionNegotiator(default_association_order) +encrypted_negotiator = SessionNegotiator(only_encrypted_association_order) + +def getSecretSize(assoc_type): + if assoc_type == 'HMAC-SHA1': + return 20 + elif assoc_type == 'HMAC-SHA256': + return 32 + else: + raise ValueError('Unsupported association type: %r' % (assoc_type,)) + +class Association(object): + """ + This class represents an association between a server and a + consumer. In general, users of this library will never see + instances of this object. The only exception is if you implement + a custom C{L{OpenIDStore<openid.store.interface.OpenIDStore>}}. + + If you do implement such a store, it will need to store the values + of the C{L{handle}}, C{L{secret}}, C{L{issued}}, C{L{lifetime}}, and + C{L{assoc_type}} instance variables. + + @ivar handle: This is the handle the server gave this association. + + @type handle: C{str} + + + @ivar secret: This is the shared secret the server generated for + this association. + + @type secret: C{str} + + + @ivar issued: This is the time this association was issued, in + seconds since 00:00 GMT, January 1, 1970. (ie, a unix + timestamp) + + @type issued: C{int} + + + @ivar lifetime: This is the amount of time this association is + good for, measured in seconds since the association was + issued. + + @type lifetime: C{int} + + + @ivar assoc_type: This is the type of association this instance + represents. The only valid value of this field at this time + is C{'HMAC-SHA1'}, but new types may be defined in the future. + + @type assoc_type: C{str} + + + @sort: __init__, fromExpiresIn, getExpiresIn, __eq__, __ne__, + handle, secret, issued, lifetime, assoc_type + """ + + # The ordering and name of keys as stored by serialize + assoc_keys = [ + 'version', + 'handle', + 'secret', + 'issued', + 'lifetime', + 'assoc_type', + ] + + + _macs = { + 'HMAC-SHA1': cryptutil.hmacSha1, + 'HMAC-SHA256': cryptutil.hmacSha256, + } + + + def fromExpiresIn(cls, expires_in, handle, secret, assoc_type): + """ + This is an alternate constructor used by the OpenID consumer + library to create associations. C{L{OpenIDStore + <openid.store.interface.OpenIDStore>}} implementations + shouldn't use this constructor. + + + @param expires_in: This is the amount of time this association + is good for, measured in seconds since the association was + issued. + + @type expires_in: C{int} + + + @param handle: This is the handle the server gave this + association. + + @type handle: C{str} + + + @param secret: This is the shared secret the server generated + for this association. + + @type secret: C{str} + + + @param assoc_type: This is the type of association this + instance represents. The only valid value of this field + at this time is C{'HMAC-SHA1'}, but new types may be + defined in the future. + + @type assoc_type: C{str} + """ + issued = int(time.time()) + lifetime = expires_in + return cls(handle, secret, issued, lifetime, assoc_type) + + fromExpiresIn = classmethod(fromExpiresIn) + + def __init__(self, handle, secret, issued, lifetime, assoc_type): + """ + This is the standard constructor for creating an association. + + + @param handle: This is the handle the server gave this + association. + + @type handle: C{str} + + + @param secret: This is the shared secret the server generated + for this association. + + @type secret: C{str} + + + @param issued: This is the time this association was issued, + in seconds since 00:00 GMT, January 1, 1970. (ie, a unix + timestamp) + + @type issued: C{int} + + + @param lifetime: This is the amount of time this association + is good for, measured in seconds since the association was + issued. + + @type lifetime: C{int} + + + @param assoc_type: This is the type of association this + instance represents. The only valid value of this field + at this time is C{'HMAC-SHA1'}, but new types may be + defined in the future. + + @type assoc_type: C{str} + """ + if assoc_type not in all_association_types: + fmt = '%r is not a supported association type' + raise ValueError(fmt % (assoc_type,)) + +# secret_size = getSecretSize(assoc_type) +# if len(secret) != secret_size: +# fmt = 'Wrong size secret (%s bytes) for association type %s' +# raise ValueError(fmt % (len(secret), assoc_type)) + + self.handle = handle + self.secret = secret + self.issued = issued + self.lifetime = lifetime + self.assoc_type = assoc_type + + def getExpiresIn(self, now=None): + """ + This returns the number of seconds this association is still + valid for, or C{0} if the association is no longer valid. + + + @return: The number of seconds this association is still valid + for, or C{0} if the association is no longer valid. + + @rtype: C{int} + """ + if now is None: + now = int(time.time()) + + return max(0, self.issued + self.lifetime - now) + + expiresIn = property(getExpiresIn) + + def __eq__(self, other): + """ + This checks to see if two C{L{Association}} instances + represent the same association. + + + @return: C{True} if the two instances represent the same + association, C{False} otherwise. + + @rtype: C{bool} + """ + return type(self) is type(other) and self.__dict__ == other.__dict__ + + def __ne__(self, other): + """ + This checks to see if two C{L{Association}} instances + represent different associations. + + + @return: C{True} if the two instances represent different + associations, C{False} otherwise. + + @rtype: C{bool} + """ + return not (self == other) + + def serialize(self): + """ + Convert an association to KV form. + + @return: String in KV form suitable for deserialization by + deserialize. + + @rtype: str + """ + data = { + 'version':'2', + 'handle':self.handle, + 'secret':oidutil.toBase64(self.secret), + 'issued':str(int(self.issued)), + 'lifetime':str(int(self.lifetime)), + 'assoc_type':self.assoc_type + } + + assert len(data) == len(self.assoc_keys) + pairs = [] + for field_name in self.assoc_keys: + pairs.append((field_name, data[field_name])) + + return kvform.seqToKV(pairs, strict=True) + + def deserialize(cls, assoc_s): + """ + Parse an association as stored by serialize(). + + inverse of serialize + + + @param assoc_s: Association as serialized by serialize() + + @type assoc_s: str + + + @return: instance of this class + """ + pairs = kvform.kvToSeq(assoc_s, strict=True) + keys = [] + values = [] + for k, v in pairs: + keys.append(k) + values.append(v) + + if keys != cls.assoc_keys: + raise ValueError('Unexpected key values: %r', keys) + + version, handle, secret, issued, lifetime, assoc_type = values + if version != '2': + raise ValueError('Unknown version: %r' % version) + issued = int(issued) + lifetime = int(lifetime) + secret = oidutil.fromBase64(secret) + return cls(handle, secret, issued, lifetime, assoc_type) + + deserialize = classmethod(deserialize) + + def sign(self, pairs): + """ + Generate a signature for a sequence of (key, value) pairs + + + @param pairs: The pairs to sign, in order + + @type pairs: sequence of (str, str) + + + @return: The binary signature of this sequence of pairs + + @rtype: str + """ + kv = kvform.seqToKV(pairs) + + try: + mac = self._macs[self.assoc_type] + except KeyError: + raise ValueError( + 'Unknown association type: %r' % (self.assoc_type,)) + + return mac(self.secret, kv) + + + def getMessageSignature(self, message): + """Return the signature of a message. + + If I am not a sign-all association, the message must have a + signed list. + + @return: the signature, base64 encoded + + @rtype: str + + @raises ValueError: If there is no signed list and I am not a sign-all + type of association. + """ + pairs = self._makePairs(message) + return oidutil.toBase64(self.sign(pairs)) + + def signMessage(self, message): + """Add a signature (and a signed list) to a message. + + @return: a new Message object with a signature + @rtype: L{openid.message.Message} + """ + if (message.hasKey(OPENID_NS, 'sig') or + message.hasKey(OPENID_NS, 'signed')): + raise ValueError('Message already has signed list or signature') + + extant_handle = message.getArg(OPENID_NS, 'assoc_handle') + if extant_handle and extant_handle != self.handle: + raise ValueError("Message has a different association handle") + + signed_message = message.copy() + signed_message.setArg(OPENID_NS, 'assoc_handle', self.handle) + message_keys = signed_message.toPostArgs().keys() + signed_list = [k[7:] for k in message_keys + if k.startswith('openid.')] + signed_list.append('signed') + signed_list.sort() + signed_message.setArg(OPENID_NS, 'signed', ','.join(signed_list)) + sig = self.getMessageSignature(signed_message) + signed_message.setArg(OPENID_NS, 'sig', sig) + return signed_message + + def checkMessageSignature(self, message): + """Given a message with a signature, calculate a new signature + and return whether it matches the signature in the message. + + @raises ValueError: if the message has no signature or no signature + can be calculated for it. + """ + message_sig = message.getArg(OPENID_NS, 'sig') + if not message_sig: + raise ValueError("%s has no sig." % (message,)) + calculated_sig = self.getMessageSignature(message) + return calculated_sig == message_sig + + + def _makePairs(self, message): + signed = message.getArg(OPENID_NS, 'signed') + if not signed: + raise ValueError('Message has no signed list: %s' % (message,)) + + signed_list = signed.split(',') + pairs = [] + data = message.toPostArgs() + for field in signed_list: + pairs.append((field, data.get('openid.' + field, ''))) + return pairs + + def __repr__(self): + return "<%s.%s %s %s>" % ( + self.__class__.__module__, + self.__class__.__name__, + self.assoc_type, + self.handle) diff --git a/askbot/deps/openid/consumer/__init__.py b/askbot/deps/openid/consumer/__init__.py new file mode 100644 index 00000000..aab51a29 --- /dev/null +++ b/askbot/deps/openid/consumer/__init__.py @@ -0,0 +1,6 @@ +""" +This package contains the portions of the library used only when +implementing an OpenID consumer. +""" + +__all__ = ['consumer', 'discover'] diff --git a/askbot/deps/openid/consumer/consumer.py b/askbot/deps/openid/consumer/consumer.py new file mode 100644 index 00000000..52057494 --- /dev/null +++ b/askbot/deps/openid/consumer/consumer.py @@ -0,0 +1,1900 @@ +# -*- test-case-name: openid.test.test_consumer -*- +"""OpenID support for Relying Parties (aka Consumers). + +This module documents the main interface with the OpenID consumer +library. The only part of the library which has to be used and isn't +documented in full here is the store required to create an +C{L{Consumer}} instance. More on the abstract store type and +concrete implementations of it that are provided in the documentation +for the C{L{__init__<Consumer.__init__>}} method of the +C{L{Consumer}} class. + + +OVERVIEW +======== + + The OpenID identity verification process most commonly uses the + following steps, as visible to the user of this library: + + 1. The user enters their OpenID into a field on the consumer's + site, and hits a login button. + + 2. The consumer site discovers the user's OpenID provider using + the Yadis protocol. + + 3. The consumer site sends the browser a redirect to the + OpenID provider. This is the authentication request as + described in the OpenID specification. + + 4. The OpenID provider's site sends the browser a redirect + back to the consumer site. This redirect contains the + provider's response to the authentication request. + + The most important part of the flow to note is the consumer's site + must handle two separate HTTP requests in order to perform the + full identity check. + + +LIBRARY DESIGN +============== + + This consumer library is designed with that flow in mind. The + goal is to make it as easy as possible to perform the above steps + securely. + + At a high level, there are two important parts in the consumer + library. The first important part is this module, which contains + the interface to actually use this library. The second is the + C{L{openid.store.interface}} module, which describes the + interface to use if you need to create a custom method for storing + the state this library needs to maintain between requests. + + In general, the second part is less important for users of the + library to know about, as several implementations are provided + which cover a wide variety of situations in which consumers may + use the library. + + This module contains a class, C{L{Consumer}}, with methods + corresponding to the actions necessary in each of steps 2, 3, and + 4 described in the overview. Use of this library should be as easy + as creating an C{L{Consumer}} instance and calling the methods + appropriate for the action the site wants to take. + + +SESSIONS, STORES, AND STATELESS MODE +==================================== + + The C{L{Consumer}} object keeps track of two types of state: + + 1. State of the user's current authentication attempt. Things like + the identity URL, the list of endpoints discovered for that + URL, and in case where some endpoints are unreachable, the list + of endpoints already tried. This state needs to be held from + Consumer.begin() to Consumer.complete(), but it is only applicable + to a single session with a single user agent, and at the end of + the authentication process (i.e. when an OP replies with either + C{id_res} or C{cancel}) it may be discarded. + + 2. State of relationships with servers, i.e. shared secrets + (associations) with servers and nonces seen on signed messages. + This information should persist from one session to the next and + should not be bound to a particular user-agent. + + + These two types of storage are reflected in the first two arguments of + Consumer's constructor, C{session} and C{store}. C{session} is a + dict-like object and we hope your web framework provides you with one + of these bound to the user agent. C{store} is an instance of + L{openid.store.interface.OpenIDStore}. + + Since the store does hold secrets shared between your application and the + OpenID provider, you should be careful about how you use it in a shared + hosting environment. If the filesystem or database permissions of your + web host allow strangers to read from them, do not store your data there! + If you have no safe place to store your data, construct your consumer + with C{None} for the store, and it will operate only in stateless mode. + Stateless mode may be slower, put more load on the OpenID provider, and + trusts the provider to keep you safe from replay attacks. + + + Several store implementation are provided, and the interface is + fully documented so that custom stores can be used as well. See + the documentation for the C{L{Consumer}} class for more + information on the interface for stores. The implementations that + are provided allow the consumer site to store the necessary data + in several different ways, including several SQL databases and + normal files on disk. + + +IMMEDIATE MODE +============== + + In the flow described above, the user may need to confirm to the + OpenID provider that it's ok to disclose his or her identity. + The provider may draw pages asking for information from the user + before it redirects the browser back to the consumer's site. This + is generally transparent to the consumer site, so it is typically + ignored as an implementation detail. + + There can be times, however, where the consumer site wants to get + a response immediately. When this is the case, the consumer can + put the library in immediate mode. In immediate mode, there is an + extra response possible from the server, which is essentially the + server reporting that it doesn't have enough information to answer + the question yet. + + +USING THIS LIBRARY +================== + + Integrating this library into an application is usually a + relatively straightforward process. The process should basically + follow this plan: + + Add an OpenID login field somewhere on your site. When an OpenID + is entered in that field and the form is submitted, it should make + a request to your site which includes that OpenID URL. + + First, the application should L{instantiate a Consumer<Consumer.__init__>} + with a session for per-user state and store for shared state. + using the store of choice. + + Next, the application should call the 'C{L{begin<Consumer.begin>}}' method on the + C{L{Consumer}} instance. This method takes the OpenID URL. The + C{L{begin<Consumer.begin>}} method returns an C{L{AuthRequest}} + object. + + Next, the application should call the + C{L{redirectURL<AuthRequest.redirectURL>}} method on the + C{L{AuthRequest}} object. The parameter C{return_to} is the URL + that the OpenID server will send the user back to after attempting + to verify his or her identity. The C{realm} parameter is the + URL (or URL pattern) that identifies your web site to the user + when he or she is authorizing it. Send a redirect to the + resulting URL to the user's browser. + + That's the first half of the authentication process. The second + half of the process is done after the user's OpenID Provider sends the + user's browser a redirect back to your site to complete their + login. + + When that happens, the user will contact your site at the URL + given as the C{return_to} URL to the + C{L{redirectURL<AuthRequest.redirectURL>}} call made + above. The request will have several query parameters added to + the URL by the OpenID provider as the information necessary to + finish the request. + + Get a C{L{Consumer}} instance with the same session and store as + before and call its C{L{complete<Consumer.complete>}} method, + passing in all the received query arguments. + + There are multiple possible return types possible from that + method. These indicate whether or not the login was successful, + and include any additional information appropriate for their type. + +@var SUCCESS: constant used as the status for + L{SuccessResponse<openid.consumer.consumer.SuccessResponse>} objects. + +@var FAILURE: constant used as the status for + L{FailureResponse<openid.consumer.consumer.FailureResponse>} objects. + +@var CANCEL: constant used as the status for + L{CancelResponse<openid.consumer.consumer.CancelResponse>} objects. + +@var SETUP_NEEDED: constant used as the status for + L{SetupNeededResponse<openid.consumer.consumer.SetupNeededResponse>} + objects. +""" + +import cgi +import copy +from urlparse import urlparse, urldefrag + +from openid import fetchers + +from openid.consumer.discover import discover, OpenIDServiceEndpoint, \ + DiscoveryFailure, OPENID_1_0_TYPE, OPENID_1_1_TYPE, OPENID_2_0_TYPE +from openid.message import Message, OPENID_NS, OPENID2_NS, OPENID1_NS, \ + IDENTIFIER_SELECT, no_default, BARE_NS +from openid import cryptutil +from openid import oidutil +from openid.association import Association, default_negotiator, \ + SessionNegotiator +from openid.dh import DiffieHellman +from openid.store.nonce import mkNonce, split as splitNonce +from openid.yadis.manager import Discovery +from openid import urinorm + + +__all__ = ['AuthRequest', 'Consumer', 'SuccessResponse', + 'SetupNeededResponse', 'CancelResponse', 'FailureResponse', + 'SUCCESS', 'FAILURE', 'CANCEL', 'SETUP_NEEDED', + ] + + +def makeKVPost(request_message, server_url): + """Make a Direct Request to an OpenID Provider and return the + result as a Message object. + + @raises openid.fetchers.HTTPFetchingError: if an error is + encountered in making the HTTP post. + + @rtype: L{openid.message.Message} + """ + # XXX: TESTME + resp = fetchers.fetch(server_url, body=request_message.toURLEncoded()) + + # Process response in separate function that can be shared by async code. + return _httpResponseToMessage(resp, server_url) + + +def _httpResponseToMessage(response, server_url): + """Adapt a POST response to a Message. + + @type response: L{openid.fetchers.HTTPResponse} + @param response: Result of a POST to an OpenID endpoint. + + @rtype: L{openid.message.Message} + + @raises openid.fetchers.HTTPFetchingError: if the server returned a + status of other than 200 or 400. + + @raises ServerError: if the server returned an OpenID error. + """ + # Should this function be named Message.fromHTTPResponse instead? + response_message = Message.fromKVForm(response.body) + if response.status == 400: + raise ServerError.fromMessage(response_message) + + elif response.status not in (200, 206): + fmt = 'bad status code from server %s: %s' + error_message = fmt % (server_url, response.status) + raise fetchers.HTTPFetchingError(error_message) + + return response_message + + + +class Consumer(object): + """An OpenID consumer implementation that performs discovery and + does session management. + + @ivar consumer: an instance of an object implementing the OpenID + protocol, but doing no discovery or session management. + + @type consumer: GenericConsumer + + @ivar session: A dictionary-like object representing the user's + session data. This is used for keeping state of the OpenID + transaction when the user is redirected to the server. + + @cvar session_key_prefix: A string that is prepended to session + keys to ensure that they are unique. This variable may be + changed to suit your application. + """ + session_key_prefix = "_openid_consumer_" + + _token = 'last_token' + + _discover = staticmethod(discover) + + def __init__(self, session, store, consumer_class=None): + """Initialize a Consumer instance. + + You should create a new instance of the Consumer object with + every HTTP request that handles OpenID transactions. + + @param session: See L{the session instance variable<openid.consumer.consumer.Consumer.session>} + + @param store: an object that implements the interface in + C{L{openid.store.interface.OpenIDStore}}. Several + implementations are provided, to cover common database + environments. + + @type store: C{L{openid.store.interface.OpenIDStore}} + + @see: L{openid.store.interface} + @see: L{openid.store} + """ + self.session = session + if consumer_class is None: + consumer_class = GenericConsumer + self.consumer = consumer_class(store) + self._token_key = self.session_key_prefix + self._token + + def begin(self, user_url, anonymous=False): + """Start the OpenID authentication process. See steps 1-2 in + the overview at the top of this file. + + @param user_url: Identity URL given by the user. This method + performs a textual transformation of the URL to try and + make sure it is normalized. For example, a user_url of + example.com will be normalized to http://example.com/ + normalizing and resolving any redirects the server might + issue. + + @type user_url: unicode + + @param anonymous: Whether to make an anonymous request of the OpenID + provider. Such a request does not ask for an authorization + assertion for an OpenID identifier, but may be used with + extensions to pass other data. e.g. "I don't care who you are, + but I'd like to know your time zone." + + @type anonymous: bool + + @returns: An object containing the discovered information will + be returned, with a method for building a redirect URL to + the server, as described in step 3 of the overview. This + object may also be used to add extension arguments to the + request, using its + L{addExtensionArg<openid.consumer.consumer.AuthRequest.addExtensionArg>} + method. + + @returntype: L{AuthRequest<openid.consumer.consumer.AuthRequest>} + + @raises openid.consumer.discover.DiscoveryFailure: when I fail to + find an OpenID server for this URL. If the C{yadis} package + is available, L{openid.consumer.discover.DiscoveryFailure} is + an alias for C{yadis.discover.DiscoveryFailure}. + """ + disco = Discovery(self.session, user_url, self.session_key_prefix) + try: + service = disco.getNextService(self._discover) + except fetchers.HTTPFetchingError, why: + raise DiscoveryFailure( + 'Error fetching XRDS document: %s' % (why[0],), None) + + if service is None: + raise DiscoveryFailure( + 'No usable OpenID services found for %s' % (user_url,), None) + else: + return self.beginWithoutDiscovery(service, anonymous) + + def beginWithoutDiscovery(self, service, anonymous=False): + """Start OpenID verification without doing OpenID server + discovery. This method is used internally by Consumer.begin + after discovery is performed, and exists to provide an + interface for library users needing to perform their own + discovery. + + @param service: an OpenID service endpoint descriptor. This + object and factories for it are found in the + L{openid.consumer.discover} module. + + @type service: + L{OpenIDServiceEndpoint<openid.consumer.discover.OpenIDServiceEndpoint>} + + @returns: an OpenID authentication request object. + + @rtype: L{AuthRequest<openid.consumer.consumer.AuthRequest>} + + @See: Openid.consumer.consumer.Consumer.begin + @see: openid.consumer.discover + """ + auth_req = self.consumer.begin(service) + self.session[self._token_key] = auth_req.endpoint + + try: + auth_req.setAnonymous(anonymous) + except ValueError, why: + raise ProtocolError(str(why)) + + return auth_req + + def complete(self, query, current_url): + """Called to interpret the server's response to an OpenID + request. It is called in step 4 of the flow described in the + consumer overview. + + @param query: A dictionary of the query parameters for this + HTTP request. + + @param current_url: The URL used to invoke the application. + Extract the URL from your application's web + request framework and specify it here to have it checked + against the openid.return_to value in the response. If + the return_to URL check fails, the status of the + completion will be FAILURE. + + @returns: a subclass of Response. The type of response is + indicated by the status attribute, which will be one of + SUCCESS, CANCEL, FAILURE, or SETUP_NEEDED. + + @see: L{SuccessResponse<openid.consumer.consumer.SuccessResponse>} + @see: L{CancelResponse<openid.consumer.consumer.CancelResponse>} + @see: L{SetupNeededResponse<openid.consumer.consumer.SetupNeededResponse>} + @see: L{FailureResponse<openid.consumer.consumer.FailureResponse>} + """ + + endpoint = self.session.get(self._token_key) + + message = Message.fromPostArgs(query) + response = self.consumer.complete(message, endpoint, current_url) + + try: + del self.session[self._token_key] + except KeyError: + pass + + if (response.status in ['success', 'cancel'] and + response.identity_url is not None): + + disco = Discovery(self.session, + response.identity_url, + self.session_key_prefix) + # This is OK to do even if we did not do discovery in + # the first place. + disco.cleanup(force=True) + + return response + + def setAssociationPreference(self, association_preferences): + """Set the order in which association types/sessions should be + attempted. For instance, to only allow HMAC-SHA256 + associations created with a DH-SHA256 association session: + + >>> consumer.setAssociationPreference([('HMAC-SHA256', 'DH-SHA256')]) + + Any association type/association type pair that is not in this + list will not be attempted at all. + + @param association_preferences: The list of allowed + (association type, association session type) pairs that + should be allowed for this consumer to use, in order from + most preferred to least preferred. + @type association_preferences: [(str, str)] + + @returns: None + + @see: C{L{openid.association.SessionNegotiator}} + """ + self.consumer.negotiator = SessionNegotiator(association_preferences) + +class DiffieHellmanSHA1ConsumerSession(object): + session_type = 'DH-SHA1' + hash_func = staticmethod(cryptutil.sha1) + secret_size = 20 + allowed_assoc_types = ['HMAC-SHA1'] + + def __init__(self, dh=None): + if dh is None: + dh = DiffieHellman.fromDefaults() + + self.dh = dh + + def getRequest(self): + cpub = cryptutil.longToBase64(self.dh.public) + + args = {'dh_consumer_public': cpub} + + if not self.dh.usingDefaultValues(): + args.update({ + 'dh_modulus': cryptutil.longToBase64(self.dh.modulus), + 'dh_gen': cryptutil.longToBase64(self.dh.generator), + }) + + return args + + def extractSecret(self, response): + dh_server_public64 = response.getArg( + OPENID_NS, 'dh_server_public', no_default) + enc_mac_key64 = response.getArg(OPENID_NS, 'enc_mac_key', no_default) + dh_server_public = cryptutil.base64ToLong(dh_server_public64) + enc_mac_key = oidutil.fromBase64(enc_mac_key64) + return self.dh.xorSecret(dh_server_public, enc_mac_key, self.hash_func) + +class DiffieHellmanSHA256ConsumerSession(DiffieHellmanSHA1ConsumerSession): + session_type = 'DH-SHA256' + hash_func = staticmethod(cryptutil.sha256) + secret_size = 32 + allowed_assoc_types = ['HMAC-SHA256'] + +class PlainTextConsumerSession(object): + session_type = 'no-encryption' + allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256'] + + def getRequest(self): + return {} + + def extractSecret(self, response): + mac_key64 = response.getArg(OPENID_NS, 'mac_key', no_default) + return oidutil.fromBase64(mac_key64) + +class SetupNeededError(Exception): + """Internally-used exception that indicates that an immediate-mode + request cancelled.""" + def __init__(self, user_setup_url=None): + Exception.__init__(self, user_setup_url) + self.user_setup_url = user_setup_url + +class ProtocolError(ValueError): + """Exception that indicates that a message violated the + protocol. It is raised and caught internally to this file.""" + +class TypeURIMismatch(ProtocolError): + """A protocol error arising from type URIs mismatching + """ + + def __init__(self, expected, endpoint): + ProtocolError.__init__(self, expected, endpoint) + self.expected = expected + self.endpoint = endpoint + + def __str__(self): + s = '<%s.%s: Required type %s not found in %s for endpoint %s>' % ( + self.__class__.__module__, self.__class__.__name__, + self.expected, self.endpoint.type_uris, self.endpoint) + return s + + + +class ServerError(Exception): + """Exception that is raised when the server returns a 400 response + code to a direct request.""" + + def __init__(self, error_text, error_code, message): + Exception.__init__(self, error_text) + self.error_text = error_text + self.error_code = error_code + self.message = message + + def fromMessage(cls, message): + """Generate a ServerError instance, extracting the error text + and the error code from the message.""" + error_text = message.getArg( + OPENID_NS, 'error', '<no error message supplied>') + error_code = message.getArg(OPENID_NS, 'error_code') + return cls(error_text, error_code, message) + + fromMessage = classmethod(fromMessage) + +class GenericConsumer(object): + """This is the implementation of the common logic for OpenID + consumers. It is unaware of the application in which it is + running. + + @ivar negotiator: An object that controls the kind of associations + that the consumer makes. It defaults to + C{L{openid.association.default_negotiator}}. Assign a + different negotiator to it if you have specific requirements + for how associations are made. + @type negotiator: C{L{openid.association.SessionNegotiator}} + """ + + # The name of the query parameter that gets added to the return_to + # URL when using OpenID1. You can change this value if you want or + # need a different name, but don't make it start with openid, + # because it's not a standard protocol thing for OpenID1. For + # OpenID2, the library will take care of the nonce using standard + # OpenID query parameter names. + openid1_nonce_query_arg_name = 'janrain_nonce' + + # Another query parameter that gets added to the return_to for + # OpenID 1; if the user's session state is lost, use this claimed + # identifier to do discovery when verifying the response. + openid1_return_to_identifier_name = 'openid1_claimed_id' + + session_types = { + 'DH-SHA1':DiffieHellmanSHA1ConsumerSession, + 'DH-SHA256':DiffieHellmanSHA256ConsumerSession, + 'no-encryption':PlainTextConsumerSession, + } + + _discover = staticmethod(discover) + + def __init__(self, store): + self.store = store + self.negotiator = default_negotiator.copy() + + def begin(self, service_endpoint): + """Create an AuthRequest object for the specified + service_endpoint. This method will create an association if + necessary.""" + if self.store is None: + assoc = None + else: + assoc = self._getAssociation(service_endpoint) + + request = AuthRequest(service_endpoint, assoc) + request.return_to_args[self.openid1_nonce_query_arg_name] = mkNonce() + + if request.message.isOpenID1(): + request.return_to_args[self.openid1_return_to_identifier_name] = \ + request.endpoint.claimed_id + + return request + + def complete(self, message, endpoint, return_to): + """Process the OpenID message, using the specified endpoint + and return_to URL as context. This method will handle any + OpenID message that is sent to the return_to URL. + """ + mode = message.getArg(OPENID_NS, 'mode', '<No mode set>') + + modeMethod = getattr(self, '_complete_' + mode, + self._completeInvalid) + + return modeMethod(message, endpoint, return_to) + + def _complete_cancel(self, message, endpoint, _): + return CancelResponse(endpoint) + + def _complete_error(self, message, endpoint, _): + error = message.getArg(OPENID_NS, 'error') + contact = message.getArg(OPENID_NS, 'contact') + reference = message.getArg(OPENID_NS, 'reference') + + return FailureResponse(endpoint, error, contact=contact, + reference=reference) + + def _complete_setup_needed(self, message, endpoint, _): + if not message.isOpenID2(): + return self._completeInvalid(message, endpoint, _) + + user_setup_url = message.getArg(OPENID2_NS, 'user_setup_url') + return SetupNeededResponse(endpoint, user_setup_url) + + def _complete_id_res(self, message, endpoint, return_to): + try: + self._checkSetupNeeded(message) + except SetupNeededError, why: + return SetupNeededResponse(endpoint, why.user_setup_url) + else: + try: + return self._doIdRes(message, endpoint, return_to) + except (ProtocolError, DiscoveryFailure), why: + return FailureResponse(endpoint, why[0]) + + def _completeInvalid(self, message, endpoint, _): + mode = message.getArg(OPENID_NS, 'mode', '<No mode set>') + return FailureResponse(endpoint, + 'Invalid openid.mode: %r' % (mode,)) + + def _checkReturnTo(self, message, return_to): + """Check an OpenID message and its openid.return_to value + against a return_to URL from an application. Return True on + success, False on failure. + """ + # Check the openid.return_to args against args in the original + # message. + try: + self._verifyReturnToArgs(message.toPostArgs()) + except ProtocolError, why: + oidutil.log("Verifying return_to arguments: %s" % (why[0],)) + return False + + # Check the return_to base URL against the one in the message. + msg_return_to = message.getArg(OPENID_NS, 'return_to') + + # The URL scheme, authority, and path MUST be the same between + # the two URLs. + app_parts = urlparse(urinorm.urinorm(return_to)) + msg_parts = urlparse(urinorm.urinorm(msg_return_to)) + + # (addressing scheme, network location, path) must be equal in + # both URLs. + for part in range(0, 3): + if app_parts[part] != msg_parts[part]: + return False + + return True + + _makeKVPost = staticmethod(makeKVPost) + + def _checkSetupNeeded(self, message): + """Check an id_res message to see if it is a + checkid_immediate cancel response. + + @raises SetupNeededError: if it is a checkid_immediate cancellation + """ + # In OpenID 1, we check to see if this is a cancel from + # immediate mode by the presence of the user_setup_url + # parameter. + if message.isOpenID1(): + user_setup_url = message.getArg(OPENID1_NS, 'user_setup_url') + if user_setup_url is not None: + raise SetupNeededError(user_setup_url) + + def _doIdRes(self, message, endpoint, return_to): + """Handle id_res responses that are not cancellations of + immediate mode requests. + + @param message: the response paramaters. + @param endpoint: the discovered endpoint object. May be None. + + @raises ProtocolError: If the message contents are not + well-formed according to the OpenID specification. This + includes missing fields or not signing fields that should + be signed. + + @raises DiscoveryFailure: If the subject of the id_res message + does not match the supplied endpoint, and discovery on the + identifier in the message fails (this should only happen + when using OpenID 2) + + @returntype: L{Response} + """ + # Checks for presence of appropriate fields (and checks + # signed list fields) + self._idResCheckForFields(message) + + if not self._checkReturnTo(message, return_to): + raise ProtocolError( + "return_to does not match return URL. Expected %r, got %r" + % (return_to, message.getArg(OPENID_NS, 'return_to'))) + + + # Verify discovery information: + endpoint = self._verifyDiscoveryResults(message, endpoint) + oidutil.log("Received id_res response from %s using association %s" % + (endpoint.server_url, + message.getArg(OPENID_NS, 'assoc_handle'))) + + self._idResCheckSignature(message, endpoint.server_url) + + # Will raise a ProtocolError if the nonce is bad + self._idResCheckNonce(message, endpoint) + + signed_list_str = message.getArg(OPENID_NS, 'signed', no_default) + signed_list = signed_list_str.split(',') + signed_fields = ["openid." + s for s in signed_list] + return SuccessResponse(endpoint, message, signed_fields) + + def _idResGetNonceOpenID1(self, message, endpoint): + """Extract the nonce from an OpenID 1 response. Return the + nonce from the BARE_NS since we independently check the + return_to arguments are the same as those in the response + message. + + See the openid1_nonce_query_arg_name class variable + + @returns: The nonce as a string or None + """ + return message.getArg(BARE_NS, self.openid1_nonce_query_arg_name) + + def _idResCheckNonce(self, message, endpoint): + if message.isOpenID1(): + # This indicates that the nonce was generated by the consumer + nonce = self._idResGetNonceOpenID1(message, endpoint) + server_url = '' + else: + nonce = message.getArg(OPENID2_NS, 'response_nonce') + server_url = endpoint.server_url + + if nonce is None: + raise ProtocolError('Nonce missing from response') + + try: + timestamp, salt = splitNonce(nonce) + except ValueError, why: + raise ProtocolError('Malformed nonce: %s' % (why[0],)) + + if (self.store is not None and + not self.store.useNonce(server_url, timestamp, salt)): + raise ProtocolError('Nonce already used or out of range') + + def _idResCheckSignature(self, message, server_url): + assoc_handle = message.getArg(OPENID_NS, 'assoc_handle') + if self.store is None: + assoc = None + else: + assoc = self.store.getAssociation(server_url, assoc_handle) + + if assoc: + if assoc.getExpiresIn() <= 0: + # XXX: It might be a good idea sometimes to re-start the + # authentication with a new association. Doing it + # automatically opens the possibility for + # denial-of-service by a server that just returns expired + # associations (or really short-lived associations) + raise ProtocolError( + 'Association with %s expired' % (server_url,)) + + if not assoc.checkMessageSignature(message): + raise ProtocolError('Bad signature') + + else: + # It's not an association we know about. Stateless mode is our + # only possible path for recovery. + # XXX - async framework will not want to block on this call to + # _checkAuth. + if not self._checkAuth(message, server_url): + raise ProtocolError('Server denied check_authentication') + + def _idResCheckForFields(self, message): + # XXX: this should be handled by the code that processes the + # response (that is, if a field is missing, we should not have + # to explicitly check that it's present, just make sure that + # the fields are actually being used by the rest of the code + # in tests). Although, which fields are signed does need to be + # checked somewhere. + basic_fields = ['return_to', 'assoc_handle', 'sig', 'signed'] + basic_sig_fields = ['return_to', 'identity'] + + require_fields = { + OPENID2_NS: basic_fields + ['op_endpoint'], + OPENID1_NS: basic_fields + ['identity'], + } + + require_sigs = { + OPENID2_NS: basic_sig_fields + ['response_nonce', + 'claimed_id', + 'assoc_handle', + 'op_endpoint',], + OPENID1_NS: basic_sig_fields, + } + + for field in require_fields[message.getOpenIDNamespace()]: + if not message.hasKey(OPENID_NS, field): + raise ProtocolError('Missing required field %r' % (field,)) + + signed_list_str = message.getArg(OPENID_NS, 'signed', no_default) + signed_list = signed_list_str.split(',') + + for field in require_sigs[message.getOpenIDNamespace()]: + # Field is present and not in signed list + if message.hasKey(OPENID_NS, field) and field not in signed_list: + raise ProtocolError('"%s" not signed' % (field,)) + + + def _verifyReturnToArgs(query): + """Verify that the arguments in the return_to URL are present in this + response. + """ + message = Message.fromPostArgs(query) + return_to = message.getArg(OPENID_NS, 'return_to') + + if return_to is None: + raise ProtocolError('Response has no return_to') + + parsed_url = urlparse(return_to) + rt_query = parsed_url[4] + parsed_args = cgi.parse_qsl(rt_query) + + for rt_key, rt_value in parsed_args: + try: + value = query[rt_key] + if rt_value != value: + format = ("parameter %s value %r does not match " + "return_to's value %r") + raise ProtocolError(format % (rt_key, value, rt_value)) + except KeyError: + format = "return_to parameter %s absent from query %r" + raise ProtocolError(format % (rt_key, query)) + + # Make sure all non-OpenID arguments in the response are also + # in the signed return_to. + bare_args = message.getArgs(BARE_NS) + for pair in bare_args.iteritems(): + if pair not in parsed_args: + raise ProtocolError("Parameter %s not in return_to URL" % (pair[0],)) + + _verifyReturnToArgs = staticmethod(_verifyReturnToArgs) + + def _verifyDiscoveryResults(self, resp_msg, endpoint=None): + """ + Extract the information from an OpenID assertion message and + verify it against the original + + @param endpoint: The endpoint that resulted from doing discovery + @param resp_msg: The id_res message object + + @returns: the verified endpoint + """ + if resp_msg.getOpenIDNamespace() == OPENID2_NS: + return self._verifyDiscoveryResultsOpenID2(resp_msg, endpoint) + else: + return self._verifyDiscoveryResultsOpenID1(resp_msg, endpoint) + + + def _verifyDiscoveryResultsOpenID2(self, resp_msg, endpoint): + to_match = OpenIDServiceEndpoint() + to_match.type_uris = [OPENID_2_0_TYPE] + to_match.claimed_id = resp_msg.getArg(OPENID2_NS, 'claimed_id') + to_match.local_id = resp_msg.getArg(OPENID2_NS, 'identity') + + # Raises a KeyError when the op_endpoint is not present + to_match.server_url = resp_msg.getArg( + OPENID2_NS, 'op_endpoint', no_default) + + # claimed_id and identifier must both be present or both + # be absent + if (to_match.claimed_id is None and + to_match.local_id is not None): + raise ProtocolError( + 'openid.identity is present without openid.claimed_id') + + elif (to_match.claimed_id is not None and + to_match.local_id is None): + raise ProtocolError( + 'openid.claimed_id is present without openid.identity') + + # This is a response without identifiers, so there's really no + # checking that we can do, so return an endpoint that's for + # the specified `openid.op_endpoint' + elif to_match.claimed_id is None: + return OpenIDServiceEndpoint.fromOPEndpointURL(to_match.server_url) + + # The claimed ID doesn't match, so we have to do discovery + # again. This covers not using sessions, OP identifier + # endpoints and responses that didn't match the original + # request. + if not endpoint: + oidutil.log('No pre-discovered information supplied.') + endpoint = self._discoverAndVerify(to_match.claimed_id, [to_match]) + else: + # The claimed ID matches, so we use the endpoint that we + # discovered in initiation. This should be the most common + # case. + try: + self._verifyDiscoverySingle(endpoint, to_match) + except ProtocolError, e: + oidutil.log( + "Error attempting to use stored discovery information: " + + str(e)) + oidutil.log("Attempting discovery to verify endpoint") + endpoint = self._discoverAndVerify( + to_match.claimed_id, [to_match]) + + # The endpoint we return should have the claimed ID from the + # message we just verified, fragment and all. + if endpoint.claimed_id != to_match.claimed_id: + endpoint = copy.copy(endpoint) + endpoint.claimed_id = to_match.claimed_id + return endpoint + + def _verifyDiscoveryResultsOpenID1(self, resp_msg, endpoint): + claimed_id = resp_msg.getArg(BARE_NS, self.openid1_return_to_identifier_name) + + if endpoint is None and claimed_id is None: + raise RuntimeError( + 'When using OpenID 1, the claimed ID must be supplied, ' + 'either by passing it through as a return_to parameter ' + 'or by using a session, and supplied to the GenericConsumer ' + 'as the argument to complete()') + elif endpoint is not None and claimed_id is None: + claimed_id = endpoint.claimed_id + + to_match = OpenIDServiceEndpoint() + to_match.type_uris = [OPENID_1_1_TYPE] + to_match.local_id = resp_msg.getArg(OPENID1_NS, 'identity') + # Restore delegate information from the initiation phase + to_match.claimed_id = claimed_id + + if to_match.local_id is None: + raise ProtocolError('Missing required field openid.identity') + + to_match_1_0 = copy.copy(to_match) + to_match_1_0.type_uris = [OPENID_1_0_TYPE] + + if endpoint is not None: + try: + try: + self._verifyDiscoverySingle(endpoint, to_match) + except TypeURIMismatch: + self._verifyDiscoverySingle(endpoint, to_match_1_0) + except ProtocolError, e: + oidutil.log("Error attempting to use stored discovery information: " + + str(e)) + oidutil.log("Attempting discovery to verify endpoint") + else: + return endpoint + + # Endpoint is either bad (failed verification) or None + return self._discoverAndVerify(claimed_id, [to_match, to_match_1_0]) + + def _verifyDiscoverySingle(self, endpoint, to_match): + """Verify that the given endpoint matches the information + extracted from the OpenID assertion, and raise an exception if + there is a mismatch. + + @type endpoint: openid.consumer.discover.OpenIDServiceEndpoint + @type to_match: openid.consumer.discover.OpenIDServiceEndpoint + + @rtype: NoneType + + @raises ProtocolError: when the endpoint does not match the + discovered information. + """ + # Every type URI that's in the to_match endpoint has to be + # present in the discovered endpoint. + for type_uri in to_match.type_uris: + if not endpoint.usesExtension(type_uri): + raise TypeURIMismatch(type_uri, endpoint) + + # Fragments do not influence discovery, so we can't compare a + # claimed identifier with a fragment to discovered information. + defragged_claimed_id, _ = urldefrag(to_match.claimed_id) + if defragged_claimed_id != endpoint.claimed_id: + raise ProtocolError( + 'Claimed ID does not match (different subjects!), ' + 'Expected %s, got %s' % + (defragged_claimed_id, endpoint.claimed_id)) + + if to_match.getLocalID() != endpoint.getLocalID(): + raise ProtocolError('local_id mismatch. Expected %s, got %s' % + (to_match.getLocalID(), endpoint.getLocalID())) + + # If the server URL is None, this must be an OpenID 1 + # response, because op_endpoint is a required parameter in + # OpenID 2. In that case, we don't actually care what the + # discovered server_url is, because signature checking or + # check_auth should take care of that check for us. + if to_match.server_url is None: + assert to_match.preferredNamespace() == OPENID1_NS, ( + """The code calling this must ensure that OpenID 2 + responses have a non-none `openid.op_endpoint' and + that it is set as the `server_url' attribute of the + `to_match' endpoint.""") + + elif to_match.server_url != endpoint.server_url: + raise ProtocolError('OP Endpoint mismatch. Expected %s, got %s' % + (to_match.server_url, endpoint.server_url)) + + def _discoverAndVerify(self, claimed_id, to_match_endpoints): + """Given an endpoint object created from the information in an + OpenID response, perform discovery and verify the discovery + results, returning the matching endpoint that is the result of + doing that discovery. + + @type to_match: openid.consumer.discover.OpenIDServiceEndpoint + @param to_match: The endpoint whose information we're confirming + + @rtype: openid.consumer.discover.OpenIDServiceEndpoint + @returns: The result of performing discovery on the claimed + identifier in `to_match' + + @raises DiscoveryFailure: when discovery fails. + """ + oidutil.log('Performing discovery on %s' % (claimed_id,)) + _, services = self._discover(claimed_id) + if not services: + raise DiscoveryFailure('No OpenID information found at %s' % + (claimed_id,), None) + return self._verifyDiscoveredServices(claimed_id, services, + to_match_endpoints) + + + def _verifyDiscoveredServices(self, claimed_id, services, to_match_endpoints): + """See @L{_discoverAndVerify}""" + + # Search the services resulting from discovery to find one + # that matches the information from the assertion + failure_messages = [] + for endpoint in services: + for to_match_endpoint in to_match_endpoints: + try: + self._verifyDiscoverySingle( + endpoint, to_match_endpoint) + except ProtocolError, why: + failure_messages.append(str(why)) + else: + # It matches, so discover verification has + # succeeded. Return this endpoint. + return endpoint + else: + oidutil.log('Discovery verification failure for %s' % + (claimed_id,)) + for failure_message in failure_messages: + oidutil.log(' * Endpoint mismatch: ' + failure_message) + + raise DiscoveryFailure( + 'No matching endpoint found after discovering %s' + % (claimed_id,), None) + + def _checkAuth(self, message, server_url): + """Make a check_authentication request to verify this message. + + @returns: True if the request is valid. + @rtype: bool + """ + oidutil.log('Using OpenID check_authentication') + request = self._createCheckAuthRequest(message) + if request is None: + return False + try: + response = self._makeKVPost(request, server_url) + except (fetchers.HTTPFetchingError, ServerError), e: + oidutil.log('check_authentication failed: %s' % (e[0],)) + return False + else: + return self._processCheckAuthResponse(response, server_url) + + def _createCheckAuthRequest(self, message): + """Generate a check_authentication request message given an + id_res message. + """ + signed = message.getArg(OPENID_NS, 'signed') + if signed: + for k in signed.split(','): + oidutil.log(k) + val = message.getAliasedArg(k) + + # Signed value is missing + if val is None: + oidutil.log('Missing signed field %r' % (k,)) + return None + + check_auth_message = message.copy() + check_auth_message.setArg(OPENID_NS, 'mode', 'check_authentication') + return check_auth_message + + def _processCheckAuthResponse(self, response, server_url): + """Process the response message from a check_authentication + request, invalidating associations if requested. + """ + is_valid = response.getArg(OPENID_NS, 'is_valid', 'false') + + invalidate_handle = response.getArg(OPENID_NS, 'invalidate_handle') + if invalidate_handle is not None: + oidutil.log( + 'Received "invalidate_handle" from server %s' % (server_url,)) + if self.store is None: + oidutil.log('Unexpectedly got invalidate_handle without ' + 'a store!') + else: + self.store.removeAssociation(server_url, invalidate_handle) + + if is_valid == 'true': + return True + else: + oidutil.log('Server responds that checkAuth call is not valid') + return False + + def _getAssociation(self, endpoint): + """Get an association for the endpoint's server_url. + + First try seeing if we have a good association in the + store. If we do not, then attempt to negotiate an association + with the server. + + If we negotiate a good association, it will get stored. + + @returns: A valid association for the endpoint's server_url or None + @rtype: openid.association.Association or NoneType + """ + assoc = self.store.getAssociation(endpoint.server_url) + + if assoc is None or assoc.expiresIn <= 0: + assoc = self._negotiateAssociation(endpoint) + if assoc is not None: + self.store.storeAssociation(endpoint.server_url, assoc) + + return assoc + + def _negotiateAssociation(self, endpoint): + """Make association requests to the server, attempting to + create a new association. + + @returns: a new association object + + @rtype: L{openid.association.Association} + """ + # Get our preferred session/association type from the negotiatior. + assoc_type, session_type = self.negotiator.getAllowedType() + + try: + assoc = self._requestAssociation( + endpoint, assoc_type, session_type) + except ServerError, why: + supportedTypes = self._extractSupportedAssociationType(why, + endpoint, + assoc_type) + if supportedTypes is not None: + assoc_type, session_type = supportedTypes + # Attempt to create an association from the assoc_type + # and session_type that the server told us it + # supported. + try: + assoc = self._requestAssociation( + endpoint, assoc_type, session_type) + except ServerError, why: + # Do not keep trying, since it rejected the + # association type that it told us to use. + oidutil.log('Server %s refused its suggested association ' + 'type: session_type=%s, assoc_type=%s' + % (endpoint.server_url, session_type, + assoc_type)) + return None + else: + return assoc + else: + return assoc + + def _extractSupportedAssociationType(self, server_error, endpoint, + assoc_type): + """Handle ServerErrors resulting from association requests. + + @returns: If server replied with an C{unsupported-type} error, + return a tuple of supported C{association_type}, C{session_type}. + Otherwise logs the error and returns None. + @rtype: tuple or None + """ + # Any error message whose code is not 'unsupported-type' + # should be considered a total failure. + if server_error.error_code != 'unsupported-type' or \ + server_error.message.isOpenID1(): + oidutil.log( + 'Server error when requesting an association from %r: %s' + % (endpoint.server_url, server_error.error_text)) + return None + + # The server didn't like the association/session type + # that we sent, and it sent us back a message that + # might tell us how to handle it. + oidutil.log( + 'Unsupported association type %s: %s' % (assoc_type, + server_error.error_text,)) + + # Extract the session_type and assoc_type from the + # error message + assoc_type = server_error.message.getArg(OPENID_NS, 'assoc_type') + session_type = server_error.message.getArg(OPENID_NS, 'session_type') + + if assoc_type is None or session_type is None: + oidutil.log('Server responded with unsupported association ' + 'session but did not supply a fallback.') + return None + elif not self.negotiator.isAllowed(assoc_type, session_type): + fmt = ('Server sent unsupported session/association type: ' + 'session_type=%s, assoc_type=%s') + oidutil.log(fmt % (session_type, assoc_type)) + return None + else: + return assoc_type, session_type + + + def _requestAssociation(self, endpoint, assoc_type, session_type): + """Make and process one association request to this endpoint's + OP endpoint URL. + + @returns: An association object or None if the association + processing failed. + + @raises ServerError: when the remote OpenID server returns an error. + """ + assoc_session, args = self._createAssociateRequest( + endpoint, assoc_type, session_type) + + try: + response = self._makeKVPost(args, endpoint.server_url) + except fetchers.HTTPFetchingError, why: + oidutil.log('openid.associate request failed: %s' % (why[0],)) + return None + + try: + assoc = self._extractAssociation(response, assoc_session) + except KeyError, why: + oidutil.log('Missing required parameter in response from %s: %s' + % (endpoint.server_url, why[0])) + return None + except ProtocolError, why: + oidutil.log('Protocol error parsing response from %s: %s' % ( + endpoint.server_url, why[0])) + return None + else: + return assoc + + def _createAssociateRequest(self, endpoint, assoc_type, session_type): + """Create an association request for the given assoc_type and + session_type. + + @param endpoint: The endpoint whose server_url will be + queried. The important bit about the endpoint is whether + it's in compatiblity mode (OpenID 1.1) + + @param assoc_type: The association type that the request + should ask for. + @type assoc_type: str + + @param session_type: The session type that should be used in + the association request. The session_type is used to + create an association session object, and that session + object is asked for any additional fields that it needs to + add to the request. + @type session_type: str + + @returns: a pair of the association session object and the + request message that will be sent to the server. + @rtype: (association session type (depends on session_type), + openid.message.Message) + """ + session_type_class = self.session_types[session_type] + assoc_session = session_type_class() + + args = { + 'mode': 'associate', + 'assoc_type': assoc_type, + } + + if not endpoint.compatibilityMode(): + args['ns'] = OPENID2_NS + + # Leave out the session type if we're in compatibility mode + # *and* it's no-encryption. + if (not endpoint.compatibilityMode() or + assoc_session.session_type != 'no-encryption'): + args['session_type'] = assoc_session.session_type + + args.update(assoc_session.getRequest()) + message = Message.fromOpenIDArgs(args) + return assoc_session, message + + def _getOpenID1SessionType(self, assoc_response): + """Given an association response message, extract the OpenID + 1.X session type. + + This function mostly takes care of the 'no-encryption' default + behavior in OpenID 1. + + If the association type is plain-text, this function will + return 'no-encryption' + + @returns: The association type for this message + @rtype: str + + @raises KeyError: when the session_type field is absent. + """ + # If it's an OpenID 1 message, allow session_type to default + # to None (which signifies "no-encryption") + session_type = assoc_response.getArg(OPENID1_NS, 'session_type') + + # Handle the differences between no-encryption association + # respones in OpenID 1 and 2: + + # no-encryption is not really a valid session type for + # OpenID 1, but we'll accept it anyway, while issuing a + # warning. + if session_type == 'no-encryption': + oidutil.log('WARNING: OpenID server sent "no-encryption"' + 'for OpenID 1.X') + + # Missing or empty session type is the way to flag a + # 'no-encryption' response. Change the session type to + # 'no-encryption' so that it can be handled in the same + # way as OpenID 2 'no-encryption' respones. + elif session_type == '' or session_type is None: + session_type = 'no-encryption' + + return session_type + + def _extractAssociation(self, assoc_response, assoc_session): + """Attempt to extract an association from the response, given + the association response message and the established + association session. + + @param assoc_response: The association response message from + the server + @type assoc_response: openid.message.Message + + @param assoc_session: The association session object that was + used when making the request + @type assoc_session: depends on the session type of the request + + @raises ProtocolError: when data is malformed + @raises KeyError: when a field is missing + + @rtype: openid.association.Association + """ + # Extract the common fields from the response, raising an + # exception if they are not found + assoc_type = assoc_response.getArg( + OPENID_NS, 'assoc_type', no_default) + assoc_handle = assoc_response.getArg( + OPENID_NS, 'assoc_handle', no_default) + + # expires_in is a base-10 string. The Python parsing will + # accept literals that have whitespace around them and will + # accept negative values. Neither of these are really in-spec, + # but we think it's OK to accept them. + expires_in_str = assoc_response.getArg( + OPENID_NS, 'expires_in', no_default) + try: + expires_in = int(expires_in_str) + except ValueError, why: + raise ProtocolError('Invalid expires_in field: %s' % (why[0],)) + + # OpenID 1 has funny association session behaviour. + if assoc_response.isOpenID1(): + session_type = self._getOpenID1SessionType(assoc_response) + else: + session_type = assoc_response.getArg( + OPENID2_NS, 'session_type', no_default) + + # Session type mismatch + if assoc_session.session_type != session_type: + if (assoc_response.isOpenID1() and + session_type == 'no-encryption'): + # In OpenID 1, any association request can result in a + # 'no-encryption' association response. Setting + # assoc_session to a new no-encryption session should + # make the rest of this function work properly for + # that case. + assoc_session = PlainTextConsumerSession() + else: + # Any other mismatch, regardless of protocol version + # results in the failure of the association session + # altogether. + fmt = 'Session type mismatch. Expected %r, got %r' + message = fmt % (assoc_session.session_type, session_type) + raise ProtocolError(message) + + # Make sure assoc_type is valid for session_type + if assoc_type not in assoc_session.allowed_assoc_types: + fmt = 'Unsupported assoc_type for session %s returned: %s' + raise ProtocolError(fmt % (assoc_session.session_type, assoc_type)) + + # Delegate to the association session to extract the secret + # from the response, however is appropriate for that session + # type. + try: + secret = assoc_session.extractSecret(assoc_response) + except ValueError, why: + fmt = 'Malformed response for %s session: %s' + raise ProtocolError(fmt % (assoc_session.session_type, why[0])) + + return Association.fromExpiresIn( + expires_in, assoc_handle, secret, assoc_type) + +class AuthRequest(object): + """An object that holds the state necessary for generating an + OpenID authentication request. This object holds the association + with the server and the discovered information with which the + request will be made. + + It is separate from the consumer because you may wish to add + things to the request before sending it on its way to the + server. It also has serialization options that let you encode the + authentication request as a URL or as a form POST. + """ + + def __init__(self, endpoint, assoc): + """ + Creates a new AuthRequest object. This just stores each + argument in an appropriately named field. + + Users of this library should not create instances of this + class. Instances of this class are created by the library + when needed. + """ + self.assoc = assoc + self.endpoint = endpoint + self.return_to_args = {} + self.message = Message(endpoint.preferredNamespace()) + self._anonymous = False + + def setAnonymous(self, is_anonymous): + """Set whether this request should be made anonymously. If a + request is anonymous, the identifier will not be sent in the + request. This is only useful if you are making another kind of + request with an extension in this request. + + Anonymous requests are not allowed when the request is made + with OpenID 1. + + @raises ValueError: when attempting to set an OpenID1 request + as anonymous + """ + if is_anonymous and self.message.isOpenID1(): + raise ValueError('OpenID 1 requests MUST include the ' + 'identifier in the request') + else: + self._anonymous = is_anonymous + + def addExtension(self, extension_request): + """Add an extension to this checkid request. + + @param extension_request: An object that implements the + extension interface for adding arguments to an OpenID + message. + """ + extension_request.toMessage(self.message) + + def addExtensionArg(self, namespace, key, value): + """Add an extension argument to this OpenID authentication + request. + + Use caution when adding arguments, because they will be + URL-escaped and appended to the redirect URL, which can easily + get quite long. + + @param namespace: The namespace for the extension. For + example, the simple registration extension uses the + namespace C{sreg}. + + @type namespace: str + + @param key: The key within the extension namespace. For + example, the nickname field in the simple registration + extension's key is C{nickname}. + + @type key: str + + @param value: The value to provide to the server for this + argument. + + @type value: str + """ + self.message.setArg(namespace, key, value) + + def getMessage(self, realm, return_to=None, immediate=False): + """Produce a L{openid.message.Message} representing this request. + + @param realm: The URL (or URL pattern) that identifies your + web site to the user when she is authorizing it. + + @type realm: str + + @param return_to: The URL that the OpenID provider will send the + user back to after attempting to verify her identity. + + Not specifying a return_to URL means that the user will not + be returned to the site issuing the request upon its + completion. + + @type return_to: str + + @param immediate: If True, the OpenID provider is to send back + a response immediately, useful for behind-the-scenes + authentication attempts. Otherwise the OpenID provider + may engage the user before providing a response. This is + the default case, as the user may need to provide + credentials or approve the request before a positive + response can be sent. + + @type immediate: bool + + @returntype: L{openid.message.Message} + """ + if return_to: + return_to = oidutil.appendArgs(return_to, self.return_to_args) + elif immediate: + raise ValueError( + '"return_to" is mandatory when using "checkid_immediate"') + elif self.message.isOpenID1(): + raise ValueError('"return_to" is mandatory for OpenID 1 requests') + elif self.return_to_args: + raise ValueError('extra "return_to" arguments were specified, ' + 'but no return_to was specified') + + if immediate: + mode = 'checkid_immediate' + else: + mode = 'checkid_setup' + + message = self.message.copy() + if message.isOpenID1(): + realm_key = 'trust_root' + else: + realm_key = 'realm' + + message.updateArgs(OPENID_NS, + { + realm_key:realm, + 'mode':mode, + 'return_to':return_to, + }) + + if not self._anonymous: + if self.endpoint.isOPIdentifier(): + # This will never happen when we're in compatibility + # mode, as long as isOPIdentifier() returns False + # whenever preferredNamespace() returns OPENID1_NS. + claimed_id = request_identity = IDENTIFIER_SELECT + else: + request_identity = self.endpoint.getLocalID() + claimed_id = self.endpoint.claimed_id + + # This is true for both OpenID 1 and 2 + message.setArg(OPENID_NS, 'identity', request_identity) + + if message.isOpenID2(): + message.setArg(OPENID2_NS, 'claimed_id', claimed_id) + + if self.assoc: + message.setArg(OPENID_NS, 'assoc_handle', self.assoc.handle) + assoc_log_msg = 'with assocication %s' % (self.assoc.handle,) + else: + assoc_log_msg = 'using stateless mode.' + + oidutil.log("Generated %s request to %s %s" % + (mode, self.endpoint.server_url, assoc_log_msg)) + + return message + + def redirectURL(self, realm, return_to=None, immediate=False): + """Returns a URL with an encoded OpenID request. + + The resulting URL is the OpenID provider's endpoint URL with + parameters appended as query arguments. You should redirect + the user agent to this URL. + + OpenID 2.0 endpoints also accept POST requests, see + C{L{shouldSendRedirect}} and C{L{formMarkup}}. + + @param realm: The URL (or URL pattern) that identifies your + web site to the user when she is authorizing it. + + @type realm: str + + @param return_to: The URL that the OpenID provider will send the + user back to after attempting to verify her identity. + + Not specifying a return_to URL means that the user will not + be returned to the site issuing the request upon its + completion. + + @type return_to: str + + @param immediate: If True, the OpenID provider is to send back + a response immediately, useful for behind-the-scenes + authentication attempts. Otherwise the OpenID provider + may engage the user before providing a response. This is + the default case, as the user may need to provide + credentials or approve the request before a positive + response can be sent. + + @type immediate: bool + + @returns: The URL to redirect the user agent to. + + @returntype: str + """ + message = self.getMessage(realm, return_to, immediate) + return message.toURL(self.endpoint.server_url) + + def formMarkup(self, realm, return_to=None, immediate=False, + form_tag_attrs=None): + """Get html for a form to submit this request to the IDP. + + @param form_tag_attrs: Dictionary of attributes to be added to + the form tag. 'accept-charset' and 'enctype' have defaults + that can be overridden. If a value is supplied for + 'action' or 'method', it will be replaced. + @type form_tag_attrs: {unicode: unicode} + """ + message = self.getMessage(realm, return_to, immediate) + return message.toFormMarkup(self.endpoint.server_url, + form_tag_attrs) + + def htmlMarkup(self, realm, return_to=None, immediate=False, + form_tag_attrs=None): + """Get an autosubmitting HTML page that submits this request to the + IDP. This is just a wrapper for formMarkup. + + @see: formMarkup + + @returns: str + """ + return oidutil.autoSubmitHTML(self.formMarkup(realm, + return_to, + immediate, + form_tag_attrs)) + + def shouldSendRedirect(self): + """Should this OpenID authentication request be sent as a HTTP + redirect or as a POST (form submission)? + + @rtype: bool + """ + return self.endpoint.compatibilityMode() + +FAILURE = 'failure' +SUCCESS = 'success' +CANCEL = 'cancel' +SETUP_NEEDED = 'setup_needed' + +class Response(object): + status = None + + def setEndpoint(self, endpoint): + self.endpoint = endpoint + if endpoint is None: + self.identity_url = None + else: + self.identity_url = endpoint.claimed_id + + def getDisplayIdentifier(self): + """Return the display identifier for this response. + + The display identifier is related to the Claimed Identifier, but the + two are not always identical. The display identifier is something the + user should recognize as what they entered, whereas the response's + claimed identifier (in the L{identity_url} attribute) may have extra + information for better persistence. + + URLs will be stripped of their fragments for display. XRIs will + display the human-readable identifier (i-name) instead of the + persistent identifier (i-number). + + Use the display identifier in your user interface. Use + L{identity_url} for querying your database or authorization server. + """ + if self.endpoint is not None: + return self.endpoint.getDisplayIdentifier() + return None + +class SuccessResponse(Response): + """A response with a status of SUCCESS. Indicates that this request is a + successful acknowledgement from the OpenID server that the + supplied URL is, indeed controlled by the requesting agent. + + @ivar identity_url: The identity URL that has been authenticated; the Claimed Identifier. + See also L{getDisplayIdentifier}. + + @ivar endpoint: The endpoint that authenticated the identifier. You + may access other discovered information related to this endpoint, + such as the CanonicalID of an XRI, through this object. + @type endpoint: L{OpenIDServiceEndpoint<openid.consumer.discover.OpenIDServiceEndpoint>} + + @ivar signed_fields: The arguments in the server's response that + were signed and verified. + + @cvar status: SUCCESS + """ + + status = SUCCESS + + def __init__(self, endpoint, message, signed_fields=None): + # Don't use setEndpoint, because endpoint should never be None + # for a successfull transaction. + self.endpoint = endpoint + self.identity_url = endpoint.claimed_id + + self.message = message + + if signed_fields is None: + signed_fields = [] + self.signed_fields = signed_fields + + def isOpenID1(self): + """Was this authentication response an OpenID 1 authentication + response? + """ + return self.message.isOpenID1() + + def isSigned(self, ns_uri, ns_key): + """Return whether a particular key is signed, regardless of + its namespace alias + """ + return self.message.getKey(ns_uri, ns_key) in self.signed_fields + + def getSigned(self, ns_uri, ns_key, default=None): + """Return the specified signed field if available, + otherwise return default + """ + if self.isSigned(ns_uri, ns_key): + return self.message.getArg(ns_uri, ns_key, default) + else: + return default + + def getSignedNS(self, ns_uri): + """Get signed arguments from the response message. Return a + dict of all arguments in the specified namespace. If any of + the arguments are not signed, return None. + """ + msg_args = self.message.getArgs(ns_uri) + + for key in msg_args.iterkeys(): + if not self.isSigned(ns_uri, key): + oidutil.log("SuccessResponse.getSignedNS: (%s, %s) not signed." + % (ns_uri, key)) + return None + + return msg_args + + def extensionResponse(self, namespace_uri, require_signed): + """Return response arguments in the specified namespace. + + @param namespace_uri: The namespace URI of the arguments to be + returned. + + @param require_signed: True if the arguments should be among + those signed in the response, False if you don't care. + + If require_signed is True and the arguments are not signed, + return None. + """ + if require_signed: + return self.getSignedNS(namespace_uri) + else: + return self.message.getArgs(namespace_uri) + + def getReturnTo(self): + """Get the openid.return_to argument from this response. + + This is useful for verifying that this request was initiated + by this consumer. + + @returns: The return_to URL supplied to the server on the + initial request, or C{None} if the response did not contain + an C{openid.return_to} argument. + + @returntype: str + """ + return self.getSigned(OPENID_NS, 'return_to') + + def __eq__(self, other): + return ( + (self.endpoint == other.endpoint) and + (self.identity_url == other.identity_url) and + (self.message == other.message) and + (self.signed_fields == other.signed_fields) and + (self.status == other.status)) + + def __ne__(self, other): + return not (self == other) + + def __repr__(self): + return '<%s.%s id=%r signed=%r>' % ( + self.__class__.__module__, + self.__class__.__name__, + self.identity_url, self.signed_fields) + + +class FailureResponse(Response): + """A response with a status of FAILURE. Indicates that the OpenID + protocol has failed. This could be locally or remotely triggered. + + @ivar identity_url: The identity URL for which authenitcation was + attempted, if it can be determined. Otherwise, None. + + @ivar message: A message indicating why the request failed, if one + is supplied. otherwise, None. + + @cvar status: FAILURE + """ + + status = FAILURE + + def __init__(self, endpoint, message=None, contact=None, + reference=None): + self.setEndpoint(endpoint) + self.message = message + self.contact = contact + self.reference = reference + + def __repr__(self): + return "<%s.%s id=%r message=%r>" % ( + self.__class__.__module__, self.__class__.__name__, + self.identity_url, self.message) + + +class CancelResponse(Response): + """A response with a status of CANCEL. Indicates that the user + cancelled the OpenID authentication request. + + @ivar identity_url: The identity URL for which authenitcation was + attempted, if it can be determined. Otherwise, None. + + @cvar status: CANCEL + """ + + status = CANCEL + + def __init__(self, endpoint): + self.setEndpoint(endpoint) + +class SetupNeededResponse(Response): + """A response with a status of SETUP_NEEDED. Indicates that the + request was in immediate mode, and the server is unable to + authenticate the user without further interaction. + + @ivar identity_url: The identity URL for which authenitcation was + attempted. + + @ivar setup_url: A URL that can be used to send the user to the + server to set up for authentication. The user should be + redirected in to the setup_url, either in the current window + or in a new browser window. C{None} in OpenID 2.0. + + @cvar status: SETUP_NEEDED + """ + + status = SETUP_NEEDED + + def __init__(self, endpoint, setup_url=None): + self.setEndpoint(endpoint) + self.setup_url = setup_url diff --git a/askbot/deps/openid/consumer/discover.py b/askbot/deps/openid/consumer/discover.py new file mode 100644 index 00000000..2c86dda8 --- /dev/null +++ b/askbot/deps/openid/consumer/discover.py @@ -0,0 +1,470 @@ +# -*- test-case-name: openid.test.test_discover -*- +"""Functions to discover OpenID endpoints from identifiers. +""" + +__all__ = [ + 'DiscoveryFailure', + 'OPENID_1_0_NS', + 'OPENID_1_0_TYPE', + 'OPENID_1_1_TYPE', + 'OPENID_2_0_TYPE', + 'OPENID_IDP_2_0_TYPE', + 'OpenIDServiceEndpoint', + 'discover', + ] + +import urlparse + +from openid import oidutil, fetchers, urinorm + +from openid import yadis +from openid.yadis.etxrd import nsTag, XRDSError, XRD_NS_2_0 +from openid.yadis.services import applyFilter as extractServices +from openid.yadis.discover import discover as yadisDiscover +from openid.yadis.discover import DiscoveryFailure +from openid.yadis import xrires, filters +from openid.yadis import xri + +from openid.consumer import html_parse + +OPENID_1_0_NS = 'http://openid.net/xmlns/1.0' +OPENID_IDP_2_0_TYPE = 'http://specs.openid.net/auth/2.0/server' +OPENID_2_0_TYPE = 'http://specs.openid.net/auth/2.0/signon' +OPENID_1_1_TYPE = 'http://openid.net/signon/1.1' +OPENID_1_0_TYPE = 'http://openid.net/signon/1.0' + +from openid.message import OPENID1_NS as OPENID_1_0_MESSAGE_NS +from openid.message import OPENID2_NS as OPENID_2_0_MESSAGE_NS + +class OpenIDServiceEndpoint(object): + """Object representing an OpenID service endpoint. + + @ivar identity_url: the verified identifier. + @ivar canonicalID: For XRI, the persistent identifier. + """ + + # OpenID service type URIs, listed in order of preference. The + # ordering of this list affects yadis and XRI service discovery. + openid_type_uris = [ + OPENID_IDP_2_0_TYPE, + + OPENID_2_0_TYPE, + OPENID_1_1_TYPE, + OPENID_1_0_TYPE, + ] + + def __init__(self): + self.claimed_id = None + self.server_url = None + self.type_uris = [] + self.local_id = None + self.canonicalID = None + self.used_yadis = False # whether this came from an XRDS + self.display_identifier = None + + def usesExtension(self, extension_uri): + return extension_uri in self.type_uris + + def preferredNamespace(self): + if (OPENID_IDP_2_0_TYPE in self.type_uris or + OPENID_2_0_TYPE in self.type_uris): + return OPENID_2_0_MESSAGE_NS + else: + return OPENID_1_0_MESSAGE_NS + + def supportsType(self, type_uri): + """Does this endpoint support this type? + + I consider C{/server} endpoints to implicitly support C{/signon}. + """ + return ( + (type_uri in self.type_uris) or + (type_uri == OPENID_2_0_TYPE and self.isOPIdentifier()) + ) + + def getDisplayIdentifier(self): + """Return the display_identifier if set, else return the claimed_id. + """ + if self.display_identifier is not None: + return self.display_identifier + if self.claimed_id is None: + return None + else: + return urlparse.urldefrag(self.claimed_id)[0] + + def compatibilityMode(self): + return self.preferredNamespace() != OPENID_2_0_MESSAGE_NS + + def isOPIdentifier(self): + return OPENID_IDP_2_0_TYPE in self.type_uris + + def parseService(self, yadis_url, uri, type_uris, service_element): + """Set the state of this object based on the contents of the + service element.""" + self.type_uris = type_uris + self.server_url = uri + self.used_yadis = True + + if not self.isOPIdentifier(): + # XXX: This has crappy implications for Service elements + # that contain both 'server' and 'signon' Types. But + # that's a pathological configuration anyway, so I don't + # think I care. + self.local_id = findOPLocalIdentifier(service_element, + self.type_uris) + self.claimed_id = yadis_url + + def getLocalID(self): + """Return the identifier that should be sent as the + openid.identity parameter to the server.""" + # I looked at this conditional and thought "ah-hah! there's the bug!" + # but Python actually makes that one big expression somehow, i.e. + # "x is x is x" is not the same thing as "(x is x) is x". + # That's pretty weird, dude. -- kmt, 1/07 + if (self.local_id is self.canonicalID is None): + return self.claimed_id + else: + return self.local_id or self.canonicalID + + def fromBasicServiceEndpoint(cls, endpoint): + """Create a new instance of this class from the endpoint + object passed in. + + @return: None or OpenIDServiceEndpoint for this endpoint object""" + type_uris = endpoint.matchTypes(cls.openid_type_uris) + + # If any Type URIs match and there is an endpoint URI + # specified, then this is an OpenID endpoint + if type_uris and endpoint.uri is not None: + openid_endpoint = cls() + openid_endpoint.parseService( + endpoint.yadis_url, + endpoint.uri, + endpoint.type_uris, + endpoint.service_element) + else: + openid_endpoint = None + + return openid_endpoint + + fromBasicServiceEndpoint = classmethod(fromBasicServiceEndpoint) + + def fromHTML(cls, uri, html): + """Parse the given document as HTML looking for an OpenID <link + rel=...> + + @rtype: [OpenIDServiceEndpoint] + """ + discovery_types = [ + (OPENID_2_0_TYPE, 'openid2.provider', 'openid2.local_id'), + (OPENID_1_1_TYPE, 'openid.server', 'openid.delegate'), + ] + + link_attrs = html_parse.parseLinkAttrs(html) + services = [] + for type_uri, op_endpoint_rel, local_id_rel in discovery_types: + op_endpoint_url = html_parse.findFirstHref( + link_attrs, op_endpoint_rel) + if op_endpoint_url is None: + continue + + service = cls() + service.claimed_id = uri + service.local_id = html_parse.findFirstHref( + link_attrs, local_id_rel) + service.server_url = op_endpoint_url + service.type_uris = [type_uri] + + services.append(service) + + return services + + fromHTML = classmethod(fromHTML) + + + def fromXRDS(cls, uri, xrds): + """Parse the given document as XRDS looking for OpenID services. + + @rtype: [OpenIDServiceEndpoint] + + @raises XRDSError: When the XRDS does not parse. + + @since: 2.1.0 + """ + return extractServices(uri, xrds, cls) + + fromXRDS = classmethod(fromXRDS) + + + def fromDiscoveryResult(cls, discoveryResult): + """Create endpoints from a DiscoveryResult. + + @type discoveryResult: L{DiscoveryResult} + + @rtype: list of L{OpenIDServiceEndpoint} + + @raises XRDSError: When the XRDS does not parse. + + @since: 2.1.0 + """ + if discoveryResult.isXRDS(): + method = cls.fromXRDS + else: + method = cls.fromHTML + return method(discoveryResult.normalized_uri, + discoveryResult.response_text) + + fromDiscoveryResult = classmethod(fromDiscoveryResult) + + + def fromOPEndpointURL(cls, op_endpoint_url): + """Construct an OP-Identifier OpenIDServiceEndpoint object for + a given OP Endpoint URL + + @param op_endpoint_url: The URL of the endpoint + @rtype: OpenIDServiceEndpoint + """ + service = cls() + service.server_url = op_endpoint_url + service.type_uris = [OPENID_IDP_2_0_TYPE] + return service + + fromOPEndpointURL = classmethod(fromOPEndpointURL) + + + def __str__(self): + return ("<%s.%s " + "server_url=%r " + "claimed_id=%r " + "local_id=%r " + "canonicalID=%r " + "used_yadis=%s " + ">" + % (self.__class__.__module__, self.__class__.__name__, + self.server_url, + self.claimed_id, + self.local_id, + self.canonicalID, + self.used_yadis)) + + + +def findOPLocalIdentifier(service_element, type_uris): + """Find the OP-Local Identifier for this xrd:Service element. + + This considers openid:Delegate to be a synonym for xrd:LocalID if + both OpenID 1.X and OpenID 2.0 types are present. If only OpenID + 1.X is present, it returns the value of openid:Delegate. If only + OpenID 2.0 is present, it returns the value of xrd:LocalID. If + there is more than one LocalID tag and the values are different, + it raises a DiscoveryFailure. This is also triggered when the + xrd:LocalID and openid:Delegate tags are different. + + @param service_element: The xrd:Service element + @type service_element: ElementTree.Node + + @param type_uris: The xrd:Type values present in this service + element. This function could extract them, but higher level + code needs to do that anyway. + @type type_uris: [str] + + @raises DiscoveryFailure: when discovery fails. + + @returns: The OP-Local Identifier for this service element, if one + is present, or None otherwise. + @rtype: str or unicode or NoneType + """ + # XXX: Test this function on its own! + + # Build the list of tags that could contain the OP-Local Identifier + local_id_tags = [] + if (OPENID_1_1_TYPE in type_uris or + OPENID_1_0_TYPE in type_uris): + local_id_tags.append(nsTag(OPENID_1_0_NS, 'Delegate')) + + if OPENID_2_0_TYPE in type_uris: + local_id_tags.append(nsTag(XRD_NS_2_0, 'LocalID')) + + # Walk through all the matching tags and make sure that they all + # have the same value + local_id = None + for local_id_tag in local_id_tags: + for local_id_element in service_element.findall(local_id_tag): + if local_id is None: + local_id = local_id_element.text + elif local_id != local_id_element.text: + format = 'More than one %r tag found in one service element' + message = format % (local_id_tag,) + raise DiscoveryFailure(message, None) + + return local_id + +def normalizeURL(url): + """Normalize a URL, converting normalization failures to + DiscoveryFailure""" + try: + normalized = urinorm.urinorm(url) + except ValueError, why: + raise DiscoveryFailure('Normalizing identifier: %s' % (why[0],), None) + else: + return urlparse.urldefrag(normalized)[0] + +def normalizeXRI(xri): + """Normalize an XRI, stripping its scheme if present""" + if xri.startswith("xri://"): + xri = xri[6:] + return xri + +def arrangeByType(service_list, preferred_types): + """Rearrange service_list in a new list so services are ordered by + types listed in preferred_types. Return the new list.""" + + def enumerate(elts): + """Return an iterable that pairs the index of an element with + that element. + + For Python 2.2 compatibility""" + return zip(range(len(elts)), elts) + + def bestMatchingService(service): + """Return the index of the first matching type, or something + higher if no type matches. + + This provides an ordering in which service elements that + contain a type that comes earlier in the preferred types list + come before service elements that come later. If a service + element has more than one type, the most preferred one wins. + """ + for i, t in enumerate(preferred_types): + if preferred_types[i] in service.type_uris: + return i + + return len(preferred_types) + + # Build a list with the service elements in tuples whose + # comparison will prefer the one with the best matching service + prio_services = [(bestMatchingService(s), orig_index, s) + for (orig_index, s) in enumerate(service_list)] + prio_services.sort() + + # Now that the services are sorted by priority, remove the sort + # keys from the list. + for i in range(len(prio_services)): + prio_services[i] = prio_services[i][2] + + return prio_services + +def getOPOrUserServices(openid_services): + """Extract OP Identifier services. If none found, return the + rest, sorted with most preferred first according to + OpenIDServiceEndpoint.openid_type_uris. + + openid_services is a list of OpenIDServiceEndpoint objects. + + Returns a list of OpenIDServiceEndpoint objects.""" + + op_services = arrangeByType(openid_services, [OPENID_IDP_2_0_TYPE]) + + openid_services = arrangeByType(openid_services, + OpenIDServiceEndpoint.openid_type_uris) + + return op_services or openid_services + +def discoverYadis(uri): + """Discover OpenID services for a URI. Tries Yadis and falls back + on old-style <link rel='...'> discovery if Yadis fails. + + @param uri: normalized identity URL + @type uri: str + + @return: (claimed_id, services) + @rtype: (str, list(OpenIDServiceEndpoint)) + + @raises DiscoveryFailure: when discovery fails. + """ + # Might raise a yadis.discover.DiscoveryFailure if no document + # came back for that URI at all. I don't think falling back + # to OpenID 1.0 discovery on the same URL will help, so don't + # bother to catch it. + response = yadisDiscover(uri) + + yadis_url = response.normalized_uri + body = response.response_text + try: + openid_services = OpenIDServiceEndpoint.fromXRDS(yadis_url, body) + except XRDSError: + # Does not parse as a Yadis XRDS file + openid_services = [] + + if not openid_services: + # Either not an XRDS or there are no OpenID services. + + if response.isXRDS(): + # if we got the Yadis content-type or followed the Yadis + # header, re-fetch the document without following the Yadis + # header, with no Accept header. + return discoverNoYadis(uri) + + # Try to parse the response as HTML. + # <link rel="..."> + openid_services = OpenIDServiceEndpoint.fromHTML(yadis_url, body) + + return (yadis_url, getOPOrUserServices(openid_services)) + +def discoverXRI(iname): + endpoints = [] + iname = normalizeXRI(iname) + try: + canonicalID, services = xrires.ProxyResolver().query( + iname, OpenIDServiceEndpoint.openid_type_uris) + + if canonicalID is None: + raise XRDSError('No CanonicalID found for XRI %r' % (iname,)) + + flt = filters.mkFilter(OpenIDServiceEndpoint) + for service_element in services: + endpoints.extend(flt.getServiceEndpoints(iname, service_element)) + except XRDSError: + oidutil.log('xrds error on ' + iname) + + for endpoint in endpoints: + # Is there a way to pass this through the filter to the endpoint + # constructor instead of tacking it on after? + endpoint.canonicalID = canonicalID + endpoint.claimed_id = canonicalID + endpoint.display_identifier = iname + + # FIXME: returned xri should probably be in some normal form + return iname, getOPOrUserServices(endpoints) + + +def discoverNoYadis(uri): + http_resp = fetchers.fetch(uri) + if http_resp.status not in (200, 206): + raise DiscoveryFailure( + 'HTTP Response status from identity URL host is not 200. ' + 'Got status %r' % (http_resp.status,), http_resp) + + claimed_id = http_resp.final_url + openid_services = OpenIDServiceEndpoint.fromHTML( + claimed_id, http_resp.body) + return claimed_id, openid_services + +def discoverURI(uri): + parsed = urlparse.urlparse(uri) + if parsed[0] and parsed[1]: + if parsed[0] not in ['http', 'https']: + raise DiscoveryFailure('URI scheme is not HTTP or HTTPS', None) + else: + uri = 'http://' + uri + + uri = normalizeURL(uri) + claimed_id, openid_services = discoverYadis(uri) + claimed_id = normalizeURL(claimed_id) + return claimed_id, openid_services + +def discover(identifier): + if xri.identifierScheme(identifier) == "XRI": + return discoverXRI(identifier) + else: + return discoverURI(identifier) diff --git a/askbot/deps/openid/consumer/html_parse.py b/askbot/deps/openid/consumer/html_parse.py new file mode 100644 index 00000000..880dfda6 --- /dev/null +++ b/askbot/deps/openid/consumer/html_parse.py @@ -0,0 +1,249 @@ +""" +This module implements a VERY limited parser that finds <link> tags in +the head of HTML or XHTML documents and parses out their attributes +according to the OpenID spec. It is a liberal parser, but it requires +these things from the data in order to work: + + - There must be an open <html> tag + + - There must be an open <head> tag inside of the <html> tag + + - Only <link>s that are found inside of the <head> tag are parsed + (this is by design) + + - The parser follows the OpenID specification in resolving the + attributes of the link tags. This means that the attributes DO NOT + get resolved as they would by an XML or HTML parser. In particular, + only certain entities get replaced, and href attributes do not get + resolved relative to a base URL. + +From http://openid.net/specs.bml#linkrel: + + - The openid.server URL MUST be an absolute URL. OpenID consumers + MUST NOT attempt to resolve relative URLs. + + - The openid.server URL MUST NOT include entities other than &, + <, >, and ". + +The parser ignores SGML comments and <![CDATA[blocks]]>. Both kinds of +quoting are allowed for attributes. + +The parser deals with invalid markup in these ways: + + - Tag names are not case-sensitive + + - The <html> tag is accepted even when it is not at the top level + + - The <head> tag is accepted even when it is not a direct child of + the <html> tag, but a <html> tag must be an ancestor of the <head> + tag + + - <link> tags are accepted even when they are not direct children of + the <head> tag, but a <head> tag must be an ancestor of the <link> + tag + + - If there is no closing tag for an open <html> or <head> tag, the + remainder of the document is viewed as being inside of the tag. If + there is no closing tag for a <link> tag, the link tag is treated + as a short tag. Exceptions to this rule are that <html> closes + <html> and <body> or <head> closes <head> + + - Attributes of the <link> tag are not required to be quoted. + + - In the case of duplicated attribute names, the attribute coming + last in the tag will be the value returned. + + - Any text that does not parse as an attribute within a link tag will + be ignored. (e.g. <link pumpkin rel='openid.server' /> will ignore + pumpkin) + + - If there are more than one <html> or <head> tag, the parser only + looks inside of the first one. + + - The contents of <script> tags are ignored entirely, except unclosed + <script> tags. Unclosed <script> tags are ignored. + + - Any other invalid markup is ignored, including unclosed SGML + comments and unclosed <![CDATA[blocks. +""" + +__all__ = ['parseLinkAttrs'] + +import re + +flags = ( re.DOTALL # Match newlines with '.' + | re.IGNORECASE + | re.VERBOSE # Allow comments and whitespace in patterns + | re.UNICODE # Make \b respect Unicode word boundaries + ) + +# Stuff to remove before we start looking for tags +removed_re = re.compile(r''' + # Comments + <!--.*?--> + + # CDATA blocks +| <!\[CDATA\[.*?\]\]> + + # script blocks +| <script\b + + # make sure script is not an XML namespace + (?!:) + + [^>]*>.*?</script> + +''', flags) + +tag_expr = r''' +# Starts with the tag name at a word boundary, where the tag name is +# not a namespace +<%(tag_name)s\b(?!:) + +# All of the stuff up to a ">", hopefully attributes. +(?P<attrs>[^>]*?) + +(?: # Match a short tag + /> + +| # Match a full tag + > + + (?P<contents>.*?) + + # Closed by + (?: # One of the specified close tags + </?%(closers)s\s*> + + # End of the string + | \Z + + ) + +) +''' + +def tagMatcher(tag_name, *close_tags): + if close_tags: + options = '|'.join((tag_name,) + close_tags) + closers = '(?:%s)' % (options,) + else: + closers = tag_name + + expr = tag_expr % locals() + return re.compile(expr, flags) + +# Must contain at least an open html and an open head tag +html_find = tagMatcher('html') +head_find = tagMatcher('head', 'body') +link_find = re.compile(r'<link\b(?!:)', flags) + +attr_find = re.compile(r''' +# Must start with a sequence of word-characters, followed by an equals sign +(?P<attr_name>\w+)= + +# Then either a quoted or unquoted attribute +(?: + + # Match everything that\'s between matching quote marks + (?P<qopen>["\'])(?P<q_val>.*?)(?P=qopen) +| + + # If the value is not quoted, match up to whitespace + (?P<unq_val>(?:[^\s<>/]|/(?!>))+) +) + +| + +(?P<end_link>[<>]) +''', flags) + +# Entity replacement: +replacements = { + 'amp':'&', + 'lt':'<', + 'gt':'>', + 'quot':'"', + } + +ent_replace = re.compile(r'&(%s);' % '|'.join(replacements.keys())) +def replaceEnt(mo): + "Replace the entities that are specified by OpenID" + return replacements.get(mo.group(1), mo.group()) + +def parseLinkAttrs(html): + """Find all link tags in a string representing a HTML document and + return a list of their attributes. + + @param html: the text to parse + @type html: str or unicode + + @return: A list of dictionaries of attributes, one for each link tag + @rtype: [[(type(html), type(html))]] + """ + stripped = removed_re.sub('', html) + html_mo = html_find.search(stripped) + if html_mo is None or html_mo.start('contents') == -1: + return [] + + start, end = html_mo.span('contents') + head_mo = head_find.search(stripped, start, end) + if head_mo is None or head_mo.start('contents') == -1: + return [] + + start, end = head_mo.span('contents') + link_mos = link_find.finditer(stripped, head_mo.start(), head_mo.end()) + + matches = [] + for link_mo in link_mos: + start = link_mo.start() + 5 + link_attrs = {} + for attr_mo in attr_find.finditer(stripped, start): + if attr_mo.lastgroup == 'end_link': + break + + # Either q_val or unq_val must be present, but not both + # unq_val is a True (non-empty) value if it is present + attr_name, q_val, unq_val = attr_mo.group( + 'attr_name', 'q_val', 'unq_val') + attr_val = ent_replace.sub(replaceEnt, unq_val or q_val) + + link_attrs[attr_name] = attr_val + + matches.append(link_attrs) + + return matches + +def relMatches(rel_attr, target_rel): + """Does this target_rel appear in the rel_str?""" + # XXX: TESTME + rels = rel_attr.strip().split() + for rel in rels: + rel = rel.lower() + if rel == target_rel: + return 1 + + return 0 + +def linkHasRel(link_attrs, target_rel): + """Does this link have target_rel as a relationship?""" + # XXX: TESTME + rel_attr = link_attrs.get('rel') + return rel_attr and relMatches(rel_attr, target_rel) + +def findLinksRel(link_attrs_list, target_rel): + """Filter the list of link attributes on whether it has target_rel + as a relationship.""" + # XXX: TESTME + matchesTarget = lambda attrs: linkHasRel(attrs, target_rel) + return filter(matchesTarget, link_attrs_list) + +def findFirstHref(link_attrs_list, target_rel): + """Return the value of the href attribute for the first link tag + in the list that has target_rel as a relationship.""" + # XXX: TESTME + matches = findLinksRel(link_attrs_list, target_rel) + if not matches: + return None + first = matches[0] + return first.get('href') diff --git a/askbot/deps/openid/cryptutil.py b/askbot/deps/openid/cryptutil.py new file mode 100644 index 00000000..3123be64 --- /dev/null +++ b/askbot/deps/openid/cryptutil.py @@ -0,0 +1,220 @@ +"""Module containing a cryptographic-quality source of randomness and +other cryptographically useful functionality + +Python 2.4 needs no external support for this module, nor does Python +2.3 on a system with /dev/urandom. + +Other configurations will need a quality source of random bytes and +access to a function that will convert binary strings to long +integers. This module will work with the Python Cryptography Toolkit +(pycrypto) if it is present. pycrypto can be found with a search +engine, but is currently found at: + +http://www.amk.ca/python/code/crypto +""" + +__all__ = [ + 'base64ToLong', + 'binaryToLong', + 'hmacSha1', + 'hmacSha256', + 'longToBase64', + 'longToBinary', + 'randomString', + 'randrange', + 'sha1', + 'sha256', + ] + +import hmac +import os +import random + +from openid.oidutil import toBase64, fromBase64 + +try: + import hashlib +except ImportError: + import sha as sha1_module + + try: + from Crypto.Hash import SHA256 as sha256_module + except ImportError: + sha256_module = None + +else: + class HashContainer(object): + def __init__(self, hash_constructor): + self.new = hash_constructor + self.digest_size = hash_constructor().digest_size + + sha1_module = HashContainer(hashlib.sha1) + sha256_module = HashContainer(hashlib.sha256) + +def hmacSha1(key, text): + return hmac.new(key, text, sha1_module).digest() + +def sha1(s): + return sha1_module.new(s).digest() + +if sha256_module is not None: + def hmacSha256(key, text): + return hmac.new(key, text, sha256_module).digest() + + def sha256(s): + return sha256_module.new(s).digest() + + SHA256_AVAILABLE = True + +else: + _no_sha256 = NotImplementedError( + 'Use Python 2.5, install pycrypto or install hashlib to use SHA256') + + def hmacSha256(unused_key, unused_text): + raise _no_sha256 + + def sha256(s): + raise _no_sha256 + + SHA256_AVAILABLE = False + +try: + from Crypto.Util.number import long_to_bytes, bytes_to_long +except ImportError: + import pickle + try: + # Check Python compatiblity by raising an exception on import + # if the needed functionality is not present. Present in + # Python >= 2.3 + pickle.encode_long + pickle.decode_long + except AttributeError: + raise ImportError( + 'No functionality for serializing long integers found') + + # Present in Python >= 2.4 + try: + reversed + except NameError: + def reversed(seq): + return map(seq.__getitem__, xrange(len(seq) - 1, -1, -1)) + + def longToBinary(l): + if l == 0: + return '\x00' + + return ''.join(reversed(pickle.encode_long(l))) + + def binaryToLong(s): + return pickle.decode_long(''.join(reversed(s))) +else: + # We have pycrypto + + def longToBinary(l): + if l < 0: + raise ValueError('This function only supports positive integers') + + bytes = long_to_bytes(l) + if ord(bytes[0]) > 127: + return '\x00' + bytes + else: + return bytes + + def binaryToLong(bytes): + if not bytes: + raise ValueError('Empty string passed to strToLong') + + if ord(bytes[0]) > 127: + raise ValueError('This function only supports positive integers') + + return bytes_to_long(bytes) + +# A cryptographically safe source of random bytes +try: + getBytes = os.urandom +except AttributeError: + try: + from Crypto.Util.randpool import RandomPool + except ImportError: + # Fall back on /dev/urandom, if present. It would be nice to + # have Windows equivalent here, but for now, require pycrypto + # on Windows. + try: + _urandom = file('/dev/urandom', 'rb') + except IOError: + raise ImportError('No adequate source of randomness found!') + else: + def getBytes(n): + bytes = [] + while n: + chunk = _urandom.read(n) + n -= len(chunk) + bytes.append(chunk) + assert n >= 0 + return ''.join(bytes) + else: + _pool = RandomPool() + def getBytes(n, pool=_pool): + if pool.entropy < n: + pool.randomize() + return pool.get_bytes(n) + +# A randrange function that works for longs +try: + randrange = random.SystemRandom().randrange +except AttributeError: + # In Python 2.2's random.Random, randrange does not support + # numbers larger than sys.maxint for randrange. For simplicity, + # use this implementation for any Python that does not have + # random.SystemRandom + from math import log, ceil + + _duplicate_cache = {} + def randrange(start, stop=None, step=1): + if stop is None: + stop = start + start = 0 + + r = (stop - start) // step + try: + (duplicate, nbytes) = _duplicate_cache[r] + except KeyError: + rbytes = longToBinary(r) + if rbytes[0] == '\x00': + nbytes = len(rbytes) - 1 + else: + nbytes = len(rbytes) + + mxrand = (256 ** nbytes) + + # If we get a number less than this, then it is in the + # duplicated range. + duplicate = mxrand % r + + if len(_duplicate_cache) > 10: + _duplicate_cache.clear() + + _duplicate_cache[r] = (duplicate, nbytes) + + while 1: + bytes = '\x00' + getBytes(nbytes) + n = binaryToLong(bytes) + # Keep looping if this value is in the low duplicated range + if n >= duplicate: + break + + return start + (n % r) * step + +def longToBase64(l): + return toBase64(longToBinary(l)) + +def base64ToLong(s): + return binaryToLong(fromBase64(s)) + +def randomString(length, chrs=None): + """Produce a string of length random bytes, chosen from chrs.""" + if chrs is None: + return getBytes(length) + else: + n = len(chrs) + return ''.join([chrs[randrange(n)] for _ in xrange(length)]) diff --git a/askbot/deps/openid/dh.py b/askbot/deps/openid/dh.py new file mode 100644 index 00000000..bb83bbe8 --- /dev/null +++ b/askbot/deps/openid/dh.py @@ -0,0 +1,42 @@ +from openid import cryptutil +from openid import oidutil + +def strxor(x, y): + if len(x) != len(y): + raise ValueError('Inputs to strxor must have the same length') + + xor = lambda (a, b): chr(ord(a) ^ ord(b)) + return "".join(map(xor, zip(x, y))) + +class DiffieHellman(object): + DEFAULT_MOD = 155172898181473697471232257763715539915724801966915404479707795314057629378541917580651227423698188993727816152646631438561595825688188889951272158842675419950341258706556549803580104870537681476726513255747040765857479291291572334510643245094715007229621094194349783925984760375594985848253359305585439638443L + + DEFAULT_GEN = 2 + + def fromDefaults(cls): + return cls(cls.DEFAULT_MOD, cls.DEFAULT_GEN) + + fromDefaults = classmethod(fromDefaults) + + def __init__(self, modulus, generator): + self.modulus = long(modulus) + self.generator = long(generator) + + self._setPrivate(cryptutil.randrange(1, modulus - 1)) + + def _setPrivate(self, private): + """This is here to make testing easier""" + self.private = private + self.public = pow(self.generator, self.private, self.modulus) + + def usingDefaultValues(self): + return (self.modulus == self.DEFAULT_MOD and + self.generator == self.DEFAULT_GEN) + + def getSharedSecret(self, composite): + return pow(composite, self.private, self.modulus) + + def xorSecret(self, composite, secret, hash_func): + dh_shared = self.getSharedSecret(composite) + hashed_dh_shared = hash_func(cryptutil.longToBinary(dh_shared)) + return strxor(secret, hashed_dh_shared) diff --git a/askbot/deps/openid/extension.py b/askbot/deps/openid/extension.py new file mode 100644 index 00000000..d48bbb2f --- /dev/null +++ b/askbot/deps/openid/extension.py @@ -0,0 +1,46 @@ +from openid import message as message_module + +class Extension(object): + """An interface for OpenID extensions. + + @ivar ns_uri: The namespace to which to add the arguments for this + extension + """ + ns_uri = None + ns_alias = None + + def getExtensionArgs(self): + """Get the string arguments that should be added to an OpenID + message for this extension. + + @returns: A dictionary of completely non-namespaced arguments + to be added. For example, if the extension's alias is + 'uncle', and this method returns {'meat':'Hot Rats'}, the + final message will contain {'openid.uncle.meat':'Hot Rats'} + """ + raise NotImplementedError + + def toMessage(self, message=None): + """Add the arguments from this extension to the provided + message, or create a new message containing only those + arguments. + + @returns: The message with the extension arguments added + """ + if message is None: + warnings.warn('Passing None to Extension.toMessage is deprecated. ' + 'Creating a message assuming you want OpenID 2.', + DeprecationWarning, stacklevel=2) + message = message_module.Message(message_module.OPENID2_NS) + + implicit = message.isOpenID1() + + try: + message.namespaces.addAlias(self.ns_uri, self.ns_alias, + implicit=implicit) + except KeyError: + if message.namespaces.getAlias(self.ns_uri) != self.ns_alias: + raise + + message.updateArgs(self.ns_uri, self.getExtensionArgs()) + return message diff --git a/askbot/deps/openid/extensions/__init__.py b/askbot/deps/openid/extensions/__init__.py new file mode 100644 index 00000000..710b2002 --- /dev/null +++ b/askbot/deps/openid/extensions/__init__.py @@ -0,0 +1,5 @@ +"""OpenID Extension modules.""" + +__all__ = ['ax', 'pape', 'sreg'] + +from openid.extensions.draft import pape5 as pape diff --git a/askbot/deps/openid/extensions/ax.py b/askbot/deps/openid/extensions/ax.py new file mode 100644 index 00000000..65d0a512 --- /dev/null +++ b/askbot/deps/openid/extensions/ax.py @@ -0,0 +1,774 @@ +# -*- test-case-name: openid.test.test_ax -*- +"""Implements the OpenID Attribute Exchange specification, version 1.0. + +@since: 2.1.0 +""" + +__all__ = [ + 'AttributeRequest', + 'FetchRequest', + 'FetchResponse', + 'StoreRequest', + 'StoreResponse', + ] + +from openid import extension +from openid.server.trustroot import TrustRoot +from openid.message import NamespaceMap, OPENID_NS + +# Use this as the 'count' value for an attribute in a FetchRequest to +# ask for as many values as the OP can provide. +UNLIMITED_VALUES = "unlimited" + +# Minimum supported alias length in characters. Here for +# completeness. +MINIMUM_SUPPORTED_ALIAS_LENGTH = 32 + +def checkAlias(alias): + """ + Check an alias for invalid characters; raise AXError if any are + found. Return None if the alias is valid. + """ + if ',' in alias: + raise AXError("Alias %r must not contain comma" % (alias,)) + if '.' in alias: + raise AXError("Alias %r must not contain period" % (alias,)) + + +class AXError(ValueError): + """Results from data that does not meet the attribute exchange 1.0 + specification""" + + +class NotAXMessage(AXError): + """Raised when there is no Attribute Exchange mode in the message.""" + + def __repr__(self): + return self.__class__.__name__ + + def __str__(self): + return self.__class__.__name__ + + +class AXMessage(extension.Extension): + """Abstract class containing common code for attribute exchange messages + + @cvar ns_alias: The preferred namespace alias for attribute + exchange messages + + @cvar mode: The type of this attribute exchange message. This must + be overridden in subclasses. + """ + + # This class is abstract, so it's OK that it doesn't override the + # abstract method in Extension: + # + #pylint:disable-msg=W0223 + + ns_alias = 'ax' + mode = None + ns_uri = 'http://openid.net/srv/ax/1.0' + + def _checkMode(self, ax_args): + """Raise an exception if the mode in the attribute exchange + arguments does not match what is expected for this class. + + @raises NotAXMessage: When there is no mode value in ax_args at all. + + @raises AXError: When mode does not match. + """ + mode = ax_args.get('mode') + if mode != self.mode: + if not mode: + raise NotAXMessage() + else: + raise AXError( + 'Expected mode %r; got %r' % (self.mode, mode)) + + def _newArgs(self): + """Return a set of attribute exchange arguments containing the + basic information that must be in every attribute exchange + message. + """ + return {'mode':self.mode} + + +class AttrInfo(object): + """Represents a single attribute in an attribute exchange + request. This should be added to an AXRequest object in order to + request the attribute. + + @ivar required: Whether the attribute will be marked as required + when presented to the subject of the attribute exchange + request. + @type required: bool + + @ivar count: How many values of this type to request from the + subject. Defaults to one. + @type count: int + + @ivar type_uri: The identifier that determines what the attribute + represents and how it is serialized. For example, one type URI + representing dates could represent a Unix timestamp in base 10 + and another could represent a human-readable string. + @type type_uri: str + + @ivar alias: The name that should be given to this alias in the + request. If it is not supplied, a generic name will be + assigned. For example, if you want to call a Unix timestamp + value 'tstamp', set its alias to that value. If two attributes + in the same message request to use the same alias, the request + will fail to be generated. + @type alias: str or NoneType + """ + + # It's OK that this class doesn't have public methods (it's just a + # holder for a bunch of attributes): + # + #pylint:disable-msg=R0903 + + def __init__(self, type_uri, count=1, required=False, alias=None): + self.required = required + self.count = count + self.type_uri = type_uri + self.alias = alias + + if self.alias is not None: + checkAlias(self.alias) + + def wantsUnlimitedValues(self): + """ + When processing a request for this attribute, the OP should + call this method to determine whether all available attribute + values were requested. If self.count == UNLIMITED_VALUES, + this returns True. Otherwise this returns False, in which + case self.count is an integer. + """ + return self.count == UNLIMITED_VALUES + +def toTypeURIs(namespace_map, alias_list_s): + """Given a namespace mapping and a string containing a + comma-separated list of namespace aliases, return a list of type + URIs that correspond to those aliases. + + @param namespace_map: The mapping from namespace URI to alias + @type namespace_map: openid.message.NamespaceMap + + @param alias_list_s: The string containing the comma-separated + list of aliases. May also be None for convenience. + @type alias_list_s: str or NoneType + + @returns: The list of namespace URIs that corresponds to the + supplied list of aliases. If the string was zero-length or + None, an empty list will be returned. + + @raise KeyError: If an alias is present in the list of aliases but + is not present in the namespace map. + """ + uris = [] + + if alias_list_s: + for alias in alias_list_s.split(','): + type_uri = namespace_map.getNamespaceURI(alias) + if type_uri is None: + raise KeyError( + 'No type is defined for attribute name %r' % (alias,)) + else: + uris.append(type_uri) + + return uris + + +class FetchRequest(AXMessage): + """An attribute exchange 'fetch_request' message. This message is + sent by a relying party when it wishes to obtain attributes about + the subject of an OpenID authentication request. + + @ivar requested_attributes: The attributes that have been + requested thus far, indexed by the type URI. + @type requested_attributes: {str:AttrInfo} + + @ivar update_url: A URL that will accept responses for this + attribute exchange request, even in the absence of the user + who made this request. + """ + mode = 'fetch_request' + + def __init__(self, update_url=None): + AXMessage.__init__(self) + self.requested_attributes = {} + self.update_url = update_url + + def add(self, attribute): + """Add an attribute to this attribute exchange request. + + @param attribute: The attribute that is being requested + @type attribute: C{L{AttrInfo}} + + @returns: None + + @raise KeyError: when the requested attribute is already + present in this fetch request. + """ + if attribute.type_uri in self.requested_attributes: + raise KeyError('The attribute %r has already been requested' + % (attribute.type_uri,)) + + self.requested_attributes[attribute.type_uri] = attribute + + def getExtensionArgs(self): + """Get the serialized form of this attribute fetch request. + + @returns: The fetch request message parameters + @rtype: {unicode:unicode} + """ + aliases = NamespaceMap() + + required = [] + if_available = [] + + ax_args = self._newArgs() + + for type_uri, attribute in self.requested_attributes.iteritems(): + if attribute.alias is None: + alias = aliases.add(type_uri) + else: + # This will raise an exception when the second + # attribute with the same alias is added. I think it + # would be better to complain at the time that the + # attribute is added to this object so that the code + # that is adding it is identified in the stack trace, + # but it's more work to do so, and it won't be 100% + # accurate anyway, since the attributes are + # mutable. So for now, just live with the fact that + # we'll learn about the error later. + # + # The other possible approach is to hide the error and + # generate a new alias on the fly. I think that would + # probably be bad. + alias = aliases.addAlias(type_uri, attribute.alias) + + if attribute.required: + required.append(alias) + else: + if_available.append(alias) + + if attribute.count != 1: + ax_args['count.' + alias] = str(attribute.count) + + ax_args['type.' + alias] = type_uri + + if required: + ax_args['required'] = ','.join(required) + + if if_available: + ax_args['if_available'] = ','.join(if_available) + + return ax_args + + def getRequiredAttrs(self): + """Get the type URIs for all attributes that have been marked + as required. + + @returns: A list of the type URIs for attributes that have + been marked as required. + @rtype: [str] + """ + required = [] + for type_uri, attribute in self.requested_attributes.iteritems(): + if attribute.required: + required.append(type_uri) + + return required + + def fromOpenIDRequest(cls, openid_request): + """Extract a FetchRequest from an OpenID message + + @param openid_request: The OpenID authentication request + containing the attribute fetch request + @type openid_request: C{L{openid.server.server.CheckIDRequest}} + + @rtype: C{L{FetchRequest}} or C{None} + @returns: The FetchRequest extracted from the message or None, if + the message contained no AX extension. + + @raises KeyError: if the AuthRequest is not consistent in its use + of namespace aliases. + + @raises AXError: When parseExtensionArgs would raise same. + + @see: L{parseExtensionArgs} + """ + message = openid_request.message + ax_args = message.getArgs(cls.ns_uri) + self = cls() + try: + self.parseExtensionArgs(ax_args) + except NotAXMessage, err: + return None + + if self.update_url: + # Update URL must match the openid.realm of the underlying + # OpenID 2 message. + realm = message.getArg(OPENID_NS, 'realm', + message.getArg(OPENID_NS, 'return_to')) + + if not realm: + raise AXError(("Cannot validate update_url %r " + + "against absent realm") % (self.update_url,)) + + tr = TrustRoot.parse(realm) + if not tr.validateURL(self.update_url): + raise AXError("Update URL %r failed validation against realm %r" % + (self.update_url, realm,)) + + return self + + fromOpenIDRequest = classmethod(fromOpenIDRequest) + + def parseExtensionArgs(self, ax_args): + """Given attribute exchange arguments, populate this FetchRequest. + + @param ax_args: Attribute Exchange arguments from the request. + As returned from L{Message.getArgs<openid.message.Message.getArgs>}. + @type ax_args: dict + + @raises KeyError: if the message is not consistent in its use + of namespace aliases. + + @raises NotAXMessage: If ax_args does not include an Attribute Exchange + mode. + + @raises AXError: If the data to be parsed does not follow the + attribute exchange specification. At least when + 'if_available' or 'required' is not specified for a + particular attribute type. + """ + # Raises an exception if the mode is not the expected value + self._checkMode(ax_args) + + aliases = NamespaceMap() + + for key, value in ax_args.iteritems(): + if key.startswith('type.'): + alias = key[5:] + type_uri = value + aliases.addAlias(type_uri, alias) + + count_key = 'count.' + alias + count_s = ax_args.get(count_key) + if count_s: + try: + count = int(count_s) + if count <= 0: + raise AXError("Count %r must be greater than zero, got %r" % (count_key, count_s,)) + except ValueError: + if count_s != UNLIMITED_VALUES: + raise AXError("Invalid count value for %r: %r" % (count_key, count_s,)) + count = count_s + else: + count = 1 + + self.add(AttrInfo(type_uri, alias=alias, count=count)) + + required = toTypeURIs(aliases, ax_args.get('required')) + + for type_uri in required: + self.requested_attributes[type_uri].required = True + + if_available = toTypeURIs(aliases, ax_args.get('if_available')) + + all_type_uris = required + if_available + + for type_uri in aliases.iterNamespaceURIs(): + if type_uri not in all_type_uris: + raise AXError( + 'Type URI %r was in the request but not ' + 'present in "required" or "if_available"' % (type_uri,)) + + self.update_url = ax_args.get('update_url') + + def iterAttrs(self): + """Iterate over the AttrInfo objects that are + contained in this fetch_request. + """ + return self.requested_attributes.itervalues() + + def __iter__(self): + """Iterate over the attribute type URIs in this fetch_request + """ + return iter(self.requested_attributes) + + def has_key(self, type_uri): + """Is the given type URI present in this fetch_request? + """ + return type_uri in self.requested_attributes + + __contains__ = has_key + + +class AXKeyValueMessage(AXMessage): + """An abstract class that implements a message that has attribute + keys and values. It contains the common code between + fetch_response and store_request. + """ + + # This class is abstract, so it's OK that it doesn't override the + # abstract method in Extension: + # + #pylint:disable-msg=W0223 + + def __init__(self): + AXMessage.__init__(self) + self.data = {} + + def addValue(self, type_uri, value): + """Add a single value for the given attribute type to the + message. If there are already values specified for this type, + this value will be sent in addition to the values already + specified. + + @param type_uri: The URI for the attribute + + @param value: The value to add to the response to the relying + party for this attribute + @type value: unicode + + @returns: None + """ + try: + values = self.data[type_uri] + except KeyError: + values = self.data[type_uri] = [] + + values.append(value) + + def setValues(self, type_uri, values): + """Set the values for the given attribute type. This replaces + any values that have already been set for this attribute. + + @param type_uri: The URI for the attribute + + @param values: A list of values to send for this attribute. + @type values: [unicode] + """ + + self.data[type_uri] = values + + def _getExtensionKVArgs(self, aliases=None): + """Get the extension arguments for the key/value pairs + contained in this message. + + @param aliases: An alias mapping. Set to None if you don't + care about the aliases for this request. + """ + if aliases is None: + aliases = NamespaceMap() + + ax_args = {} + + for type_uri, values in self.data.iteritems(): + alias = aliases.add(type_uri) + + ax_args['type.' + alias] = type_uri + ax_args['count.' + alias] = str(len(values)) + + for i, value in enumerate(values): + key = 'value.%s.%d' % (alias, i + 1) + ax_args[key] = value + + return ax_args + + def parseExtensionArgs(self, ax_args): + """Parse attribute exchange key/value arguments into this + object. + + @param ax_args: The attribute exchange fetch_response + arguments, with namespacing removed. + @type ax_args: {unicode:unicode} + + @returns: None + + @raises ValueError: If the message has bad values for + particular fields + + @raises KeyError: If the namespace mapping is bad or required + arguments are missing + """ + self._checkMode(ax_args) + + aliases = NamespaceMap() + + for key, value in ax_args.iteritems(): + if key.startswith('type.'): + type_uri = value + alias = key[5:] + checkAlias(alias) + aliases.addAlias(type_uri, alias) + + for type_uri, alias in aliases.iteritems(): + try: + count_s = ax_args['count.' + alias] + except KeyError: + value = ax_args['value.' + alias] + + if value == u'': + values = [] + else: + values = [value] + else: + count = int(count_s) + values = [] + for i in range(1, count + 1): + value_key = 'value.%s.%d' % (alias, i) + value = ax_args[value_key] + values.append(value) + + self.data[type_uri] = values + + def getSingle(self, type_uri, default=None): + """Get a single value for an attribute. If no value was sent + for this attribute, use the supplied default. If there is more + than one value for this attribute, this method will fail. + + @type type_uri: str + @param type_uri: The URI for the attribute + + @param default: The value to return if the attribute was not + sent in the fetch_response. + + @returns: The value of the attribute in the fetch_response + message, or the default supplied + @rtype: unicode or NoneType + + @raises ValueError: If there is more than one value for this + parameter in the fetch_response message. + @raises KeyError: If the attribute was not sent in this response + """ + values = self.data.get(type_uri) + if not values: + return default + elif len(values) == 1: + return values[0] + else: + raise AXError( + 'More than one value present for %r' % (type_uri,)) + + def get(self, type_uri): + """Get the list of values for this attribute in the + fetch_response. + + XXX: what to do if the values are not present? default + parameter? this is funny because it's always supposed to + return a list, so the default may break that, though it's + provided by the user's code, so it might be okay. If no + default is supplied, should the return be None or []? + + @param type_uri: The URI of the attribute + + @returns: The list of values for this attribute in the + response. May be an empty list. + @rtype: [unicode] + + @raises KeyError: If the attribute was not sent in the response + """ + return self.data[type_uri] + + def count(self, type_uri): + """Get the number of responses for a particular attribute in + this fetch_response message. + + @param type_uri: The URI of the attribute + + @returns: The number of values sent for this attribute + + @raises KeyError: If the attribute was not sent in the + response. KeyError will not be raised if the number of + values was zero. + """ + return len(self.get(type_uri)) + + +class FetchResponse(AXKeyValueMessage): + """A fetch_response attribute exchange message + """ + mode = 'fetch_response' + + def __init__(self, request=None, update_url=None): + """ + @param request: When supplied, I will use namespace aliases + that match those in this request. I will also check to + make sure I do not respond with attributes that were not + requested. + + @type request: L{FetchRequest} + + @param update_url: By default, C{update_url} is taken from the + request. But if you do not supply the request, you may set + the C{update_url} here. + + @type update_url: str + """ + AXKeyValueMessage.__init__(self) + self.update_url = update_url + self.request = request + + def getExtensionArgs(self): + """Serialize this object into arguments in the attribute + exchange namespace + + @returns: The dictionary of unqualified attribute exchange + arguments that represent this fetch_response. + @rtype: {unicode;unicode} + """ + + aliases = NamespaceMap() + + zero_value_types = [] + + if self.request is not None: + # Validate the data in the context of the request (the + # same attributes should be present in each, and the + # counts in the response must be no more than the counts + # in the request) + + for type_uri in self.data: + if type_uri not in self.request: + raise KeyError( + 'Response attribute not present in request: %r' + % (type_uri,)) + + for attr_info in self.request.iterAttrs(): + # Copy the aliases from the request so that reading + # the response in light of the request is easier + if attr_info.alias is None: + aliases.add(attr_info.type_uri) + else: + aliases.addAlias(attr_info.type_uri, attr_info.alias) + + try: + values = self.data[attr_info.type_uri] + except KeyError: + values = [] + zero_value_types.append(attr_info) + + if (attr_info.count != UNLIMITED_VALUES) and \ + (attr_info.count < len(values)): + raise AXError( + 'More than the number of requested values were ' + 'specified for %r' % (attr_info.type_uri,)) + + kv_args = self._getExtensionKVArgs(aliases) + + # Add the KV args into the response with the args that are + # unique to the fetch_response + ax_args = self._newArgs() + + # For each requested attribute, put its type/alias and count + # into the response even if no data were returned. + for attr_info in zero_value_types: + alias = aliases.getAlias(attr_info.type_uri) + kv_args['type.' + alias] = attr_info.type_uri + kv_args['count.' + alias] = '0' + + update_url = ((self.request and self.request.update_url) + or self.update_url) + + if update_url: + ax_args['update_url'] = update_url + + ax_args.update(kv_args) + + return ax_args + + def parseExtensionArgs(self, ax_args): + """@see: {Extension.parseExtensionArgs<openid.extension.Extension.parseExtensionArgs>}""" + super(FetchResponse, self).parseExtensionArgs(ax_args) + self.update_url = ax_args.get('update_url') + + def fromSuccessResponse(cls, success_response, signed=True): + """Construct a FetchResponse object from an OpenID library + SuccessResponse object. + + @param success_response: A successful id_res response object + @type success_response: openid.consumer.consumer.SuccessResponse + + @param signed: Whether non-signed args should be + processsed. If True (the default), only signed arguments + will be processsed. + @type signed: bool + + @returns: A FetchResponse containing the data from the OpenID + message, or None if the SuccessResponse did not contain AX + extension data. + + @raises AXError: when the AX data cannot be parsed. + """ + self = cls() + ax_args = success_response.extensionResponse(self.ns_uri, signed) + + try: + self.parseExtensionArgs(ax_args) + except NotAXMessage, err: + return None + else: + return self + + fromSuccessResponse = classmethod(fromSuccessResponse) + + +class StoreRequest(AXKeyValueMessage): + """A store request attribute exchange message representation + """ + mode = 'store_request' + + def __init__(self, aliases=None): + """ + @param aliases: The namespace aliases to use when making this + store request. Leave as None to use defaults. + """ + super(StoreRequest, self).__init__() + self.aliases = aliases + + def getExtensionArgs(self): + """ + @see: L{Extension.getExtensionArgs<openid.extension.Extension.getExtensionArgs>} + """ + ax_args = self._newArgs() + kv_args = self._getExtensionKVArgs(self.aliases) + ax_args.update(kv_args) + return ax_args + + +class StoreResponse(AXMessage): + """An indication that the store request was processed along with + this OpenID transaction. + """ + + SUCCESS_MODE = 'store_response_success' + FAILURE_MODE = 'store_response_failure' + + def __init__(self, succeeded=True, error_message=None): + AXMessage.__init__(self) + + if succeeded and error_message is not None: + raise AXError('An error message may only be included in a ' + 'failing fetch response') + if succeeded: + self.mode = self.SUCCESS_MODE + else: + self.mode = self.FAILURE_MODE + + self.error_message = error_message + + def succeeded(self): + """Was this response a success response?""" + return self.mode == self.SUCCESS_MODE + + def getExtensionArgs(self): + """@see: {Extension.getExtensionArgs<openid.extension.Extension.getExtensionArgs>}""" + ax_args = self._newArgs() + if not self.succeeded() and self.error_message: + ax_args['error'] = self.error_message + + return ax_args diff --git a/askbot/deps/openid/extensions/draft/__init__.py b/askbot/deps/openid/extensions/draft/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/askbot/deps/openid/extensions/draft/__init__.py diff --git a/askbot/deps/openid/extensions/draft/pape2.py b/askbot/deps/openid/extensions/draft/pape2.py new file mode 100644 index 00000000..e7320465 --- /dev/null +++ b/askbot/deps/openid/extensions/draft/pape2.py @@ -0,0 +1,277 @@ +"""An implementation of the OpenID Provider Authentication Policy +Extension 1.0 + +@see: http://openid.net/developers/specs/ + +@since: 2.1.0 +""" + +__all__ = [ + 'Request', + 'Response', + 'ns_uri', + 'AUTH_PHISHING_RESISTANT', + 'AUTH_MULTI_FACTOR', + 'AUTH_MULTI_FACTOR_PHYSICAL', + ] + +from openid.extension import Extension +import re + +ns_uri = "http://specs.openid.net/extensions/pape/1.0" + +AUTH_MULTI_FACTOR_PHYSICAL = \ + 'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical' +AUTH_MULTI_FACTOR = \ + 'http://schemas.openid.net/pape/policies/2007/06/multi-factor' +AUTH_PHISHING_RESISTANT = \ + 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant' + +TIME_VALIDATOR = re.compile('^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$') + +class Request(Extension): + """A Provider Authentication Policy request, sent from a relying + party to a provider + + @ivar preferred_auth_policies: The authentication policies that + the relying party prefers + @type preferred_auth_policies: [str] + + @ivar max_auth_age: The maximum time, in seconds, that the relying + party wants to allow to have elapsed before the user must + re-authenticate + @type max_auth_age: int or NoneType + """ + + ns_alias = 'pape' + + def __init__(self, preferred_auth_policies=None, max_auth_age=None): + super(Request, self).__init__() + if not preferred_auth_policies: + preferred_auth_policies = [] + + self.preferred_auth_policies = preferred_auth_policies + self.max_auth_age = max_auth_age + + def __nonzero__(self): + return bool(self.preferred_auth_policies or + self.max_auth_age is not None) + + def addPolicyURI(self, policy_uri): + """Add an acceptable authentication policy URI to this request + + This method is intended to be used by the relying party to add + acceptable authentication types to the request. + + @param policy_uri: The identifier for the preferred type of + authentication. + @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies + """ + if policy_uri not in self.preferred_auth_policies: + self.preferred_auth_policies.append(policy_uri) + + def getExtensionArgs(self): + """@see: C{L{Extension.getExtensionArgs}} + """ + ns_args = { + 'preferred_auth_policies':' '.join(self.preferred_auth_policies) + } + + if self.max_auth_age is not None: + ns_args['max_auth_age'] = str(self.max_auth_age) + + return ns_args + + def fromOpenIDRequest(cls, request): + """Instantiate a Request object from the arguments in a + C{checkid_*} OpenID message + """ + self = cls() + args = request.message.getArgs(self.ns_uri) + + if args == {}: + return None + + self.parseExtensionArgs(args) + return self + + fromOpenIDRequest = classmethod(fromOpenIDRequest) + + def parseExtensionArgs(self, args): + """Set the state of this request to be that expressed in these + PAPE arguments + + @param args: The PAPE arguments without a namespace + + @rtype: None + + @raises ValueError: When the max_auth_age is not parseable as + an integer + """ + + # preferred_auth_policies is a space-separated list of policy URIs + self.preferred_auth_policies = [] + + policies_str = args.get('preferred_auth_policies') + if policies_str: + for uri in policies_str.split(' '): + if uri not in self.preferred_auth_policies: + self.preferred_auth_policies.append(uri) + + # max_auth_age is base-10 integer number of seconds + max_auth_age_str = args.get('max_auth_age') + self.max_auth_age = None + + if max_auth_age_str: + try: + self.max_auth_age = int(max_auth_age_str) + except ValueError: + pass + + def preferredTypes(self, supported_types): + """Given a list of authentication policy URIs that a provider + supports, this method returns the subsequence of those types + that are preferred by the relying party. + + @param supported_types: A sequence of authentication policy + type URIs that are supported by a provider + + @returns: The sub-sequence of the supported types that are + preferred by the relying party. This list will be ordered + in the order that the types appear in the supported_types + sequence, and may be empty if the provider does not prefer + any of the supported authentication types. + + @returntype: [str] + """ + return filter(self.preferred_auth_policies.__contains__, + supported_types) + +Request.ns_uri = ns_uri + + +class Response(Extension): + """A Provider Authentication Policy response, sent from a provider + to a relying party + """ + + ns_alias = 'pape' + + def __init__(self, auth_policies=None, auth_time=None, + nist_auth_level=None): + super(Response, self).__init__() + if auth_policies: + self.auth_policies = auth_policies + else: + self.auth_policies = [] + + self.auth_time = auth_time + self.nist_auth_level = nist_auth_level + + def addPolicyURI(self, policy_uri): + """Add a authentication policy to this response + + This method is intended to be used by the provider to add a + policy that the provider conformed to when authenticating the user. + + @param policy_uri: The identifier for the preferred type of + authentication. + @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies + """ + if policy_uri not in self.auth_policies: + self.auth_policies.append(policy_uri) + + def fromSuccessResponse(cls, success_response): + """Create a C{L{Response}} object from a successful OpenID + library response + (C{L{openid.consumer.consumer.SuccessResponse}}) response + message + + @param success_response: A SuccessResponse from consumer.complete() + @type success_response: C{L{openid.consumer.consumer.SuccessResponse}} + + @rtype: Response or None + @returns: A provider authentication policy response from the + data that was supplied with the C{id_res} response or None + if the provider sent no signed PAPE response arguments. + """ + self = cls() + + # PAPE requires that the args be signed. + args = success_response.getSignedNS(self.ns_uri) + + # Only try to construct a PAPE response if the arguments were + # signed in the OpenID response. If not, return None. + if args is not None: + self.parseExtensionArgs(args) + return self + else: + return None + + def parseExtensionArgs(self, args, strict=False): + """Parse the provider authentication policy arguments into the + internal state of this object + + @param args: unqualified provider authentication policy + arguments + + @param strict: Whether to raise an exception when bad data is + encountered + + @returns: None. The data is parsed into the internal fields of + this object. + """ + policies_str = args.get('auth_policies') + if policies_str and policies_str != 'none': + self.auth_policies = policies_str.split(' ') + + nist_level_str = args.get('nist_auth_level') + if nist_level_str: + try: + nist_level = int(nist_level_str) + except ValueError: + if strict: + raise ValueError('nist_auth_level must be an integer between ' + 'zero and four, inclusive') + else: + self.nist_auth_level = None + else: + if 0 <= nist_level < 5: + self.nist_auth_level = nist_level + + auth_time = args.get('auth_time') + if auth_time: + if TIME_VALIDATOR.match(auth_time): + self.auth_time = auth_time + elif strict: + raise ValueError("auth_time must be in RFC3339 format") + + fromSuccessResponse = classmethod(fromSuccessResponse) + + def getExtensionArgs(self): + """@see: C{L{Extension.getExtensionArgs}} + """ + if len(self.auth_policies) == 0: + ns_args = { + 'auth_policies':'none', + } + else: + ns_args = { + 'auth_policies':' '.join(self.auth_policies), + } + + if self.nist_auth_level is not None: + if self.nist_auth_level not in range(0, 5): + raise ValueError('nist_auth_level must be an integer between ' + 'zero and four, inclusive') + ns_args['nist_auth_level'] = str(self.nist_auth_level) + + if self.auth_time is not None: + if not TIME_VALIDATOR.match(self.auth_time): + raise ValueError('auth_time must be in RFC3339 format') + + ns_args['auth_time'] = self.auth_time + + return ns_args + +Response.ns_uri = ns_uri diff --git a/askbot/deps/openid/extensions/draft/pape5.py b/askbot/deps/openid/extensions/draft/pape5.py new file mode 100644 index 00000000..3bd1ffc0 --- /dev/null +++ b/askbot/deps/openid/extensions/draft/pape5.py @@ -0,0 +1,473 @@ +"""An implementation of the OpenID Provider Authentication Policy +Extension 1.0, Draft 5 + +@see: http://openid.net/developers/specs/ + +@since: 2.1.0 +""" + +__all__ = [ + 'Request', + 'Response', + 'ns_uri', + 'AUTH_PHISHING_RESISTANT', + 'AUTH_MULTI_FACTOR', + 'AUTH_MULTI_FACTOR_PHYSICAL', + 'LEVELS_NIST', + 'LEVELS_JISA', + ] + +from openid.extension import Extension +import warnings +import re + +ns_uri = "http://specs.openid.net/extensions/pape/1.0" + +AUTH_MULTI_FACTOR_PHYSICAL = \ + 'http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical' +AUTH_MULTI_FACTOR = \ + 'http://schemas.openid.net/pape/policies/2007/06/multi-factor' +AUTH_PHISHING_RESISTANT = \ + 'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant' +AUTH_NONE = \ + 'http://schemas.openid.net/pape/policies/2007/06/none' + +TIME_VALIDATOR = re.compile('^\d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\dZ$') + +LEVELS_NIST = 'http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf' +LEVELS_JISA = 'http://www.jisa.or.jp/spec/auth_level.html' + +class PAPEExtension(Extension): + _default_auth_level_aliases = { + 'nist': LEVELS_NIST, + 'jisa': LEVELS_JISA, + } + + def __init__(self): + self.auth_level_aliases = self._default_auth_level_aliases.copy() + + def _addAuthLevelAlias(self, auth_level_uri, alias=None): + """Add an auth level URI alias to this request. + + @param auth_level_uri: The auth level URI to send in the + request. + + @param alias: The namespace alias to use for this auth level + in this message. May be None if the alias is not + important. + """ + if alias is None: + try: + alias = self._getAlias(auth_level_uri) + except KeyError: + alias = self._generateAlias() + else: + existing_uri = self.auth_level_aliases.get(alias) + if existing_uri is not None and existing_uri != auth_level_uri: + raise KeyError('Attempting to redefine alias %r from %r to %r', + alias, existing_uri, auth_level_uri) + + self.auth_level_aliases[alias] = auth_level_uri + + def _generateAlias(self): + """Return an unused auth level alias""" + for i in xrange(1000): + alias = 'cust%d' % (i,) + if alias not in self.auth_level_aliases: + return alias + + raise RuntimeError('Could not find an unused alias (tried 1000!)') + + def _getAlias(self, auth_level_uri): + """Return the alias for the specified auth level URI. + + @raises KeyError: if no alias is defined + """ + for (alias, existing_uri) in self.auth_level_aliases.iteritems(): + if auth_level_uri == existing_uri: + return alias + + raise KeyError(auth_level_uri) + +class Request(PAPEExtension): + """A Provider Authentication Policy request, sent from a relying + party to a provider + + @ivar preferred_auth_policies: The authentication policies that + the relying party prefers + @type preferred_auth_policies: [str] + + @ivar max_auth_age: The maximum time, in seconds, that the relying + party wants to allow to have elapsed before the user must + re-authenticate + @type max_auth_age: int or NoneType + + @ivar preferred_auth_level_types: Ordered list of authentication + level namespace URIs + + @type preferred_auth_level_types: [str] + """ + + ns_alias = 'pape' + + def __init__(self, preferred_auth_policies=None, max_auth_age=None, + preferred_auth_level_types=None): + super(Request, self).__init__() + if preferred_auth_policies is None: + preferred_auth_policies = [] + + self.preferred_auth_policies = preferred_auth_policies + self.max_auth_age = max_auth_age + self.preferred_auth_level_types = [] + + if preferred_auth_level_types is not None: + for auth_level in preferred_auth_level_types: + self.addAuthLevel(auth_level) + + def __nonzero__(self): + return bool(self.preferred_auth_policies or + self.max_auth_age is not None or + self.preferred_auth_level_types) + + def addPolicyURI(self, policy_uri): + """Add an acceptable authentication policy URI to this request + + This method is intended to be used by the relying party to add + acceptable authentication types to the request. + + @param policy_uri: The identifier for the preferred type of + authentication. + @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-05.html#auth_policies + """ + if policy_uri not in self.preferred_auth_policies: + self.preferred_auth_policies.append(policy_uri) + + def addAuthLevel(self, auth_level_uri, alias=None): + self._addAuthLevelAlias(auth_level_uri, alias) + if auth_level_uri not in self.preferred_auth_level_types: + self.preferred_auth_level_types.append(auth_level_uri) + + def getExtensionArgs(self): + """@see: C{L{Extension.getExtensionArgs}} + """ + ns_args = { + 'preferred_auth_policies':' '.join(self.preferred_auth_policies), + } + + if self.max_auth_age is not None: + ns_args['max_auth_age'] = str(self.max_auth_age) + + if self.preferred_auth_level_types: + preferred_types = [] + + for auth_level_uri in self.preferred_auth_level_types: + alias = self._getAlias(auth_level_uri) + ns_args['auth_level.ns.%s' % (alias,)] = auth_level_uri + preferred_types.append(alias) + + ns_args['preferred_auth_level_types'] = ' '.join(preferred_types) + + return ns_args + + def fromOpenIDRequest(cls, request): + """Instantiate a Request object from the arguments in a + C{checkid_*} OpenID message + """ + self = cls() + args = request.message.getArgs(self.ns_uri) + is_openid1 = request.message.isOpenID1() + + if args == {}: + return None + + self.parseExtensionArgs(args, is_openid1) + return self + + fromOpenIDRequest = classmethod(fromOpenIDRequest) + + def parseExtensionArgs(self, args, is_openid1, strict=False): + """Set the state of this request to be that expressed in these + PAPE arguments + + @param args: The PAPE arguments without a namespace + + @param strict: Whether to raise an exception if the input is + out of spec or otherwise malformed. If strict is false, + malformed input will be ignored. + + @param is_openid1: Whether the input should be treated as part + of an OpenID1 request + + @rtype: None + + @raises ValueError: When the max_auth_age is not parseable as + an integer + """ + + # preferred_auth_policies is a space-separated list of policy URIs + self.preferred_auth_policies = [] + + policies_str = args.get('preferred_auth_policies') + if policies_str: + for uri in policies_str.split(' '): + if uri not in self.preferred_auth_policies: + self.preferred_auth_policies.append(uri) + + # max_auth_age is base-10 integer number of seconds + max_auth_age_str = args.get('max_auth_age') + self.max_auth_age = None + + if max_auth_age_str: + try: + self.max_auth_age = int(max_auth_age_str) + except ValueError: + if strict: + raise + + # Parse auth level information + preferred_auth_level_types = args.get('preferred_auth_level_types') + if preferred_auth_level_types: + aliases = preferred_auth_level_types.strip().split() + + for alias in aliases: + key = 'auth_level.ns.%s' % (alias,) + try: + uri = args[key] + except KeyError: + if is_openid1: + uri = self._default_auth_level_aliases.get(alias) + else: + uri = None + + if uri is None: + if strict: + raise ValueError('preferred auth level %r is not ' + 'defined in this message' % (alias,)) + else: + self.addAuthLevel(uri, alias) + + def preferredTypes(self, supported_types): + """Given a list of authentication policy URIs that a provider + supports, this method returns the subsequence of those types + that are preferred by the relying party. + + @param supported_types: A sequence of authentication policy + type URIs that are supported by a provider + + @returns: The sub-sequence of the supported types that are + preferred by the relying party. This list will be ordered + in the order that the types appear in the supported_types + sequence, and may be empty if the provider does not prefer + any of the supported authentication types. + + @returntype: [str] + """ + return filter(self.preferred_auth_policies.__contains__, + supported_types) + +Request.ns_uri = ns_uri + + +class Response(PAPEExtension): + """A Provider Authentication Policy response, sent from a provider + to a relying party + + @ivar auth_policies: List of authentication policies conformed to + by this OpenID assertion, represented as policy URIs + """ + + ns_alias = 'pape' + + def __init__(self, auth_policies=None, auth_time=None, + auth_levels=None): + super(Response, self).__init__() + if auth_policies: + self.auth_policies = auth_policies + else: + self.auth_policies = [] + + self.auth_time = auth_time + self.auth_levels = {} + + if auth_levels is None: + auth_levels = {} + + for uri, level in auth_levels.iteritems(): + self.setAuthLevel(uri, level) + + def setAuthLevel(self, level_uri, level, alias=None): + """Set the value for the given auth level type. + + @param level: string representation of an authentication level + valid for level_uri + + @param alias: An optional namespace alias for the given auth + level URI. May be omitted if the alias is not + significant. The library will use a reasonable default for + widely-used auth level types. + """ + self._addAuthLevelAlias(level_uri, alias) + self.auth_levels[level_uri] = level + + def getAuthLevel(self, level_uri): + """Return the auth level for the specified auth level + identifier + + @returns: A string that should map to the auth levels defined + for the auth level type + + @raises KeyError: If the auth level type is not present in + this message + """ + return self.auth_levels[level_uri] + + def _getNISTAuthLevel(self): + try: + return int(self.getAuthLevel(LEVELS_NIST)) + except KeyError: + return None + + nist_auth_level = property( + _getNISTAuthLevel, + doc="Backward-compatibility accessor for the NIST auth level") + + def addPolicyURI(self, policy_uri): + """Add a authentication policy to this response + + This method is intended to be used by the provider to add a + policy that the provider conformed to when authenticating the user. + + @param policy_uri: The identifier for the preferred type of + authentication. + @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies + """ + if policy_uri == AUTH_NONE: + raise RuntimeError( + 'To send no policies, do not set any on the response.') + + if policy_uri not in self.auth_policies: + self.auth_policies.append(policy_uri) + + def fromSuccessResponse(cls, success_response): + """Create a C{L{Response}} object from a successful OpenID + library response + (C{L{openid.consumer.consumer.SuccessResponse}}) response + message + + @param success_response: A SuccessResponse from consumer.complete() + @type success_response: C{L{openid.consumer.consumer.SuccessResponse}} + + @rtype: Response or None + @returns: A provider authentication policy response from the + data that was supplied with the C{id_res} response or None + if the provider sent no signed PAPE response arguments. + """ + self = cls() + + # PAPE requires that the args be signed. + args = success_response.getSignedNS(self.ns_uri) + is_openid1 = success_response.isOpenID1() + + # Only try to construct a PAPE response if the arguments were + # signed in the OpenID response. If not, return None. + if args is not None: + self.parseExtensionArgs(args, is_openid1) + return self + else: + return None + + def parseExtensionArgs(self, args, is_openid1, strict=False): + """Parse the provider authentication policy arguments into the + internal state of this object + + @param args: unqualified provider authentication policy + arguments + + @param strict: Whether to raise an exception when bad data is + encountered + + @returns: None. The data is parsed into the internal fields of + this object. + """ + policies_str = args.get('auth_policies') + if policies_str: + auth_policies = policies_str.split(' ') + elif strict: + raise ValueError('Missing auth_policies') + else: + auth_policies = [] + + if (len(auth_policies) > 1 and strict and AUTH_NONE in auth_policies): + raise ValueError('Got some auth policies, as well as the special ' + '"none" URI: %r' % (auth_policies,)) + + if 'none' in auth_policies: + msg = '"none" used as a policy URI (see PAPE draft < 5)' + if strict: + raise ValueError(msg) + else: + warnings.warn(msg, stacklevel=2) + + auth_policies = [u for u in auth_policies + if u not in ['none', AUTH_NONE]] + + self.auth_policies = auth_policies + + for (key, val) in args.iteritems(): + if key.startswith('auth_level.'): + alias = key[11:] + + # skip the already-processed namespace declarations + if alias.startswith('ns.'): + continue + + try: + uri = args['auth_level.ns.%s' % (alias,)] + except KeyError: + if is_openid1: + uri = self._default_auth_level_aliases.get(alias) + else: + uri = None + + if uri is None: + if strict: + raise ValueError( + 'Undefined auth level alias: %r' % (alias,)) + else: + self.setAuthLevel(uri, val, alias) + + auth_time = args.get('auth_time') + if auth_time: + if TIME_VALIDATOR.match(auth_time): + self.auth_time = auth_time + elif strict: + raise ValueError("auth_time must be in RFC3339 format") + + fromSuccessResponse = classmethod(fromSuccessResponse) + + def getExtensionArgs(self): + """@see: C{L{Extension.getExtensionArgs}} + """ + if len(self.auth_policies) == 0: + ns_args = { + 'auth_policies': AUTH_NONE, + } + else: + ns_args = { + 'auth_policies':' '.join(self.auth_policies), + } + + for level_type, level in self.auth_levels.iteritems(): + alias = self._getAlias(level_type) + ns_args['auth_level.ns.%s' % (alias,)] = level_type + ns_args['auth_level.%s' % (alias,)] = str(level) + + if self.auth_time is not None: + if not TIME_VALIDATOR.match(self.auth_time): + raise ValueError('auth_time must be in RFC3339 format') + + ns_args['auth_time'] = self.auth_time + + return ns_args + +Response.ns_uri = ns_uri diff --git a/askbot/deps/openid/extensions/sreg.py b/askbot/deps/openid/extensions/sreg.py new file mode 100644 index 00000000..76909d22 --- /dev/null +++ b/askbot/deps/openid/extensions/sreg.py @@ -0,0 +1,518 @@ +"""Simple registration request and response parsing and object representation + +This module contains objects representing simple registration requests +and responses that can be used with both OpenID relying parties and +OpenID providers. + + 1. The relying party creates a request object and adds it to the + C{L{AuthRequest<openid.consumer.consumer.AuthRequest>}} object + before making the C{checkid_} request to the OpenID provider:: + + auth_request.addExtension(SRegRequest(required=['email'])) + + 2. The OpenID provider extracts the simple registration request from + the OpenID request using C{L{SRegRequest.fromOpenIDRequest}}, + gets the user's approval and data, creates a C{L{SRegResponse}} + object and adds it to the C{id_res} response:: + + sreg_req = SRegRequest.fromOpenIDRequest(checkid_request) + # [ get the user's approval and data, informing the user that + # the fields in sreg_response were requested ] + sreg_resp = SRegResponse.extractResponse(sreg_req, user_data) + sreg_resp.toMessage(openid_response.fields) + + 3. The relying party uses C{L{SRegResponse.fromSuccessResponse}} to + extract the data from the OpenID response:: + + sreg_resp = SRegResponse.fromSuccessResponse(success_response) + +@since: 2.0 + +@var sreg_data_fields: The names of the data fields that are listed in + the sreg spec, and a description of them in English + +@var sreg_uri: The preferred URI to use for the simple registration + namespace and XRD Type value +""" + +from openid.message import registerNamespaceAlias, \ + NamespaceAliasRegistrationError +from openid.extension import Extension +from openid import oidutil + +try: + basestring #pylint:disable-msg=W0104 +except NameError: + # For Python 2.2 + basestring = (str, unicode) #pylint:disable-msg=W0622 + +__all__ = [ + 'SRegRequest', + 'SRegResponse', + 'data_fields', + 'ns_uri', + 'ns_uri_1_0', + 'ns_uri_1_1', + 'supportsSReg', + ] + +# The data fields that are listed in the sreg spec +data_fields = { + 'fullname':'Full Name', + 'nickname':'Nickname', + 'dob':'Date of Birth', + 'email':'E-mail Address', + 'gender':'Gender', + 'postcode':'Postal Code', + 'country':'Country', + 'language':'Language', + 'timezone':'Time Zone', + } + +def checkFieldName(field_name): + """Check to see that the given value is a valid simple + registration data field name. + + @raise ValueError: if the field name is not a valid simple + registration data field name + """ + if field_name not in data_fields: + raise ValueError('%r is not a defined simple registration field' % + (field_name,)) + +# URI used in the wild for Yadis documents advertising simple +# registration support +ns_uri_1_0 = 'http://openid.net/sreg/1.0' + +# URI in the draft specification for simple registration 1.1 +# <http://openid.net/specs/openid-simple-registration-extension-1_1-01.html> +ns_uri_1_1 = 'http://openid.net/extensions/sreg/1.1' + +# This attribute will always hold the preferred URI to use when adding +# sreg support to an XRDS file or in an OpenID namespace declaration. +ns_uri = ns_uri_1_1 + +try: + registerNamespaceAlias(ns_uri_1_1, 'sreg') +except NamespaceAliasRegistrationError, e: + oidutil.log('registerNamespaceAlias(%r, %r) failed: %s' % (ns_uri_1_1, + 'sreg', str(e),)) + +def supportsSReg(endpoint): + """Does the given endpoint advertise support for simple + registration? + + @param endpoint: The endpoint object as returned by OpenID discovery + @type endpoint: openid.consumer.discover.OpenIDEndpoint + + @returns: Whether an sreg type was advertised by the endpoint + @rtype: bool + """ + return (endpoint.usesExtension(ns_uri_1_1) or + endpoint.usesExtension(ns_uri_1_0)) + +class SRegNamespaceError(ValueError): + """The simple registration namespace was not found and could not + be created using the expected name (there's another extension + using the name 'sreg') + + This is not I{illegal}, for OpenID 2, although it probably + indicates a problem, since it's not expected that other extensions + will re-use the alias that is in use for OpenID 1. + + If this is an OpenID 1 request, then there is no recourse. This + should not happen unless some code has modified the namespaces for + the message that is being processed. + """ + +def getSRegNS(message): + """Extract the simple registration namespace URI from the given + OpenID message. Handles OpenID 1 and 2, as well as both sreg + namespace URIs found in the wild, as well as missing namespace + definitions (for OpenID 1) + + @param message: The OpenID message from which to parse simple + registration fields. This may be a request or response message. + @type message: C{L{openid.message.Message}} + + @returns: the sreg namespace URI for the supplied message. The + message may be modified to define a simple registration + namespace. + @rtype: C{str} + + @raise ValueError: when using OpenID 1 if the message defines + the 'sreg' alias to be something other than a simple + registration type. + """ + # See if there exists an alias for one of the two defined simple + # registration types. + for sreg_ns_uri in [ns_uri_1_1, ns_uri_1_0]: + alias = message.namespaces.getAlias(sreg_ns_uri) + if alias is not None: + break + else: + # There is no alias for either of the types, so try to add + # one. We default to using the modern value (1.1) + sreg_ns_uri = ns_uri_1_1 + try: + message.namespaces.addAlias(ns_uri_1_1, 'sreg') + except KeyError, why: + # An alias for the string 'sreg' already exists, but it's + # defined for something other than simple registration + raise SRegNamespaceError(why[0]) + + # we know that sreg_ns_uri defined, because it's defined in the + # else clause of the loop as well, so disable the warning + return sreg_ns_uri #pylint:disable-msg=W0631 + +class SRegRequest(Extension): + """An object to hold the state of a simple registration request. + + @ivar required: A list of the required fields in this simple + registration request + @type required: [str] + + @ivar optional: A list of the optional fields in this simple + registration request + @type optional: [str] + + @ivar policy_url: The policy URL that was provided with the request + @type policy_url: str or NoneType + + @group Consumer: requestField, requestFields, getExtensionArgs, addToOpenIDRequest + @group Server: fromOpenIDRequest, parseExtensionArgs + """ + + ns_alias = 'sreg' + + def __init__(self, required=None, optional=None, policy_url=None, + sreg_ns_uri=ns_uri): + """Initialize an empty simple registration request""" + Extension.__init__(self) + self.required = [] + self.optional = [] + self.policy_url = policy_url + self.ns_uri = sreg_ns_uri + + if required: + self.requestFields(required, required=True, strict=True) + + if optional: + self.requestFields(optional, required=False, strict=True) + + # Assign getSRegNS to a static method so that it can be + # overridden for testing. + _getSRegNS = staticmethod(getSRegNS) + + def fromOpenIDRequest(cls, request): + """Create a simple registration request that contains the + fields that were requested in the OpenID request with the + given arguments + + @param request: The OpenID request + @type request: openid.server.CheckIDRequest + + @returns: The newly created simple registration request + @rtype: C{L{SRegRequest}} + """ + self = cls() + + # Since we're going to mess with namespace URI mapping, don't + # mutate the object that was passed in. + message = request.message.copy() + + self.ns_uri = self._getSRegNS(message) + args = message.getArgs(self.ns_uri) + self.parseExtensionArgs(args) + + return self + + fromOpenIDRequest = classmethod(fromOpenIDRequest) + + def parseExtensionArgs(self, args, strict=False): + """Parse the unqualified simple registration request + parameters and add them to this object. + + This method is essentially the inverse of + C{L{getExtensionArgs}}. This method restores the serialized simple + registration request fields. + + If you are extracting arguments from a standard OpenID + checkid_* request, you probably want to use C{L{fromOpenIDRequest}}, + which will extract the sreg namespace and arguments from the + OpenID request. This method is intended for cases where the + OpenID server needs more control over how the arguments are + parsed than that method provides. + + >>> args = message.getArgs(ns_uri) + >>> request.parseExtensionArgs(args) + + @param args: The unqualified simple registration arguments + @type args: {str:str} + + @param strict: Whether requests with fields that are not + defined in the simple registration specification should be + tolerated (and ignored) + @type strict: bool + + @returns: None; updates this object + """ + for list_name in ['required', 'optional']: + required = (list_name == 'required') + items = args.get(list_name) + if items: + for field_name in items.split(','): + try: + self.requestField(field_name, required, strict) + except ValueError: + if strict: + raise + + self.policy_url = args.get('policy_url') + + def allRequestedFields(self): + """A list of all of the simple registration fields that were + requested, whether they were required or optional. + + @rtype: [str] + """ + return self.required + self.optional + + def wereFieldsRequested(self): + """Have any simple registration fields been requested? + + @rtype: bool + """ + return bool(self.allRequestedFields()) + + def __contains__(self, field_name): + """Was this field in the request?""" + return (field_name in self.required or + field_name in self.optional) + + def requestField(self, field_name, required=False, strict=False): + """Request the specified field from the OpenID user + + @param field_name: the unqualified simple registration field name + @type field_name: str + + @param required: whether the given field should be presented + to the user as being a required to successfully complete + the request + + @param strict: whether to raise an exception when a field is + added to a request more than once + + @raise ValueError: when the field requested is not a simple + registration field or strict is set and the field was + requested more than once + """ + checkFieldName(field_name) + + if strict: + if field_name in self.required or field_name in self.optional: + raise ValueError('That field has already been requested') + else: + if field_name in self.required: + return + + if field_name in self.optional: + if required: + self.optional.remove(field_name) + else: + return + + if required: + self.required.append(field_name) + else: + self.optional.append(field_name) + + def requestFields(self, field_names, required=False, strict=False): + """Add the given list of fields to the request + + @param field_names: The simple registration data fields to request + @type field_names: [str] + + @param required: Whether these values should be presented to + the user as required + + @param strict: whether to raise an exception when a field is + added to a request more than once + + @raise ValueError: when a field requested is not a simple + registration field or strict is set and a field was + requested more than once + """ + if isinstance(field_names, basestring): + raise TypeError('Fields should be passed as a list of ' + 'strings (not %r)' % (type(field_names),)) + + for field_name in field_names: + self.requestField(field_name, required, strict=strict) + + def getExtensionArgs(self): + """Get a dictionary of unqualified simple registration + arguments representing this request. + + This method is essentially the inverse of + C{L{parseExtensionArgs}}. This method serializes the simple + registration request fields. + + @rtype: {str:str} + """ + args = {} + + if self.required: + args['required'] = ','.join(self.required) + + if self.optional: + args['optional'] = ','.join(self.optional) + + if self.policy_url: + args['policy_url'] = self.policy_url + + return args + +class SRegResponse(Extension): + """Represents the data returned in a simple registration response + inside of an OpenID C{id_res} response. This object will be + created by the OpenID server, added to the C{id_res} response + object, and then extracted from the C{id_res} message by the + Consumer. + + @ivar data: The simple registration data, keyed by the unqualified + simple registration name of the field (i.e. nickname is keyed + by C{'nickname'}) + + @ivar ns_uri: The URI under which the simple registration data was + stored in the response message. + + @group Server: extractResponse + @group Consumer: fromSuccessResponse + @group Read-only dictionary interface: keys, iterkeys, items, iteritems, + __iter__, get, __getitem__, keys, has_key + """ + + ns_alias = 'sreg' + + def __init__(self, data=None, sreg_ns_uri=ns_uri): + Extension.__init__(self) + if data is None: + self.data = {} + else: + self.data = data + + self.ns_uri = sreg_ns_uri + + def extractResponse(cls, request, data): + """Take a C{L{SRegRequest}} and a dictionary of simple + registration values and create a C{L{SRegResponse}} + object containing that data. + + @param request: The simple registration request object + @type request: SRegRequest + + @param data: The simple registration data for this + response, as a dictionary from unqualified simple + registration field name to string (unicode) value. For + instance, the nickname should be stored under the key + 'nickname'. + @type data: {str:str} + + @returns: a simple registration response object + @rtype: SRegResponse + """ + self = cls() + self.ns_uri = request.ns_uri + for field in request.allRequestedFields(): + value = data.get(field) + if value is not None: + self.data[field] = value + return self + + extractResponse = classmethod(extractResponse) + + # Assign getSRegArgs to a static method so that it can be + # overridden for testing + _getSRegNS = staticmethod(getSRegNS) + + def fromSuccessResponse(cls, success_response, signed_only=True): + """Create a C{L{SRegResponse}} object from a successful OpenID + library response + (C{L{openid.consumer.consumer.SuccessResponse}}) response + message + + @param success_response: A SuccessResponse from consumer.complete() + @type success_response: C{L{openid.consumer.consumer.SuccessResponse}} + + @param signed_only: Whether to process only data that was + signed in the id_res message from the server. + @type signed_only: bool + + @rtype: SRegResponse + @returns: A simple registration response containing the data + that was supplied with the C{id_res} response. + """ + self = cls() + self.ns_uri = self._getSRegNS(success_response.message) + if signed_only: + args = success_response.getSignedNS(self.ns_uri) + else: + args = success_response.message.getArgs(self.ns_uri) + + if not args: + return None + + for field_name in data_fields: + if field_name in args: + self.data[field_name] = args[field_name] + + return self + + fromSuccessResponse = classmethod(fromSuccessResponse) + + def getExtensionArgs(self): + """Get the fields to put in the simple registration namespace + when adding them to an id_res message. + + @see: openid.extension + """ + return self.data + + # Read-only dictionary interface + def get(self, field_name, default=None): + """Like dict.get, except that it checks that the field name is + defined by the simple registration specification""" + checkFieldName(field_name) + return self.data.get(field_name, default) + + def items(self): + """All of the data values in this simple registration response + """ + return self.data.items() + + def iteritems(self): + return self.data.iteritems() + + def keys(self): + return self.data.keys() + + def iterkeys(self): + return self.data.iterkeys() + + def has_key(self, key): + return key in self + + def __contains__(self, field_name): + checkFieldName(field_name) + return field_name in self.data + + def __iter__(self): + return iter(self.data) + + def __getitem__(self, field_name): + checkFieldName(field_name) + return self.data[field_name] + + def __nonzero__(self): + return bool(self.data) diff --git a/askbot/deps/openid/fetchers.py b/askbot/deps/openid/fetchers.py new file mode 100644 index 00000000..944e2157 --- /dev/null +++ b/askbot/deps/openid/fetchers.py @@ -0,0 +1,427 @@ +# -*- test-case-name: openid.test.test_fetchers -*- +""" +This module contains the HTTP fetcher interface and several implementations. +""" + +__all__ = ['fetch', 'getDefaultFetcher', 'setDefaultFetcher', 'HTTPResponse', + 'HTTPFetcher', 'createHTTPFetcher', 'HTTPFetchingError', + 'HTTPError'] + +import urllib2 +import time +import cStringIO +import sys + +import openid +import openid.urinorm + +# Try to import httplib2 for caching support +# http://bitworking.org/projects/httplib2/ +try: + import httplib2 +except ImportError: + # httplib2 not available + httplib2 = None + +# try to import pycurl, which will let us use CurlHTTPFetcher +try: + import pycurl +except ImportError: + pycurl = None + +USER_AGENT = "python-openid/%s (%s)" % (openid.__version__, sys.platform) +MAX_RESPONSE_KB = 1024 + +def fetch(url, body=None, headers=None): + """Invoke the fetch method on the default fetcher. Most users + should need only this method. + + @raises Exception: any exceptions that may be raised by the default fetcher + """ + fetcher = getDefaultFetcher() + return fetcher.fetch(url, body, headers) + +def createHTTPFetcher(): + """Create a default HTTP fetcher instance + + prefers Curl to urllib2.""" + if pycurl is None: + fetcher = Urllib2Fetcher() + else: + fetcher = CurlHTTPFetcher() + + return fetcher + +# Contains the currently set HTTP fetcher. If it is set to None, the +# library will call createHTTPFetcher() to set it. Do not access this +# variable outside of this module. +_default_fetcher = None + +def getDefaultFetcher(): + """Return the default fetcher instance + if no fetcher has been set, it will create a default fetcher. + + @return: the default fetcher + @rtype: HTTPFetcher + """ + global _default_fetcher + + if _default_fetcher is None: + setDefaultFetcher(createHTTPFetcher()) + + return _default_fetcher + +def setDefaultFetcher(fetcher, wrap_exceptions=True): + """Set the default fetcher + + @param fetcher: The fetcher to use as the default HTTP fetcher + @type fetcher: HTTPFetcher + + @param wrap_exceptions: Whether to wrap exceptions thrown by the + fetcher wil HTTPFetchingError so that they may be caught + easier. By default, exceptions will be wrapped. In general, + unwrapped fetchers are useful for debugging of fetching errors + or if your fetcher raises well-known exceptions that you would + like to catch. + @type wrap_exceptions: bool + """ + global _default_fetcher + if fetcher is None or not wrap_exceptions: + _default_fetcher = fetcher + else: + _default_fetcher = ExceptionWrappingFetcher(fetcher) + +def usingCurl(): + """Whether the currently set HTTP fetcher is a Curl HTTP fetcher.""" + return isinstance(getDefaultFetcher(), CurlHTTPFetcher) + +class HTTPResponse(object): + """XXX document attributes""" + headers = None + status = None + body = None + final_url = None + + def __init__(self, final_url=None, status=None, headers=None, body=None): + self.final_url = final_url + self.status = status + self.headers = headers + self.body = body + + def __repr__(self): + return "<%s status %s for %s>" % (self.__class__.__name__, + self.status, + self.final_url) + +class HTTPFetcher(object): + """ + This class is the interface for openid HTTP fetchers. This + interface is only important if you need to write a new fetcher for + some reason. + """ + + def fetch(self, url, body=None, headers=None): + """ + This performs an HTTP POST or GET, following redirects along + the way. If a body is specified, then the request will be a + POST. Otherwise, it will be a GET. + + + @param headers: HTTP headers to include with the request + @type headers: {str:str} + + @return: An object representing the server's HTTP response. If + there are network or protocol errors, an exception will be + raised. HTTP error responses, like 404 or 500, do not + cause exceptions. + + @rtype: L{HTTPResponse} + + @raise Exception: Different implementations will raise + different errors based on the underlying HTTP library. + """ + raise NotImplementedError + +def _allowedURL(url): + return url.startswith('http://') or url.startswith('https://') + +class HTTPFetchingError(Exception): + """Exception that is wrapped around all exceptions that are raised + by the underlying fetcher when using the ExceptionWrappingFetcher + + @ivar why: The exception that caused this exception + """ + def __init__(self, why=None): + Exception.__init__(self, why) + self.why = why + +class ExceptionWrappingFetcher(HTTPFetcher): + """Fetcher that wraps another fetcher, causing all exceptions + + @cvar uncaught_exceptions: Exceptions that should be exposed to the + user if they are raised by the fetch call + """ + + uncaught_exceptions = (SystemExit, KeyboardInterrupt, MemoryError) + + def __init__(self, fetcher): + self.fetcher = fetcher + + def fetch(self, *args, **kwargs): + try: + return self.fetcher.fetch(*args, **kwargs) + except self.uncaught_exceptions: + raise + except: + exc_cls, exc_inst = sys.exc_info()[:2] + if exc_inst is None: + # string exceptions + exc_inst = exc_cls + + raise HTTPFetchingError(why=exc_inst) + +class Urllib2Fetcher(HTTPFetcher): + """An C{L{HTTPFetcher}} that uses urllib2. + """ + + # Parameterized for the benefit of testing frameworks, see + # http://trac.openidenabled.com/trac/ticket/85 + urlopen = staticmethod(urllib2.urlopen) + + def fetch(self, url, body=None, headers=None): + if not _allowedURL(url): + raise ValueError('Bad URL scheme: %r' % (url,)) + + if headers is None: + headers = {} + + headers.setdefault( + 'User-Agent', + "%s Python-urllib/%s" % (USER_AGENT, urllib2.__version__,)) + + req = urllib2.Request(url, data=body, headers=headers) + try: + f = self.urlopen(req) + try: + return self._makeResponse(f) + finally: + f.close() + except urllib2.HTTPError, why: + try: + return self._makeResponse(why) + finally: + why.close() + + def _makeResponse(self, urllib2_response): + resp = HTTPResponse() + resp.body = urllib2_response.read(MAX_RESPONSE_KB * 1024) + resp.final_url = urllib2_response.geturl() + resp.headers = dict(urllib2_response.info().items()) + + if hasattr(urllib2_response, 'code'): + resp.status = urllib2_response.code + else: + resp.status = 200 + + return resp + +class HTTPError(HTTPFetchingError): + """ + This exception is raised by the C{L{CurlHTTPFetcher}} when it + encounters an exceptional situation fetching a URL. + """ + pass + +# XXX: define what we mean by paranoid, and make sure it is. +class CurlHTTPFetcher(HTTPFetcher): + """ + An C{L{HTTPFetcher}} that uses pycurl for fetching. + See U{http://pycurl.sourceforge.net/}. + """ + ALLOWED_TIME = 20 # seconds + + def __init__(self): + HTTPFetcher.__init__(self) + if pycurl is None: + raise RuntimeError('Cannot find pycurl library') + + def _parseHeaders(self, header_file): + header_file.seek(0) + + # Remove the status line from the beginning of the input + unused_http_status_line = header_file.readline().lower () + if unused_http_status_line.startswith('http/1.1 100 '): + unused_http_status_line = header_file.readline() + unused_http_status_line = header_file.readline() + + lines = [line.strip() for line in header_file] + + # and the blank line from the end + empty_line = lines.pop() + if empty_line: + raise HTTPError("No blank line at end of headers: %r" % (line,)) + + headers = {} + for line in lines: + try: + name, value = line.split(':', 1) + except ValueError: + raise HTTPError( + "Malformed HTTP header line in response: %r" % (line,)) + + value = value.strip() + + # HTTP headers are case-insensitive + name = name.lower() + headers[name] = value + + return headers + + def _checkURL(self, url): + # XXX: document that this can be overridden to match desired policy + # XXX: make sure url is well-formed and routeable + return _allowedURL(url) + + def fetch(self, url, body=None, headers=None): + stop = int(time.time()) + self.ALLOWED_TIME + off = self.ALLOWED_TIME + + if headers is None: + headers = {} + + headers.setdefault('User-Agent', + "%s %s" % (USER_AGENT, pycurl.version,)) + + header_list = [] + if headers is not None: + for header_name, header_value in headers.iteritems(): + header_list.append('%s: %s' % (header_name, header_value)) + + c = pycurl.Curl() + try: + c.setopt(pycurl.NOSIGNAL, 1) + + if header_list: + c.setopt(pycurl.HTTPHEADER, header_list) + + # Presence of a body indicates that we should do a POST + if body is not None: + c.setopt(pycurl.POST, 1) + c.setopt(pycurl.POSTFIELDS, body) + + while off > 0: + if not self._checkURL(url): + raise HTTPError("Fetching URL not allowed: %r" % (url,)) + + data = cStringIO.StringIO() + def write_data(chunk): + if data.tell() > 1024*MAX_RESPONSE_KB: + return 0 + else: + return data.write(chunk) + + response_header_data = cStringIO.StringIO() + c.setopt(pycurl.WRITEFUNCTION, write_data) + c.setopt(pycurl.HEADERFUNCTION, response_header_data.write) + c.setopt(pycurl.TIMEOUT, off) + c.setopt(pycurl.URL, openid.urinorm.urinorm(url)) + + c.perform() + + response_headers = self._parseHeaders(response_header_data) + code = c.getinfo(pycurl.RESPONSE_CODE) + if code in [301, 302, 303, 307]: + url = response_headers.get('location') + if url is None: + raise HTTPError( + 'Redirect (%s) returned without a location' % code) + + # Redirects are always GETs + c.setopt(pycurl.POST, 0) + + # There is no way to reset POSTFIELDS to empty and + # reuse the connection, but we only use it once. + else: + resp = HTTPResponse() + resp.headers = response_headers + resp.status = code + resp.final_url = url + resp.body = data.getvalue() + return resp + + off = stop - int(time.time()) + + raise HTTPError("Timed out fetching: %r" % (url,)) + finally: + c.close() + +class HTTPLib2Fetcher(HTTPFetcher): + """A fetcher that uses C{httplib2} for performing HTTP + requests. This implementation supports HTTP caching. + + @see: http://bitworking.org/projects/httplib2/ + """ + + def __init__(self, cache=None): + """@param cache: An object suitable for use as an C{httplib2} + cache. If a string is passed, it is assumed to be a + directory name. + """ + if httplib2 is None: + raise RuntimeError('Cannot find httplib2 library. ' + 'See http://bitworking.org/projects/httplib2/') + + super(HTTPLib2Fetcher, self).__init__() + + # An instance of the httplib2 object that performs HTTP requests + self.httplib2 = httplib2.Http(cache) + + # We want httplib2 to raise exceptions for errors, just like + # the other fetchers. + self.httplib2.force_exception_to_status_code = False + + def fetch(self, url, body=None, headers=None): + """Perform an HTTP request + + @raises Exception: Any exception that can be raised by httplib2 + + @see: C{L{HTTPFetcher.fetch}} + """ + if body: + method = 'POST' + else: + method = 'GET' + + if headers is None: + headers = {} + + # httplib2 doesn't check to make sure that the URL's scheme is + # 'http' so we do it here. + if not (url.startswith('http://') or url.startswith('https://')): + raise ValueError('URL is not a HTTP URL: %r' % (url,)) + + httplib2_response, content = self.httplib2.request( + url, method, body=body, headers=headers) + + # Translate the httplib2 response to our HTTP response abstraction + + # When a 400 is returned, there is no "content-location" + # header set. This seems like a bug to me. I can't think of a + # case where we really care about the final URL when it is an + # error response, but being careful about it can't hurt. + try: + final_url = httplib2_response['content-location'] + except KeyError: + # We're assuming that no redirects occurred + assert not httplib2_response.previous + + # And this should never happen for a successful response + assert httplib2_response.status != 200 + final_url = url + + return HTTPResponse( + body=content, + final_url=final_url, + headers=dict(httplib2_response.items()), + status=httplib2_response.status, + ) diff --git a/askbot/deps/openid/kvform.py b/askbot/deps/openid/kvform.py new file mode 100644 index 00000000..d875f56c --- /dev/null +++ b/askbot/deps/openid/kvform.py @@ -0,0 +1,123 @@ +__all__ = ['seqToKV', 'kvToSeq', 'dictToKV', 'kvToDict'] + +from openid import oidutil + +import types + +class KVFormError(ValueError): + pass + +def seqToKV(seq, strict=False): + """Represent a sequence of pairs of strings as newline-terminated + key:value pairs. The pairs are generated in the order given. + + @param seq: The pairs + @type seq: [(str, (unicode|str))] + + @return: A string representation of the sequence + @rtype: str + """ + def err(msg): + formatted = 'seqToKV warning: %s: %r' % (msg, seq) + if strict: + raise KVFormError(formatted) + else: + oidutil.log(formatted) + + lines = [] + for k, v in seq: + if isinstance(k, types.StringType): + k = k.decode('UTF8') + elif not isinstance(k, types.UnicodeType): + err('Converting key to string: %r' % k) + k = str(k) + + if '\n' in k: + raise KVFormError( + 'Invalid input for seqToKV: key contains newline: %r' % (k,)) + + if ':' in k: + raise KVFormError( + 'Invalid input for seqToKV: key contains colon: %r' % (k,)) + + if k.strip() != k: + err('Key has whitespace at beginning or end: %r' % (k,)) + + if isinstance(v, types.StringType): + v = v.decode('UTF8') + elif not isinstance(v, types.UnicodeType): + err('Converting value to string: %r' % (v,)) + v = str(v) + + if '\n' in v: + raise KVFormError( + 'Invalid input for seqToKV: value contains newline: %r' % (v,)) + + if v.strip() != v: + err('Value has whitespace at beginning or end: %r' % (v,)) + + lines.append(k + ':' + v + '\n') + + return ''.join(lines).encode('UTF8') + +def kvToSeq(data, strict=False): + """ + + After one parse, seqToKV and kvToSeq are inverses, with no warnings:: + + seq = kvToSeq(s) + seqToKV(kvToSeq(seq)) == seq + """ + def err(msg): + formatted = 'kvToSeq warning: %s: %r' % (msg, data) + if strict: + raise KVFormError(formatted) + else: + oidutil.log(formatted) + + lines = data.split('\n') + if lines[-1]: + err('Does not end in a newline') + else: + del lines[-1] + + pairs = [] + line_num = 0 + for line in lines: + line_num += 1 + + # Ignore blank lines + if not line.strip(): + continue + + pair = line.split(':', 1) + if len(pair) == 2: + k, v = pair + k_s = k.strip() + if k_s != k: + fmt = ('In line %d, ignoring leading or trailing ' + 'whitespace in key %r') + err(fmt % (line_num, k)) + + if not k_s: + err('In line %d, got empty key' % (line_num,)) + + v_s = v.strip() + if v_s != v: + fmt = ('In line %d, ignoring leading or trailing ' + 'whitespace in value %r') + err(fmt % (line_num, v)) + + pairs.append((k_s.decode('UTF8'), v_s.decode('UTF8'))) + else: + err('Line %d does not contain a colon' % line_num) + + return pairs + +def dictToKV(d): + seq = d.items() + seq.sort() + return seqToKV(seq) + +def kvToDict(s): + return dict(kvToSeq(s)) diff --git a/askbot/deps/openid/message.py b/askbot/deps/openid/message.py new file mode 100644 index 00000000..472e5175 --- /dev/null +++ b/askbot/deps/openid/message.py @@ -0,0 +1,631 @@ +"""Extension argument processing code +""" +__all__ = ['Message', 'NamespaceMap', 'no_default', 'registerNamespaceAlias', + 'OPENID_NS', 'BARE_NS', 'OPENID1_NS', 'OPENID2_NS', 'SREG_URI', + 'IDENTIFIER_SELECT'] + +import copy +import warnings +import urllib + +from openid import oidutil +from openid import kvform +try: + ElementTree = oidutil.importElementTree() +except ImportError: + # No elementtree found, so give up, but don't fail to import, + # since we have fallbacks. + ElementTree = None + +# This doesn't REALLY belong here, but where is better? +IDENTIFIER_SELECT = 'http://specs.openid.net/auth/2.0/identifier_select' + +# URI for Simple Registration extension, the only commonly deployed +# OpenID 1.x extension, and so a special case +SREG_URI = 'http://openid.net/sreg/1.0' + +# The OpenID 1.X namespace URI +OPENID1_NS = 'http://openid.net/signon/1.0' +THE_OTHER_OPENID1_NS = 'http://openid.net/signon/1.1' + +OPENID1_NAMESPACES = OPENID1_NS, THE_OTHER_OPENID1_NS + +# The OpenID 2.0 namespace URI +OPENID2_NS = 'http://specs.openid.net/auth/2.0' + +# The namespace consisting of pairs with keys that are prefixed with +# "openid." but not in another namespace. +NULL_NAMESPACE = oidutil.Symbol('Null namespace') + +# The null namespace, when it is an allowed OpenID namespace +OPENID_NS = oidutil.Symbol('OpenID namespace') + +# The top-level namespace, excluding all pairs with keys that start +# with "openid." +BARE_NS = oidutil.Symbol('Bare namespace') + +# Limit, in bytes, of identity provider and return_to URLs, including +# response payload. See OpenID 1.1 specification, Appendix D. +OPENID1_URL_LIMIT = 2047 + +# All OpenID protocol fields. Used to check namespace aliases. +OPENID_PROTOCOL_FIELDS = [ + 'ns', 'mode', 'error', 'return_to', 'contact', 'reference', + 'signed', 'assoc_type', 'session_type', 'dh_modulus', 'dh_gen', + 'dh_consumer_public', 'claimed_id', 'identity', 'realm', + 'invalidate_handle', 'op_endpoint', 'response_nonce', 'sig', + 'assoc_handle', 'trust_root', 'openid', + ] + +class UndefinedOpenIDNamespace(ValueError): + """Raised if the generic OpenID namespace is accessed when there + is no OpenID namespace set for this message.""" + +class InvalidOpenIDNamespace(ValueError): + """Raised if openid.ns is not a recognized value. + + For recognized values, see L{Message.allowed_openid_namespaces} + """ + def __str__(self): + s = "Invalid OpenID Namespace" + if self.args: + s += " %r" % (self.args[0],) + return s + + +# Sentinel used for Message implementation to indicate that getArg +# should raise an exception instead of returning a default. +no_default = object() + +# Global namespace / alias registration map. See +# registerNamespaceAlias. +registered_aliases = {} + +class NamespaceAliasRegistrationError(Exception): + """ + Raised when an alias or namespace URI has already been registered. + """ + pass + +def registerNamespaceAlias(namespace_uri, alias): + """ + Registers a (namespace URI, alias) mapping in a global namespace + alias map. Raises NamespaceAliasRegistrationError if either the + namespace URI or alias has already been registered with a + different value. This function is required if you want to use a + namespace with an OpenID 1 message. + """ + global registered_aliases + + if registered_aliases.get(alias) == namespace_uri: + return + + if namespace_uri in registered_aliases.values(): + raise NamespaceAliasRegistrationError, \ + 'Namespace uri %r already registered' % (namespace_uri,) + + if alias in registered_aliases: + raise NamespaceAliasRegistrationError, \ + 'Alias %r already registered' % (alias,) + + registered_aliases[alias] = namespace_uri + +class Message(object): + """ + In the implementation of this object, None represents the global + namespace as well as a namespace with no key. + + @cvar namespaces: A dictionary specifying specific + namespace-URI to alias mappings that should be used when + generating namespace aliases. + + @ivar ns_args: two-level dictionary of the values in this message, + grouped by namespace URI. The first level is the namespace + URI. + """ + + allowed_openid_namespaces = [OPENID1_NS, THE_OTHER_OPENID1_NS, OPENID2_NS] + + def __init__(self, openid_namespace=None): + """Create an empty Message. + + @raises InvalidOpenIDNamespace: if openid_namespace is not in + L{Message.allowed_openid_namespaces} + """ + self.args = {} + self.namespaces = NamespaceMap() + if openid_namespace is None: + self._openid_ns_uri = None + else: + implicit = openid_namespace in OPENID1_NAMESPACES + self.setOpenIDNamespace(openid_namespace, implicit) + + def fromPostArgs(cls, args): + """Construct a Message containing a set of POST arguments. + + """ + self = cls() + + # Partition into "openid." args and bare args + openid_args = {} + for key, value in args.items(): + if isinstance(value, list): + raise TypeError("query dict must have one value for each key, " + "not lists of values. Query is %r" % (args,)) + + + try: + prefix, rest = key.split('.', 1) + except ValueError: + prefix = None + + if prefix != 'openid': + self.args[(BARE_NS, key)] = value + else: + openid_args[rest] = value + + self._fromOpenIDArgs(openid_args) + + return self + + fromPostArgs = classmethod(fromPostArgs) + + def fromOpenIDArgs(cls, openid_args): + """Construct a Message from a parsed KVForm message. + + @raises InvalidOpenIDNamespace: if openid.ns is not in + L{Message.allowed_openid_namespaces} + """ + self = cls() + self._fromOpenIDArgs(openid_args) + return self + + fromOpenIDArgs = classmethod(fromOpenIDArgs) + + def _fromOpenIDArgs(self, openid_args): + ns_args = [] + + # Resolve namespaces + for rest, value in openid_args.iteritems(): + try: + ns_alias, ns_key = rest.split('.', 1) + except ValueError: + ns_alias = NULL_NAMESPACE + ns_key = rest + + if ns_alias == 'ns': + self.namespaces.addAlias(value, ns_key) + elif ns_alias == NULL_NAMESPACE and ns_key == 'ns': + # null namespace + self.setOpenIDNamespace(value, False) + else: + ns_args.append((ns_alias, ns_key, value)) + + # Implicitly set an OpenID namespace definition (OpenID 1) + if not self.getOpenIDNamespace(): + self.setOpenIDNamespace(OPENID1_NS, True) + + # Actually put the pairs into the appropriate namespaces + for (ns_alias, ns_key, value) in ns_args: + ns_uri = self.namespaces.getNamespaceURI(ns_alias) + if ns_uri is None: + # we found a namespaced arg without a namespace URI defined + ns_uri = self._getDefaultNamespace(ns_alias) + if ns_uri is None: + ns_uri = self.getOpenIDNamespace() + ns_key = '%s.%s' % (ns_alias, ns_key) + else: + self.namespaces.addAlias(ns_uri, ns_alias, implicit=True) + + self.setArg(ns_uri, ns_key, value) + + def _getDefaultNamespace(self, mystery_alias): + """OpenID 1 compatibility: look for a default namespace URI to + use for this alias.""" + global registered_aliases + # Only try to map an alias to a default if it's an + # OpenID 1.x message. + if self.isOpenID1(): + return registered_aliases.get(mystery_alias) + else: + return None + + def setOpenIDNamespace(self, openid_ns_uri, implicit): + """Set the OpenID namespace URI used in this message. + + @raises InvalidOpenIDNamespace: if the namespace is not in + L{Message.allowed_openid_namespaces} + """ + if openid_ns_uri not in self.allowed_openid_namespaces: + raise InvalidOpenIDNamespace(openid_ns_uri) + + self.namespaces.addAlias(openid_ns_uri, NULL_NAMESPACE, implicit) + self._openid_ns_uri = openid_ns_uri + + def getOpenIDNamespace(self): + return self._openid_ns_uri + + def isOpenID1(self): + return self.getOpenIDNamespace() in OPENID1_NAMESPACES + + def isOpenID2(self): + return self.getOpenIDNamespace() == OPENID2_NS + + def fromKVForm(cls, kvform_string): + """Create a Message from a KVForm string""" + return cls.fromOpenIDArgs(kvform.kvToDict(kvform_string)) + + fromKVForm = classmethod(fromKVForm) + + def copy(self): + return copy.deepcopy(self) + + def toPostArgs(self): + """Return all arguments with openid. in front of namespaced arguments. + """ + args = {} + + # Add namespace definitions to the output + for ns_uri, alias in self.namespaces.iteritems(): + if self.namespaces.isImplicit(ns_uri): + continue + if alias == NULL_NAMESPACE: + ns_key = 'openid.ns' + else: + ns_key = 'openid.ns.' + alias + args[ns_key] = ns_uri + + for (ns_uri, ns_key), value in self.args.iteritems(): + key = self.getKey(ns_uri, ns_key) + args[key] = value.encode('UTF-8') + + return args + + def toArgs(self): + """Return all namespaced arguments, failing if any + non-namespaced arguments exist.""" + # FIXME - undocumented exception + post_args = self.toPostArgs() + kvargs = {} + for k, v in post_args.iteritems(): + if not k.startswith('openid.'): + raise ValueError( + 'This message can only be encoded as a POST, because it ' + 'contains arguments that are not prefixed with "openid."') + else: + kvargs[k[7:]] = v + + return kvargs + + def toFormMarkup(self, action_url, form_tag_attrs=None, + submit_text="Continue"): + """Generate HTML form markup that contains the values in this + message, to be HTTP POSTed as x-www-form-urlencoded UTF-8. + + @param action_url: The URL to which the form will be POSTed + @type action_url: str + + @param form_tag_attrs: Dictionary of attributes to be added to + the form tag. 'accept-charset' and 'enctype' have defaults + that can be overridden. If a value is supplied for + 'action' or 'method', it will be replaced. + @type form_tag_attrs: {unicode: unicode} + + @param submit_text: The text that will appear on the submit + button for this form. + @type submit_text: unicode + + @returns: A string containing (X)HTML markup for a form that + encodes the values in this Message object. + @rtype: str or unicode + """ + if ElementTree is None: + raise RuntimeError('This function requires ElementTree.') + + assert action_url is not None + + form = ElementTree.Element('form') + + if form_tag_attrs: + for name, attr in form_tag_attrs.iteritems(): + form.attrib[name] = attr + + form.attrib['action'] = action_url + form.attrib['method'] = 'post' + form.attrib['accept-charset'] = 'UTF-8' + form.attrib['enctype'] = 'application/x-www-form-urlencoded' + + for name, value in self.toPostArgs().iteritems(): + attrs = {'type': 'hidden', + 'name': name, + 'value': value} + form.append(ElementTree.Element('input', attrs)) + + submit = ElementTree.Element( + 'input', {'type':'submit', 'value':submit_text}) + form.append(submit) + + return ElementTree.tostring(form) + + def toURL(self, base_url): + """Generate a GET URL with the parameters in this message + attached as query parameters.""" + return oidutil.appendArgs(base_url, self.toPostArgs()) + + def toKVForm(self): + """Generate a KVForm string that contains the parameters in + this message. This will fail if the message contains arguments + outside of the 'openid.' prefix. + """ + return kvform.dictToKV(self.toArgs()) + + def toURLEncoded(self): + """Generate an x-www-urlencoded string""" + args = self.toPostArgs().items() + args.sort() + return urllib.urlencode(args) + + def _fixNS(self, namespace): + """Convert an input value into the internally used values of + this object + + @param namespace: The string or constant to convert + @type namespace: str or unicode or BARE_NS or OPENID_NS + """ + if namespace == OPENID_NS: + if self._openid_ns_uri is None: + raise UndefinedOpenIDNamespace('OpenID namespace not set') + else: + namespace = self._openid_ns_uri + + if namespace != BARE_NS and type(namespace) not in [str, unicode]: + raise TypeError( + "Namespace must be BARE_NS, OPENID_NS or a string. got %r" + % (namespace,)) + + if namespace != BARE_NS and ':' not in namespace: + fmt = 'OpenID 2.0 namespace identifiers SHOULD be URIs. Got %r' + warnings.warn(fmt % (namespace,), DeprecationWarning) + + if namespace == 'sreg': + fmt = 'Using %r instead of "sreg" as namespace' + warnings.warn(fmt % (SREG_URI,), DeprecationWarning,) + return SREG_URI + + return namespace + + def hasKey(self, namespace, ns_key): + namespace = self._fixNS(namespace) + return (namespace, ns_key) in self.args + + def getKey(self, namespace, ns_key): + """Get the key for a particular namespaced argument""" + namespace = self._fixNS(namespace) + if namespace == BARE_NS: + return ns_key + + ns_alias = self.namespaces.getAlias(namespace) + + # No alias is defined, so no key can exist + if ns_alias is None: + return None + + if ns_alias == NULL_NAMESPACE: + tail = ns_key + else: + tail = '%s.%s' % (ns_alias, ns_key) + + return 'openid.' + tail + + def getArg(self, namespace, key, default=None): + """Get a value for a namespaced key. + + @param namespace: The namespace in the message for this key + @type namespace: str + + @param key: The key to get within this namespace + @type key: str + + @param default: The value to use if this key is absent from + this message. Using the special value + openid.message.no_default will result in this method + raising a KeyError instead of returning the default. + + @rtype: str or the type of default + @raises KeyError: if default is no_default + @raises UndefinedOpenIDNamespace: if the message has not yet + had an OpenID namespace set + """ + namespace = self._fixNS(namespace) + args_key = (namespace, key) + try: + return self.args[args_key] + except KeyError: + if default is no_default: + raise KeyError((namespace, key)) + else: + return default + + def getArgs(self, namespace): + """Get the arguments that are defined for this namespace URI + + @returns: mapping from namespaced keys to values + @returntype: dict + """ + namespace = self._fixNS(namespace) + return dict([ + (ns_key, value) + for ((pair_ns, ns_key), value) + in self.args.iteritems() + if pair_ns == namespace + ]) + + def updateArgs(self, namespace, updates): + """Set multiple key/value pairs in one call + + @param updates: The values to set + @type updates: {unicode:unicode} + """ + namespace = self._fixNS(namespace) + for k, v in updates.iteritems(): + self.setArg(namespace, k, v) + + def setArg(self, namespace, key, value): + """Set a single argument in this namespace""" + assert key is not None + assert value is not None + namespace = self._fixNS(namespace) + self.args[(namespace, key)] = value + if not (namespace is BARE_NS): + self.namespaces.add(namespace) + + def delArg(self, namespace, key): + namespace = self._fixNS(namespace) + del self.args[(namespace, key)] + + def __repr__(self): + return "<%s.%s %r>" % (self.__class__.__module__, + self.__class__.__name__, + self.args) + + def __eq__(self, other): + return self.args == other.args + + + def __ne__(self, other): + return not (self == other) + + + def getAliasedArg(self, aliased_key, default=None): + if aliased_key == 'ns': + return self.getOpenIDNamespace() + + if aliased_key.startswith('ns.'): + uri = self.namespaces.getNamespaceURI(aliased_key[3:]) + if uri is None: + if default == no_default: + raise KeyError + else: + return default + else: + return uri + + try: + alias, key = aliased_key.split('.', 1) + except ValueError: + # need more than x values to unpack + ns = None + else: + ns = self.namespaces.getNamespaceURI(alias) + + if ns is None: + key = aliased_key + ns = self.getOpenIDNamespace() + + return self.getArg(ns, key, default) + +class NamespaceMap(object): + """Maintains a bijective map between namespace uris and aliases. + """ + def __init__(self): + self.alias_to_namespace = {} + self.namespace_to_alias = {} + self.implicit_namespaces = [] + + def getAlias(self, namespace_uri): + return self.namespace_to_alias.get(namespace_uri) + + def getNamespaceURI(self, alias): + return self.alias_to_namespace.get(alias) + + def iterNamespaceURIs(self): + """Return an iterator over the namespace URIs""" + return iter(self.namespace_to_alias) + + def iterAliases(self): + """Return an iterator over the aliases""" + return iter(self.alias_to_namespace) + + def iteritems(self): + """Iterate over the mapping + + @returns: iterator of (namespace_uri, alias) + """ + return self.namespace_to_alias.iteritems() + + def addAlias(self, namespace_uri, desired_alias, implicit=False): + """Add an alias from this namespace URI to the desired alias + """ + # Check that desired_alias is not an openid protocol field as + # per the spec. + assert desired_alias not in OPENID_PROTOCOL_FIELDS, \ + "%r is not an allowed namespace alias" % (desired_alias,) + + # Check that desired_alias does not contain a period as per + # the spec. + if type(desired_alias) in [str, unicode]: + assert '.' not in desired_alias, \ + "%r must not contain a dot" % (desired_alias,) + + # Check that there is not a namespace already defined for + # the desired alias + current_namespace_uri = self.alias_to_namespace.get(desired_alias) + if (current_namespace_uri is not None + and current_namespace_uri != namespace_uri): + + fmt = ('Cannot map %r to alias %r. ' + '%r is already mapped to alias %r') + + msg = fmt % ( + namespace_uri, + desired_alias, + current_namespace_uri, + desired_alias) + raise KeyError(msg) + + # Check that there is not already a (different) alias for + # this namespace URI + alias = self.namespace_to_alias.get(namespace_uri) + if alias is not None and alias != desired_alias: + fmt = ('Cannot map %r to alias %r. ' + 'It is already mapped to alias %r') + raise KeyError(fmt % (namespace_uri, desired_alias, alias)) + + assert (desired_alias == NULL_NAMESPACE or + type(desired_alias) in [str, unicode]), repr(desired_alias) + assert namespace_uri not in self.implicit_namespaces + self.alias_to_namespace[desired_alias] = namespace_uri + self.namespace_to_alias[namespace_uri] = desired_alias + if implicit: + self.implicit_namespaces.append(namespace_uri) + return desired_alias + + def add(self, namespace_uri): + """Add this namespace URI to the mapping, without caring what + alias it ends up with""" + # See if this namespace is already mapped to an alias + alias = self.namespace_to_alias.get(namespace_uri) + if alias is not None: + return alias + + # Fall back to generating a numerical alias + i = 0 + while True: + alias = 'ext' + str(i) + try: + self.addAlias(namespace_uri, alias) + except KeyError: + i += 1 + else: + return alias + + assert False, "Not reached" + + def isDefined(self, namespace_uri): + return namespace_uri in self.namespace_to_alias + + def __contains__(self, namespace_uri): + return self.isDefined(namespace_uri) + + def isImplicit(self, namespace_uri): + return namespace_uri in self.implicit_namespaces diff --git a/askbot/deps/openid/oidutil.py b/askbot/deps/openid/oidutil.py new file mode 100644 index 00000000..5246d160 --- /dev/null +++ b/askbot/deps/openid/oidutil.py @@ -0,0 +1,190 @@ +"""This module contains general utility code that is used throughout +the library. + +For users of this library, the C{L{log}} function is probably the most +interesting. +""" + +__all__ = ['log', 'appendArgs', 'toBase64', 'fromBase64', 'autoSubmitHTML'] + +import binascii +import sys +import urlparse + +from urllib import urlencode + +elementtree_modules = [ + 'lxml.etree', + 'xml.etree.cElementTree', + 'xml.etree.ElementTree', + 'cElementTree', + 'elementtree.ElementTree', + ] + +def autoSubmitHTML(form, title='OpenID transaction in progress'): + return """ +<html> +<head> + <title>%s</title> +</head> +<body onload="document.forms[0].submit();"> +%s +<script> +var elements = document.forms[0].elements; +for (var i = 0; i < elements.length; i++) { + elements[i].style.display = "none"; +} +</script> +</body> +</html> +""" % (title, form) + +def importElementTree(module_names=None): + """Find a working ElementTree implementation, trying the standard + places that such a thing might show up. + + >>> ElementTree = importElementTree() + + @param module_names: The names of modules to try to use as + ElementTree. Defaults to C{L{elementtree_modules}} + + @returns: An ElementTree module + """ + if module_names is None: + module_names = elementtree_modules + + for mod_name in module_names: + try: + ElementTree = __import__(mod_name, None, None, ['unused']) + except ImportError: + pass + else: + # Make sure it can actually parse XML + try: + ElementTree.XML('<unused/>') + except (SystemExit, MemoryError, AssertionError): + raise + except: + why = sys.exc_info()[1] + log('Not using ElementTree library %r because it failed to ' + 'parse a trivial document: %s' % (mod_name, why)) + else: + return ElementTree + else: + raise ImportError('No ElementTree library found. ' + 'You may need to install one. ' + 'Tried importing %r' % (module_names,) + ) + +def log(message, level=0): + """Handle a log message from the OpenID library. + + This implementation writes the string it to C{sys.stderr}, + followed by a newline. + + Currently, the library does not use the second parameter to this + function, but that may change in the future. + + To install your own logging hook:: + + from openid import oidutil + + def myLoggingFunction(message, level): + ... + + oidutil.log = myLoggingFunction + + @param message: A string containing a debugging message from the + OpenID library + @type message: str + + @param level: The severity of the log message. This parameter is + currently unused, but in the future, the library may indicate + more important information with a higher level value. + @type level: int or None + + @returns: Nothing. + """ + + sys.stderr.write(message) + sys.stderr.write('\n') + +def appendArgs(url, args): + """Append query arguments to a HTTP(s) URL. If the URL already has + query arguemtns, these arguments will be added, and the existing + arguments will be preserved. Duplicate arguments will not be + detected or collapsed (both will appear in the output). + + @param url: The url to which the arguments will be appended + @type url: str + + @param args: The query arguments to add to the URL. If a + dictionary is passed, the items will be sorted before + appending them to the URL. If a sequence of pairs is passed, + the order of the sequence will be preserved. + @type args: A dictionary from string to string, or a sequence of + pairs of strings. + + @returns: The URL with the parameters added + @rtype: str + """ + if hasattr(args, 'items'): + args = args.items() + args.sort() + else: + args = list(args) + + if len(args) == 0: + return url + + if '?' in url: + sep = '&' + else: + sep = '?' + + # Map unicode to UTF-8 if present. Do not make any assumptions + # about the encodings of plain bytes (str). + i = 0 + for k, v in args: + if type(k) is not str: + k = k.encode('UTF-8') + + if type(v) is not str: + v = v.encode('UTF-8') + + args[i] = (k, v) + i += 1 + + return '%s%s%s' % (url, sep, urlencode(args)) + +def toBase64(s): + """Represent string s as base64, omitting newlines""" + return binascii.b2a_base64(s)[:-1] + +def fromBase64(s): + try: + return binascii.a2b_base64(s) + except binascii.Error, why: + # Convert to a common exception type + raise ValueError(why[0]) + +class Symbol(object): + """This class implements an object that compares equal to others + of the same type that have the same name. These are distict from + str or unicode objects. + """ + + def __init__(self, name): + self.name = name + + def __eq__(self, other): + return type(self) is type(other) and self.name == other.name + + def __ne__(self, other): + return not (self == other) + + def __hash__(self): + return hash((self.__class__, self.name)) + + def __repr__(self): + return '<Symbol %s>' % (self.name,) diff --git a/askbot/deps/openid/server/__init__.py b/askbot/deps/openid/server/__init__.py new file mode 100644 index 00000000..c8fde257 --- /dev/null +++ b/askbot/deps/openid/server/__init__.py @@ -0,0 +1,6 @@ +""" +This package contains the portions of the library used only when +implementing an OpenID server. See L{openid.server.server}. +""" + +__all__ = ['server', 'trustroot'] diff --git a/askbot/deps/openid/server/server.py b/askbot/deps/openid/server/server.py new file mode 100644 index 00000000..f653b047 --- /dev/null +++ b/askbot/deps/openid/server/server.py @@ -0,0 +1,1849 @@ +# -*- test-case-name: openid.test.test_server -*- +"""OpenID server protocol and logic. + +Overview +======== + + An OpenID server must perform three tasks: + + 1. Examine the incoming request to determine its nature and validity. + + 2. Make a decision about how to respond to this request. + + 3. Format the response according to the protocol. + + The first and last of these tasks may performed by + the L{decodeRequest<Server.decodeRequest>} and + L{encodeResponse<Server.encodeResponse>} methods of the + L{Server} object. Who gets to do the intermediate task -- deciding + how to respond to the request -- will depend on what type of request it + is. + + If it's a request to authenticate a user (a X{C{checkid_setup}} or + X{C{checkid_immediate}} request), you need to decide if you will assert + that this user may claim the identity in question. Exactly how you do + that is a matter of application policy, but it generally involves making + sure the user has an account with your system and is logged in, checking + to see if that identity is hers to claim, and verifying with the user that + she does consent to releasing that information to the party making the + request. + + Examine the properties of the L{CheckIDRequest} object, optionally + check L{CheckIDRequest.returnToVerified}, and and when you've come + to a decision, form a response by calling L{CheckIDRequest.answer}. + + Other types of requests relate to establishing associations between client + and server and verifying the authenticity of previous communications. + L{Server} contains all the logic and data necessary to respond to + such requests; just pass the request to L{Server.handleRequest}. + + +OpenID Extensions +================= + + Do you want to provide other information for your users + in addition to authentication? Version 2.0 of the OpenID + protocol allows consumers to add extensions to their requests. + For example, with sites using the U{Simple Registration + Extension<http://openid.net/specs/openid-simple-registration-extension-1_0.html>}, + a user can agree to have their nickname and e-mail address sent to a + site when they sign up. + + Since extensions do not change the way OpenID authentication works, + code to handle extension requests may be completely separate from the + L{OpenIDRequest} class here. But you'll likely want data sent back by + your extension to be signed. L{OpenIDResponse} provides methods with + which you can add data to it which can be signed with the other data in + the OpenID signature. + + For example:: + + # when request is a checkid_* request + response = request.answer(True) + # this will a signed 'openid.sreg.timezone' parameter to the response + # as well as a namespace declaration for the openid.sreg namespace + response.fields.setArg('http://openid.net/sreg/1.0', 'timezone', 'America/Los_Angeles') + + There are helper modules for a number of extensions, including + L{Attribute Exchange<openid.extensions.ax>}, + L{PAPE<openid.extensions.pape>}, and + L{Simple Registration<openid.extensions.sreg>} in the L{openid.extensions} + package. + +Stores +====== + + The OpenID server needs to maintain state between requests in order + to function. Its mechanism for doing this is called a store. The + store interface is defined in C{L{openid.store.interface.OpenIDStore}}. + Additionally, several concrete store implementations are provided, so that + most sites won't need to implement a custom store. For a store backed + by flat files on disk, see C{L{openid.store.filestore.FileOpenIDStore}}. + For stores based on MySQL or SQLite, see the C{L{openid.store.sqlstore}} + module. + + +Upgrading +========= + +From 1.0 to 1.1 +--------------- + + The keys by which a server looks up associations in its store have changed + in version 1.2 of this library. If your store has entries created from + version 1.0 code, you should empty it. + +From 1.1 to 2.0 +--------------- + + One of the additions to the OpenID protocol was a specified nonce + format for one-way nonces. As a result, the nonce table in the store + has changed. You'll need to run contrib/upgrade-store-1.1-to-2.0 to + upgrade your store, or you'll encounter errors about the wrong number + of columns in the oid_nonces table. + + If you've written your own custom store or code that interacts + directly with it, you'll need to review the change notes in + L{openid.store.interface}. + +@group Requests: OpenIDRequest, AssociateRequest, CheckIDRequest, + CheckAuthRequest + +@group Responses: OpenIDResponse + +@group HTTP Codes: HTTP_OK, HTTP_REDIRECT, HTTP_ERROR + +@group Response Encodings: ENCODE_KVFORM, ENCODE_HTML_FORM, ENCODE_URL +""" + +import time, warnings +from copy import deepcopy + +from openid import cryptutil +from openid import oidutil +from openid import kvform +from openid.dh import DiffieHellman +from openid.store.nonce import mkNonce +from openid.server.trustroot import TrustRoot, verifyReturnTo +from openid.association import Association, default_negotiator, getSecretSize +from openid.message import Message, InvalidOpenIDNamespace, \ + OPENID_NS, OPENID2_NS, IDENTIFIER_SELECT, OPENID1_URL_LIMIT +from openid.urinorm import urinorm + +HTTP_OK = 200 +HTTP_REDIRECT = 302 +HTTP_ERROR = 400 + +BROWSER_REQUEST_MODES = ['checkid_setup', 'checkid_immediate'] + +ENCODE_KVFORM = ('kvform',) +ENCODE_URL = ('URL/redirect',) +ENCODE_HTML_FORM = ('HTML form',) + +UNUSED = None + +class OpenIDRequest(object): + """I represent an incoming OpenID request. + + @cvar mode: the C{X{openid.mode}} of this request. + @type mode: str + """ + mode = None + + +class CheckAuthRequest(OpenIDRequest): + """A request to verify the validity of a previous response. + + @cvar mode: "X{C{check_authentication}}" + @type mode: str + + @ivar assoc_handle: The X{association handle} the response was signed with. + @type assoc_handle: str + @ivar signed: The message with the signature which wants checking. + @type signed: L{Message} + + @ivar invalidate_handle: An X{association handle} the client is asking + about the validity of. Optional, may be C{None}. + @type invalidate_handle: str + + @see: U{OpenID Specs, Mode: check_authentication + <http://openid.net/specs.bml#mode-check_authentication>} + """ + mode = "check_authentication" + + required_fields = ["identity", "return_to", "response_nonce"] + + def __init__(self, assoc_handle, signed, invalidate_handle=None): + """Construct me. + + These parameters are assigned directly as class attributes, see + my L{class documentation<CheckAuthRequest>} for their descriptions. + + @type assoc_handle: str + @type signed: L{Message} + @type invalidate_handle: str + """ + self.assoc_handle = assoc_handle + self.signed = signed + self.invalidate_handle = invalidate_handle + self.namespace = OPENID2_NS + + + def fromMessage(klass, message, op_endpoint=UNUSED): + """Construct me from an OpenID Message. + + @param message: An OpenID check_authentication Message + @type message: L{openid.message.Message} + + @returntype: L{CheckAuthRequest} + """ + self = klass.__new__(klass) + self.message = message + self.namespace = message.getOpenIDNamespace() + self.assoc_handle = message.getArg(OPENID_NS, 'assoc_handle') + self.sig = message.getArg(OPENID_NS, 'sig') + + if (self.assoc_handle is None or + self.sig is None): + fmt = "%s request missing required parameter from message %s" + raise ProtocolError( + message, text=fmt % (self.mode, message)) + + self.invalidate_handle = message.getArg(OPENID_NS, 'invalidate_handle') + + self.signed = message.copy() + # openid.mode is currently check_authentication because + # that's the mode of this request. But the signature + # was made on something with a different openid.mode. + # http://article.gmane.org/gmane.comp.web.openid.general/537 + if self.signed.hasKey(OPENID_NS, "mode"): + self.signed.setArg(OPENID_NS, "mode", "id_res") + + return self + + fromMessage = classmethod(fromMessage) + + def answer(self, signatory): + """Respond to this request. + + Given a L{Signatory}, I can check the validity of the signature and + the X{C{invalidate_handle}}. + + @param signatory: The L{Signatory} to use to check the signature. + @type signatory: L{Signatory} + + @returns: A response with an X{C{is_valid}} (and, if + appropriate X{C{invalidate_handle}}) field. + @returntype: L{OpenIDResponse} + """ + is_valid = signatory.verify(self.assoc_handle, self.signed) + # Now invalidate that assoc_handle so it this checkAuth message cannot + # be replayed. + signatory.invalidate(self.assoc_handle, dumb=True) + response = OpenIDResponse(self) + valid_str = (is_valid and "true") or "false" + response.fields.setArg(OPENID_NS, 'is_valid', valid_str) + + if self.invalidate_handle: + assoc = signatory.getAssociation(self.invalidate_handle, dumb=False) + if not assoc: + response.fields.setArg( + OPENID_NS, 'invalidate_handle', self.invalidate_handle) + return response + + + def __str__(self): + if self.invalidate_handle: + ih = " invalidate? %r" % (self.invalidate_handle,) + else: + ih = "" + s = "<%s handle: %r sig: %r: signed: %r%s>" % ( + self.__class__.__name__, self.assoc_handle, + self.sig, self.signed, ih) + return s + + +class PlainTextServerSession(object): + """An object that knows how to handle association requests with no + session type. + + @cvar session_type: The session_type for this association + session. There is no type defined for plain-text in the OpenID + specification, so we use 'no-encryption'. + @type session_type: str + + @see: U{OpenID Specs, Mode: associate + <http://openid.net/specs.bml#mode-associate>} + @see: AssociateRequest + """ + session_type = 'no-encryption' + allowed_assoc_types = ['HMAC-SHA1', 'HMAC-SHA256'] + + def fromMessage(cls, unused_request): + return cls() + + fromMessage = classmethod(fromMessage) + + def answer(self, secret): + return {'mac_key': oidutil.toBase64(secret)} + + +class DiffieHellmanSHA1ServerSession(object): + """An object that knows how to handle association requests with the + Diffie-Hellman session type. + + @cvar session_type: The session_type for this association + session. + @type session_type: str + + @ivar dh: The Diffie-Hellman algorithm values for this request + @type dh: DiffieHellman + + @ivar consumer_pubkey: The public key sent by the consumer in the + associate request + @type consumer_pubkey: long + + @see: U{OpenID Specs, Mode: associate + <http://openid.net/specs.bml#mode-associate>} + @see: AssociateRequest + """ + session_type = 'DH-SHA1' + hash_func = staticmethod(cryptutil.sha1) + allowed_assoc_types = ['HMAC-SHA1'] + + def __init__(self, dh, consumer_pubkey): + self.dh = dh + self.consumer_pubkey = consumer_pubkey + + def fromMessage(cls, message): + """ + @param message: The associate request message + @type message: openid.message.Message + + @returntype: L{DiffieHellmanSHA1ServerSession} + + @raises ProtocolError: When parameters required to establish the + session are missing. + """ + dh_modulus = message.getArg(OPENID_NS, 'dh_modulus') + dh_gen = message.getArg(OPENID_NS, 'dh_gen') + if (dh_modulus is None and dh_gen is not None or + dh_gen is None and dh_modulus is not None): + + if dh_modulus is None: + missing = 'modulus' + else: + missing = 'generator' + + raise ProtocolError(message, + 'If non-default modulus or generator is ' + 'supplied, both must be supplied. Missing %s' + % (missing,)) + + if dh_modulus or dh_gen: + dh_modulus = cryptutil.base64ToLong(dh_modulus) + dh_gen = cryptutil.base64ToLong(dh_gen) + dh = DiffieHellman(dh_modulus, dh_gen) + else: + dh = DiffieHellman.fromDefaults() + + consumer_pubkey = message.getArg(OPENID_NS, 'dh_consumer_public') + if consumer_pubkey is None: + raise ProtocolError(message, "Public key for DH-SHA1 session " + "not found in message %s" % (message,)) + + consumer_pubkey = cryptutil.base64ToLong(consumer_pubkey) + + return cls(dh, consumer_pubkey) + + fromMessage = classmethod(fromMessage) + + def answer(self, secret): + mac_key = self.dh.xorSecret(self.consumer_pubkey, + secret, + self.hash_func) + return { + 'dh_server_public': cryptutil.longToBase64(self.dh.public), + 'enc_mac_key': oidutil.toBase64(mac_key), + } + +class DiffieHellmanSHA256ServerSession(DiffieHellmanSHA1ServerSession): + session_type = 'DH-SHA256' + hash_func = staticmethod(cryptutil.sha256) + allowed_assoc_types = ['HMAC-SHA256'] + +class AssociateRequest(OpenIDRequest): + """A request to establish an X{association}. + + @cvar mode: "X{C{check_authentication}}" + @type mode: str + + @ivar assoc_type: The type of association. The protocol currently only + defines one value for this, "X{C{HMAC-SHA1}}". + @type assoc_type: str + + @ivar session: An object that knows how to handle association + requests of a certain type. + + @see: U{OpenID Specs, Mode: associate + <http://openid.net/specs.bml#mode-associate>} + """ + + mode = "associate" + + session_classes = { + 'no-encryption': PlainTextServerSession, + 'DH-SHA1': DiffieHellmanSHA1ServerSession, + 'DH-SHA256': DiffieHellmanSHA256ServerSession, + } + + def __init__(self, session, assoc_type): + """Construct me. + + The session is assigned directly as a class attribute. See my + L{class documentation<AssociateRequest>} for its description. + """ + super(AssociateRequest, self).__init__() + self.session = session + self.assoc_type = assoc_type + self.namespace = OPENID2_NS + + + def fromMessage(klass, message, op_endpoint=UNUSED): + """Construct me from an OpenID Message. + + @param message: The OpenID associate request + @type message: openid.message.Message + + @returntype: L{AssociateRequest} + """ + if message.isOpenID1(): + session_type = message.getArg(OPENID_NS, 'session_type') + if session_type == 'no-encryption': + oidutil.log('Received OpenID 1 request with a no-encryption ' + 'assocaition session type. Continuing anyway.') + elif not session_type: + session_type = 'no-encryption' + else: + session_type = message.getArg(OPENID2_NS, 'session_type') + if session_type is None: + raise ProtocolError(message, + text="session_type missing from request") + + try: + session_class = klass.session_classes[session_type] + except KeyError: + raise ProtocolError(message, + "Unknown session type %r" % (session_type,)) + + try: + session = session_class.fromMessage(message) + except ValueError, why: + raise ProtocolError(message, 'Error parsing %s session: %s' % + (session_class.session_type, why[0])) + + assoc_type = message.getArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') + if assoc_type not in session.allowed_assoc_types: + fmt = 'Session type %s does not support association type %s' + raise ProtocolError(message, fmt % (session_type, assoc_type)) + + self = klass(session, assoc_type) + self.message = message + self.namespace = message.getOpenIDNamespace() + return self + + fromMessage = classmethod(fromMessage) + + def answer(self, assoc): + """Respond to this request with an X{association}. + + @param assoc: The association to send back. + @type assoc: L{openid.association.Association} + + @returns: A response with the association information, encrypted + to the consumer's X{public key} if appropriate. + @returntype: L{OpenIDResponse} + """ + response = OpenIDResponse(self) + response.fields.updateArgs(OPENID_NS, { + 'expires_in': '%d' % (assoc.getExpiresIn(),), + 'assoc_type': self.assoc_type, + 'assoc_handle': assoc.handle, + }) + response.fields.updateArgs(OPENID_NS, + self.session.answer(assoc.secret)) + + if not (self.session.session_type == 'no-encryption' and + self.message.isOpenID1()): + # The session type "no-encryption" did not have a name + # in OpenID v1, it was just omitted. + response.fields.setArg( + OPENID_NS, 'session_type', self.session.session_type) + + return response + + def answerUnsupported(self, message, preferred_association_type=None, + preferred_session_type=None): + """Respond to this request indicating that the association + type or association session type is not supported.""" + if self.message.isOpenID1(): + raise ProtocolError(self.message) + + response = OpenIDResponse(self) + response.fields.setArg(OPENID_NS, 'error_code', 'unsupported-type') + response.fields.setArg(OPENID_NS, 'error', message) + + if preferred_association_type: + response.fields.setArg( + OPENID_NS, 'assoc_type', preferred_association_type) + + if preferred_session_type: + response.fields.setArg( + OPENID_NS, 'session_type', preferred_session_type) + + return response + +class CheckIDRequest(OpenIDRequest): + """A request to confirm the identity of a user. + + This class handles requests for openid modes X{C{checkid_immediate}} + and X{C{checkid_setup}}. + + @cvar mode: "X{C{checkid_immediate}}" or "X{C{checkid_setup}}" + @type mode: str + + @ivar immediate: Is this an immediate-mode request? + @type immediate: bool + + @ivar identity: The OP-local identifier being checked. + @type identity: str + + @ivar claimed_id: The claimed identifier. Not present in OpenID 1.x + messages. + @type claimed_id: str + + @ivar trust_root: "Are you Frank?" asks the checkid request. "Who wants + to know?" C{trust_root}, that's who. This URL identifies the party + making the request, and the user will use that to make her decision + about what answer she trusts them to have. Referred to as "realm" in + OpenID 2.0. + @type trust_root: str + + @ivar return_to: The URL to send the user agent back to to reply to this + request. + @type return_to: str + + @ivar assoc_handle: Provided in smart mode requests, a handle for a + previously established association. C{None} for dumb mode requests. + @type assoc_handle: str + """ + + def __init__(self, identity, return_to, trust_root=None, immediate=False, + assoc_handle=None, op_endpoint=None, claimed_id=None): + """Construct me. + + These parameters are assigned directly as class attributes, see + my L{class documentation<CheckIDRequest>} for their descriptions. + + @raises MalformedReturnURL: When the C{return_to} URL is not a URL. + """ + self.assoc_handle = assoc_handle + self.identity = identity + self.claimed_id = claimed_id or identity + self.return_to = return_to + self.trust_root = trust_root or return_to + self.op_endpoint = op_endpoint + assert self.op_endpoint is not None + if immediate: + self.immediate = True + self.mode = "checkid_immediate" + else: + self.immediate = False + self.mode = "checkid_setup" + + if self.return_to is not None and \ + not TrustRoot.parse(self.return_to): + raise MalformedReturnURL(None, self.return_to) + if not self.trustRootValid(): + raise UntrustedReturnURL(None, self.return_to, self.trust_root) + self.message = None + + def _getNamespace(self): + warnings.warn('The "namespace" attribute of CheckIDRequest objects ' + 'is deprecated. Use "message.getOpenIDNamespace()" ' + 'instead', DeprecationWarning, stacklevel=2) + return self.message.getOpenIDNamespace() + + namespace = property(_getNamespace) + + def fromMessage(klass, message, op_endpoint): + """Construct me from an OpenID message. + + @raises ProtocolError: When not all required parameters are present + in the message. + + @raises MalformedReturnURL: When the C{return_to} URL is not a URL. + + @raises UntrustedReturnURL: When the C{return_to} URL is outside + the C{trust_root}. + + @param message: An OpenID checkid_* request Message + @type message: openid.message.Message + + @param op_endpoint: The endpoint URL of the server that this + message was sent to. + @type op_endpoint: str + + @returntype: L{CheckIDRequest} + """ + self = klass.__new__(klass) + self.message = message + self.op_endpoint = op_endpoint + mode = message.getArg(OPENID_NS, 'mode') + if mode == "checkid_immediate": + self.immediate = True + self.mode = "checkid_immediate" + else: + self.immediate = False + self.mode = "checkid_setup" + + self.return_to = message.getArg(OPENID_NS, 'return_to') + if message.isOpenID1() and not self.return_to: + fmt = "Missing required field 'return_to' from %r" + raise ProtocolError(message, text=fmt % (message,)) + + self.identity = message.getArg(OPENID_NS, 'identity') + self.claimed_id = message.getArg(OPENID_NS, 'claimed_id') + if message.isOpenID1(): + if self.identity is None: + s = "OpenID 1 message did not contain openid.identity" + raise ProtocolError(message, text=s) + else: + if self.identity and not self.claimed_id: + s = ("OpenID 2.0 message contained openid.identity but not " + "claimed_id") + raise ProtocolError(message, text=s) + elif self.claimed_id and not self.identity: + s = ("OpenID 2.0 message contained openid.claimed_id but not " + "identity") + raise ProtocolError(message, text=s) + + # There's a case for making self.trust_root be a TrustRoot + # here. But if TrustRoot isn't currently part of the "public" API, + # I'm not sure it's worth doing. + + if message.isOpenID1(): + trust_root_param = 'trust_root' + else: + trust_root_param = 'realm' + + # Using 'or' here is slightly different than sending a default + # argument to getArg, as it will treat no value and an empty + # string as equivalent. + self.trust_root = (message.getArg(OPENID_NS, trust_root_param) + or self.return_to) + + if not message.isOpenID1(): + if self.return_to is self.trust_root is None: + raise ProtocolError(message, "openid.realm required when " + + "openid.return_to absent") + + self.assoc_handle = message.getArg(OPENID_NS, 'assoc_handle') + + # Using TrustRoot.parse here is a bit misleading, as we're not + # parsing return_to as a trust root at all. However, valid URLs + # are valid trust roots, so we can use this to get an idea if it + # is a valid URL. Not all trust roots are valid return_to URLs, + # however (particularly ones with wildcards), so this is still a + # little sketchy. + if self.return_to is not None and \ + not TrustRoot.parse(self.return_to): + raise MalformedReturnURL(message, self.return_to) + + # I first thought that checking to see if the return_to is within + # the trust_root is premature here, a logic-not-decoding thing. But + # it was argued that this is really part of data validation. A + # request with an invalid trust_root/return_to is broken regardless of + # application, right? + if not self.trustRootValid(): + raise UntrustedReturnURL(message, self.return_to, self.trust_root) + + return self + + fromMessage = classmethod(fromMessage) + + def idSelect(self): + """Is the identifier to be selected by the IDP? + + @returntype: bool + """ + # So IDPs don't have to import the constant + return self.identity == IDENTIFIER_SELECT + + def trustRootValid(self): + """Is my return_to under my trust_root? + + @returntype: bool + """ + if not self.trust_root: + return True + tr = TrustRoot.parse(self.trust_root) + if tr is None: + raise MalformedTrustRoot(self.message, self.trust_root) + + if self.return_to is not None: + return tr.validateURL(self.return_to) + else: + return True + + def returnToVerified(self): + """Does the relying party publish the return_to URL for this + response under the realm? It is up to the provider to set a + policy for what kinds of realms should be allowed. This + return_to URL verification reduces vulnerability to data-theft + attacks based on open proxies, cross-site-scripting, or open + redirectors. + + This check should only be performed after making sure that the + return_to URL matches the realm. + + @see: L{trustRootValid} + + @raises openid.yadis.discover.DiscoveryFailure: if the realm + URL does not support Yadis discovery (and so does not + support the verification process). + + @raises openid.fetchers.HTTPFetchingError: if the realm URL + is not reachable. When this is the case, the RP may be hosted + on the user's intranet. + + @returntype: bool + + @returns: True if the realm publishes a document with the + return_to URL listed + + @since: 2.1.0 + """ + return verifyReturnTo(self.trust_root, self.return_to) + + def answer(self, allow, server_url=None, identity=None, claimed_id=None): + """Respond to this request. + + @param allow: Allow this user to claim this identity, and allow the + consumer to have this information? + @type allow: bool + + @param server_url: DEPRECATED. Passing C{op_endpoint} to the + L{Server} constructor makes this optional. + + When an OpenID 1.x immediate mode request does not succeed, + it gets back a URL where the request may be carried out + in a not-so-immediate fashion. Pass my URL in here (the + fully qualified address of this server's endpoint, i.e. + C{http://example.com/server}), and I will use it as a base for the + URL for a new request. + + Optional for requests where C{CheckIDRequest.immediate} is C{False} + or C{allow} is C{True}. + + @type server_url: str + + @param identity: The OP-local identifier to answer with. Only for use + when the relying party requested identifier selection. + @type identity: str or None + + @param claimed_id: The claimed identifier to answer with, for use + with identifier selection in the case where the claimed identifier + and the OP-local identifier differ, i.e. when the claimed_id uses + delegation. + + If C{identity} is provided but this is not, C{claimed_id} will + default to the value of C{identity}. When answering requests + that did not ask for identifier selection, the response + C{claimed_id} will default to that of the request. + + This parameter is new in OpenID 2.0. + @type claimed_id: str or None + + @returntype: L{OpenIDResponse} + + @change: Version 2.0 deprecates C{server_url} and adds C{claimed_id}. + + @raises NoReturnError: when I do not have a return_to. + """ + assert self.message is not None + + if not self.return_to: + raise NoReturnToError + + if not server_url: + if not self.message.isOpenID1() and not self.op_endpoint: + # In other words, that warning I raised in Server.__init__? + # You should pay attention to it now. + raise RuntimeError("%s should be constructed with op_endpoint " + "to respond to OpenID 2.0 messages." % + (self,)) + server_url = self.op_endpoint + + if allow: + mode = 'id_res' + elif self.message.isOpenID1(): + if self.immediate: + mode = 'id_res' + else: + mode = 'cancel' + else: + if self.immediate: + mode = 'setup_needed' + else: + mode = 'cancel' + + response = OpenIDResponse(self) + + if claimed_id and self.message.isOpenID1(): + namespace = self.message.getOpenIDNamespace() + raise VersionError("claimed_id is new in OpenID 2.0 and not " + "available for %s" % (namespace,)) + + if allow: + if self.identity == IDENTIFIER_SELECT: + if not identity: + raise ValueError( + "This request uses IdP-driven identifier selection." + "You must supply an identifier in the response.") + response_identity = identity + response_claimed_id = claimed_id or identity + + elif self.identity: + if identity and (self.identity != identity): + normalized_request_identity = urinorm(self.identity) + normalized_answer_identity = urinorm(identity) + + if (normalized_request_identity != + normalized_answer_identity): + raise ValueError( + "Request was for identity %r, cannot reply " + "with identity %r" % (self.identity, identity)) + + # The "identity" value in the response shall always be + # the same as that in the request, otherwise the RP is + # likely to not validate the response. + response_identity = self.identity + response_claimed_id = self.claimed_id + else: + if identity: + raise ValueError( + "This request specified no identity and you " + "supplied %r" % (identity,)) + response_identity = None + + if self.message.isOpenID1() and response_identity is None: + raise ValueError( + "Request was an OpenID 1 request, so response must " + "include an identifier." + ) + + response.fields.updateArgs(OPENID_NS, { + 'mode': mode, + 'return_to': self.return_to, + 'response_nonce': mkNonce(), + }) + + if server_url: + response.fields.setArg(OPENID_NS, 'op_endpoint', server_url) + + if response_identity is not None: + response.fields.setArg( + OPENID_NS, 'identity', response_identity) + if self.message.isOpenID2(): + response.fields.setArg( + OPENID_NS, 'claimed_id', response_claimed_id) + else: + response.fields.setArg(OPENID_NS, 'mode', mode) + if self.immediate: + if self.message.isOpenID1() and not server_url: + raise ValueError("setup_url is required for allow=False " + "in OpenID 1.x immediate mode.") + # Make a new request just like me, but with immediate=False. + setup_request = self.__class__( + self.identity, self.return_to, self.trust_root, + immediate=False, assoc_handle=self.assoc_handle, + op_endpoint=self.op_endpoint, claimed_id=self.claimed_id) + + # XXX: This API is weird. + setup_request.message = self.message + + setup_url = setup_request.encodeToURL(server_url) + response.fields.setArg(OPENID_NS, 'user_setup_url', setup_url) + + return response + + + def encodeToURL(self, server_url): + """Encode this request as a URL to GET. + + @param server_url: The URL of the OpenID server to make this request of. + @type server_url: str + + @returntype: str + + @raises NoReturnError: when I do not have a return_to. + """ + if not self.return_to: + raise NoReturnToError + + # Imported from the alternate reality where these classes are used + # in both the client and server code, so Requests are Encodable too. + # That's right, code imported from alternate realities all for the + # love of you, id_res/user_setup_url. + q = {'mode': self.mode, + 'identity': self.identity, + 'claimed_id': self.claimed_id, + 'return_to': self.return_to} + if self.trust_root: + if self.message.isOpenID1(): + q['trust_root'] = self.trust_root + else: + q['realm'] = self.trust_root + if self.assoc_handle: + q['assoc_handle'] = self.assoc_handle + + response = Message(self.message.getOpenIDNamespace()) + response.updateArgs(OPENID_NS, q) + return response.toURL(server_url) + + + def getCancelURL(self): + """Get the URL to cancel this request. + + Useful for creating a "Cancel" button on a web form so that operation + can be carried out directly without another trip through the server. + + (Except you probably want to make another trip through the server so + that it knows that the user did make a decision. Or you could simulate + this method by doing C{.answer(False).encodeToURL()}) + + @returntype: str + @returns: The return_to URL with openid.mode = cancel. + + @raises NoReturnError: when I do not have a return_to. + """ + if not self.return_to: + raise NoReturnToError + + if self.immediate: + raise ValueError("Cancel is not an appropriate response to " + "immediate mode requests.") + + response = Message(self.message.getOpenIDNamespace()) + response.setArg(OPENID_NS, 'mode', 'cancel') + return response.toURL(self.return_to) + + + def __repr__(self): + return '<%s id:%r im:%s tr:%r ah:%r>' % (self.__class__.__name__, + self.identity, + self.immediate, + self.trust_root, + self.assoc_handle) + + + +class OpenIDResponse(object): + """I am a response to an OpenID request. + + @ivar request: The request I respond to. + @type request: L{OpenIDRequest} + + @ivar fields: My parameters as a dictionary with each key mapping to + one value. Keys are parameter names with no leading "C{openid.}". + e.g. "C{identity}" and "C{mac_key}", never "C{openid.identity}". + @type fields: L{openid.message.Message} + + @ivar signed: The names of the fields which should be signed. + @type signed: list of str + """ + + # Implementer's note: In a more symmetric client/server + # implementation, there would be more types of OpenIDResponse + # object and they would have validated attributes according to the + # type of response. But as it is, Response objects in a server are + # basically write-only, their only job is to go out over the wire, + # so this is just a loose wrapper around OpenIDResponse.fields. + + def __init__(self, request): + """Make a response to an L{OpenIDRequest}. + + @type request: L{OpenIDRequest} + """ + self.request = request + self.fields = Message(request.namespace) + + def __str__(self): + return "%s for %s: %s" % ( + self.__class__.__name__, + self.request.__class__.__name__, + self.fields) + + + def toFormMarkup(self, form_tag_attrs=None): + """Returns the form markup for this response. + + @param form_tag_attrs: Dictionary of attributes to be added to + the form tag. 'accept-charset' and 'enctype' have defaults + that can be overridden. If a value is supplied for + 'action' or 'method', it will be replaced. + + @returntype: str + + @since: 2.1.0 + """ + return self.fields.toFormMarkup(self.request.return_to, + form_tag_attrs=form_tag_attrs) + + def toHTML(self, form_tag_attrs=None): + """Returns an HTML document that auto-submits the form markup + for this response. + + @returntype: str + + @see: toFormMarkup + + @since: 2.1.? + """ + return oidutil.autoSubmitHTML(self.toFormMarkup(form_tag_attrs)) + + def renderAsForm(self): + """Returns True if this response's encoding is + ENCODE_HTML_FORM. Convenience method for server authors. + + @returntype: bool + + @since: 2.1.0 + """ + return self.whichEncoding() == ENCODE_HTML_FORM + + + def needsSigning(self): + """Does this response require signing? + + @returntype: bool + """ + return self.fields.getArg(OPENID_NS, 'mode') == 'id_res' + + + # implements IEncodable + + def whichEncoding(self): + """How should I be encoded? + + @returns: one of ENCODE_URL, ENCODE_HTML_FORM, or ENCODE_KVFORM. + + @change: 2.1.0 added the ENCODE_HTML_FORM response. + """ + if self.request.mode in BROWSER_REQUEST_MODES: + if self.fields.getOpenIDNamespace() == OPENID2_NS and \ + len(self.encodeToURL()) > OPENID1_URL_LIMIT: + return ENCODE_HTML_FORM + else: + return ENCODE_URL + else: + return ENCODE_KVFORM + + + def encodeToURL(self): + """Encode a response as a URL for the user agent to GET. + + You will generally use this URL with a HTTP redirect. + + @returns: A URL to direct the user agent back to. + @returntype: str + """ + return self.fields.toURL(self.request.return_to) + + + def addExtension(self, extension_response): + """ + Add an extension response to this response message. + + @param extension_response: An object that implements the + extension interface for adding arguments to an OpenID + message. + @type extension_response: L{openid.extension} + + @returntype: None + """ + extension_response.toMessage(self.fields) + + + def encodeToKVForm(self): + """Encode a response in key-value colon/newline format. + + This is a machine-readable format used to respond to messages which + came directly from the consumer and not through the user agent. + + @see: OpenID Specs, + U{Key-Value Colon/Newline format<http://openid.net/specs.bml#keyvalue>} + + @returntype: str + """ + return self.fields.toKVForm() + + + +class WebResponse(object): + """I am a response to an OpenID request in terms a web server understands. + + I generally come from an L{Encoder}, either directly or from + L{Server.encodeResponse}. + + @ivar code: The HTTP code of this response. + @type code: int + + @ivar headers: Headers to include in this response. + @type headers: dict + + @ivar body: The body of this response. + @type body: str + """ + + def __init__(self, code=HTTP_OK, headers=None, body=""): + """Construct me. + + These parameters are assigned directly as class attributes, see + my L{class documentation<WebResponse>} for their descriptions. + """ + self.code = code + if headers is not None: + self.headers = headers + else: + self.headers = {} + self.body = body + + + +class Signatory(object): + """I sign things. + + I also check signatures. + + All my state is encapsulated in an + L{OpenIDStore<openid.store.interface.OpenIDStore>}, which means + I'm not generally pickleable but I am easy to reconstruct. + + @cvar SECRET_LIFETIME: The number of seconds a secret remains valid. + @type SECRET_LIFETIME: int + """ + + SECRET_LIFETIME = 14 * 24 * 60 * 60 # 14 days, in seconds + + # keys have a bogus server URL in them because the filestore + # really does expect that key to be a URL. This seems a little + # silly for the server store, since I expect there to be only one + # server URL. + _normal_key = 'http://localhost/|normal' + _dumb_key = 'http://localhost/|dumb' + + + def __init__(self, store): + """Create a new Signatory. + + @param store: The back-end where my associations are stored. + @type store: L{openid.store.interface.OpenIDStore} + """ + assert store is not None + self.store = store + + + def verify(self, assoc_handle, message): + """Verify that the signature for some data is valid. + + @param assoc_handle: The handle of the association used to sign the + data. + @type assoc_handle: str + + @param message: The signed message to verify + @type message: openid.message.Message + + @returns: C{True} if the signature is valid, C{False} if not. + @returntype: bool + """ + assoc = self.getAssociation(assoc_handle, dumb=True) + if not assoc: + oidutil.log("failed to get assoc with handle %r to verify " + "message %r" + % (assoc_handle, message)) + return False + + try: + valid = assoc.checkMessageSignature(message) + except ValueError, ex: + oidutil.log("Error in verifying %s with %s: %s" % (message, + assoc, + ex)) + return False + return valid + + + def sign(self, response): + """Sign a response. + + I take a L{OpenIDResponse}, create a signature for everything + in its L{signed<OpenIDResponse.signed>} list, and return a new + copy of the response object with that signature included. + + @param response: A response to sign. + @type response: L{OpenIDResponse} + + @returns: A signed copy of the response. + @returntype: L{OpenIDResponse} + """ + signed_response = deepcopy(response) + assoc_handle = response.request.assoc_handle + if assoc_handle: + # normal mode + # disabling expiration check because even if the association + # is expired, we still need to know some properties of the + # association so that we may preserve those properties when + # creating the fallback association. + assoc = self.getAssociation(assoc_handle, dumb=False, + checkExpiration=False) + + if not assoc or assoc.expiresIn <= 0: + # fall back to dumb mode + signed_response.fields.setArg( + OPENID_NS, 'invalidate_handle', assoc_handle) + assoc_type = assoc and assoc.assoc_type or 'HMAC-SHA1' + if assoc and assoc.expiresIn <= 0: + # now do the clean-up that the disabled checkExpiration + # code didn't get to do. + self.invalidate(assoc_handle, dumb=False) + assoc = self.createAssociation(dumb=True, assoc_type=assoc_type) + else: + # dumb mode. + assoc = self.createAssociation(dumb=True) + + try: + signed_response.fields = assoc.signMessage(signed_response.fields) + except kvform.KVFormError, err: + raise EncodingError(response, explanation=str(err)) + return signed_response + + + def createAssociation(self, dumb=True, assoc_type='HMAC-SHA1'): + """Make a new association. + + @param dumb: Is this association for a dumb-mode transaction? + @type dumb: bool + + @param assoc_type: The type of association to create. Currently + there is only one type defined, C{HMAC-SHA1}. + @type assoc_type: str + + @returns: the new association. + @returntype: L{openid.association.Association} + """ + secret = cryptutil.getBytes(getSecretSize(assoc_type)) + uniq = oidutil.toBase64(cryptutil.getBytes(4)) + handle = '{%s}{%x}{%s}' % (assoc_type, int(time.time()), uniq) + + assoc = Association.fromExpiresIn( + self.SECRET_LIFETIME, handle, secret, assoc_type) + + if dumb: + key = self._dumb_key + else: + key = self._normal_key + self.store.storeAssociation(key, assoc) + return assoc + + + def getAssociation(self, assoc_handle, dumb, checkExpiration=True): + """Get the association with the specified handle. + + @type assoc_handle: str + + @param dumb: Is this association used with dumb mode? + @type dumb: bool + + @returns: the association, or None if no valid association with that + handle was found. + @returntype: L{openid.association.Association} + """ + # Hmm. We've created an interface that deals almost entirely with + # assoc_handles. The only place outside the Signatory that uses this + # (and thus the only place that ever sees Association objects) is + # when creating a response to an association request, as it must have + # the association's secret. + + if assoc_handle is None: + raise ValueError("assoc_handle must not be None") + + if dumb: + key = self._dumb_key + else: + key = self._normal_key + assoc = self.store.getAssociation(key, assoc_handle) + if assoc is not None and assoc.expiresIn <= 0: + oidutil.log("requested %sdumb key %r is expired (by %s seconds)" % + ((not dumb) and 'not-' or '', + assoc_handle, assoc.expiresIn)) + if checkExpiration: + self.store.removeAssociation(key, assoc_handle) + assoc = None + return assoc + + + def invalidate(self, assoc_handle, dumb): + """Invalidates the association with the given handle. + + @type assoc_handle: str + + @param dumb: Is this association used with dumb mode? + @type dumb: bool + """ + if dumb: + key = self._dumb_key + else: + key = self._normal_key + self.store.removeAssociation(key, assoc_handle) + + + +class Encoder(object): + """I encode responses in to L{WebResponses<WebResponse>}. + + If you don't like L{WebResponses<WebResponse>}, you can do + your own handling of L{OpenIDResponses<OpenIDResponse>} with + L{OpenIDResponse.whichEncoding}, L{OpenIDResponse.encodeToURL}, and + L{OpenIDResponse.encodeToKVForm}. + """ + + responseFactory = WebResponse + + + def encode(self, response): + """Encode a response to a L{WebResponse}. + + @raises EncodingError: When I can't figure out how to encode this + message. + """ + encode_as = response.whichEncoding() + if encode_as == ENCODE_KVFORM: + wr = self.responseFactory(body=response.encodeToKVForm()) + if isinstance(response, Exception): + wr.code = HTTP_ERROR + elif encode_as == ENCODE_URL: + location = response.encodeToURL() + wr = self.responseFactory(code=HTTP_REDIRECT, + headers={'location': location}) + elif encode_as == ENCODE_HTML_FORM: + wr = self.responseFactory(code=HTTP_OK, + body=response.toFormMarkup()) + else: + # Can't encode this to a protocol message. You should probably + # render it to HTML and show it to the user. + raise EncodingError(response) + return wr + + + +class SigningEncoder(Encoder): + """I encode responses in to L{WebResponses<WebResponse>}, signing them when required. + """ + + def __init__(self, signatory): + """Create a L{SigningEncoder}. + + @param signatory: The L{Signatory} I will make signatures with. + @type signatory: L{Signatory} + """ + self.signatory = signatory + + + def encode(self, response): + """Encode a response to a L{WebResponse}, signing it first if appropriate. + + @raises EncodingError: When I can't figure out how to encode this + message. + + @raises AlreadySigned: When this response is already signed. + + @returntype: L{WebResponse} + """ + # the isinstance is a bit of a kludge... it means there isn't really + # an adapter to make the interfaces quite match. + if (not isinstance(response, Exception)) and response.needsSigning(): + if not self.signatory: + raise ValueError( + "Must have a store to sign this request: %s" % + (response,), response) + if response.fields.hasKey(OPENID_NS, 'sig'): + raise AlreadySigned(response) + response = self.signatory.sign(response) + return super(SigningEncoder, self).encode(response) + + + +class Decoder(object): + """I decode an incoming web request in to a L{OpenIDRequest}. + """ + + _handlers = { + 'checkid_setup': CheckIDRequest.fromMessage, + 'checkid_immediate': CheckIDRequest.fromMessage, + 'check_authentication': CheckAuthRequest.fromMessage, + 'associate': AssociateRequest.fromMessage, + } + + def __init__(self, server): + """Construct a Decoder. + + @param server: The server which I am decoding requests for. + (Necessary because some replies reference their server.) + @type server: L{Server} + """ + self.server = server + + def decode(self, query): + """I transform query parameters into an L{OpenIDRequest}. + + If the query does not seem to be an OpenID request at all, I return + C{None}. + + @param query: The query parameters as a dictionary with each + key mapping to one value. + @type query: dict + + @raises ProtocolError: When the query does not seem to be a valid + OpenID request. + + @returntype: L{OpenIDRequest} + """ + if not query: + return None + + try: + message = Message.fromPostArgs(query) + except InvalidOpenIDNamespace, err: + # It's useful to have a Message attached to a ProtocolError, so we + # override the bad ns value to build a Message out of it. Kinda + # kludgy, since it's made of lies, but the parts that aren't lies + # are more useful than a 'None'. + query = query.copy() + query['openid.ns'] = OPENID2_NS + message = Message.fromPostArgs(query) + raise ProtocolError(message, str(err)) + + mode = message.getArg(OPENID_NS, 'mode') + if not mode: + fmt = "No mode value in message %s" + raise ProtocolError(message, text=fmt % (message,)) + + handler = self._handlers.get(mode, self.defaultDecoder) + return handler(message, self.server.op_endpoint) + + + def defaultDecoder(self, message, server): + """Called to decode queries when no handler for that mode is found. + + @raises ProtocolError: This implementation always raises + L{ProtocolError}. + """ + mode = message.getArg(OPENID_NS, 'mode') + fmt = "Unrecognized OpenID mode %r" + raise ProtocolError(message, text=fmt % (mode,)) + + + +class Server(object): + """I handle requests for an OpenID server. + + Some types of requests (those which are not C{checkid} requests) may be + handed to my L{handleRequest} method, and I will take care of it and + return a response. + + For your convenience, I also provide an interface to L{Decoder.decode} + and L{SigningEncoder.encode} through my methods L{decodeRequest} and + L{encodeResponse}. + + All my state is encapsulated in an + L{OpenIDStore<openid.store.interface.OpenIDStore>}, which means + I'm not generally pickleable but I am easy to reconstruct. + + Example:: + + oserver = Server(FileOpenIDStore(data_path), "http://example.com/op") + request = oserver.decodeRequest(query) + if request.mode in ['checkid_immediate', 'checkid_setup']: + if self.isAuthorized(request.identity, request.trust_root): + response = request.answer(True) + elif request.immediate: + response = request.answer(False) + else: + self.showDecidePage(request) + return + else: + response = oserver.handleRequest(request) + + webresponse = oserver.encode(response) + + @ivar signatory: I'm using this for associate requests and to sign things. + @type signatory: L{Signatory} + + @ivar decoder: I'm using this to decode things. + @type decoder: L{Decoder} + + @ivar encoder: I'm using this to encode things. + @type encoder: L{Encoder} + + @ivar op_endpoint: My URL. + @type op_endpoint: str + + @ivar negotiator: I use this to determine which kinds of + associations I can make and how. + @type negotiator: L{openid.association.SessionNegotiator} + """ + + signatoryClass = Signatory + encoderClass = SigningEncoder + decoderClass = Decoder + + def __init__(self, store, op_endpoint=None): + """A new L{Server}. + + @param store: The back-end where my associations are stored. + @type store: L{openid.store.interface.OpenIDStore} + + @param op_endpoint: My URL, the fully qualified address of this + server's endpoint, i.e. C{http://example.com/server} + @type op_endpoint: str + + @change: C{op_endpoint} is new in library version 2.0. It + currently defaults to C{None} for compatibility with + earlier versions of the library, but you must provide it + if you want to respond to any version 2 OpenID requests. + """ + self.store = store + self.signatory = self.signatoryClass(self.store) + self.encoder = self.encoderClass(self.signatory) + self.decoder = self.decoderClass(self) + self.negotiator = default_negotiator.copy() + + if not op_endpoint: + warnings.warn("%s.%s constructor requires op_endpoint parameter " + "for OpenID 2.0 servers" % + (self.__class__.__module__, self.__class__.__name__), + stacklevel=2) + self.op_endpoint = op_endpoint + + + def handleRequest(self, request): + """Handle a request. + + Give me a request, I will give you a response. Unless it's a type + of request I cannot handle myself, in which case I will raise + C{NotImplementedError}. In that case, you can handle it yourself, + or add a method to me for handling that request type. + + @raises NotImplementedError: When I do not have a handler defined + for that type of request. + + @returntype: L{OpenIDResponse} + """ + handler = getattr(self, 'openid_' + request.mode, None) + if handler is not None: + return handler(request) + else: + raise NotImplementedError( + "%s has no handler for a request of mode %r." % + (self, request.mode)) + + + def openid_check_authentication(self, request): + """Handle and respond to C{check_authentication} requests. + + @returntype: L{OpenIDResponse} + """ + return request.answer(self.signatory) + + + def openid_associate(self, request): + """Handle and respond to C{associate} requests. + + @returntype: L{OpenIDResponse} + """ + # XXX: TESTME + assoc_type = request.assoc_type + session_type = request.session.session_type + if self.negotiator.isAllowed(assoc_type, session_type): + assoc = self.signatory.createAssociation(dumb=False, + assoc_type=assoc_type) + return request.answer(assoc) + else: + message = ('Association type %r is not supported with ' + 'session type %r' % (assoc_type, session_type)) + (preferred_assoc_type, preferred_session_type) = \ + self.negotiator.getAllowedType() + return request.answerUnsupported( + message, + preferred_assoc_type, + preferred_session_type) + + + def decodeRequest(self, query): + """Transform query parameters into an L{OpenIDRequest}. + + If the query does not seem to be an OpenID request at all, I return + C{None}. + + @param query: The query parameters as a dictionary with each + key mapping to one value. + @type query: dict + + @raises ProtocolError: When the query does not seem to be a valid + OpenID request. + + @returntype: L{OpenIDRequest} + + @see: L{Decoder.decode} + """ + return self.decoder.decode(query) + + + def encodeResponse(self, response): + """Encode a response to a L{WebResponse}, signing it first if appropriate. + + @raises EncodingError: When I can't figure out how to encode this + message. + + @raises AlreadySigned: When this response is already signed. + + @returntype: L{WebResponse} + + @see: L{SigningEncoder.encode} + """ + return self.encoder.encode(response) + + + +class ProtocolError(Exception): + """A message did not conform to the OpenID protocol. + + @ivar message: The query that is failing to be a valid OpenID request. + @type message: openid.message.Message + """ + + def __init__(self, message, text=None, reference=None, contact=None): + """When an error occurs. + + @param message: The message that is failing to be a valid + OpenID request. + @type message: openid.message.Message + + @param text: A message about the encountered error. Set as C{args[0]}. + @type text: str + """ + self.openid_message = message + self.reference = reference + self.contact = contact + assert type(message) not in [str, unicode] + Exception.__init__(self, text) + + + def getReturnTo(self): + """Get the return_to argument from the request, if any. + + @returntype: str + """ + if self.openid_message is None: + return None + else: + return self.openid_message.getArg(OPENID_NS, 'return_to') + + def hasReturnTo(self): + """Did this request have a return_to parameter? + + @returntype: bool + """ + return self.getReturnTo() is not None + + def toMessage(self): + """Generate a Message object for sending to the relying party, + after encoding. + """ + namespace = self.openid_message.getOpenIDNamespace() + reply = Message(namespace) + reply.setArg(OPENID_NS, 'mode', 'error') + reply.setArg(OPENID_NS, 'error', str(self)) + + if self.contact is not None: + reply.setArg(OPENID_NS, 'contact', str(self.contact)) + + if self.reference is not None: + reply.setArg(OPENID_NS, 'reference', str(self.reference)) + + return reply + + # implements IEncodable + + def encodeToURL(self): + return self.toMessage().toURL(self.getReturnTo()) + + def encodeToKVForm(self): + return self.toMessage().toKVForm() + + def toFormMarkup(self): + """Encode to HTML form markup for POST. + + @since: 2.1.0 + """ + return self.toMessage().toFormMarkup(self.getReturnTo()) + + def toHTML(self): + """Encode to a full HTML page, wrapping the form markup in a page + that will autosubmit the form. + + @since: 2.1.? + """ + return oidutil.autoSubmitHTML(self.toFormMarkup()) + + def whichEncoding(self): + """How should I be encoded? + + @returns: one of ENCODE_URL, ENCODE_KVFORM, or None. If None, + I cannot be encoded as a protocol message and should be + displayed to the user. + """ + if self.hasReturnTo(): + if self.openid_message.getOpenIDNamespace() == OPENID2_NS and \ + len(self.encodeToURL()) > OPENID1_URL_LIMIT: + return ENCODE_HTML_FORM + else: + return ENCODE_URL + + if self.openid_message is None: + return None + + mode = self.openid_message.getArg(OPENID_NS, 'mode') + if mode: + if mode not in BROWSER_REQUEST_MODES: + return ENCODE_KVFORM + + # According to the OpenID spec as of this writing, we are probably + # supposed to switch on request type here (GET versus POST) to figure + # out if we're supposed to print machine-readable or human-readable + # content at this point. GET/POST seems like a pretty lousy way of + # making the distinction though, as it's just as possible that the + # user agent could have mistakenly been directed to post to the + # server URL. + + # Basically, if your request was so broken that you didn't manage to + # include an openid.mode, I'm not going to worry too much about + # returning you something you can't parse. + return None + + + +class VersionError(Exception): + """Raised when an operation was attempted that is not compatible with + the protocol version being used.""" + + + +class NoReturnToError(Exception): + """Raised when a response to a request cannot be generated because + the request contains no return_to URL. + """ + pass + + + +class EncodingError(Exception): + """Could not encode this as a protocol message. + + You should probably render it and show it to the user. + + @ivar response: The response that failed to encode. + @type response: L{OpenIDResponse} + """ + + def __init__(self, response, explanation=None): + Exception.__init__(self, response) + self.response = response + self.explanation = explanation + + def __str__(self): + if self.explanation: + s = '%s: %s' % (self.__class__.__name__, + self.explanation) + else: + s = '%s for Response %s' % ( + self.__class__.__name__, self.response) + return s + + +class AlreadySigned(EncodingError): + """This response is already signed.""" + + + +class UntrustedReturnURL(ProtocolError): + """A return_to is outside the trust_root.""" + + def __init__(self, message, return_to, trust_root): + ProtocolError.__init__(self, message) + self.return_to = return_to + self.trust_root = trust_root + + def __str__(self): + return "return_to %r not under trust_root %r" % (self.return_to, + self.trust_root) + + +class MalformedReturnURL(ProtocolError): + """The return_to URL doesn't look like a valid URL.""" + def __init__(self, openid_message, return_to): + self.return_to = return_to + ProtocolError.__init__(self, openid_message) + + + +class MalformedTrustRoot(ProtocolError): + """The trust root is not well-formed. + + @see: OpenID Specs, U{openid.trust_root<http://openid.net/specs.bml#mode-checkid_immediate>} + """ + pass + + +#class IEncodable: # Interface +# def encodeToURL(return_to): +# """Encode a response as a URL for redirection. +# +# @returns: A URL to direct the user agent back to. +# @returntype: str +# """ +# pass +# +# def encodeToKvform(): +# """Encode a response in key-value colon/newline format. +# +# This is a machine-readable format used to respond to messages which +# came directly from the consumer and not through the user agent. +# +# @see: OpenID Specs, +# U{Key-Value Colon/Newline format<http://openid.net/specs.bml#keyvalue>} +# +# @returntype: str +# """ +# pass +# +# def whichEncoding(): +# """How should I be encoded? +# +# @returns: one of ENCODE_URL, ENCODE_KVFORM, or None. If None, +# I cannot be encoded as a protocol message and should be +# displayed to the user. +# """ +# pass diff --git a/askbot/deps/openid/server/trustroot.py b/askbot/deps/openid/server/trustroot.py new file mode 100644 index 00000000..84a100e9 --- /dev/null +++ b/askbot/deps/openid/server/trustroot.py @@ -0,0 +1,454 @@ +# -*- test-case-name: openid.test.test_rpverify -*- +""" +This module contains the C{L{TrustRoot}} class, which helps handle +trust root checking. This module is used by the +C{L{openid.server.server}} module, but it is also available to server +implementers who wish to use it for additional trust root checking. + +It also implements relying party return_to URL verification, based on +the realm. +""" + +__all__ = [ + 'TrustRoot', + 'RP_RETURN_TO_URL_TYPE', + 'extractReturnToURLs', + 'returnToMatches', + 'verifyReturnTo', + ] + +from openid import oidutil +from openid import urinorm +from openid.yadis import services + +from urlparse import urlparse, urlunparse +import re + +############################################ +_protocols = ['http', 'https'] +_top_level_domains = [ + 'ac', 'ad', 'ae', 'aero', 'af', 'ag', 'ai', 'al', 'am', 'an', + 'ao', 'aq', 'ar', 'arpa', 'as', 'asia', 'at', 'au', 'aw', + 'ax', 'az', 'ba', 'bb', 'bd', 'be', 'bf', 'bg', 'bh', 'bi', + 'biz', 'bj', 'bm', 'bn', 'bo', 'br', 'bs', 'bt', 'bv', 'bw', + 'by', 'bz', 'ca', 'cat', 'cc', 'cd', 'cf', 'cg', 'ch', 'ci', + 'ck', 'cl', 'cm', 'cn', 'co', 'com', 'coop', 'cr', 'cu', 'cv', + 'cx', 'cy', 'cz', 'de', 'dj', 'dk', 'dm', 'do', 'dz', 'ec', + 'edu', 'ee', 'eg', 'er', 'es', 'et', 'eu', 'fi', 'fj', 'fk', + 'fm', 'fo', 'fr', 'ga', 'gb', 'gd', 'ge', 'gf', 'gg', 'gh', + 'gi', 'gl', 'gm', 'gn', 'gov', 'gp', 'gq', 'gr', 'gs', 'gt', + 'gu', 'gw', 'gy', 'hk', 'hm', 'hn', 'hr', 'ht', 'hu', 'id', + 'ie', 'il', 'im', 'in', 'info', 'int', 'io', 'iq', 'ir', 'is', + 'it', 'je', 'jm', 'jo', 'jobs', 'jp', 'ke', 'kg', 'kh', 'ki', + 'km', 'kn', 'kp', 'kr', 'kw', 'ky', 'kz', 'la', 'lb', 'lc', + 'li', 'lk', 'lr', 'ls', 'lt', 'lu', 'lv', 'ly', 'ma', 'mc', + 'md', 'me', 'mg', 'mh', 'mil', 'mk', 'ml', 'mm', 'mn', 'mo', + 'mobi', 'mp', 'mq', 'mr', 'ms', 'mt', 'mu', 'museum', 'mv', + 'mw', 'mx', 'my', 'mz', 'na', 'name', 'nc', 'ne', 'net', 'nf', + 'ng', 'ni', 'nl', 'no', 'np', 'nr', 'nu', 'nz', 'om', 'org', + 'pa', 'pe', 'pf', 'pg', 'ph', 'pk', 'pl', 'pm', 'pn', 'pr', + 'pro', 'ps', 'pt', 'pw', 'py', 'qa', 're', 'ro', 'rs', 'ru', + 'rw', 'sa', 'sb', 'sc', 'sd', 'se', 'sg', 'sh', 'si', 'sj', + 'sk', 'sl', 'sm', 'sn', 'so', 'sr', 'st', 'su', 'sv', 'sy', + 'sz', 'tc', 'td', 'tel', 'tf', 'tg', 'th', 'tj', 'tk', 'tl', + 'tm', 'tn', 'to', 'tp', 'tr', 'travel', 'tt', 'tv', 'tw', + 'tz', 'ua', 'ug', 'uk', 'us', 'uy', 'uz', 'va', 'vc', 've', + 'vg', 'vi', 'vn', 'vu', 'wf', 'ws', 'xn--0zwm56d', + 'xn--11b5bs3a9aj6g', 'xn--80akhbyknj4f', 'xn--9t4b11yi5a', + 'xn--deba0ad', 'xn--g6w251d', 'xn--hgbk6aj7f53bba', + 'xn--hlcj6aya9esc7a', 'xn--jxalpdlp', 'xn--kgbechtv', + 'xn--zckzah', 'ye', 'yt', 'yu', 'za', 'zm', 'zw'] + +# Build from RFC3986, section 3.2.2. Used to reject hosts with invalid +# characters. +host_segment_re = re.compile( + r"(?:[-a-zA-Z0-9!$&'\(\)\*+,;=._~]|%[a-zA-Z0-9]{2})+$") + +class RealmVerificationRedirected(Exception): + """Attempting to verify this realm resulted in a redirect. + + @since: 2.1.0 + """ + def __init__(self, relying_party_url, rp_url_after_redirects): + self.relying_party_url = relying_party_url + self.rp_url_after_redirects = rp_url_after_redirects + + def __str__(self): + return ("Attempting to verify %r resulted in " + "redirect to %r" % + (self.relying_party_url, + self.rp_url_after_redirects)) + + +def _parseURL(url): + try: + url = urinorm.urinorm(url) + except ValueError: + return None + proto, netloc, path, params, query, frag = urlparse(url) + if not path: + # Python <2.4 does not parse URLs with no path properly + if not query and '?' in netloc: + netloc, query = netloc.split('?', 1) + + path = '/' + + path = urlunparse(('', '', path, params, query, frag)) + + if ':' in netloc: + try: + host, port = netloc.split(':') + except ValueError: + return None + + if not re.match(r'\d+$', port): + return None + else: + host = netloc + port = '' + + host = host.lower() + if not host_segment_re.match(host): + return None + + return proto, host, port, path + +class TrustRoot(object): + """ + This class represents an OpenID trust root. The C{L{parse}} + classmethod accepts a trust root string, producing a + C{L{TrustRoot}} object. The method OpenID server implementers + would be most likely to use is the C{L{isSane}} method, which + checks the trust root for given patterns that indicate that the + trust root is too broad or points to a local network resource. + + @sort: parse, isSane + """ + + def __init__(self, unparsed, proto, wildcard, host, port, path): + self.unparsed = unparsed + self.proto = proto + self.wildcard = wildcard + self.host = host + self.port = port + self.path = path + + def isSane(self): + """ + This method checks the to see if a trust root represents a + reasonable (sane) set of URLs. 'http://*.com/', for example + is not a reasonable pattern, as it cannot meaningfully specify + the site claiming it. This function attempts to find many + related examples, but it can only work via heuristics. + Negative responses from this method should be treated as + advisory, used only to alert the user to examine the trust + root carefully. + + + @return: Whether the trust root is sane + + @rtype: C{bool} + """ + + if self.host == 'localhost': + return True + + host_parts = self.host.split('.') + if self.wildcard: + assert host_parts[0] == '', host_parts + del host_parts[0] + + # If it's an absolute domain name, remove the empty string + # from the end. + if host_parts and not host_parts[-1]: + del host_parts[-1] + + if not host_parts: + return False + + # Do not allow adjacent dots + if '' in host_parts: + return False + + tld = host_parts[-1] + if tld not in _top_level_domains: + return False + + if len(host_parts) == 1: + return False + + if self.wildcard: + if len(tld) == 2 and len(host_parts[-2]) <= 3: + # It's a 2-letter tld with a short second to last segment + # so there needs to be more than two segments specified + # (e.g. *.co.uk is insane) + return len(host_parts) > 2 + + # Passed all tests for insanity. + return True + + def validateURL(self, url): + """ + Validates a URL against this trust root. + + + @param url: The URL to check + + @type url: C{str} + + + @return: Whether the given URL is within this trust root. + + @rtype: C{bool} + """ + + url_parts = _parseURL(url) + if url_parts is None: + return False + + proto, host, port, path = url_parts + + if proto != self.proto: + return False + + if port != self.port: + return False + + if '*' in host: + return False + + if not self.wildcard: + if host != self.host: + return False + elif ((not host.endswith(self.host)) and + ('.' + host) != self.host): + return False + + if path != self.path: + path_len = len(self.path) + trust_prefix = self.path[:path_len] + url_prefix = path[:path_len] + + # must be equal up to the length of the path, at least + if trust_prefix != url_prefix: + return False + + # These characters must be on the boundary between the end + # of the trust root's path and the start of the URL's + # path. + if '?' in self.path: + allowed = '&' + else: + allowed = '?/' + + return (self.path[-1] in allowed or + path[path_len] in allowed) + + return True + + def parse(cls, trust_root): + """ + This method creates a C{L{TrustRoot}} instance from the given + input, if possible. + + + @param trust_root: This is the trust root to parse into a + C{L{TrustRoot}} object. + + @type trust_root: C{str} + + + @return: A C{L{TrustRoot}} instance if trust_root parses as a + trust root, C{None} otherwise. + + @rtype: C{NoneType} or C{L{TrustRoot}} + """ + url_parts = _parseURL(trust_root) + if url_parts is None: + return None + + proto, host, port, path = url_parts + + # check for valid prototype + if proto not in _protocols: + return None + + # check for URI fragment + if path.find('#') != -1: + return None + + # extract wildcard if it is there + if host.find('*', 1) != -1: + # wildcard must be at start of domain: *.foo.com, not foo.*.com + return None + + if host.startswith('*'): + # Starts with star, so must have a dot after it (if a + # domain is specified) + if len(host) > 1 and host[1] != '.': + return None + + host = host[1:] + wilcard = True + else: + wilcard = False + + # we have a valid trust root + tr = cls(trust_root, proto, wilcard, host, port, path) + + return tr + + parse = classmethod(parse) + + def checkSanity(cls, trust_root_string): + """str -> bool + + is this a sane trust root? + """ + trust_root = cls.parse(trust_root_string) + if trust_root is None: + return False + else: + return trust_root.isSane() + + checkSanity = classmethod(checkSanity) + + def checkURL(cls, trust_root, url): + """quick func for validating a url against a trust root. See the + TrustRoot class if you need more control.""" + tr = cls.parse(trust_root) + return tr is not None and tr.validateURL(url) + + checkURL = classmethod(checkURL) + + def buildDiscoveryURL(self): + """Return a discovery URL for this realm. + + This function does not check to make sure that the realm is + valid. Its behaviour on invalid inputs is undefined. + + @rtype: str + + @returns: The URL upon which relying party discovery should be run + in order to verify the return_to URL + + @since: 2.1.0 + """ + if self.wildcard: + # Use "www." in place of the star + assert self.host.startswith('.'), self.host + www_domain = 'www' + self.host + return '%s://%s%s' % (self.proto, www_domain, self.path) + else: + return self.unparsed + + def __repr__(self): + return "TrustRoot(%r, %r, %r, %r, %r, %r)" % ( + self.unparsed, self.proto, self.wildcard, self.host, self.port, + self.path) + + def __str__(self): + return repr(self) + +# The URI for relying party discovery, used in realm verification. +# +# XXX: This should probably live somewhere else (like in +# openid.consumer or openid.yadis somewhere) +RP_RETURN_TO_URL_TYPE = 'http://specs.openid.net/auth/2.0/return_to' + +def _extractReturnURL(endpoint): + """If the endpoint is a relying party OpenID return_to endpoint, + return the endpoint URL. Otherwise, return None. + + This function is intended to be used as a filter for the Yadis + filtering interface. + + @see: C{L{openid.yadis.services}} + @see: C{L{openid.yadis.filters}} + + @param endpoint: An XRDS BasicServiceEndpoint, as returned by + performing Yadis dicovery. + + @returns: The endpoint URL or None if the endpoint is not a + relying party endpoint. + @rtype: str or NoneType + """ + if endpoint.matchTypes([RP_RETURN_TO_URL_TYPE]): + return endpoint.uri + else: + return None + +def returnToMatches(allowed_return_to_urls, return_to): + """Is the return_to URL under one of the supplied allowed + return_to URLs? + + @since: 2.1.0 + """ + + for allowed_return_to in allowed_return_to_urls: + # A return_to pattern works the same as a realm, except that + # it's not allowed to use a wildcard. We'll model this by + # parsing it as a realm, and not trying to match it if it has + # a wildcard. + + return_realm = TrustRoot.parse(allowed_return_to) + if (# Parses as a trust root + return_realm is not None and + + # Does not have a wildcard + not return_realm.wildcard and + + # Matches the return_to that we passed in with it + return_realm.validateURL(return_to) + ): + return True + + # No URL in the list matched + return False + +def getAllowedReturnURLs(relying_party_url): + """Given a relying party discovery URL return a list of return_to URLs. + + @since: 2.1.0 + """ + (rp_url_after_redirects, return_to_urls) = services.getServiceEndpoints( + relying_party_url, _extractReturnURL) + + if rp_url_after_redirects != relying_party_url: + # Verification caused a redirect + raise RealmVerificationRedirected( + relying_party_url, rp_url_after_redirects) + + return return_to_urls + +# _vrfy parameter is there to make testing easier +def verifyReturnTo(realm_str, return_to, _vrfy=getAllowedReturnURLs): + """Verify that a return_to URL is valid for the given realm. + + This function builds a discovery URL, performs Yadis discovery on + it, makes sure that the URL does not redirect, parses out the + return_to URLs, and finally checks to see if the current return_to + URL matches the return_to. + + @raises DiscoveryFailure: When Yadis discovery fails + @returns: True if the return_to URL is valid for the realm + + @since: 2.1.0 + """ + realm = TrustRoot.parse(realm_str) + if realm is None: + # The realm does not parse as a URL pattern + return False + + try: + allowable_urls = _vrfy(realm.buildDiscoveryURL()) + except RealmVerificationRedirected, err: + oidutil.log(str(err)) + return False + + if returnToMatches(allowable_urls, return_to): + return True + else: + oidutil.log("Failed to validate return_to %r for realm %r, was not " + "in %s" % (return_to, realm_str, allowable_urls)) + return False diff --git a/askbot/deps/openid/sreg.py b/askbot/deps/openid/sreg.py new file mode 100644 index 00000000..d665a5d0 --- /dev/null +++ b/askbot/deps/openid/sreg.py @@ -0,0 +1,7 @@ +"""moved to L{openid.extensions.sreg}""" + +import warnings +warnings.warn("openid.sreg has moved to openid.extensions.sreg", + DeprecationWarning) + +from openid.extensions.sreg import * diff --git a/askbot/deps/openid/store/__init__.py b/askbot/deps/openid/store/__init__.py new file mode 100644 index 00000000..76509b51 --- /dev/null +++ b/askbot/deps/openid/store/__init__.py @@ -0,0 +1,8 @@ +""" +This package contains the modules related to this library's use of +persistent storage. + +@sort: interface, filestore, sqlstore, memstore +""" + +__all__ = ['interface', 'filestore', 'sqlstore', 'memstore', 'nonce'] diff --git a/askbot/deps/openid/store/filestore.py b/askbot/deps/openid/store/filestore.py new file mode 100644 index 00000000..ced3cee4 --- /dev/null +++ b/askbot/deps/openid/store/filestore.py @@ -0,0 +1,426 @@ +""" +This module contains an C{L{OpenIDStore}} implementation backed by +flat files. +""" + +import string +import os +import os.path +import time + +from errno import EEXIST, ENOENT + +try: + from tempfile import mkstemp +except ImportError: + # Python < 2.3 + import warnings + warnings.filterwarnings("ignore", + "tempnam is a potential security risk", + RuntimeWarning, + "openid.store.filestore") + + def mkstemp(dir): + for _ in range(5): + name = os.tempnam(dir) + try: + fd = os.open(name, os.O_CREAT | os.O_EXCL | os.O_RDWR, 0600) + except OSError, why: + if why.errno != EEXIST: + raise + else: + return fd, name + + raise RuntimeError('Failed to get temp file after 5 attempts') + +from openid.association import Association +from openid.store.interface import OpenIDStore +from openid.store import nonce +from openid import cryptutil, oidutil + +_filename_allowed = string.ascii_letters + string.digits + '.' +try: + # 2.4 + set +except NameError: + try: + # 2.3 + import sets + except ImportError: + # Python < 2.2 + d = {} + for c in _filename_allowed: + d[c] = None + _isFilenameSafe = d.has_key + del d + else: + _isFilenameSafe = sets.Set(_filename_allowed).__contains__ +else: + _isFilenameSafe = set(_filename_allowed).__contains__ + +def _safe64(s): + h64 = oidutil.toBase64(cryptutil.sha1(s)) + h64 = h64.replace('+', '_') + h64 = h64.replace('/', '.') + h64 = h64.replace('=', '') + return h64 + +def _filenameEscape(s): + filename_chunks = [] + for c in s: + if _isFilenameSafe(c): + filename_chunks.append(c) + else: + filename_chunks.append('_%02X' % ord(c)) + return ''.join(filename_chunks) + +def _removeIfPresent(filename): + """Attempt to remove a file, returning whether the file existed at + the time of the call. + + str -> bool + """ + try: + os.unlink(filename) + except OSError, why: + if why.errno == ENOENT: + # Someone beat us to it, but it's gone, so that's OK + return 0 + else: + raise + else: + # File was present + return 1 + +def _ensureDir(dir_name): + """Create dir_name as a directory if it does not exist. If it + exists, make sure that it is, in fact, a directory. + + Can raise OSError + + str -> NoneType + """ + try: + os.makedirs(dir_name) + except OSError, why: + if why.errno != EEXIST or not os.path.isdir(dir_name): + raise + +class FileOpenIDStore(OpenIDStore): + """ + This is a filesystem-based store for OpenID associations and + nonces. This store should be safe for use in concurrent systems + on both windows and unix (excluding NFS filesystems). There are a + couple race conditions in the system, but those failure cases have + been set up in such a way that the worst-case behavior is someone + having to try to log in a second time. + + Most of the methods of this class are implementation details. + People wishing to just use this store need only pay attention to + the C{L{__init__}} method. + + Methods of this object can raise OSError if unexpected filesystem + conditions, such as bad permissions or missing directories, occur. + """ + + def __init__(self, directory): + """ + Initializes a new FileOpenIDStore. This initializes the + nonce and association directories, which are subdirectories of + the directory passed in. + + @param directory: This is the directory to put the store + directories in. + + @type directory: C{str} + """ + # Make absolute + directory = os.path.normpath(os.path.abspath(directory)) + + self.nonce_dir = os.path.join(directory, 'nonces') + + self.association_dir = os.path.join(directory, 'associations') + + # Temp dir must be on the same filesystem as the assciations + # directory + self.temp_dir = os.path.join(directory, 'temp') + + self.max_nonce_age = 6 * 60 * 60 # Six hours, in seconds + + self._setup() + + def _setup(self): + """Make sure that the directories in which we store our data + exist. + + () -> NoneType + """ + _ensureDir(self.nonce_dir) + _ensureDir(self.association_dir) + _ensureDir(self.temp_dir) + + def _mktemp(self): + """Create a temporary file on the same filesystem as + self.association_dir. + + The temporary directory should not be cleaned if there are any + processes using the store. If there is no active process using + the store, it is safe to remove all of the files in the + temporary directory. + + () -> (file, str) + """ + fd, name = mkstemp(dir=self.temp_dir) + try: + file_obj = os.fdopen(fd, 'wb') + return file_obj, name + except: + _removeIfPresent(name) + raise + + def getAssociationFilename(self, server_url, handle): + """Create a unique filename for a given server url and + handle. This implementation does not assume anything about the + format of the handle. The filename that is returned will + contain the domain name from the server URL for ease of human + inspection of the data directory. + + (str, str) -> str + """ + if server_url.find('://') == -1: + raise ValueError('Bad server URL: %r' % server_url) + + proto, rest = server_url.split('://', 1) + domain = _filenameEscape(rest.split('/', 1)[0]) + url_hash = _safe64(server_url) + if handle: + handle_hash = _safe64(handle) + else: + handle_hash = '' + + filename = '%s-%s-%s-%s' % (proto, domain, url_hash, handle_hash) + + return os.path.join(self.association_dir, filename) + + def storeAssociation(self, server_url, association): + """Store an association in the association directory. + + (str, Association) -> NoneType + """ + association_s = association.serialize() + filename = self.getAssociationFilename(server_url, association.handle) + tmp_file, tmp = self._mktemp() + + try: + try: + tmp_file.write(association_s) + os.fsync(tmp_file.fileno()) + finally: + tmp_file.close() + + try: + os.rename(tmp, filename) + except OSError, why: + if why.errno != EEXIST: + raise + + # We only expect EEXIST to happen only on Windows. It's + # possible that we will succeed in unlinking the existing + # file, but not in putting the temporary file in place. + try: + os.unlink(filename) + except OSError, why: + if why.errno == ENOENT: + pass + else: + raise + + # Now the target should not exist. Try renaming again, + # giving up if it fails. + os.rename(tmp, filename) + except: + # If there was an error, don't leave the temporary file + # around. + _removeIfPresent(tmp) + raise + + def getAssociation(self, server_url, handle=None): + """Retrieve an association. If no handle is specified, return + the association with the latest expiration. + + (str, str or NoneType) -> Association or NoneType + """ + if handle is None: + handle = '' + + # The filename with the empty handle is a prefix of all other + # associations for the given server URL. + filename = self.getAssociationFilename(server_url, handle) + + if handle: + return self._getAssociation(filename) + else: + association_files = os.listdir(self.association_dir) + matching_files = [] + # strip off the path to do the comparison + name = os.path.basename(filename) + for association_file in association_files: + if association_file.startswith(name): + matching_files.append(association_file) + + matching_associations = [] + # read the matching files and sort by time issued + for name in matching_files: + full_name = os.path.join(self.association_dir, name) + association = self._getAssociation(full_name) + if association is not None: + matching_associations.append( + (association.issued, association)) + + matching_associations.sort() + + # return the most recently issued one. + if matching_associations: + (_, assoc) = matching_associations[-1] + return assoc + else: + return None + + def _getAssociation(self, filename): + try: + assoc_file = file(filename, 'rb') + except IOError, why: + if why.errno == ENOENT: + # No association exists for that URL and handle + return None + else: + raise + else: + try: + assoc_s = assoc_file.read() + finally: + assoc_file.close() + + try: + association = Association.deserialize(assoc_s) + except ValueError: + _removeIfPresent(filename) + return None + + # Clean up expired associations + if association.getExpiresIn() == 0: + _removeIfPresent(filename) + return None + else: + return association + + def removeAssociation(self, server_url, handle): + """Remove an association if it exists. Do nothing if it does not. + + (str, str) -> bool + """ + assoc = self.getAssociation(server_url, handle) + if assoc is None: + return 0 + else: + filename = self.getAssociationFilename(server_url, handle) + return _removeIfPresent(filename) + + def useNonce(self, server_url, timestamp, salt): + """Return whether this nonce is valid. + + str -> bool + """ + if abs(timestamp - time.time()) > nonce.SKEW: + return False + + if server_url: + proto, rest = server_url.split('://', 1) + else: + # Create empty proto / rest values for empty server_url, + # which is part of a consumer-generated nonce. + proto, rest = '', '' + + domain = _filenameEscape(rest.split('/', 1)[0]) + url_hash = _safe64(server_url) + salt_hash = _safe64(salt) + + filename = '%08x-%s-%s-%s-%s' % (timestamp, proto, domain, + url_hash, salt_hash) + + filename = os.path.join(self.nonce_dir, filename) + try: + fd = os.open(filename, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0200) + except OSError, why: + if why.errno == EEXIST: + return False + else: + raise + else: + os.close(fd) + return True + + def _allAssocs(self): + all_associations = [] + + association_filenames = map( + lambda filename: os.path.join(self.association_dir, filename), + os.listdir(self.association_dir)) + for association_filename in association_filenames: + try: + association_file = file(association_filename, 'rb') + except IOError, why: + if why.errno == ENOENT: + oidutil.log("%s disappeared during %s._allAssocs" % ( + association_filename, self.__class__.__name__)) + else: + raise + else: + try: + assoc_s = association_file.read() + finally: + association_file.close() + + # Remove expired or corrupted associations + try: + association = Association.deserialize(assoc_s) + except ValueError: + _removeIfPresent(association_filename) + else: + all_associations.append( + (association_filename, association)) + + return all_associations + + def cleanup(self): + """Remove expired entries from the database. This is + potentially expensive, so only run when it is acceptable to + take time. + + () -> NoneType + """ + self.cleanupAssociations() + self.cleanupNonces() + + def cleanupAssociations(self): + removed = 0 + for assoc_filename, assoc in self._allAssocs(): + if assoc.getExpiresIn() == 0: + _removeIfPresent(assoc_filename) + removed += 1 + return removed + + def cleanupNonces(self): + nonces = os.listdir(self.nonce_dir) + now = time.time() + + removed = 0 + # Check all nonces for expiry + for nonce_fname in nonces: + timestamp = nonce_fname.split('-', 1)[0] + timestamp = int(timestamp, 16) + if abs(timestamp - now) > nonce.SKEW: + filename = os.path.join(self.nonce_dir, nonce_fname) + _removeIfPresent(filename) + removed += 1 + return removed diff --git a/askbot/deps/openid/store/interface.py b/askbot/deps/openid/store/interface.py new file mode 100644 index 00000000..bb90972f --- /dev/null +++ b/askbot/deps/openid/store/interface.py @@ -0,0 +1,197 @@ +""" +This module contains the definition of the C{L{OpenIDStore}} +interface. +""" + +class OpenIDStore(object): + """ + This is the interface for the store objects the OpenID library + uses. It is a single class that provides all of the persistence + mechanisms that the OpenID library needs, for both servers and + consumers. + + @change: Version 2.0 removed the C{storeNonce}, C{getAuthKey}, and C{isDumb} + methods, and changed the behavior of the C{L{useNonce}} method + to support one-way nonces. It added C{L{cleanupNonces}}, + C{L{cleanupAssociations}}, and C{L{cleanup}}. + + @sort: storeAssociation, getAssociation, removeAssociation, + useNonce + """ + + def storeAssociation(self, server_url, association): + """ + This method puts a C{L{Association + <openid.association.Association>}} object into storage, + retrievable by server URL and handle. + + + @param server_url: The URL of the identity server that this + association is with. Because of the way the server + portion of the library uses this interface, don't assume + there are any limitations on the character set of the + input string. In particular, expect to see unescaped + non-url-safe characters in the server_url field. + + @type server_url: C{str} + + + @param association: The C{L{Association + <openid.association.Association>}} to store. + + @type association: C{L{Association + <openid.association.Association>}} + + + @return: C{None} + + @rtype: C{NoneType} + """ + raise NotImplementedError + + def getAssociation(self, server_url, handle=None): + """ + This method returns an C{L{Association + <openid.association.Association>}} object from storage that + matches the server URL and, if specified, handle. It returns + C{None} if no such association is found or if the matching + association is expired. + + If no handle is specified, the store may return any + association which matches the server URL. If multiple + associations are valid, the recommended return value for this + method is the one most recently issued. + + This method is allowed (and encouraged) to garbage collect + expired associations when found. This method must not return + expired associations. + + + @param server_url: The URL of the identity server to get the + association for. Because of the way the server portion of + the library uses this interface, don't assume there are + any limitations on the character set of the input string. + In particular, expect to see unescaped non-url-safe + characters in the server_url field. + + @type server_url: C{str} + + + @param handle: This optional parameter is the handle of the + specific association to get. If no specific handle is + provided, any valid association matching the server URL is + returned. + + @type handle: C{str} or C{NoneType} + + + @return: The C{L{Association + <openid.association.Association>}} for the given identity + server. + + @rtype: C{L{Association <openid.association.Association>}} or + C{NoneType} + """ + raise NotImplementedError + + def removeAssociation(self, server_url, handle): + """ + This method removes the matching association if it's found, + and returns whether the association was removed or not. + + + @param server_url: The URL of the identity server the + association to remove belongs to. Because of the way the + server portion of the library uses this interface, don't + assume there are any limitations on the character set of + the input string. In particular, expect to see unescaped + non-url-safe characters in the server_url field. + + @type server_url: C{str} + + + @param handle: This is the handle of the association to + remove. If there isn't an association found that matches + both the given URL and handle, then there was no matching + handle found. + + @type handle: C{str} + + + @return: Returns whether or not the given association existed. + + @rtype: C{bool} or C{int} + """ + raise NotImplementedError + + def useNonce(self, server_url, timestamp, salt): + """Called when using a nonce. + + This method should return C{True} if the nonce has not been + used before, and store it for a while to make sure nobody + tries to use the same value again. If the nonce has already + been used or the timestamp is not current, return C{False}. + + You may use L{openid.store.nonce.SKEW} for your timestamp window. + + @change: In earlier versions, round-trip nonces were used and + a nonce was only valid if it had been previously stored + with C{storeNonce}. Version 2.0 uses one-way nonces, + requiring a different implementation here that does not + depend on a C{storeNonce} call. (C{storeNonce} is no + longer part of the interface.) + + @param server_url: The URL of the server from which the nonce + originated. + + @type server_url: C{str} + + @param timestamp: The time that the nonce was created (to the + nearest second), in seconds since January 1 1970 UTC. + @type timestamp: C{int} + + @param salt: A random string that makes two nonces from the + same server issued during the same second unique. + @type salt: str + + @return: Whether or not the nonce was valid. + + @rtype: C{bool} + """ + raise NotImplementedError + + def cleanupNonces(self): + """Remove expired nonces from the store. + + Discards any nonce from storage that is old enough that its + timestamp would not pass L{useNonce}. + + This method is not called in the normal operation of the + library. It provides a way for store admins to keep + their storage from filling up with expired data. + + @return: the number of nonces expired. + @returntype: int + """ + raise NotImplementedError + + def cleanupAssociations(self): + """Remove expired associations from the store. + + This method is not called in the normal operation of the + library. It provides a way for store admins to keep + their storage from filling up with expired data. + + @return: the number of associations expired. + @returntype: int + """ + raise NotImplementedError + + def cleanup(self): + """Shortcut for C{L{cleanupNonces}()}, C{L{cleanupAssociations}()}. + + This method is not called in the normal operation of the + library. It provides a way for store admins to keep + their storage from filling up with expired data. + """ + return self.cleanupNonces(), self.cleanupAssociations() diff --git a/askbot/deps/openid/store/memstore.py b/askbot/deps/openid/store/memstore.py new file mode 100644 index 00000000..e2748fb2 --- /dev/null +++ b/askbot/deps/openid/store/memstore.py @@ -0,0 +1,125 @@ +"""A simple store using only in-process memory.""" + +from openid.store import nonce + +import copy +import time + +class ServerAssocs(object): + def __init__(self): + self.assocs = {} + + def set(self, assoc): + self.assocs[assoc.handle] = assoc + + def get(self, handle): + return self.assocs.get(handle) + + def remove(self, handle): + try: + del self.assocs[handle] + except KeyError: + return False + else: + return True + + def best(self): + """Returns association with the oldest issued date. + + or None if there are no associations. + """ + best = None + for assoc in self.assocs.values(): + if best is None or best.issued < assoc.issued: + best = assoc + return best + + def cleanup(self): + """Remove expired associations. + + @return: tuple of (removed associations, remaining associations) + """ + remove = [] + for handle, assoc in self.assocs.iteritems(): + if assoc.getExpiresIn() == 0: + remove.append(handle) + for handle in remove: + del self.assocs[handle] + return len(remove), len(self.assocs) + + + +class MemoryStore(object): + """In-process memory store. + + Use for single long-running processes. No persistence supplied. + """ + def __init__(self): + self.server_assocs = {} + self.nonces = {} + + def _getServerAssocs(self, server_url): + try: + return self.server_assocs[server_url] + except KeyError: + assocs = self.server_assocs[server_url] = ServerAssocs() + return assocs + + def storeAssociation(self, server_url, assoc): + assocs = self._getServerAssocs(server_url) + assocs.set(copy.deepcopy(assoc)) + + def getAssociation(self, server_url, handle=None): + assocs = self._getServerAssocs(server_url) + if handle is None: + return assocs.best() + else: + return assocs.get(handle) + + def removeAssociation(self, server_url, handle): + assocs = self._getServerAssocs(server_url) + return assocs.remove(handle) + + def useNonce(self, server_url, timestamp, salt): + if abs(timestamp - time.time()) > nonce.SKEW: + return False + + anonce = (str(server_url), int(timestamp), str(salt)) + if anonce in self.nonces: + return False + else: + self.nonces[anonce] = None + return True + + def cleanupNonces(self): + now = time.time() + expired = [] + for anonce in self.nonces.iterkeys(): + if abs(anonce[1] - now) > nonce.SKEW: + # removing items while iterating over the set could be bad. + expired.append(anonce) + + for anonce in expired: + del self.nonces[anonce] + return len(expired) + + def cleanupAssociations(self): + remove_urls = [] + removed_assocs = 0 + for server_url, assocs in self.server_assocs.iteritems(): + removed, remaining = assocs.cleanup() + removed_assocs += removed + if not remaining: + remove_urls.append(server_url) + + # Remove entries from server_assocs that had none remaining. + for server_url in remove_urls: + del self.server_assocs[server_url] + return removed_assocs + + def __eq__(self, other): + return ((self.server_assocs == other.server_assocs) and + (self.nonces == other.nonces)) + + def __ne__(self, other): + return not (self == other) diff --git a/askbot/deps/openid/store/nonce.py b/askbot/deps/openid/store/nonce.py new file mode 100644 index 00000000..e9337a8a --- /dev/null +++ b/askbot/deps/openid/store/nonce.py @@ -0,0 +1,98 @@ +__all__ = [ + 'split', + 'mkNonce', + 'checkTimestamp', + ] + +from openid import cryptutil +from time import strptime, strftime, gmtime, time +from calendar import timegm +import string + +NONCE_CHARS = string.ascii_letters + string.digits + +# Keep nonces for five hours (allow five hours for the combination of +# request time and clock skew). This is probably way more than is +# necessary, but there is not much overhead in storing nonces. +SKEW = 60 * 60 * 5 + +time_fmt = '%Y-%m-%dT%H:%M:%SZ' +time_str_len = len('0000-00-00T00:00:00Z') + +def split(nonce_string): + """Extract a timestamp from the given nonce string + + @param nonce_string: the nonce from which to extract the timestamp + @type nonce_string: str + + @returns: A pair of a Unix timestamp and the salt characters + @returntype: (int, str) + + @raises ValueError: if the nonce does not start with a correctly + formatted time string + """ + timestamp_str = nonce_string[:time_str_len] + try: + timestamp = timegm(strptime(timestamp_str, time_fmt)) + except AssertionError: # Python 2.2 + timestamp = -1 + if timestamp < 0: + raise ValueError('time out of range') + return timestamp, nonce_string[time_str_len:] + +def checkTimestamp(nonce_string, allowed_skew=SKEW, now=None): + """Is the timestamp that is part of the specified nonce string + within the allowed clock-skew of the current time? + + @param nonce_string: The nonce that is being checked + @type nonce_string: str + + @param allowed_skew: How many seconds should be allowed for + completing the request, allowing for clock skew. + @type allowed_skew: int + + @param now: The current time, as a Unix timestamp + @type now: int + + @returntype: bool + @returns: Whether the timestamp is correctly formatted and within + the allowed skew of the current time. + """ + try: + stamp, _ = split(nonce_string) + except ValueError: + return False + else: + if now is None: + now = time() + + # Time after which we should not use the nonce + past = now - allowed_skew + + # Time that is too far in the future for us to allow + future = now + allowed_skew + + # the stamp is not too far in the future and is not too far in + # the past + return past <= stamp <= future + +def mkNonce(when=None): + """Generate a nonce with the current timestamp + + @param when: Unix timestamp representing the issue time of the + nonce. Defaults to the current time. + @type when: int + + @returntype: str + @returns: A string that should be usable as a one-way nonce + + @see: time + """ + salt = cryptutil.randomString(6, NONCE_CHARS) + if when is None: + t = gmtime() + else: + t = gmtime(when) + + time_str = strftime(time_fmt, t) + return time_str + salt diff --git a/askbot/deps/openid/store/sqlstore.py b/askbot/deps/openid/store/sqlstore.py new file mode 100644 index 00000000..58c4337e --- /dev/null +++ b/askbot/deps/openid/store/sqlstore.py @@ -0,0 +1,516 @@ +""" +This module contains C{L{OpenIDStore}} implementations that use +various SQL databases to back them. + +Example of how to initialize a store database:: + + python -c 'from openid.store import sqlstore; import pysqlite2.dbapi2; sqlstore.SQLiteStore(pysqlite2.dbapi2.connect("cstore.db")).createTables()' +""" +import re +import time + +from openid.association import Association +from openid.store.interface import OpenIDStore +from openid.store import nonce + +def _inTxn(func): + def wrapped(self, *args, **kwargs): + return self._callInTransaction(func, self, *args, **kwargs) + + if hasattr(func, '__name__'): + try: + wrapped.__name__ = func.__name__[4:] + except TypeError: + pass + + if hasattr(func, '__doc__'): + wrapped.__doc__ = func.__doc__ + + return wrapped + +class SQLStore(OpenIDStore): + """ + This is the parent class for the SQL stores, which contains the + logic common to all of the SQL stores. + + The table names used are determined by the class variables + C{L{associations_table}} and + C{L{nonces_table}}. To change the name of the tables used, pass + new table names into the constructor. + + To create the tables with the proper schema, see the + C{L{createTables}} method. + + This class shouldn't be used directly. Use one of its subclasses + instead, as those contain the code necessary to use a specific + database. + + All methods other than C{L{__init__}} and C{L{createTables}} + should be considered implementation details. + + + @cvar associations_table: This is the default name of the table to + keep associations in + + @cvar nonces_table: This is the default name of the table to keep + nonces in. + + + @sort: __init__, createTables + """ + + associations_table = 'oid_associations' + nonces_table = 'oid_nonces' + + def __init__(self, conn, associations_table=None, nonces_table=None): + """ + This creates a new SQLStore instance. It requires an + established database connection be given to it, and it allows + overriding the default table names. + + + @param conn: This must be an established connection to a + database of the correct type for the SQLStore subclass + you're using. + + @type conn: A python database API compatible connection + object. + + + @param associations_table: This is an optional parameter to + specify the name of the table used for storing + associations. The default value is specified in + C{L{SQLStore.associations_table}}. + + @type associations_table: C{str} + + + @param nonces_table: This is an optional parameter to specify + the name of the table used for storing nonces. The + default value is specified in C{L{SQLStore.nonces_table}}. + + @type nonces_table: C{str} + """ + self.conn = conn + self.cur = None + self._statement_cache = {} + self._table_names = { + 'associations': associations_table or self.associations_table, + 'nonces': nonces_table or self.nonces_table, + } + self.max_nonce_age = 6 * 60 * 60 # Six hours, in seconds + + # DB API extension: search for "Connection Attributes .Error, + # .ProgrammingError, etc." in + # http://www.python.org/dev/peps/pep-0249/ + if (hasattr(self.conn, 'IntegrityError') and + hasattr(self.conn, 'OperationalError')): + self.exceptions = self.conn + + if not (hasattr(self.exceptions, 'IntegrityError') and + hasattr(self.exceptions, 'OperationalError')): + raise RuntimeError("Error using database connection module " + "(Maybe it can't be imported?)") + + def blobDecode(self, blob): + """Convert a blob as returned by the SQL engine into a str object. + + str -> str""" + return blob + + def blobEncode(self, s): + """Convert a str object into the necessary object for storing + in the database as a blob.""" + return s + + def _getSQL(self, sql_name): + try: + return self._statement_cache[sql_name] + except KeyError: + sql = getattr(self, sql_name) + sql %= self._table_names + self._statement_cache[sql_name] = sql + return sql + + def _execSQL(self, sql_name, *args): + sql = self._getSQL(sql_name) + # Kludge because we have reports of postgresql not quoting + # arguments if they are passed in as unicode instead of str. + # Currently the strings in our tables just have ascii in them, + # so this ought to be safe. + def unicode_to_str(arg): + if isinstance(arg, unicode): + return str(arg) + else: + return arg + str_args = map(unicode_to_str, args) + self.cur.execute(sql, str_args) + + def __getattr__(self, attr): + # if the attribute starts with db_, use a default + # implementation that looks up the appropriate SQL statement + # as an attribute of this object and executes it. + if attr[:3] == 'db_': + sql_name = attr[3:] + '_sql' + def func(*args): + return self._execSQL(sql_name, *args) + setattr(self, attr, func) + return func + else: + raise AttributeError('Attribute %r not found' % (attr,)) + + def _callInTransaction(self, func, *args, **kwargs): + """Execute the given function inside of a transaction, with an + open cursor. If no exception is raised, the transaction is + comitted, otherwise it is rolled back.""" + # No nesting of transactions + self.conn.rollback() + + try: + self.cur = self.conn.cursor() + try: + ret = func(*args, **kwargs) + finally: + self.cur.close() + self.cur = None + except: + self.conn.rollback() + raise + else: + self.conn.commit() + + return ret + + def txn_createTables(self): + """ + This method creates the database tables necessary for this + store to work. It should not be called if the tables already + exist. + """ + self.db_create_nonce() + self.db_create_assoc() + + createTables = _inTxn(txn_createTables) + + def txn_storeAssociation(self, server_url, association): + """Set the association for the server URL. + + Association -> NoneType + """ + a = association + self.db_set_assoc( + server_url, + a.handle, + self.blobEncode(a.secret), + a.issued, + a.lifetime, + a.assoc_type) + + storeAssociation = _inTxn(txn_storeAssociation) + + def txn_getAssociation(self, server_url, handle=None): + """Get the most recent association that has been set for this + server URL and handle. + + str -> NoneType or Association + """ + if handle is not None: + self.db_get_assoc(server_url, handle) + else: + self.db_get_assocs(server_url) + + rows = self.cur.fetchall() + if len(rows) == 0: + return None + else: + associations = [] + for values in rows: + assoc = Association(*values) + assoc.secret = self.blobDecode(assoc.secret) + if assoc.getExpiresIn() == 0: + self.txn_removeAssociation(server_url, assoc.handle) + else: + associations.append((assoc.issued, assoc)) + + if associations: + associations.sort() + return associations[-1][1] + else: + return None + + getAssociation = _inTxn(txn_getAssociation) + + def txn_removeAssociation(self, server_url, handle): + """Remove the association for the given server URL and handle, + returning whether the association existed at all. + + (str, str) -> bool + """ + self.db_remove_assoc(server_url, handle) + return self.cur.rowcount > 0 # -1 is undefined + + removeAssociation = _inTxn(txn_removeAssociation) + + def txn_useNonce(self, server_url, timestamp, salt): + """Return whether this nonce is present, and if it is, then + remove it from the set. + + str -> bool""" + if abs(timestamp - time.time()) > nonce.SKEW: + return False + + try: + self.db_add_nonce(server_url, timestamp, salt) + except self.exceptions.IntegrityError: + # The key uniqueness check failed + return False + else: + # The nonce was successfully added + return True + + useNonce = _inTxn(txn_useNonce) + + def txn_cleanupNonces(self): + self.db_clean_nonce(int(time.time()) - nonce.SKEW) + return self.cur.rowcount + + cleanupNonces = _inTxn(txn_cleanupNonces) + + def txn_cleanupAssociations(self): + self.db_clean_assoc(int(time.time())) + return self.cur.rowcount + + cleanupAssociations = _inTxn(txn_cleanupAssociations) + + +class SQLiteStore(SQLStore): + """ + This is an SQLite-based specialization of C{L{SQLStore}}. + + To create an instance, see C{L{SQLStore.__init__}}. To create the + tables it will use, see C{L{SQLStore.createTables}}. + + All other methods are implementation details. + """ + + create_nonce_sql = """ + CREATE TABLE %(nonces)s ( + server_url VARCHAR, + timestamp INTEGER, + salt CHAR(40), + UNIQUE(server_url, timestamp, salt) + ); + """ + + create_assoc_sql = """ + CREATE TABLE %(associations)s + ( + server_url VARCHAR(2047), + handle VARCHAR(255), + secret BLOB(128), + issued INTEGER, + lifetime INTEGER, + assoc_type VARCHAR(64), + PRIMARY KEY (server_url, handle) + ); + """ + + set_assoc_sql = ('INSERT OR REPLACE INTO %(associations)s ' + '(server_url, handle, secret, issued, ' + 'lifetime, assoc_type) ' + 'VALUES (?, ?, ?, ?, ?, ?);') + get_assocs_sql = ('SELECT handle, secret, issued, lifetime, assoc_type ' + 'FROM %(associations)s WHERE server_url = ?;') + get_assoc_sql = ( + 'SELECT handle, secret, issued, lifetime, assoc_type ' + 'FROM %(associations)s WHERE server_url = ? AND handle = ?;') + + get_expired_sql = ('SELECT server_url ' + 'FROM %(associations)s WHERE issued + lifetime < ?;') + + remove_assoc_sql = ('DELETE FROM %(associations)s ' + 'WHERE server_url = ? AND handle = ?;') + + clean_assoc_sql = 'DELETE FROM %(associations)s WHERE issued + lifetime < ?;' + + add_nonce_sql = 'INSERT INTO %(nonces)s VALUES (?, ?, ?);' + + clean_nonce_sql = 'DELETE FROM %(nonces)s WHERE timestamp < ?;' + + def blobDecode(self, buf): + return str(buf) + + def blobEncode(self, s): + return buffer(s) + + def useNonce(self, *args, **kwargs): + # Older versions of the sqlite wrapper do not raise + # IntegrityError as they should, so we have to detect the + # message from the OperationalError. + try: + return super(SQLiteStore, self).useNonce(*args, **kwargs) + except self.exceptions.OperationalError, why: + if re.match('^columns .* are not unique$', why[0]): + return False + else: + raise + +class MySQLStore(SQLStore): + """ + This is a MySQL-based specialization of C{L{SQLStore}}. + + Uses InnoDB tables for transaction support. + + To create an instance, see C{L{SQLStore.__init__}}. To create the + tables it will use, see C{L{SQLStore.createTables}}. + + All other methods are implementation details. + """ + + try: + import MySQLdb as exceptions + except ImportError: + exceptions = None + + create_nonce_sql = """ + CREATE TABLE %(nonces)s ( + server_url BLOB NOT NULL, + timestamp INTEGER NOT NULL, + salt CHAR(40) NOT NULL, + PRIMARY KEY (server_url(255), timestamp, salt) + ) + ENGINE=InnoDB; + """ + + create_assoc_sql = """ + CREATE TABLE %(associations)s + ( + server_url BLOB NOT NULL, + handle VARCHAR(255) NOT NULL, + secret BLOB NOT NULL, + issued INTEGER NOT NULL, + lifetime INTEGER NOT NULL, + assoc_type VARCHAR(64) NOT NULL, + PRIMARY KEY (server_url(255), handle) + ) + ENGINE=InnoDB; + """ + + set_assoc_sql = ('REPLACE INTO %(associations)s ' + 'VALUES (%%s, %%s, %%s, %%s, %%s, %%s);') + get_assocs_sql = ('SELECT handle, secret, issued, lifetime, assoc_type' + ' FROM %(associations)s WHERE server_url = %%s;') + get_expired_sql = ('SELECT server_url ' + 'FROM %(associations)s WHERE issued + lifetime < %%s;') + + get_assoc_sql = ( + 'SELECT handle, secret, issued, lifetime, assoc_type' + ' FROM %(associations)s WHERE server_url = %%s AND handle = %%s;') + remove_assoc_sql = ('DELETE FROM %(associations)s ' + 'WHERE server_url = %%s AND handle = %%s;') + + clean_assoc_sql = 'DELETE FROM %(associations)s WHERE issued + lifetime < %%s;' + + add_nonce_sql = 'INSERT INTO %(nonces)s VALUES (%%s, %%s, %%s);' + + clean_nonce_sql = 'DELETE FROM %(nonces)s WHERE timestamp < %%s;' + + def blobDecode(self, blob): + if type(blob) is str: + # Versions of MySQLdb >= 1.2.2 + return blob + else: + # Versions of MySQLdb prior to 1.2.2 (as far as we can tell) + return blob.tostring() + +class PostgreSQLStore(SQLStore): + """ + This is a PostgreSQL-based specialization of C{L{SQLStore}}. + + To create an instance, see C{L{SQLStore.__init__}}. To create the + tables it will use, see C{L{SQLStore.createTables}}. + + All other methods are implementation details. + """ + + try: + import psycopg as exceptions + except ImportError: + # psycopg2 has the dbapi extension where the exception classes + # are available on the connection object. A psycopg2 + # connection will use the correct exception classes because of + # this, and a psycopg connection will fall through to use the + # psycopg imported above. + exceptions = None + + create_nonce_sql = """ + CREATE TABLE %(nonces)s ( + server_url VARCHAR(2047) NOT NULL, + timestamp INTEGER NOT NULL, + salt CHAR(40) NOT NULL, + PRIMARY KEY (server_url, timestamp, salt) + ); + """ + + create_assoc_sql = """ + CREATE TABLE %(associations)s + ( + server_url VARCHAR(2047) NOT NULL, + handle VARCHAR(255) NOT NULL, + secret BYTEA NOT NULL, + issued INTEGER NOT NULL, + lifetime INTEGER NOT NULL, + assoc_type VARCHAR(64) NOT NULL, + PRIMARY KEY (server_url, handle), + CONSTRAINT secret_length_constraint CHECK (LENGTH(secret) <= 128) + ); + """ + + def db_set_assoc(self, server_url, handle, secret, issued, lifetime, assoc_type): + """ + Set an association. This is implemented as a method because + REPLACE INTO is not supported by PostgreSQL (and is not + standard SQL). + """ + result = self.db_get_assoc(server_url, handle) + rows = self.cur.fetchall() + if len(rows): + # Update the table since this associations already exists. + return self.db_update_assoc(secret, issued, lifetime, assoc_type, + server_url, handle) + else: + # Insert a new record because this association wasn't + # found. + return self.db_new_assoc(server_url, handle, secret, issued, + lifetime, assoc_type) + + new_assoc_sql = ('INSERT INTO %(associations)s ' + 'VALUES (%%s, %%s, %%s, %%s, %%s, %%s);') + update_assoc_sql = ('UPDATE %(associations)s SET ' + 'secret = %%s, issued = %%s, ' + 'lifetime = %%s, assoc_type = %%s ' + 'WHERE server_url = %%s AND handle = %%s;') + get_assocs_sql = ('SELECT handle, secret, issued, lifetime, assoc_type' + ' FROM %(associations)s WHERE server_url = %%s;') + get_expired_sql = ('SELECT server_url ' + 'FROM %(associations)s WHERE issued + lifetime < %%s;') + + get_assoc_sql = ( + 'SELECT handle, secret, issued, lifetime, assoc_type' + ' FROM %(associations)s WHERE server_url = %%s AND handle = %%s;') + remove_assoc_sql = ('DELETE FROM %(associations)s ' + 'WHERE server_url = %%s AND handle = %%s;') + + clean_assoc_sql = 'DELETE FROM %(associations)s WHERE issued + lifetime < %%s;' + + add_nonce_sql = 'INSERT INTO %(nonces)s VALUES (%%s, %%s, %%s);' + + clean_nonce_sql = 'DELETE FROM %(nonces)s WHERE timestamp < %%s;' + + def blobEncode(self, blob): + try: + from psycopg2 import Binary + except ImportError: + from psycopg import Binary + + return Binary(blob) diff --git a/askbot/deps/openid/test/__init__.py b/askbot/deps/openid/test/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/askbot/deps/openid/test/__init__.py diff --git a/askbot/deps/openid/test/cryptutil.py b/askbot/deps/openid/test/cryptutil.py new file mode 100644 index 00000000..753596cb --- /dev/null +++ b/askbot/deps/openid/test/cryptutil.py @@ -0,0 +1,108 @@ +import sys +import random +import os.path + +from openid import cryptutil + +# Most of the purpose of this test is to make sure that cryptutil can +# find a good source of randomness on this machine. + +def test_cryptrand(): + # It's possible, but HIGHLY unlikely that a correct implementation + # will fail by returning the same number twice + + s = cryptutil.getBytes(32) + t = cryptutil.getBytes(32) + assert len(s) == 32 + assert len(t) == 32 + assert s != t + + a = cryptutil.randrange(2L ** 128) + b = cryptutil.randrange(2L ** 128) + assert type(a) is long + assert type(b) is long + assert b != a + + # Make sure that we can generate random numbers that are larger + # than platform int size + cryptutil.randrange(long(sys.maxint) + 1L) + +def test_reversed(): + if hasattr(cryptutil, 'reversed'): + cases = [ + ('', ''), + ('a', 'a'), + ('ab', 'ba'), + ('abc', 'cba'), + ('abcdefg', 'gfedcba'), + ([], []), + ([1], [1]), + ([1,2], [2,1]), + ([1,2,3], [3,2,1]), + (range(1000), range(999, -1, -1)), + ] + + for case, expected in cases: + expected = list(expected) + actual = list(cryptutil.reversed(case)) + assert actual == expected, (case, expected, actual) + twice = list(cryptutil.reversed(actual)) + assert twice == list(case), (actual, case, twice) + +def test_binaryLongConvert(): + MAX = sys.maxint + for iteration in xrange(500): + n = 0L + for i in range(10): + n += long(random.randrange(MAX)) + + s = cryptutil.longToBinary(n) + assert type(s) is str + n_prime = cryptutil.binaryToLong(s) + assert n == n_prime, (n, n_prime) + + cases = [ + ('\x00', 0L), + ('\x01', 1L), + ('\x7F', 127L), + ('\x00\xFF', 255L), + ('\x00\x80', 128L), + ('\x00\x81', 129L), + ('\x00\x80\x00', 32768L), + ('OpenID is cool', 1611215304203901150134421257416556L) + ] + + for s, n in cases: + n_prime = cryptutil.binaryToLong(s) + s_prime = cryptutil.longToBinary(n) + assert n == n_prime, (s, n, n_prime) + assert s == s_prime, (n, s, s_prime) + +def test_longToBase64(): + f = file(os.path.join(os.path.dirname(__file__), 'n2b64')) + try: + for line in f: + parts = line.strip().split(' ') + assert parts[0] == cryptutil.longToBase64(long(parts[1])) + finally: + f.close() + +def test_base64ToLong(): + f = file(os.path.join(os.path.dirname(__file__), 'n2b64')) + try: + for line in f: + parts = line.strip().split(' ') + assert long(parts[1]) == cryptutil.base64ToLong(parts[0]) + finally: + f.close() + + +def test(): + test_reversed() + test_binaryLongConvert() + test_cryptrand() + test_longToBase64() + test_base64ToLong() + +if __name__ == '__main__': + test() diff --git a/askbot/deps/openid/test/data/accept.txt b/askbot/deps/openid/test/data/accept.txt new file mode 100644 index 00000000..0853321a --- /dev/null +++ b/askbot/deps/openid/test/data/accept.txt @@ -0,0 +1,118 @@ +# Accept: [Accept: header value from RFC2616, +# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html] +# Available: [whitespace-separated content types] +# Expected: [Accept-header like list, containing the available content +# types with their q-values] + +Accept: */* +Available: text/plain +Expected: text/plain; q=1.0 + +Accept: */* +Available: text/plain, text/html +Expected: text/plain; q=1.0, text/html; q=1.0 + +# The order matters +Accept: */* +Available: text/html, text/plain +Expected: text/html; q=1.0, text/plain; q=1.0 + +Accept: text/*, */*; q=0.9 +Available: text/plain, image/jpeg +Expected: text/plain; q=1.0, image/jpeg; q=0.9 + +Accept: text/*, */*; q=0.9 +Available: image/jpeg, text/plain +Expected: text/plain; q=1.0, image/jpeg; q=0.9 + +# wildcard subtypes still reject differing main types +Accept: text/* +Available: image/jpeg, text/plain +Expected: text/plain; q=1.0 + +Accept: text/html +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html, text/* +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html, text/* +Available: text/plain, text/html +Expected: text/plain; q=1.0, text/html; q=1.0 + +Accept: text/html, text/*; q=0.9 +Available: text/plain, text/html +Expected: text/html; q=1.0, text/plain; q=0.9 + +# If a more specific type has a higher q-value, then the higher value wins +Accept: text/*; q=0.9, text/html +Available: text/plain, text/html +Expected: text/html; q=1.0, text/plain; q=0.9 + +Accept: */*, text/*; q=0.9, text/html; q=0.1 +Available: text/plain, text/html, image/monkeys +Expected: image/monkeys; q=1.0, text/plain; q=0.9, text/html; q=0.1 + +Accept: text/*, text/html; q=0 +Available: text/html +Expected: + +Accept: text/*, text/html; q=0 +Available: text/html, text/plain +Expected: text/plain; q=1.0 + +Accept: text/html +Available: text/plain +Expected: + +Accept: application/xrds+xml, text/html; q=0.9 +Available: application/xrds+xml, text/html +Expected: application/xrds+xml; q=1.0, text/html; q=0.9 + +Accept: application/xrds+xml, */*; q=0.9 +Available: application/xrds+xml, text/html +Expected: application/xrds+xml; q=1.0, text/html; q=0.9 + +Accept: application/xrds+xml, application/xhtml+xml; q=0.9, text/html; q=0.8, text/xml; q=0.7 +Available: application/xrds+xml, text/html +Expected: application/xrds+xml; q=1.0, text/html; q=0.8 + +# See http://www.rfc-editor.org/rfc/rfc3023.txt, section A.13 +Accept: application/xrds +Available: application/xrds+xml +Expected: + +Accept: application/xrds+xml +Available: application/xrds +Expected: + +Accept: application/xml +Available: application/xrds+xml +Expected: + +Available: application/xrds+xml +Accept: application/xml +Expected: + + + +################################################# +# The tests below this line are documentation of how this library +# works. If the implementation changes, it's acceptable to change the +# test to reflect that. These are specified so that we can make sure +# that the current implementation actually works the way that we +# expect it to given these inputs. + +Accept: text/html;level=1 +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html; level=1, text/html; level=9; q=0.1 +Available: text/html +Expected: text/html; q=1.0 + +Accept: text/html; level=9; q=0.1, text/html; level=1 +Available: text/html +Expected: text/html; q=1.0 diff --git a/askbot/deps/openid/test/data/example-xrds.xml b/askbot/deps/openid/test/data/example-xrds.xml new file mode 100644 index 00000000..101ba3bd --- /dev/null +++ b/askbot/deps/openid/test/data/example-xrds.xml @@ -0,0 +1,14 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- Sample XRDS file at: NAME --> +<xrds:XRDS + xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)"> + <XRD> + + <Service priority="0"> + <Type>http://example.com/</Type> + <URI>http://www.openidenabled.com/</URI> + </Service> + + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/openid-1.2-consumer-sqlitestore.db b/askbot/deps/openid/test/data/openid-1.2-consumer-sqlitestore.db Binary files differnew file mode 100644 index 00000000..11444b26 --- /dev/null +++ b/askbot/deps/openid/test/data/openid-1.2-consumer-sqlitestore.db diff --git a/askbot/deps/openid/test/data/test1-discover.txt b/askbot/deps/openid/test/data/test1-discover.txt new file mode 100644 index 00000000..7ec9b878 --- /dev/null +++ b/askbot/deps/openid/test/data/test1-discover.txt @@ -0,0 +1,137 @@ +equiv +Status: 200 OK +Content-Type: text/html + +<html> +<head> +<meta http-equiv="YADIS_HEADER" content="URL_BASE/xrds"> +<title>Joe Schmoe's Homepage</title> +</head> +<body> +<h1>Joe Schmoe's Homepage</h1> +<p>Blah blah blah blah blah blah blah</p> +</body> +</html> + +header +Status: 200 OK +Content-Type: text/html +YADIS_HEADER: URL_BASE/xrds + +<html> +<head> +<title>Joe Schmoe's Homepage</title> +</head> +<body> +<h1>Joe Schmoe's Homepage</h1> +<p>Blah blah blah blah blah blah blah</p> +</body> + +xrds +Status: 200 OK +Content-Type: application/xrds+xml + +<XRDS Content> + +xrds_ctparam +Status: 200 OK +Content-Type: application/xrds+xml; charset=UTF8 + +<XRDS Content> + +xrds_ctcase +Status: 200 OK +Content-Type: appliCATION/XRDS+xml + +<XRDS Content> + +xrds_html +Status: 200 OK +Content-Type: text/html + +<XRDS Content> + +redir_equiv +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/equiv + +You are presently being redirected. + +redir_header +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/header + +You are presently being redirected. + +redir_xrds +Status: 302 Found +Content-Type: application/xrds+xml +Location: URL_BASE/xrds + +<XRDS Content> + +redir_xrds_html +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/xrds_html + +You are presently being redirected. + +redir_redir_equiv +Status: 302 Found +Content-Type: text/plain +Location: URL_BASE/redir_equiv + +You are presently being redirected. + +lowercase_header +Status: 200 OK +Content-Type: text/html +x-xrds-location: URL_BASE/xrds + +<html> +<head> +<title>Joe Schmoe's Homepage</title> +</head> +<body> +<h1>Joe Schmoe's Homepage</h1> +<p>Blah blah blah blah blah blah blah</p> +</body> + +404_server_response +Status: 404 Not Found + +EEk! + +500_server_response +Status: 500 Server error + +EEk! + +201_server_response +Status: 201 Created + +EEk! + +404_with_header +Status: 404 Not Found +YADIS_HEADER: URL_BASE/xrds + +EEk! + +404_with_meta +Status: 404 Not Found +Content-Type: text/html + +<html> +<head> +<meta http-equiv="YADIS_HEADER" content="URL_BASE/xrds"> +<title>Joe Schmoe's Homepage</title> +</head> +<body> +<h1>Joe Schmoe's Homepage</h1> +<p>Blah blah blah blah blah blah blah</p> +</body> +</html> diff --git a/askbot/deps/openid/test/data/test1-parsehtml.txt b/askbot/deps/openid/test/data/test1-parsehtml.txt new file mode 100644 index 00000000..feee692e --- /dev/null +++ b/askbot/deps/openid/test/data/test1-parsehtml.txt @@ -0,0 +1,152 @@ +found +<!-- minimal well-formed success case --> +<html><head><meta http-equiv="X-XRDS-Location" content="found"></head></html> + +found +<!-- minimal well-formed success case, xhtml closing, whitespace --> +<html><head><meta http-equiv="X-XRDS-Location" content="found" /></head></html> + +found +<!-- minimal well-formed success case, xhtml closing, no whitespace --> +<html><head><meta http-equiv="X-XRDS-Location" content="found"/></head></html> + +found +<!-- minimal success case --> +<html><head><meta http-equiv="X-XRDS-Location" content="found"> + +found +<!-- ignore bogus top-level tags --> +</porky><html><head><meta http-equiv="X-XRDS-Location" content="found"> + +found +<!-- Case folding for header name --> +<html><head><meta http-equiv="x-xrds-location" content="found"> + +found +<!-- missing <html> tag --> +<head><meta http-equiv="X-XRDS-Location" content="found"> + +found +<!-- javascript in head --> +<html><head><script type="text/javascript">document.write("<body>");</script><META http-equiv="X-XRDS-Location" content="found"> + +EOF +<!-- no closing script tag --> +<html><head><script type="text/javascript">document.write("<body>");<META http-equiv="X-XRDS-Location" content="found"> + +found +<!-- case folding for tag names --> +<html><head><META http-equiv="X-XRDS-Location" content="found"> + +found +<!-- Stop after first one found --> +<html><head> +<meta http-equiv="x-xrds-location" content="found"> +<meta http-equiv="x-xrds-location" content="not-found"> + +& +<!-- standard entity --> +<head><meta http-equiv="X-XRDS-Location" content="&"> + +found +<!-- hex entity --> +<html> + <head> + <meta http-equiv="X-XRDS-Location" content="found"> + </head> +</html> + +found +<!-- decimal entity --> +<html> + <head> + <meta http-equiv="X-XRDS-Location" content="found"> + </head> +</html> + +/ +<!-- hex entity --> +<html> + <head> + <meta http-equiv="X-XRDS-Location" content="/"> + </head> +</html> + + +<!-- empty string --> +<html><head><meta http-equiv="X-XRDS-Location" content=""> + +EOF +<!-- No markup, except this comment --> + +None +<!-- No meta, just standard HTML --> +<html> + <head> + <title>A boring document</title> + </head> + <body> + <h1>A boring document</h1> + <p>There's really nothing interesting about this</p> + </body> +</html> + +EOF +<!-- No <html> or <head> --> +<meta http-equiv="X-XRDS-Location" content="found"> + +EOF +<!-- No <head> tag --> +<html><meta http-equiv="X-XRDS-Location" content="found"> + +None +<!-- No <html> or <head> and a <body> --> +<body><meta http-equiv="X-XRDS-Location" content="found"> + +None +<!-- <head> and <html> reversed --> +<head><html><meta http-equiv="X-XRDS-Location" content="found"> + +None +<!-- <meta> is inside of <body> --> +<html><head><body><meta http-equiv="X-XRDS-Location" content="found"> + +None +<!-- <meta> is inside comment --> +<html> + <head> + <!--<meta http-equiv="X-XRDS-Location" content="found">--> + </head> +</html> + +None +<!-- <meta> is inside of <body> --> +<html> + <head> + <title>Someone's blog</title> + </head> + <body> + <h1>My blog</h1> + <p>This is my blog</p> + <h2>Comments</h2> + <p><meta http-equiv="X-XRDS-Location" content="found"></p> + </body> +</html> + +None +<!-- short head tag --> +<html><head/> +<meta http-equiv="X-XRDS-Location" content="found"> + +None +<!-- <body> comes first --> +<body><html><head> +<meta http-equiv="X-XRDS-Location" content="found"> + +None +<!-- </body> comes first --> +</body><html><head> +<meta http-equiv="X-XRDS-Location" content="found"> + +None +<!bad processing instruction!> diff --git a/askbot/deps/openid/test/data/test_discover/openid.html b/askbot/deps/openid/test/data/test_discover/openid.html new file mode 100644 index 00000000..1a57d44f --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid.html @@ -0,0 +1,11 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <title>Identity Page for Smoker</title> + <link rel="openid.server" href="http://www.myopenid.com/server" /> + <link rel="openid.delegate" href="http://smoker.myopenid.com/" /> + </head> + <body> + <p>foo</p> + </body> +</html> diff --git a/askbot/deps/openid/test/data/test_discover/openid2.html b/askbot/deps/openid/test/data/test_discover/openid2.html new file mode 100644 index 00000000..a74c042e --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid2.html @@ -0,0 +1,11 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <title>Identity Page for Smoker</title> + <link rel="openid2.provider" href="http://www.myopenid.com/server" /> + <link rel="openid2.local_id" href="http://smoker.myopenid.com/" /> + </head> + <body> + <p>foo</p> + </body> +</html> diff --git a/askbot/deps/openid/test/data/test_discover/openid2_xrds.xml b/askbot/deps/openid/test/data/test_discover/openid2_xrds.xml new file mode 100644 index 00000000..8091ab94 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid2_xrds.xml @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/signon</Type> + <URI>http://www.myopenid.com/server</URI> + <LocalID>http://smoker.myopenid.com/</LocalID> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/openid2_xrds_no_local_id.xml b/askbot/deps/openid/test/data/test_discover/openid2_xrds_no_local_id.xml new file mode 100644 index 00000000..e6a0eb97 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid2_xrds_no_local_id.xml @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/signon</Type> + <URI>http://www.myopenid.com/server</URI> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/openid_1_and_2.html b/askbot/deps/openid/test/data/test_discover/openid_1_and_2.html new file mode 100644 index 00000000..5e581287 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid_1_and_2.html @@ -0,0 +1,11 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <title>Identity Page for Smoker</title> + <link rel="openid2.provider openid.server" href="http://www.myopenid.com/server" /> + <link rel="openid2.local_id openid.delegate" href="http://smoker.myopenid.com/" /> + </head> + <body> + <p>foo</p> + </body> +</html> diff --git a/askbot/deps/openid/test/data/test_discover/openid_1_and_2_xrds.xml b/askbot/deps/openid/test/data/test_discover/openid_1_and_2_xrds.xml new file mode 100644 index 00000000..6d85d57e --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid_1_and_2_xrds.xml @@ -0,0 +1,16 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/signon</Type> + <Type>http://openid.net/signon/1.1</Type> + <URI>http://www.myopenid.com/server</URI> + <LocalID>http://smoker.myopenid.com/</LocalID> + <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/openid_1_and_2_xrds_bad_delegate.xml b/askbot/deps/openid/test/data/test_discover/openid_1_and_2_xrds_bad_delegate.xml new file mode 100644 index 00000000..db7282e2 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid_1_and_2_xrds_bad_delegate.xml @@ -0,0 +1,17 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/signon</Type> + <Type>http://openid.net/signon/1.0</Type> + <Type>http://openid.net/signon/1.1</Type> + <URI>http://www.myopenid.com/server</URI> + <LocalID>http://smoker.myopenid.com/</LocalID> + <openid:Delegate>http://localid.mismatch.invalid/</openid:Delegate> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/openid_and_yadis.html b/askbot/deps/openid/test/data/test_discover/openid_and_yadis.html new file mode 100644 index 00000000..3befa6fc --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid_and_yadis.html @@ -0,0 +1,12 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <title>Identity Page for Smoker</title> + <meta http-equiv="X-XRDS-Location" content="http://someuser.unittest/xrds" /> + <link rel="openid.server" href="http://www.myopenid.com/server" /> + <link rel="openid.delegate" href="http://smoker.myopenid.com/" /> + </head> + <body> + <p>foo</p> + </body> +</html> diff --git a/askbot/deps/openid/test/data/test_discover/openid_no_delegate.html b/askbot/deps/openid/test/data/test_discover/openid_no_delegate.html new file mode 100644 index 00000000..f5180b3d --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/openid_no_delegate.html @@ -0,0 +1,10 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <title>Identity Page for Smoker</title> + <link rel="openid.server" href="http://www.myopenid.com/server" /> + </head> + <body> + <p>foo</p> + </body> +</html> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_0entries.xml b/askbot/deps/openid/test/data/test_discover/yadis_0entries.xml new file mode 100644 index 00000000..f161a0b3 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_0entries.xml @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + <Service > + <Type>http://is-not-openid.unittest/</Type> + <URI>http://noffing.unittest./</URI> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_2_bad_local_id.xml b/askbot/deps/openid/test/data/test_discover/yadis_2_bad_local_id.xml new file mode 100644 index 00000000..68c2ce1f --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_2_bad_local_id.xml @@ -0,0 +1,15 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/signon</Type> + <URI>http://www.myopenid.com/server</URI> + <LocalID>http://smoker.myopenid.com/</LocalID> + <LocalID>http://localid.mismatch.invalid/</LocalID> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_2entries_delegate.xml b/askbot/deps/openid/test/data/test_discover/yadis_2entries_delegate.xml new file mode 100644 index 00000000..372955b0 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_2entries_delegate.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + <CanonicalID>=!1000</CanonicalID> + + <Service priority="10"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://www.myopenid.com/server</URI> + <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate> + </Service> + + <Service priority="20"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://www.livejournal.com/openid/server.bml</URI> + <openid:Delegate>http://frank.livejournal.com/</openid:Delegate> + </Service> + + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_2entries_idp.xml b/askbot/deps/openid/test/data/test_discover/yadis_2entries_idp.xml new file mode 100644 index 00000000..9a07b3d4 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_2entries_idp.xml @@ -0,0 +1,21 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + <CanonicalID>=!1000</CanonicalID> + + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/signon</Type> + <URI>http://www.myopenid.com/server</URI> + <openid:LocalID>http://smoker.myopenid.com/</openid:LocalID> + </Service> + + <Service priority="20"> + <Type>http://specs.openid.net/auth/2.0/server</Type> + <URI>http://www.livejournal.com/openid/server.bml</URI> + </Service> + + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_another_delegate.xml b/askbot/deps/openid/test/data/test_discover/yadis_another_delegate.xml new file mode 100644 index 00000000..2f3b9af3 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_another_delegate.xml @@ -0,0 +1,14 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + + <Service priority="10"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://vroom.unittest/server</URI> + <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_idp.xml b/askbot/deps/openid/test/data/test_discover/yadis_idp.xml new file mode 100644 index 00000000..f570d043 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_idp.xml @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/server</Type> + <URI>http://www.myopenid.com/server</URI> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_idp_delegate.xml b/askbot/deps/openid/test/data/test_discover/yadis_idp_delegate.xml new file mode 100644 index 00000000..54106005 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_idp_delegate.xml @@ -0,0 +1,13 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0" + > + <XRD> + <Service> + <Type>http://specs.openid.net/auth/2.0/server</Type> + <URI>http://www.myopenid.com/server</URI> + <openid:Delegate>http://smoker.myopenid.com/</openid:Delegate> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_discover/yadis_no_delegate.xml b/askbot/deps/openid/test/data/test_discover/yadis_no_delegate.xml new file mode 100644 index 00000000..fbd67349 --- /dev/null +++ b/askbot/deps/openid/test/data/test_discover/yadis_no_delegate.xml @@ -0,0 +1,11 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service priority="10"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://www.myopenid.com/server</URI> + </Service> + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/README b/askbot/deps/openid/test/data/test_etxrd/README new file mode 100644 index 00000000..3739cf1c --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/README @@ -0,0 +1,12 @@ +delegated-20060809.xrds - results from proxy.xri.net, determined by + Drummond and Kevin to be incorrect. +delegated-20060809-r1.xrds - Drummond's 1st correction +delegated-20060809-r2.xrds - Drummond's 2nd correction + +spoofs: keturn's (=!E4)'s attempts to log in with Drummond's i-number (=!D2) +spoof1.xrds +spoof2.xrds +spoof3.xrds - attempt to steal @!C0!D2 by having "at least one" CanonicalID + match the $res service ProviderID. + +ref.xrds - resolving @ootao*test.ref, which refers to a neustar XRI. diff --git a/askbot/deps/openid/test/data/test_etxrd/delegated-20060809-r1.xrds b/askbot/deps/openid/test/data/test_etxrd/delegated-20060809-r1.xrds new file mode 100644 index 00000000..f994b140 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/delegated-20060809-r1.xrds @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://@ootao*test1" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*ootao</Query> + <Status code="100"/> + <Expires>2006-08-09T22:07:13.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!5BAD.2AA.3C72.AF46</LocalID> + <CanonicalID priority="10">@!5BAD.2AA.3C72.AF46</CanonicalID> + <Service priority="10"> + <Type>xri://$res*auth*($v*2.0)</Type> + <ProviderID>xri://!!1003</ProviderID> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/@ootao/</URI> + </Service> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*test1</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://!!1003</ProviderID> + <LocalID>!0000.0000.3B9A.CA01</LocalID> + <CanonicalID>@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01</CanonicalID> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/delegated-20060809-r2.xrds b/askbot/deps/openid/test/data/test_etxrd/delegated-20060809-r2.xrds new file mode 100644 index 00000000..68c08dc4 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/delegated-20060809-r2.xrds @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://@ootao*test1" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*ootao</Query> + <Status code="100"/> + <Expires>2006-08-09T22:07:13.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!5BAD.2AA.3C72.AF46</LocalID> + <CanonicalID priority="10">@!5BAD.2AA.3C72.AF46</CanonicalID> + <Service priority="10"> + <Type>xri://$res*auth*($v*2.0)</Type> + <ProviderID>xri://@!5BAD.2AA.3C72.AF46</ProviderID> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/@ootao/</URI> + </Service> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*test1</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://@!5BAD.2AA.3C72.AF46</ProviderID> + <LocalID>!0000.0000.3B9A.CA01</LocalID> + <CanonicalID>@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01</CanonicalID> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/delegated-20060809.xrds b/askbot/deps/openid/test/data/test_etxrd/delegated-20060809.xrds new file mode 100644 index 00000000..073ee688 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/delegated-20060809.xrds @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://@ootao*test1" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*ootao</Query> + <Status code="100"/> + <Expires>2006-08-09T22:07:13.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!5BAD.2AA.3C72.AF46</LocalID> + <CanonicalID priority="10">@!5BAD.2AA.3C72.AF46</CanonicalID> + <Service priority="10"> + <Type>xri://$res*auth*($v*2.0)</Type> + <ProviderID/> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/@ootao/</URI> + </Service> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*test1</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://!!1003</ProviderID> + <LocalID>!0000.0000.3B9A.CA01</LocalID> + <CanonicalID>@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01</CanonicalID> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/no-xrd.xml b/askbot/deps/openid/test/data/test_etxrd/no-xrd.xml new file mode 100644 index 00000000..ca66f735 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/no-xrd.xml @@ -0,0 +1,7 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS + xmlns:xrds="xri://$xrds" + xmlns:openid="http://openid.net/xmlns/1.0" + xmlns:typekey="http://typekey.com/xmlns/1.0" + xmlns="xri://$xrd*($v*2.0)"> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/not-xrds.xml b/askbot/deps/openid/test/data/test_etxrd/not-xrds.xml new file mode 100644 index 00000000..7f5bfd51 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/not-xrds.xml @@ -0,0 +1,2 @@ +<?xml version="1.0" encoding="UTF-8"?> +<x></x> diff --git a/askbot/deps/openid/test/data/test_etxrd/prefixsometimes.xrds b/askbot/deps/openid/test/data/test_etxrd/prefixsometimes.xrds new file mode 100644 index 00000000..5522a6e5 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/prefixsometimes.xrds @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://@ootao*test1" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*ootao</Query> + <Status code="100"/> + <Expires>2006-08-09T22:07:13.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!5BAD.2AA.3C72.AF46</LocalID> + <CanonicalID priority="10">@!5BAD.2AA.3C72.AF46</CanonicalID> + <Service priority="10"> + <Type>xri://$res*auth*($v*2.0)</Type> + <ProviderID>xri://@!5BAD.2AA.3C72.AF46</ProviderID> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/@ootao/</URI> + </Service> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*test1</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://@!5BAD.2AA.3C72.AF46</ProviderID> + <LocalID>!0000.0000.3B9A.CA01</LocalID> + <CanonicalID>xri://@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01</CanonicalID> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/ref.xrds b/askbot/deps/openid/test/data/test_etxrd/ref.xrds new file mode 100644 index 00000000..69cf683d --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/ref.xrds @@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://@ootao*test.ref" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*ootao</Query> + <Status code="100"/> + <Expires>2006-08-15T18:56:09.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!5BAD.2AA.3C72.AF46</LocalID> + <CanonicalID priority="10">@!5BAD.2AA.3C72.AF46</CanonicalID> + <Service priority="10"> + <Type>xri://$res*auth*($v*2.0)</Type> + <ProviderID/> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/@ootao/</URI> + </Service> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*test.ref</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://!!1003</ProviderID> + <LocalID>!0000.0000.3B9A.CA03</LocalID> + <CanonicalID>@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA03</CanonicalID> + <Ref>@!BAE.A650.823B.2475</Ref> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRDS ref="xri://@!BAE.A650.823B.2475" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>!BAE.A650.823B.2475</Query> + <Status code="100"/> + <Expires>2006-08-15T18:56:10.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!BAE.A650.823B.2475</LocalID> + <CanonicalID priority="10">@!BAE.A650.823B.2475</CanonicalID> + <Service priority="10"> + <Type select="true">(+wdnc)</Type> + <ProviderID/> + <Path select="true">(+wdnc)</Path> + <URI append="none" priority="10">http://www.tcpacompliance.us</URI> + </Service> + <Service priority="10"> + <Type match="content" select="true">xri://$res*auth*($v*2.0)</Type> + <ProviderID/> + <MediaType match="content" select="false">application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://dev.dready.org/cgi-bin/xri</URI> + </Service> + <Service priority="10"> + <Type match="content" select="true">(+i-name)</Type> + <ProviderID/> + <Path match="content" select="true">(+i-name)</Path> + <URI append="none" priority="10">http://www.inames.net</URI> + </Service> + <Service priority="10"> + <Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type> + <Type match="default" select="false"/> + <ProviderID>xri://!!1001</ProviderID> + <Path select="true">(+contact)</Path> + <Path match="null" select="false"/> + <MediaType select="false">text/html</MediaType> + <MediaType match="default" select="false"/> + <URI append="none" priority="10">http://www.neustar.biz</URI> + </Service> + </XRD> + </XRDS> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>!BAE.A650.823B.2475</Query> + <Status code="100"/> + <Expires>2006-08-15T18:56:10.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!BAE.A650.823B.2475</LocalID> + <CanonicalID priority="10">@!BAE.A650.823B.2475</CanonicalID> + <Service priority="10"> + <Type select="true">(+wdnc)</Type> + <ProviderID/> + <Path select="true">(+wdnc)</Path> + <URI append="none" priority="10">http://www.tcpacompliance.us</URI> + </Service> + <Service priority="10"> + <Type match="content" select="true">xri://$res*auth*($v*2.0)</Type> + <ProviderID/> + <MediaType match="content" select="false">application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://dev.dready.org/cgi-bin/xri</URI> + </Service> + <Service priority="10"> + <Type match="content" select="true">(+i-name)</Type> + <ProviderID/> + <Path match="content" select="true">(+i-name)</Path> + <URI append="none" priority="10">http://www.inames.net</URI> + </Service> + <Service priority="10"> + <Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type> + <Type match="default" select="false"/> + <ProviderID>xri://!!1001</ProviderID> + <Path select="true">(+contact)</Path> + <Path match="null" select="false"/> + <MediaType select="false">text/html</MediaType> + <MediaType match="default" select="false"/> + <URI append="none" priority="10">http://www.neustar.biz</URI> + </Service> + </XRD> +</XRDS>
\ No newline at end of file diff --git a/askbot/deps/openid/test/data/test_etxrd/sometimesprefix.xrds b/askbot/deps/openid/test/data/test_etxrd/sometimesprefix.xrds new file mode 100644 index 00000000..eff75554 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/sometimesprefix.xrds @@ -0,0 +1,34 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://@ootao*test1" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*ootao</Query> + <Status code="100"/> + <Expires>2006-08-09T22:07:13.000Z</Expires> + <ProviderID>xri://@</ProviderID> + <LocalID priority="10">!5BAD.2AA.3C72.AF46</LocalID> + <CanonicalID priority="10">xri://@!5BAD.2AA.3C72.AF46</CanonicalID> + <Service priority="10"> + <Type>xri://$res*auth*($v*2.0)</Type> + <ProviderID>xri://@!5BAD.2AA.3C72.AF46</ProviderID> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/@ootao/</URI> + </Service> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*test1</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://@!5BAD.2AA.3C72.AF46</ProviderID> + <LocalID>!0000.0000.3B9A.CA01</LocalID> + <CanonicalID>@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01</CanonicalID> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID/> + <URI append="qxri" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/spoof1.xrds b/askbot/deps/openid/test/data/test_etxrd/spoof1.xrds new file mode 100644 index 00000000..8e870c81 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/spoof1.xrds @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://=keturn*isDrummond" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*keturn</Query> + <ProviderID>xri://=</ProviderID> + <LocalID>!E4</LocalID> + <CanonicalID>=!E4</CanonicalID> + + <Service> + <Type>xri://$res*auth*($v*2.0)</Type> + <URI>http://keturn.example.com/resolve/</URI> + <ProviderID>=!E4</ProviderID> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*isDrummond</Query> + <ProviderID>=!E4</ProviderID> + <LocalID>!D2</LocalID> + <CanonicalID>=!D2</CanonicalID> + <Service> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://keturn.example.com/openid</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/spoof2.xrds b/askbot/deps/openid/test/data/test_etxrd/spoof2.xrds new file mode 100644 index 00000000..7547561e --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/spoof2.xrds @@ -0,0 +1,25 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://=keturn*isDrummond" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*keturn</Query> + <ProviderID>xri://=</ProviderID> + <LocalID>!E4</LocalID> + <CanonicalID>=!E4</CanonicalID> + + <Service> + <Type>xri://$res*auth*($v*2.0)</Type> + <URI>http://keturn.example.com/resolve/</URI> + <ProviderID>xri://=</ProviderID> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*isDrummond</Query> + <ProviderID>xri://=</ProviderID> + <LocalID>!D2</LocalID> + <CanonicalID>=!D2</CanonicalID> + <Service> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://keturn.example.com/openid</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/spoof3.xrds b/askbot/deps/openid/test/data/test_etxrd/spoof3.xrds new file mode 100644 index 00000000..f4c43c9b --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/spoof3.xrds @@ -0,0 +1,37 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://=keturn*isDrummond" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*keturn</Query> + <ProviderID>xri://@</ProviderID> + <LocalID>@E4</LocalID> + <CanonicalID>@!E4</CanonicalID> + + <Service> + <Type>xri://$res*auth*($v*2.0)</Type> + <URI>http://keturn.example.com/resolve/</URI> + <ProviderID>@!E4</ProviderID> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*is</Query> + <ProviderID>@!E4</ProviderID> + <LocalID>!D2</LocalID> + <CanonicalID>=!C0</CanonicalID> + <CanonicalID>=!E4!01</CanonicalID> + <Service> + <Type>xri://$res*auth*($v*2.0)</Type> + <URI>http://keturn.example.com/resolve/</URI> + <ProviderID>@!C0</ProviderID> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*drummond</Query> + <ProviderID>@!C0</ProviderID> + <LocalID>!D2</LocalID> + <CanonicalID>@!C0!D2</CanonicalID> + <Service> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://keturn.example.com/openid</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/status222.xrds b/askbot/deps/openid/test/data/test_etxrd/status222.xrds new file mode 100644 index 00000000..84cd5c90 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/status222.xrds @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://=x" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*x</Query> + <Status code="222">The subsegment does not exist</Status> + <Expires>2006-08-18T00:02:35.000Z</Expires> + <ProviderID>xri://=</ProviderID> + </XRD> +</XRDS>
\ No newline at end of file diff --git a/askbot/deps/openid/test/data/test_etxrd/subsegments.xrds b/askbot/deps/openid/test/data/test_etxrd/subsegments.xrds new file mode 100644 index 00000000..11d2e912 --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/subsegments.xrds @@ -0,0 +1,58 @@ +<?xml version="1.0" encoding="UTF-8"?> +<XRDS ref="xri://=nishitani*masaki" xmlns="xri://$xrds"> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*nishitani</Query> + <Status code="100"/> + <Expires>2007-12-25T11:33:39.000Z</Expires> + <ProviderID>xri://=</ProviderID> + <LocalID priority="10">!E117.EF2F.454B.C707</LocalID> + <CanonicalID priority="10">=!E117.EF2F.454B.C707</CanonicalID> + <Service priority="10"> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID>xri://!!1003!103</ProviderID> + <URI append="none" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + <Service priority="10"> + <Type select="true">xri://$res*auth*($v*2.0)</Type> + <ProviderID>xri://!!1003!103</ProviderID> + <MediaType>application/xrds+xml;trust=none</MediaType> + <URI priority="10">http://resolve.ezibroker.net/resolve/=nishitani/</URI> + </Service> + <Service priority="1"> + <Type match="content" select="true">xri://+i-service*(+forwarding)*($v*1.0)</Type> + <Type match="null" select="false"/> + <ProviderID>xri://!!1003!103</ProviderID> + <Path match="content">(+index)</Path> + <Path match="default"/> + <URI append="qxri" priority="1">http://linksafe-forward.ezibroker.net/forwarding/</URI> + </Service> + </XRD> + <XRD xmlns="xri://$xrd*($v*2.0)"> + <Query>*masaki</Query> + <Status code="100">SUCCESS</Status> + <ProviderID>xri://!!1003</ProviderID> + <LocalID>!0000.0000.3B9A.CA01</LocalID> + <CanonicalID>=!E117.EF2F.454B.C707!0000.0000.3B9A.CA01</CanonicalID> + <Service> + <Type select="true">http://openid.net/signon/1.0</Type> + <ProviderID>xri://!!1003!103</ProviderID> + <URI append="none" priority="1">https://linksafe.ezibroker.net/server/</URI> + </Service> + <Service> + <Type select="true">xri://+i-service*(+contact)*($v*1.0)</Type> + <Type match="null"/> + <ProviderID>xri://!!1003!103</ProviderID> + <Path select="true">(+contact)</Path> + <Path match="null"/> + <URI append="authority" priority="1">http://linksafe-contact.ezibroker.net/contact/</URI> + </Service> + <Service priority="1"> + <Type match="content" select="true">xri://+i-service*(+forwarding)*($v*1.0)</Type> + <Type match="null" select="false"/> + <ProviderID>xri://!!1003!103</ProviderID> + <Path match="content">(+index)</Path> + <Path match="default"/> + <URI append="qxri" priority="1">http://linksafe-forward.ezibroker.net/forwarding/</URI> + </Service> + </XRD> +</XRDS> diff --git a/askbot/deps/openid/test/data/test_etxrd/valid-populated-xrds.xml b/askbot/deps/openid/test/data/test_etxrd/valid-populated-xrds.xml new file mode 100644 index 00000000..60e5ca7b --- /dev/null +++ b/askbot/deps/openid/test/data/test_etxrd/valid-populated-xrds.xml @@ -0,0 +1,39 @@ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS + xmlns:xrds="xri://$xrds" + xmlns:openid="http://openid.net/xmlns/1.0" + xmlns:typekey="http://typekey.com/xmlns/1.0" + xmlns="xri://$xrd*($v*2.0)"> + <XRD> + + <Service priority="0"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://www.myopenid.com/server</URI> + <openid:Delegate>http://josh.myopenid.com/</openid:Delegate> + </Service> + + <Service priority="20"> + <Type>http://lid.netmesh.org/sso/2.0b5</Type> + <Type>http://lid.netmesh.org/2.0b5</Type> + <URI>http://mylid.net/josh</URI> + </Service> + + <Service priority="10"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://www.livejournal.com/openid/server.bml</URI> + <openid:Delegate>http://www.livejournal.com/users/nedthealpaca/</openid:Delegate> + </Service> + + <Service priority="15"> + <Type>http://typekey.com/services/1.0</Type> + <typekey:MemberName>joshhoyt</typekey:MemberName> + </Service> + + <Service priority="5"> + <Type>http://openid.net/signon/1.0</Type> + <URI>http://www.schtuff.com/openid</URI> + <openid:Delegate>http://users.schtuff.com/josh</openid:Delegate> + </Service> + + </XRD> +</xrds:XRDS> diff --git a/askbot/deps/openid/test/data/trustroot.txt b/askbot/deps/openid/test/data/trustroot.txt new file mode 100644 index 00000000..3d948a4f --- /dev/null +++ b/askbot/deps/openid/test/data/trustroot.txt @@ -0,0 +1,150 @@ +======================================== +Trust root parsing checking +======================================== + +---------------------------------------- +21: Does not parse +---------------------------------------- +baz.org +*.foo.com +http://*.schtuff.*/ +ftp://foo.com +ftp://*.foo.com +http://*.foo.com:80:90/ +http:/// +http:// +foo.*.com +http://foo.*.com +http://www.* +http://*foo.com/ +http://foo.com\/ +http://localhost:1900foo/ +http://foo.com/invalid#fragment +http://Ï€.pi.com/ +http://lambda.com/Λ + + + +5 + +---------------------------------------- +15: Insane +---------------------------------------- +http://*/ +https://*/ +http://*.com +http://*.com/ +https://*.com/ +http://*.com.au/ +http://*.co.uk/ +http://*.foo.notatld/ +https://*.foo.notatld/ +http://*.museum/ +https://*.museum/ +http://www.schtuffcom/ +http://it/ +http://..it/ +http://.it/ + +---------------------------------------- +18: Sane +---------------------------------------- +http://*.schtuff.com./ +http://*.schtuff.com/ +http://*.foo.schtuff.com/ +http://*.schtuff.com +http://www.schtuff.com/ +http://www.schtuff.com./ +http://www.schutff.com +http://*.this.that.schtuff.com/ +http://*.foo.com/path +http://*.foo.com/path?action=foo2 +http://x.foo.com/path?action=foo2 +http://x.foo.com/path?action=%3D +http://localhost:8081/ +http://localhost:8082/?action=openid +https://foo.com/ +http://kink.fm/should/be/sane +http://beta.lingu.no/ +http://goathack.livejournal.org:8020/openid/login.bml + +======================================== +return_to matching +======================================== + +---------------------------------------- +45: matches +---------------------------------------- +http://*/ http://cnn.com/ +http://*/ http://livejournal.com/ +http://*/ http://met.museum/ +http://*:8081/ http://met.museum:8081/ +http://localhost:8081/x?action=openid http://localhost:8081/x?action=openid +http://*.foo.com http://b.foo.com +http://*.foo.com http://b.foo.com/ +http://*.foo.com/ http://b.foo.com +http://b.foo.com http://b.foo.com +http://b.foo.com http://b.foo.com/ +http://b.foo.com/ http://b.foo.com +http://*.b.foo.com http://b.foo.com +http://*.b.foo.com http://b.foo.com/ +http://*.b.foo.com/ http://b.foo.com +http://*.b.foo.com http://x.b.foo.com +http://*.b.foo.com http://w.x.b.foo.com +http://*.bar.co.uk http://www.bar.co.uk +http://*.uoregon.edu http://x.cs.uoregon.edu +http://x.com/abc http://x.com/abc +http://127.1/abc http://127.1/abc +http://10.0.0.1/abc http://10.0.0.1/abc +http://x.com/abc http://x.com/abc/def +http://*.x.com http://x.com/gallery +http://*.x.com http://foo.x.com/gallery +http://foo.x.com http://foo.x.com/gallery/xxx +http://*.x.com/gallery http://foo.x.com/gallery +http://localhost:8082/?action=openid http://localhost:8082/?action=openid +http://goathack.livejournal.org:8020/ http://goathack.livejournal.org:8020/openid/login.bml +https://foo.com https://foo.com +http://Foo.com http://foo.com +http://foo.com http://Foo.com +http://foo.com:80/ http://foo.com/ +http://foo.com/?x=y http://foo.com/?x=y&a=b +http://foo.com/x http://foo.com/x?y +http://mylid.net/j3h. http://mylid.net/j3h.?x=y +http://j3h.us http://j3h.us?ride=unicycle +https://www.filmclans.com:443/mattmartin/FilmClans https://www.filmclans.com/mattmartin/FilmClans/Logon.aspx?nonce=BVjqSOee +http://foo.com:80 http://foo.com +http://foo.com http://foo.com:80 +http://foo.com http://foo.com/ +http://foo.com/ http://foo.com +http://foo.com/ http://foo.com:80 +http://foo.com:80/ http://foo.com:80/stuff +http://foo.com:80/ http://foo.com/stuff +http://foo.com/ HTTP://foo.com/ + +---------------------------------------- +24: does not match +---------------------------------------- +http://*/ ftp://foo.com/ +http://*/ xxx +http://*.x.com/abc http://foo.x.com +http://*.x.com/abc http://*.x.com +http://*.com/ http://*.com/ +http://x.com/abc http://x.com/ +http://x.com/abc http://x.com/a +http://x.com/abc http://x.com/ab +http://x.com/abc http://x.com/abcd +http://*.cs.uoregon.edu http://x.uoregon.edu +http://*.foo.com http://bar.com +http://*.foo.com http://www.bar.com +http://*.bar.co.uk http://xxx.co.uk +https://foo.com http://foo.com +http://foo.com https://foo.com +http://foo.com:81 http://foo.com:80 +http://*:80 http://foo.com:81 +http://foo.com/?a=b http://foo.com/?x=y +http://foo.com/?a=b http://foo.com/?x=y&a=b +http://foo.com/?a=b http://foo.com/ +http://*.oo.com/ http://foo.com/ +http://foo.com/* http://foo.com/anything +http://foo.com http://foo.com:443 +https://foo.com https://foo.com:80 diff --git a/askbot/deps/openid/test/datadriven.py b/askbot/deps/openid/test/datadriven.py new file mode 100644 index 00000000..2dbcfd0d --- /dev/null +++ b/askbot/deps/openid/test/datadriven.py @@ -0,0 +1,47 @@ +import unittest +import types + +class DataDrivenTestCase(unittest.TestCase): + cases = [] + + def generateCases(cls): + return cls.cases + + generateCases = classmethod(generateCases) + + def loadTests(cls): + tests = [] + for case in cls.generateCases(): + if isinstance(case, tuple): + test = cls(*case) + elif isinstance(case, dict): + test = cls(**case) + else: + test = cls(case) + tests.append(test) + return tests + + loadTests = classmethod(loadTests) + + def __init__(self, description): + unittest.TestCase.__init__(self, 'runOneTest') + self.description = description + + def shortDescription(self): + return '%s for %s' % (self.__class__.__name__, self.description) + +def loadTests(module_name): + loader = unittest.defaultTestLoader + this_module = __import__(module_name, {}, {}, [None]) + + tests = [] + for name in dir(this_module): + obj = getattr(this_module, name) + if (isinstance(obj, (type, types.ClassType)) and + issubclass(obj, unittest.TestCase)): + if hasattr(obj, 'loadTests'): + tests.extend(obj.loadTests()) + else: + tests.append(loader.loadTestsFromTestCase(obj)) + + return unittest.TestSuite(tests) diff --git a/askbot/deps/openid/test/dh.py b/askbot/deps/openid/test/dh.py new file mode 100644 index 00000000..16b8d560 --- /dev/null +++ b/askbot/deps/openid/test/dh.py @@ -0,0 +1,70 @@ +import os.path +from openid.dh import DiffieHellman, strxor + +def test_strxor(): + NUL = '\x00' + + cases = [ + (NUL, NUL, NUL), + ('\x01', NUL, '\x01'), + ('a', 'a', NUL), + ('a', NUL, 'a'), + ('abc', NUL * 3, 'abc'), + ('x' * 10, NUL * 10, 'x' * 10), + ('\x01', '\x02', '\x03'), + ('\xf0', '\x0f', '\xff'), + ('\xff', '\x0f', '\xf0'), + ] + + for aa, bb, expected in cases: + actual = strxor(aa, bb) + assert actual == expected, (aa, bb, expected, actual) + + exc_cases = [ + ('', 'a'), + ('foo', 'ba'), + (NUL * 3, NUL * 4), + (''.join(map(chr, xrange(256))), + ''.join(map(chr, xrange(128)))), + ] + + for aa, bb in exc_cases: + try: + unexpected = strxor(aa, bb) + except ValueError: + pass + else: + assert False, 'Expected ValueError, got %r' % (unexpected,) + +def test1(): + dh1 = DiffieHellman.fromDefaults() + dh2 = DiffieHellman.fromDefaults() + secret1 = dh1.getSharedSecret(dh2.public) + secret2 = dh2.getSharedSecret(dh1.public) + assert secret1 == secret2 + return secret1 + +def test_exchange(): + s1 = test1() + s2 = test1() + assert s1 != s2 + +def test_public(): + f = file(os.path.join(os.path.dirname(__file__), 'dhpriv')) + dh = DiffieHellman.fromDefaults() + try: + for line in f: + parts = line.strip().split(' ') + dh._setPrivate(long(parts[0])) + + assert dh.public == long(parts[1]) + finally: + f.close() + +def test(): + test_exchange() + test_public() + test_strxor() + +if __name__ == '__main__': + test() diff --git a/askbot/deps/openid/test/dhpriv b/askbot/deps/openid/test/dhpriv new file mode 100644 index 00000000..0fa52314 --- /dev/null +++ b/askbot/deps/openid/test/dhpriv @@ -0,0 +1,29 @@ +130706940119084053627151828062879423433929180135817317038378606310097533503449582079984816816837125851552273641820339909167103200910805078308128174143174269944095368580519322913514764528012639683546377014716235962867583443566164615728897857285824741767070432119909660645255499710701356135207437699643611094585 139808169914464096465921128085565621767096724855516655439365028496569658038844954238931647642811548254956660405394116677296461848124300258439895306367561416289126854788101396379292925819850897858045772500578222021901631436550118958972312221974009238050517034542286574826081826542722270952769078386418682059418 +91966407878983240112417790733941098492087186469785726449910011271065622315680646030230288265496017310433513856308693810812043160919214636748486185212617634222158204354206411031403206076739932806412551605172319515223573351072757800448643935018534945933808900467686115619932664888581913179496050117713298715475 88086484332488517006277516020842172054013692832175783214603951240851750819999098631851571207693874357651112736088114133607400684776234181681933311972926752846692615822043533641407510569745606256772455614745111122033229877596984718963046218854103292937700694160593653595134512369959987897086639788909618660591 +94633950701209990078055218830969910271587805983595045023718108184189787131629772007048606080263109446462048743696369276578815611098215686598630889831104860221067872883514840819381234786050098278403321905311637820524177879167250981289318356078312300538871435101338967079907049912435983871847334104247675360099 136836393035803488129856151345450008294260680733328546556640578838845312279198933806383329293483852515700876505956362639881210101974254765087350842271260064592406308509078284840473735904755203614987286456952991025347168970462354352741159076541157478949094536405618626397435745496863324654768971213730622037771 +24685127248019769965088146297942173464487677364928435784091685260262292485380918213538979925891771204729738138857126454465630594391449913947358655368215901119137728648638547728497517587701248406019427282237279437409508871300675355166059811431191200555457304463617727969228965042729205402243355816702436970430 103488011917988946858248200111251786178288940265978921633592888293430082248387786443813155999158786903216094876295371112716734481877806417714913656921169196196571699893360825510307056269738593971532017994987406325068886420548597161498019372380511676314312298122272401348856314619382867707981701472607230523868 +116791045850880292989786005885944774698035781824784400772676299590038746153860847252706167458966356897309533614849402276819438194497464696186624618374179812548893947178936305721131565012344462048549467883494038577857638815386798694225798517783768606048713198211730870155881426709644960689953998714045816205549 25767875422998856261320430397505398614439586659207416236135894343577952114994718158163212134503751463610021489053571733974769536157057815413209619147486931502025658987681202196476489081257777148377685478756033509708349637895740799542063593586769082830323796978935454479273531157121440998804334199442003857410 +75582226959658406842894734694860761896800153014775231713388264961517169436476322183886891849966756849783437334069692683523296295601533803799559985845105706728538458624387103621364117548643541824878550074680443708148686601108223917493525070861593238005735446708555769966855130921562955491250908613793521520082 51100990616369611694975829054222013346248289055987940844427061856603230021472379888102172458517294080775792439385531234808129302064303666640376750139242970123503857186428797403843206765926798353022284672682073397573130625177187185114726049347844460311761033584101482859992951420083621362870301150543916815123 +22852401165908224137274273646590366934616265607879280260563022941455466297431255072303172649495519837876946233272420969249841381161312477263365567831938496555136366981954001163034914812189448922853839616662859772087929140818377228980710884492996109434435597500854043325062122184466315338260530734979159890875 35017410720028595029711778101507729481023945551700945988329114663345341120595162378885287946069695772429641825579528116641336456773227542256911497084242947904528367986325800537695079726856460817606404224094336361853766354225558025931211551975334149258299477750615397616908655079967952372222383056221992235704 +37364490883518159794654045194678325635036705086417851509136183713863262621334636905291385255662750747808690129471989906644041585863034419130023070856805511017402434123099100618568335168939301014148587149578150068910141065808373976114927339040964292334109797421173369274978107389084873550233108940239410902552 40916262212189137562350357241447034318002130016858244002788189310078477605649010031339865625243230798681216437501833540185827501244378529230150467789369234869122179247196276164931090039290879808162629109742198951942358028123056268054775108592325500609335947248599688175189333996086475013450537086042387719925 +42030470670714872936404499074069849778147578537708230270030877866700844337372497704027708080369726758812896818567830863540507961487472657570488625639077418109017434494794778542739932765561706796300920251933107517954265066804108669800167526425723377411855061131982689717887180411017924173629124764378241885274 124652439272864857598747946875599560379786580730218192165733924418687522301721706620565030507816884907589477351553268146177293719586287258662025940181301472851649975563004543250656807255226609296537922304346339513054316391667044301386950180277940536542183725690479451746977789001659540839582630251935163344393 +33176766914206542084736303652243484580303865879984981189372762326078776390896986743451688462101732968104375838228070296418541745483112261133079756514082093269959937647525005374035326747696591842313517634077723301677759648869372517403529488493581781546743147639937580084065663597330159470577639629864369972900 67485835091897238609131069363014775606263390149204621594445803179810038685760826651889895397414961195533694176706808504447269558421955735607423135937153901140512527504198912146656610630396284977496295289999655140295415981288181545277299615922576281262872097567020980675200178329219970170480653040350512964539 +131497983897702298481056962402569646971797912524360547236788650961059980711719600424210346263081838703940277066368168874781981151411096949736205282734026497995296147418292226818536168555712128736975034272678008697869326747592750850184857659420541708058277866000692785617873742438060271311159568468507825422571 5400380840349873337222394910303409203226429752629134721503171858543984393161548520471799318518954232197106728096866840965784563043721652790856860155702760027304915133166173298206604451826182024471262142046935060360564569939062438160049193241369468208458085699995573492688298015026628427440418009025072261296 +83265103005695640943261961853521077357830295830250157593141844209296716788437615940096402365505416686459260302419338241462783388722843946886845478224048360927114533590583464979009731440049610985062455108831881153988321298531365779084012803908832525921630534096740755274371500276660832724874701671184539131864 141285570207910287798371174771658911045525474449663877845558585668334618068814605961306961485855329182957174312715910923324965889174835444049526313968571611940626279733302104955951067959291852710640374412577070764165811275030632465290729619533330733368808295932659463215921521905553936914975786500018720073003 +68435028583616495789148116911096163791710022987677894923742899873596891423986951658100606742052014161171185231735413902875605720814417622409817842932759492013585936536452615480700628719795872201528559780249210820284350401473564919576289210869896327937002173624497942136329576506818749730506884927872345019446 134655528287263100540003157571441260698452262106680191153945271167894435782028803135774578949200580551016388918860856991026082917835209212892423567114480975540305860034439015788120390011692862968771136814777768281366591257663821495720134621172848947971117885754539770645621669309650476331439675400544167728223 +97765390064836080322590528352647421920257073063706996347334558390461274981996865736612531330863478931481491964338380362350271734683183807511097331539820133036984271653285063355715726806139083282458695728902452215405696318402583540317419929113959816258829534543044153959951908676300847164682178008704099351835 92552521881196975294401505656851872247567784546370503402756239533783651371688190302773864319828182042605239246779598629409815474038541272600580320815319709309111399294952620375093803971373108792300726524826209329889463854451846561437729676142864421966497641824498079067929811613947148353921163336822026640804 +145767094672933012300753301037546647564595762930138884463767054235112032706630891961371504668013023047595721138624016493638510710257541241706724342585654715468628355455898091951826598092812212209834746162089753649871544789379424903025374228231365026585872808685759231756517703720396301355299998059523896918448 116669462839999965355861187716880953863237226719689755457884414384663576662696981997535568446560375442532084973721539944428004043491468494548231348032618218312515409944970197902589794303562379864012797605284844016184274353252071642511293089390472576498394410829972525726474727579603392265177009323768966538608 +34172517877854802711907683049441723730724885305592620486269966708379625109832852005775048584124451699198484092407720344962116726808090368739361658889584507734617844212547181476646725256303630128954338675520938806905779837227983648887192531356390902975904503218654196581612781227843742951241442641220856414232 126013077261793777773236390821108423367648447987653714614732477073177878509574051196587476846560696305938891953527959347566502332765820074506907037627115954790645652211088723122982633069089920979477728376746424256704724173255656757918995039125823421607024407307091796807227896314403153380323770001854211384322 +9979624731056222925878866378063961280844793874828281622845276060532093809300121084179730782833657205171434732875093693074415298975346410131191865198158876447591891117577190438695367929923494177555818480377241891190442070100052523008290671797937772993634966511431668500154258765510857129203107386972819651767 76559085024395996164590986654274454741199399364851956129137304209855150918182685643729981600389513229011956888957763987167398150792454613751473654448162776379362213885827651020309844507723069713820393068520302223477225569348080362344052033711960892643036147232270133731530049660264526964146237693063093765111 +18162696663677410793062235946366423954875282212790518677684260521370996677183041664345920941714064628111537529793170736292618705900247450994864220481135611781148410617609559050220262121494712903009168783279356915189941268264177631458029177102542745167475619936272581126346266816618866806564180995726437177435 63244550218824945129624987597134280916829928261688093445040235408899092619821698537312158783367974202557699994650667088974727356690181336666077506063310290098995215324552449858513870629176838494348632073938023916155113126203791709810160925798130199717340478393420816876665127594623142175853115698049952126277 +4817943161362708117912118300716778687157593557807116683477307391846133734701449509121209661982298574607233039490570567781316652698287671086985501523197566560479906850423709894582834963398034434055472063156147829131181965140631257939036683622084290629927807369457311894970308590034407761706800045378158588657 61612160237840981966750225147965256022861527286827877531373888434780789812764688703260066154973576040405676432586962624922734102370509771313805122788566405984830112657060375568510809122230960988304085950306616401218206390412815884549481965750553137717475620505076144744211331973240555181377832337912951699135 +36363324947629373144612372870171042343590861026293829791335153646774927623889458346817049419803031378037141773848560341251355283891019532059644644509836766167835557471311319194033709837770615526356168418160386395260066262292757953919140150454538786106958252854181965875293629955562111756775391296856504912587 86831561031659073326747216166881733513938228972332631084118628692228329095617884068498116676787029033973607066377816508795286358748076949738854520048303930186595481606562375516134920902325649683618195251332651685732712539073110524182134321873838204219194459231650917098791250048469346563303077080880339797744 +26406869969418301728540993821409753036653370247174689204659006239823766914991146853283367848649039747728229875444327879875275718711878211919734397349994000106499628652960403076186651083084423734034070082770589453774926850920776427074440483233447839259180467805375782600203654373428926653730090468535611335253 100139935381469543084506312717977196291289016554846164338908226931204624582010530255955411615528804421371905642197394534614355186795223905217732992497673429554618838376065777445760355552020655667172127543653684405493978325270279321013143828897100500212200358450649158287605846102419527584313353072518101626851 +92613116984760565837109105383781193800503303131143575169488835702472221039082994091847595094556327985517286288659598094631489552181233202387028607421487026032402972597880028640156629614572656967808446397456622178472130864873587747608262139844319805074476178618930354824943672367046477408898479503054125369731 30023391082615178562263328892343821010986429338255434046051061316154579824472412477397496718186615690433045030046315908170615910505869972621853946234911296439134838951047107272129711854649412919542407760508235711897489847951451200722151978578883748353566191421685659370090024401368356823252748749449302536931 +31485815361342085113278193504381994806529237123359718043079410511224607873725611862217941085749929342777366642477711445011074784469367917758629403998067347054115844421430072631339788256386509261291675080191633908849638316409182455648806133048549359800886124554879661473112614246869101243501787363247762961784 114503770698890543429251666713050844656853278831559195214556474458830029271801818536133531843456707474500106283648085144619097572354066554819887152106174400667929098257361286338795493838820850475790977445807435511982704395422526800272723708548541616513134676140304653112325071112865020365664833601046215694089 +76882090884790547431641385530818076533805072109483843307806375918023300052767710853172670987385376253156912268523505310624133905633437815297307463917718596711590885553760690350221265675690787249135345226947453988081566088302642706234126002514517416493192624887800567412565527886687096028028124049522890448168 15056463217273240496622619354104573042767532856243223052125822509781815362480522535564283485059790932505429110157271454207173426525345813426696743168079246510944969446574354255284952839036431873039487144279164893710061580467579842173706653409487110282515691099753380094215805485573768509475850463001549608836 +52345178981230648108672997265819959243255047568833938156267924185186047373470984278294897653277996726416846430969793375429223610099546622112048283560483136389901514170116723365811871938630317974150540909650396429631704968748113009366339718498979597226137532343384889080245796447593572468846438769413505393967 32148494517199936472358017244372701214529606506776255341152991328091526865643069587953759877295255050519124541457805199596762210567333445908166076384465183589342153762720515477404466193879418014196727238972417616122646440870364200208488239778452378059236162633837824948613596114768455832408342040970780086 +41095268619128788015767564971105114602454449306041732792746397800275041704886345704294273937217484580365505320134717320083763349380629342859670693445658118959823430378844830923452105707338162448974869312012791385772125813291388247857971218575518319578818336960572244046567099555399203328678654466958536663208 92166550199033418923713824997841892577149715275633481076285269142670107687867024550593869464613175882141630640739938334001211714884975032600306279287443909448541179109981755796752132502127330056736913454039526413284519137059580845856736918773597087836203497066909257930043736166431682872083389105176299181629 +40049143661018504441607875135884755310012910557581028447435354354754245291878800571089144452035026644953322330676651798951447670184106450649737772686119714700743396359069052813433030118630105307022867200053964644574786137276428546712005171080129190959914708907200288299169344380390093918556722227705114244981 108159089972386282154772900619022507336076619354549601813179459338897131937353741544606392560724999980281424266891537298473163753022749859939445293926707568015958367188089915420630082556748668489756475027008449860889202622698060097015044886961901650857610841562477736791450080980702347705778074391774667412741 +69905259478181995876884927656894491893594530150260951315109404530530357998889589977208787140430938039028941393673520799460431992051993157468616168400324834880926190141581037597526917869362292931957289043707855837933490285814769110495657056206391880865972389421774822461752702336812585852278453803972600333734 71821415380277072313878763768684432371552628204186742842154591000123020597011744840460964835414360968627162765288463383113375595799297552681618876474019263288277398833725479226930770694271622605114061622753165584075733358178384410640349907375170170910499615355511313349300918885560131539570707695789106185664 +26945345439378873515011714350080059082081595419023056538696949766471272811362104837806324694947413603019863785876836706911406330379274553386254346050697348395574746891556054334903838949157798006141473389066020212044825140294048709654273698482867946522782450500680195477050110145664069582549935651920545151500 80313315938584480048642653013876614091607852535582224914294013785054094052454758327935781971746329853786568549510067442145637007308960551652864942042189241081946607011847245280773379099020221884296226818685556430275385068764313042226925852500883894269809033380734632866477789520106865758504064806906234130588 diff --git a/askbot/deps/openid/test/discoverdata.py b/askbot/deps/openid/test/discoverdata.py new file mode 100644 index 00000000..78b18f73 --- /dev/null +++ b/askbot/deps/openid/test/discoverdata.py @@ -0,0 +1,125 @@ +"""Module to make discovery data test cases available""" +import urlparse +import os.path + +from openid.yadis.discover import DiscoveryResult, DiscoveryFailure +from openid.yadis.constants import YADIS_HEADER_NAME + +tests_dir = os.path.dirname(__file__) +data_path = os.path.join(tests_dir, 'data') + +testlist = [ +# success, input_name, id_name, result_name + (True, "equiv", "equiv", "xrds"), + (True, "header", "header", "xrds"), + (True, "lowercase_header", "lowercase_header", "xrds"), + (True, "xrds", "xrds", "xrds"), + (True, "xrds_ctparam", "xrds_ctparam", "xrds_ctparam"), + (True, "xrds_ctcase", "xrds_ctcase", "xrds_ctcase"), + (False, "xrds_html", "xrds_html", "xrds_html"), + (True, "redir_equiv", "equiv", "xrds"), + (True, "redir_header", "header", "xrds"), + (True, "redir_xrds", "xrds", "xrds"), + (False, "redir_xrds_html", "xrds_html", "xrds_html"), + (True, "redir_redir_equiv", "equiv", "xrds"), + (False, "404_server_response", None, None), + (False, "404_with_header", None, None), + (False, "404_with_meta", None, None), + (False, "201_server_response", None, None), + (False, "500_server_response", None, None), + ] + +def getDataName(*components): + sanitized = [] + for part in components: + if part in ['.', '..']: + raise ValueError + elif part: + sanitized.append(part) + + if not sanitized: + raise ValueError + + return os.path.join(data_path, *sanitized) + +def getExampleXRDS(): + filename = getDataName('example-xrds.xml') + return file(filename).read() + +example_xrds = getExampleXRDS() +default_test_file = getDataName('test1-discover.txt') + +discover_tests = {} + +def readTests(filename): + data = file(filename).read() + tests = {} + for case in data.split('\f\n'): + (name, content) = case.split('\n', 1) + tests[name] = content + return tests + +def getData(filename, name): + global discover_tests + try: + file_tests = discover_tests[filename] + except KeyError: + file_tests = discover_tests[filename] = readTests(filename) + return file_tests[name] + +def fillTemplate(test_name, template, base_url, example_xrds): + mapping = [ + ('URL_BASE/', base_url), + ('<XRDS Content>', example_xrds), + ('YADIS_HEADER', YADIS_HEADER_NAME), + ('NAME', test_name), + ] + + for k, v in mapping: + template = template.replace(k, v) + + return template + +def generateSample(test_name, base_url, + example_xrds=example_xrds, + filename=default_test_file): + try: + template = getData(filename, test_name) + except IOError, why: + import errno + if why[0] == errno.ENOENT: + raise KeyError(filename) + else: + raise + + return fillTemplate(test_name, template, base_url, example_xrds) + +def generateResult(base_url, input_name, id_name, result_name, success): + input_url = urlparse.urljoin(base_url, input_name) + + # If the name is None then we expect the protocol to fail, which + # we represent by None + if id_name is None: + assert result_name is None + return input_url, DiscoveryFailure + + result = generateSample(result_name, base_url) + headers, content = result.split('\n\n', 1) + header_lines = headers.split('\n') + for header_line in header_lines: + if header_line.startswith('Content-Type:'): + _, ctype = header_line.split(':', 1) + ctype = ctype.strip() + break + else: + ctype = None + + id_url = urlparse.urljoin(base_url, id_name) + + result = DiscoveryResult(input_url) + result.normalized_uri = id_url + if success: + result.xrds_uri = urlparse.urljoin(base_url, result_name) + result.content_type = ctype + result.response_text = content + return input_url, result diff --git a/askbot/deps/openid/test/kvform.py b/askbot/deps/openid/test/kvform.py new file mode 100644 index 00000000..a83a62be --- /dev/null +++ b/askbot/deps/openid/test/kvform.py @@ -0,0 +1,174 @@ +from openid import kvform +from openid import oidutil +import unittest + +class KVBaseTest(unittest.TestCase): + def shortDescription(self): + return '%s test for %r' % (self.__class__.__name__, self.kvform) + + def log(self, message, unused_priority=None): + self.warnings.append(message) + + def checkWarnings(self, num_warnings): + self.failUnlessEqual(num_warnings, len(self.warnings), repr(self.warnings)) + + def setUp(self): + self.warnings = [] + self.old_log = oidutil.log + self.log_func = oidutil.log = self.log + self.failUnless(self.log_func is oidutil.log, + (oidutil.log, self.log_func)) + + def tearDown(self): + oidutil.log = self.old_log + +class KVDictTest(KVBaseTest): + def __init__(self, kv, dct, warnings): + unittest.TestCase.__init__(self) + self.kvform = kv + self.dict = dct + self.expected_warnings = warnings + + def runTest(self): + # Convert KVForm to dict + d = kvform.kvToDict(self.kvform) + + # make sure it parses to expected dict + self.failUnlessEqual(self.dict, d) + + # Check to make sure we got the expected number of warnings + self.checkWarnings(self.expected_warnings) + + # Convert back to KVForm and round-trip back to dict to make + # sure that *** dict -> kv -> dict is identity. *** + kv = kvform.dictToKV(d) + d2 = kvform.kvToDict(kv) + self.failUnlessEqual(d, d2) + +class KVSeqTest(KVBaseTest): + def __init__(self, seq, kv, expected_warnings): + unittest.TestCase.__init__(self) + self.kvform = kv + self.seq = seq + self.expected_warnings = expected_warnings + + def cleanSeq(self, seq): + """Create a new sequence by stripping whitespace from start + and end of each value of each pair""" + clean = [] + for k, v in self.seq: + if type(k) is str: + k = k.decode('utf8') + if type(v) is str: + v = v.decode('utf8') + clean.append((k.strip(), v.strip())) + return clean + + def runTest(self): + # seq serializes to expected kvform + actual = kvform.seqToKV(self.seq) + self.failUnlessEqual(self.kvform, actual) + self.failUnless(type(actual) is str) + + # Parse back to sequence. Expected to be unchanged, except + # stripping whitespace from start and end of values + # (i. e. ordering, case, and internal whitespace is preserved) + seq = kvform.kvToSeq(actual) + clean_seq = self.cleanSeq(seq) + + self.failUnlessEqual(seq, clean_seq) + self.checkWarnings(self.expected_warnings) + +kvdict_cases = [ + # (kvform, parsed dictionary, expected warnings) + ('', {}, 0), + ('college:harvey mudd\n', {'college':'harvey mudd'}, 0), + ('city:claremont\nstate:CA\n', + {'city':'claremont', 'state':'CA'}, 0), + ('is_valid:true\ninvalidate_handle:{HMAC-SHA1:2398410938412093}\n', + {'is_valid':'true', + 'invalidate_handle':'{HMAC-SHA1:2398410938412093}'}, 0), + + # Warnings from lines with no colon: + ('x\n', {}, 1), + ('x\nx\n', {}, 2), + ('East is least\n', {}, 1), + + # But not from blank lines (because LJ generates them) + ('x\n\n', {}, 1), + + # Warning from empty key + (':\n', {'':''}, 1), + (':missing key\n', {'':'missing key'}, 1), + + # Warnings from leading or trailing whitespace in key or value + (' street:foothill blvd\n', {'street':'foothill blvd'}, 1), + ('major: computer science\n', {'major':'computer science'}, 1), + (' dorm : east \n', {'dorm':'east'}, 2), + + # Warnings from missing trailing newline + ('e^(i*pi)+1:0', {'e^(i*pi)+1':'0'}, 1), + ('east:west\nnorth:south', {'east':'west', 'north':'south'}, 1), + ] + +kvseq_cases = [ + ([], '', 0), + + # Make sure that we handle non-ascii characters (also wider than 8 bits) + ([(u'\u03bbx', u'x')], '\xce\xbbx:x\n', 0), + + # If it's a UTF-8 str, make sure that it's equivalent to the same + # string, decoded. + ([('\xce\xbbx', 'x')], '\xce\xbbx:x\n', 0), + + ([('openid', 'useful'), ('a', 'b')], 'openid:useful\na:b\n', 0), + + # Warnings about leading whitespace + ([(' openid', 'useful'), ('a', 'b')], ' openid:useful\na:b\n', 2), + + # Warnings about leading and trailing whitespace + ([(' openid ', ' useful '), + (' a ', ' b ')], ' openid : useful \n a : b \n', 8), + + # warnings about leading and trailing whitespace, but not about + # internal whitespace. + ([(' open id ', ' use ful '), + (' a ', ' b ')], ' open id : use ful \n a : b \n', 8), + + ([(u'foo', 'bar')], 'foo:bar\n', 0), + ] + +kvexc_cases = [ + [('openid', 'use\nful')], + [('open\nid', 'useful')], + [('open\nid', 'use\nful')], + [('open:id', 'useful')], + [('foo', 'bar'), ('ba\n d', 'seed')], + [('foo', 'bar'), ('bad:', 'seed')], + ] + +class KVExcTest(unittest.TestCase): + def __init__(self, seq): + unittest.TestCase.__init__(self) + self.seq = seq + + def shortDescription(self): + return 'KVExcTest for %r' % (self.seq,) + + def runTest(self): + self.failUnlessRaises(ValueError, kvform.seqToKV, self.seq) + +class GeneralTest(KVBaseTest): + kvform = '<None>' + + def test_convert(self): + result = kvform.seqToKV([(1,1)]) + self.failUnlessEqual(result, '1:1\n') + self.checkWarnings(2) + +def pyUnitTests(): + tests = [KVDictTest(*case) for case in kvdict_cases] + tests.extend([KVSeqTest(*case) for case in kvseq_cases]) + tests.extend([KVExcTest(case) for case in kvexc_cases]) + tests.append(unittest.defaultTestLoader.loadTestsFromTestCase(GeneralTest)) + return unittest.TestSuite(tests) diff --git a/askbot/deps/openid/test/linkparse.py b/askbot/deps/openid/test/linkparse.py new file mode 100644 index 00000000..04475b7a --- /dev/null +++ b/askbot/deps/openid/test/linkparse.py @@ -0,0 +1,109 @@ +from openid.consumer.html_parse import parseLinkAttrs +import os.path +import codecs +import unittest + +def parseLink(line): + parts = line.split() + optional = parts[0] == 'Link*:' + assert optional or parts[0] == 'Link:' + + attrs = {} + for attr in parts[1:]: + k, v = attr.split('=', 1) + if k[-1] == '*': + attr_optional = 1 + k = k[:-1] + else: + attr_optional = 0 + + attrs[k] = (attr_optional, v) + + return (optional, attrs) + +def parseCase(s): + header, markup = s.split('\n\n', 1) + lines = header.split('\n') + name = lines.pop(0) + assert name.startswith('Name: ') + desc = name[6:] + return desc, markup, map(parseLink, lines) + +def parseTests(s): + tests = [] + + cases = s.split('\n\n\n') + header = cases.pop(0) + tests_line, _ = header.split('\n', 1) + k, v = tests_line.split(': ') + assert k == 'Num Tests' + num_tests = int(v) + + for case in cases[:-1]: + desc, markup, links = parseCase(case) + tests.append((desc, markup, links, case)) + + return num_tests, tests + +class _LinkTest(unittest.TestCase): + def __init__(self, desc, case, expected, raw): + unittest.TestCase.__init__(self) + self.desc = desc + self.case = case + self.expected = expected + self.raw = raw + + def shortDescription(self): + return self.desc + + def runTest(self): + actual = parseLinkAttrs(self.case) + i = 0 + for optional, exp_link in self.expected: + if optional: + if i >= len(actual): + continue + + act_link = actual[i] + for k, (o, v) in exp_link.items(): + if o: + act_v = act_link.get(k) + if act_v is None: + continue + else: + act_v = act_link[k] + + if optional and v != act_v: + break + + self.assertEqual(v, act_v) + else: + i += 1 + + assert i == len(actual) + +def pyUnitTests(): + here = os.path.dirname(os.path.abspath(__file__)) + test_data_file_name = os.path.join(here, 'linkparse.txt') + test_data_file = codecs.open(test_data_file_name, 'r', 'utf-8') + test_data = test_data_file.read() + test_data_file.close() + + num_tests, test_cases = parseTests(test_data) + + tests = [_LinkTest(*case) for case in test_cases] + + def test_parseSucceeded(): + assert len(test_cases) == num_tests, (len(test_cases), num_tests) + + check_desc = 'Check that we parsed the correct number of test cases' + check = unittest.FunctionTestCase( + test_parseSucceeded, description=check_desc) + tests.insert(0, check) + + return unittest.TestSuite(tests) + +if __name__ == '__main__': + suite = pyUnitTests() + runner = unittest.TextTestRunner() + runner.run(suite) diff --git a/askbot/deps/openid/test/linkparse.txt b/askbot/deps/openid/test/linkparse.txt new file mode 100644 index 00000000..74c63ca7 --- /dev/null +++ b/askbot/deps/openid/test/linkparse.txt @@ -0,0 +1,584 @@ +Num Tests: 72 + +OpenID link parsing test cases +Copyright (C) 2005-2008, JanRain, Inc. +See COPYING for license information. + +File format +----------- + +All text before the first triple-newline (this chunk) should be ignored. + +This file may be interpreted as Latin-1 or UTF-8. + +Test cases separated by three line separators (`\n\n\n'). The test +cases consist of a headers section followed by a data block. These are +separated by a double newline. The headers consist of the header name, +followed by a colon, a space, the value, and a newline. There must be +one, and only one, `Name' header for a test case. There may be zero or +more link headers. The `Link' header consists of whitespace-separated +attribute pairs. A link header with an empty string as a value +indicates an empty but present link tag. The attribute pairs are `=' +separated and not quoted. + +Optional Links and attributes have a trailing `*'. A compilant +implementation may produce this as output or may not. A compliant +implementation will not produce any output that is absent from this +file. + + +Name: No link tag at all + +<html> +<head> +</head> +</html> + + +Name: Link element first + +<link> + + +Name: Link inside HTML, not head + +<html> +<link> + + +Name: Link inside head, not html + +<head> +<link> + + +Name: Link inside html, after head + +<html> +<head> +</head> +<link> + + +Name: Link inside html, before head + +<html> +<link> +<head> + + +Name: Link before html and head + +<link> +<html> +<head> + + +Name: Link after html document with head + +<html> +<head> +</head> +</html> +<link> + + +Name: Link inside html inside head, inside another html + +<html> +<head> +<html> +<link> + + +Name: Link inside html inside head + +<head> +<html> +<link> + + +Name: link inside body inside head inside html + +<html> +<head> +<body> +<link> + + +Name: Link inside head inside head inside html + +<html> +<head> +<head> +<link> + + +Name: Link inside script inside head inside html + +<html> +<head> +<script> +<link> +</script> + + +Name: Link inside comment inside head inside html + +<html> +<head/> +<link> + + +Name: Link inside of head after short head + +<html> +<head/> +<head> +<link> + + +Name: Plain vanilla +Link: + +<html> +<head> +<link> + + +Name: Ignore tags in the <script:... > namespace +Link*: + +<html> +<head> +<script:paddypan> +<link> +</script:paddypan> + + +Name: Short link tag +Link: + +<html> +<head> +<link/> + + +Name: Spaces in the HTML tag +Link: + +<html > +<head> +<link> + + +Name: Spaces in the head tag +Link: + +<html> +<head > +<link> + + +Name: Spaces in the link tag +Link: + +<html> +<head> +<link > + + +Name: No whitespace +Link: + +<html><head><link> + + +Name: Closed head tag +Link: + +<html> +<head> +<link> +</head> + + +Name: One good, one bad (after close head) +Link: + +<html> +<head> +<link> +</head> +<link> + + +Name: One good, one bad (after open body) +Link: + +<html> +<head> +<link> +<body> +<link> + + +Name: ill formed (missing close head) +Link: + +<html> +<head> +<link> +</html> + + +Name: Ill formed (no close head, link after </html>) +Link: + +<html> +<head> +<link> +</html> +<link> + + +Name: Ignore random tags inside of html +Link: + +<html> +<delicata> +<head> +<title> +<link> + + +Name: case-folding +Link*: + +<HtMl> +<hEaD> +<LiNk> + + +Name: unexpected tags +Link: + +<butternut> +<html> +<summer> +<head> +<turban> +<link> + + +Name: un-closed script tags +Link*: + +<html> +<head> +<script> +<link> + + +Name: un-closed script tags (no whitespace) +Link*: + +<html><head><script><link> + + +Name: un-closed comment +Link*: + +<html> +<head> +<!-- +<link> + + +Name: un-closed CDATA +Link*: + +<html> +<head> +<![CDATA[ +<link> + + +Name: cdata-like +Link*: + +<html> +<head> +<![ACORN[ +<link> +]]> + + +Name: comment close only +Link: + +<html> +<head> +<link> +--> + + +Name: Vanilla, two links +Link: +Link: + +<html> +<head> +<link> +<link> + + +Name: extra tag, two links +Link: +Link: + +<html> +<gold nugget> +<head> +<link> +<link> + + +Name: case-fold, body ends, two links +Link: +Link*: + +<html> +<head> +<link> +<LiNk> +<body> +<link> + + +Name: simple, non-quoted rel +Link: rel=openid.server + +<html><head><link rel=openid.server> + + +Name: short tag has rel +Link: rel=openid.server + +<html><head><link rel=openid.server/> + + +Name: short tag w/space has rel +Link: rel=openid.server + +<html><head><link rel=openid.server /> + + +Name: extra non-attribute, has rel +Link: rel=openid.server + +<html><head><link hubbard rel=openid.server> + + +Name: non-attr, has rel, short +Link: rel=openid.server + +<html><head><link hubbard rel=openid.server/> + + +Name: non-attr, has rel, short, space +Link: rel=openid.server + +<html><head><link hubbard rel=openid.server /> + + +Name: misplaced slash has rel +Link: rel=openid.server + +<html><head><link / rel=openid.server> + + +Name: quoted rel +Link: rel=openid.server + +<html><head><link rel="openid.server"> + + +Name: single-quoted rel +Link: rel=openid.server + +<html><head><link rel='openid.server'> + + +Name: two links w/ rel +Link: x=y +Link: a=b + +<html><head><link x=y><link a=b> + + +Name: non-entity +Link: x=&y + +<html><head><link x=&y> + + +Name: quoted non-entity +Link: x=&y + +<html><head><link x="&y"> + + +Name: quoted entity +Link: x=& + +<html><head><link x="&"> + + +Name: entity not processed +Link: x= + +<html><head><link x=""> + + +Name: < +Link: x=< + +<html><head><link x="<"> + + +Name: > +Link: x=> + +<html><head><link x=">"> + + +Name: " +Link: x=" + +<html><head><link x="""> + + +Name: &" +Link: x=&" + +<html><head><link x="&""> + + +Name: mixed entity and non-entity +Link: x=&"…> + +<html><head><link x="&"…>"> + + +Name: mixed entity and non-entity (w/normal chars) +Link: x=x&"…>x + +<html><head><link x="x&"…>x"> + + +Name: broken tags +Link*: x=y + +<html><head><link x=y<> + + +Name: missing close pointy +Link*: x=y +Link: z=y + +<html><head><link x=y<link z=y /> + + +Name: missing attribute value +Link: x=y y*= +Link: x=y + +<html><head><link x=y y=><link x=y /> + + +Name: Missing close pointy (no following) +Link*: x=y + +<html><head><link x=y + + +Name: Should be quoted +Link*: x=< + +<html><head><link x="<"> + + +Name: Should be quoted (2) +Link*: x=> + +<html><head><link x=">"> + + +Name: Repeated attribute +Link: x=y + +<html><head><link x=z x=y> + + +Name: Repeated attribute (2) +Link: x=y + +<html><head><link x=y x=y> + + +Name: Two attributes +Link: x=y y=z + +<html><head><link x=y y=z> + + +Name: Well-formed link rel="openid.server" +Link: rel=openid.server href=http://www.myopenid.com/server + +<html> + <head> + <link rel="openid.server" + href="http://www.myopenid.com/server" /> + </head> +</html> + + +Name: Well-formed link rel="openid.server" and "openid.delegate" +Link: rel=openid.server href=http://www.myopenid.com/server +Link: rel=openid.delegate href=http://example.myopenid.com/ + +<html><head><link rel="openid.server" + href="http://www.myopenid.com/server" /> + <link rel="openid.delegate" href="http://example.myopenid.com/" /> +</head></html> + + +Name: from brian's livejournal page +Link: rel=stylesheet href=http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711 type=text/css +Link: rel=openid.server href=http://www.livejournal.com/openid/server.bml + +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + <head> + <link rel="stylesheet" + href="http://www.livejournal.com/~serotta/res/319998/stylesheet?1130478711" + type="text/css" /> + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> + <meta name="foaf:maker" + content="foaf:mbox_sha1sum '12f8abdacb5b1a806711e23249da592c0d316260'" /> + <meta name="robots" content="noindex, nofollow, noarchive" /> + <meta name="googlebot" content="nosnippet" /> + <link rel="openid.server" + href="http://www.livejournal.com/openid/server.bml" /> + <title>Brian</title> + </head> + + +Name: non-ascii (Latin-1 or UTF8) +Link: x=® + +<html><head><link x="®"> + + diff --git a/askbot/deps/openid/test/n2b64 b/askbot/deps/openid/test/n2b64 new file mode 100644 index 00000000..b12a2460 --- /dev/null +++ b/askbot/deps/openid/test/n2b64 @@ -0,0 +1,650 @@ +AA== 0 +AQ== 1 +Ag== 2 +Aw== 3 +BA== 4 +BQ== 5 +Bg== 6 +Bw== 7 +CA== 8 +CQ== 9 +Cg== 10 +Cw== 11 +DA== 12 +DQ== 13 +Dg== 14 +Dw== 15 +EA== 16 +EQ== 17 +Eg== 18 +Ew== 19 +FA== 20 +FQ== 21 +Fg== 22 +Fw== 23 +GA== 24 +GQ== 25 +Gg== 26 +Gw== 27 +HA== 28 +HQ== 29 +Hg== 30 +Hw== 31 +IA== 32 +IQ== 33 +Ig== 34 +Iw== 35 +JA== 36 +JQ== 37 +Jg== 38 +Jw== 39 +KA== 40 +KQ== 41 +Kg== 42 +Kw== 43 +LA== 44 +LQ== 45 +Lg== 46 +Lw== 47 +MA== 48 +MQ== 49 +Mg== 50 +Mw== 51 +NA== 52 +NQ== 53 +Ng== 54 +Nw== 55 +OA== 56 +OQ== 57 +Og== 58 +Ow== 59 +PA== 60 +PQ== 61 +Pg== 62 +Pw== 63 +QA== 64 +QQ== 65 +Qg== 66 +Qw== 67 +RA== 68 +RQ== 69 +Rg== 70 +Rw== 71 +SA== 72 +SQ== 73 +Sg== 74 +Sw== 75 +TA== 76 +TQ== 77 +Tg== 78 +Tw== 79 +UA== 80 +UQ== 81 +Ug== 82 +Uw== 83 +VA== 84 +VQ== 85 +Vg== 86 +Vw== 87 +WA== 88 +WQ== 89 +Wg== 90 +Ww== 91 +XA== 92 +XQ== 93 +Xg== 94 +Xw== 95 +YA== 96 +YQ== 97 +Yg== 98 +Yw== 99 +ZA== 100 +ZQ== 101 +Zg== 102 +Zw== 103 +aA== 104 +aQ== 105 +ag== 106 +aw== 107 +bA== 108 +bQ== 109 +bg== 110 +bw== 111 +cA== 112 +cQ== 113 +cg== 114 +cw== 115 +dA== 116 +dQ== 117 +dg== 118 +dw== 119 +eA== 120 +eQ== 121 +eg== 122 +ew== 123 +fA== 124 +fQ== 125 +fg== 126 +fw== 127 +AIA= 128 +AIE= 129 +AII= 130 +AIM= 131 +AIQ= 132 +AIU= 133 +AIY= 134 +AIc= 135 +AIg= 136 +AIk= 137 +AIo= 138 +AIs= 139 +AIw= 140 +AI0= 141 +AI4= 142 +AI8= 143 +AJA= 144 +AJE= 145 +AJI= 146 +AJM= 147 +AJQ= 148 +AJU= 149 +AJY= 150 +AJc= 151 +AJg= 152 +AJk= 153 +AJo= 154 +AJs= 155 +AJw= 156 +AJ0= 157 +AJ4= 158 +AJ8= 159 +AKA= 160 +AKE= 161 +AKI= 162 +AKM= 163 +AKQ= 164 +AKU= 165 +AKY= 166 +AKc= 167 +AKg= 168 +AKk= 169 +AKo= 170 +AKs= 171 +AKw= 172 +AK0= 173 +AK4= 174 +AK8= 175 +ALA= 176 +ALE= 177 +ALI= 178 +ALM= 179 +ALQ= 180 +ALU= 181 +ALY= 182 +ALc= 183 +ALg= 184 +ALk= 185 +ALo= 186 +ALs= 187 +ALw= 188 +AL0= 189 +AL4= 190 +AL8= 191 +AMA= 192 +AME= 193 +AMI= 194 +AMM= 195 +AMQ= 196 +AMU= 197 +AMY= 198 +AMc= 199 +AMg= 200 +AMk= 201 +AMo= 202 +AMs= 203 +AMw= 204 +AM0= 205 +AM4= 206 +AM8= 207 +ANA= 208 +ANE= 209 +ANI= 210 +ANM= 211 +ANQ= 212 +ANU= 213 +ANY= 214 +ANc= 215 +ANg= 216 +ANk= 217 +ANo= 218 +ANs= 219 +ANw= 220 +AN0= 221 +AN4= 222 +AN8= 223 +AOA= 224 +AOE= 225 +AOI= 226 +AOM= 227 +AOQ= 228 +AOU= 229 +AOY= 230 +AOc= 231 +AOg= 232 +AOk= 233 +AOo= 234 +AOs= 235 +AOw= 236 +AO0= 237 +AO4= 238 +AO8= 239 +APA= 240 +APE= 241 +API= 242 +APM= 243 +APQ= 244 +APU= 245 +APY= 246 +APc= 247 +APg= 248 +APk= 249 +APo= 250 +APs= 251 +APw= 252 +AP0= 253 +AP4= 254 +AP8= 255 +AQA= 256 +AQE= 257 +AQI= 258 +AQM= 259 +AQQ= 260 +AQU= 261 +AQY= 262 +AQc= 263 +AQg= 264 +AQk= 265 +AQo= 266 +AQs= 267 +AQw= 268 +AQ0= 269 +AQ4= 270 +AQ8= 271 +ARA= 272 +ARE= 273 +ARI= 274 +ARM= 275 +ARQ= 276 +ARU= 277 +ARY= 278 +ARc= 279 +ARg= 280 +ARk= 281 +ARo= 282 +ARs= 283 +ARw= 284 +AR0= 285 +AR4= 286 +AR8= 287 +ASA= 288 +ASE= 289 +ASI= 290 +ASM= 291 +ASQ= 292 +ASU= 293 +ASY= 294 +ASc= 295 +ASg= 296 +ASk= 297 +ASo= 298 +ASs= 299 +ASw= 300 +AS0= 301 +AS4= 302 +AS8= 303 +ATA= 304 +ATE= 305 +ATI= 306 +ATM= 307 +ATQ= 308 +ATU= 309 +ATY= 310 +ATc= 311 +ATg= 312 +ATk= 313 +ATo= 314 +ATs= 315 +ATw= 316 +AT0= 317 +AT4= 318 +AT8= 319 +AUA= 320 +AUE= 321 +AUI= 322 +AUM= 323 +AUQ= 324 +AUU= 325 +AUY= 326 +AUc= 327 +AUg= 328 +AUk= 329 +AUo= 330 +AUs= 331 +AUw= 332 +AU0= 333 +AU4= 334 +AU8= 335 +AVA= 336 +AVE= 337 +AVI= 338 +AVM= 339 +AVQ= 340 +AVU= 341 +AVY= 342 +AVc= 343 +AVg= 344 +AVk= 345 +AVo= 346 +AVs= 347 +AVw= 348 +AV0= 349 +AV4= 350 +AV8= 351 +AWA= 352 +AWE= 353 +AWI= 354 +AWM= 355 +AWQ= 356 +AWU= 357 +AWY= 358 +AWc= 359 +AWg= 360 +AWk= 361 +AWo= 362 +AWs= 363 +AWw= 364 +AW0= 365 +AW4= 366 +AW8= 367 +AXA= 368 +AXE= 369 +AXI= 370 +AXM= 371 +AXQ= 372 +AXU= 373 +AXY= 374 +AXc= 375 +AXg= 376 +AXk= 377 +AXo= 378 +AXs= 379 +AXw= 380 +AX0= 381 +AX4= 382 +AX8= 383 +AYA= 384 +AYE= 385 +AYI= 386 +AYM= 387 +AYQ= 388 +AYU= 389 +AYY= 390 +AYc= 391 +AYg= 392 +AYk= 393 +AYo= 394 +AYs= 395 +AYw= 396 +AY0= 397 +AY4= 398 +AY8= 399 +AZA= 400 +AZE= 401 +AZI= 402 +AZM= 403 +AZQ= 404 +AZU= 405 +AZY= 406 +AZc= 407 +AZg= 408 +AZk= 409 +AZo= 410 +AZs= 411 +AZw= 412 +AZ0= 413 +AZ4= 414 +AZ8= 415 +AaA= 416 +AaE= 417 +AaI= 418 +AaM= 419 +AaQ= 420 +AaU= 421 +AaY= 422 +Aac= 423 +Aag= 424 +Aak= 425 +Aao= 426 +Aas= 427 +Aaw= 428 +Aa0= 429 +Aa4= 430 +Aa8= 431 +AbA= 432 +AbE= 433 +AbI= 434 +AbM= 435 +AbQ= 436 +AbU= 437 +AbY= 438 +Abc= 439 +Abg= 440 +Abk= 441 +Abo= 442 +Abs= 443 +Abw= 444 +Ab0= 445 +Ab4= 446 +Ab8= 447 +AcA= 448 +AcE= 449 +AcI= 450 +AcM= 451 +AcQ= 452 +AcU= 453 +AcY= 454 +Acc= 455 +Acg= 456 +Ack= 457 +Aco= 458 +Acs= 459 +Acw= 460 +Ac0= 461 +Ac4= 462 +Ac8= 463 +AdA= 464 +AdE= 465 +AdI= 466 +AdM= 467 +AdQ= 468 +AdU= 469 +AdY= 470 +Adc= 471 +Adg= 472 +Adk= 473 +Ado= 474 +Ads= 475 +Adw= 476 +Ad0= 477 +Ad4= 478 +Ad8= 479 +AeA= 480 +AeE= 481 +AeI= 482 +AeM= 483 +AeQ= 484 +AeU= 485 +AeY= 486 +Aec= 487 +Aeg= 488 +Aek= 489 +Aeo= 490 +Aes= 491 +Aew= 492 +Ae0= 493 +Ae4= 494 +Ae8= 495 +AfA= 496 +AfE= 497 +AfI= 498 +AfM= 499 +AfQ= 500 +AfU= 501 +AfY= 502 +Afc= 503 +Afg= 504 +Afk= 505 +Afo= 506 +Afs= 507 +Afw= 508 +Af0= 509 +Af4= 510 +Af8= 511 +AgA= 512 +ALDs7paJl5xPh6ORH61iDA6pONpV0rTjGiTkLEW2JsVsRKaRiS4AGn2PTR1UZXP0vXAmRXwdSegQgWPUp3Hm3RofRcDh1SykZBLif7ulau1hVO+rhwRyKc7F8F+7LcMf/v+s73eOXUDbbI2r52wfr7skZy/IELhsC8EK6HzhACI3 124241322153253947064453752054205174382289463089695815605736438952932114700118408072544073767229325045596832952652232288773280299665950768731398747700657715829631597019676014848183966683866396215048196276450953653433516126074463193382764063985175903718735372053536664711482497859539116009770850968340298474039 +AOzgU1s6Pd2IkrJlvGND8legXTe50nyDCocI5mwT9rW0YsisY5jaaEOcu51BAq9MmXBPeVX0k/jlXwH4Pn3mCpUAU1rEOsTdcmSJp35siKliDdhTZHHdZNMW+igfXGX5OCsA/BaBcGnE6NnrGWXKyTOoVUGQLEkL2T5yhNUaCT83 166340174936369324883416612727439279977041963320514134445183426741643586944819834936989524033374309932122967866930503619179389342537723598234062828695747850043368572301869699886931403612266216965783079972698791813140295203826980649434652168563255385527187360027803388963151668338040517316899628026707657178935 +AO8hrpw+lDiJ13JahLtCb1RenupQcNd0wlTSck9OLL8wB/x6gAoj0PTLV05eZIbz43N3GUSDmmckjlxdHXiBJ9rsoB0P95l1CWIV+4rXblCqxmOdmlm6VZ13bqbI0x7l0cjeMrkmk+yJ067WqUolqQBlUWMTuJVfkxALJYH5xr/C 167923899524385316022824282304301434707626789716026029252173742527362300338760906999615029022863637963070711762128687835779073122264515776657475985362344360699359591353388569856862973447791264902182048648600267737826849280828116753682917256540180401899752566540869918949003470368970029744573140084219550547906 +QxAn7yrdVs5tlHV+Glbqdaj67c6Ni8am3bBLOL8PV5HbdrLf2xIPmNugo6MfUwFSnT+ZPJ51+VTOsItaNwCFju0Eh1cqyP3JWyLRPE7emKuo6xRhf+5ik0pTg77LEF4JXW6ofDqirpR4alFi0G2d9yImQPphsYJwYGF/nNT8u0Q= 47093316905427544098193936500644355852669366083115552072584429220248776817916430034648347490325490701471113667554329499736495877969341478442613611948220957798780043076906836236556612316544460763366275536846463456405604189392790111985912854476264292503164100482712281088955640964034295834935468665872932715332 +AI9PVzrbJUvmCihwSFans1lBKwudGEZpWWu8pkSK2zVgzGhMvUoGgMp6TG2zsUd1tV8zv7KsVD2t6pXmjT1wPUynufq97GVHI06SGpflDTt30WboYRh3DgYxvso1sOjUXpnDezcaqc2Aiz4nV5MSShkBlyBjA8z2worHDE+uXqw0 100635651531872121827765663065728398779771663753008344681972226973080394359405041113312675686974926993279775427390065833081040771269307007695807025882757371805607979134114890454059957194316765342461291139168706134406917264848659448693866813989352429841300235734400772946895458374870482441457514575059390213172 +FiinVicXOqqRLpxcGTorQpSAGeQ/PfDOuzYK9ViFtmPv6D0cYPfhUH4qXEHOejvmX+0b4lfaX8MWPVZxlqpfXiU9BhG76HJxkLF4ysipukeOvhoHzvcxE5bnhSF1i//bOSifATBLBEZInwqSVg5tHHPuuCkwTL91NqhOulp7Lsk= 15560440884463435471963622630292643727112462888414585143143739400703889930416938984547754943252935620248108237258540176511252143752416771350868493435174026287082706690332705481726295797196444796135827460509780634261726494455068460028424141500629527968240913757449787164107068039175831847071025316475940056777 +aYrxyQN/hkBne2ayqo2/iDLF3DZGgk080SOMJfsj9h3Z1OfFZM7TJA+y+/O7niqatosvKrfHrAw+Qs7c6tCZ6NPwYJ4QJLOF9bqH2u2a3fkI954voNUctlUagYUJsZXV8hdhLM6NwUyIZ3ZFkPcpTZp7nKQQ84tr1a8VjDIT5/o= 74114640794666001532816944350975062126079079113921109750255283189037502412929005615388097912507598112836936032143435813588205939470002911374442844578739574773399427907766548612582213272643279263782396527705126350063372192910060171635870872236876399794128383338399728947176692692942605589343038282957050865658 +AMpCUeKUX/vtRslWiUUuXNl1KA9uDAWjMUkTrdsxxRDESI7iZIn3TR9lW+0kV5fzkLF18iYLAwSGBmX1PS/T0UVFmoBPJ9yS7yktNL0lpQ3noyGFn8HHZ6XB3FkH3jegIfGbvwwhnhhFzpHPrXlpO5iU5Y+rexzp2XHWt4yJGuIL 142031143422642739313498629438991149460874309300342349421794421544918823888598660275343727563280565210534243383322796489809683834300630555650331646026843796764549231159336347965502383849513994449309613369541991287590422095953275586374371960367000083487965487661436037637475372929033613295072397262739084075531 +AIMIQVz0JIEKEI+PREu94m3v9XoiU/Q0CpsSuqkwSSje+Wyul5ea9oU5qgtOpdkMUOW91BJo0DW/GMZ8v3C4qyyP29TtjCcAHObJi9hfLSlnTSuzXZnDStooYYKqzfToLToCaAJKCXiXAVW0vWtapLnyqafrf/KgyGZ5u4HfXKY0 92013973253053602863003242446596060337454881568126916916519869242232429836082762281129448384605359749247852792606718908482332975424967542242332487707042773885428473061056052851768940900752317020681189773407893371297668591494665352294885305475871917069040377145530889271334616499701769138948975263435137525300 +ANfP+zPBTR27afneyac1KJhOB5Pq3AXB+SoAXJvQI/GkSoNhw5KdfqoIkLcoJi8wClCm424Gm1AdrdGwDFOM/iKTSPkrvMag93+b2EbQGX66/n2X3YRFNkgq/Gtb+2M8oCcAL054Z/iiMD67aU5RWzjqS64ePHsn01bJ7dqLgpMO 151548639867177154896951257541227014781655576169318283047778755573323724856619156348444192550664853912434681577093459933599575436686424046466113215132845213008587152894642577278656978304699131916299275797578171518984206145555369576872231567191579337901913492071976578289189524123204040497290426960375042970382 +AK0kHtacLGu1NFWMADq2rG8hpzM4UEYyPOL+aMJbnwXcUYptRIxb0YFZg35RN/RiZs4lQsiq+kEJKzMMV71TsJq59vMkIZhZoB3t8g9ZqBZuq0JYcTICDwRpNSttJidVpJ6P9sR3s1xPMYKdlSwt6EEc9htOXfZU+yHKYgn98X60 121583812047864398969816595368193171848971298823388059338224714026742264861090347096116404814514279627148994345584790617974476594451626305761040465570524035369799925437276511604752129817947910677564301623631349399504187314174538914591944778074509068973226322566160587813128746039859381466427380402262866230964 +W3sZlWW1Aev3x/DiH9MzwCAZzBj++x9cknLfGAHwgFqkLH6vimEH/r8hi85hzlCOG5CjwhoZ0D/Hsfr26ZJ3X4chG84byrfDnek1V9mm1++v+clJvlYgcuVgn2Opsba2TILTm1MDB+Ujs9brJ2AAKrE9+ep5nvtQVeG9PUGtdlo= 64240043913835461386212515483198059541440539167395859777194837833769712010594411295323900074066077107346806786205590345517755715510695858065925747020336398305793661773798243627926904542715123849691490667964262778804487343218972081260210371192903128886030021862362141928329650003493687310970684093289133340250 +FTQRk9/BIj21gbLwI22fHJWYj+8Ghdcc613hOtJ+/hQmh73HwTXLpaGK9aCptxVbpjW0r/bxaRjmgxu9u1CCZh5yRd7Z46Wk/LIPXGd3ycQzqRMFB7TISFQGJIcFoxRp3Eb5wa2OyrUg7c/D+kb7oFJq9P7mEwIh8TpLzwmu4SU= 14889529068556301710329043521845510156960298822469914567758538023025100741826628180855835334285179977296740667353391766487166458692144569279381035582718738461626140662441222061900764829681913534146898551570916312642104487829660946024590782808750587095559047648957238487820069966851521487428624726655438348581 +APYXO6uGvs9qWiEAkcWsaCaCrGJJCP2Z1g++XlJ67oZIgEoWITn3T/R2/c4edAfwUUzNHAYZN1h2dSrRoqlrRXrbxFtGOuRCUrXcGLFFcEbTrtm+z5z8xGRfcorx7Cu3FIBPMK5XcGPcbRZdyP1gBkeDMvuBNAo0/To+LP/dhCNM 172810804474418448604443090732221483571611665465870520701624598983692130272337358406272727413570938793741430131635927237320173996217984860203754686741782921346604605228620148450611724714868551781003004492587584071978757421616871762681049508123223983431502852926521520561941051298696758046005573332373854233420 +AIDNxhnDEe1kTJ3XGfTS8zKXeXPRdw5yifm8j8Ibzj/quExy7hFPtKct8hRskPR2qwTlMiW9Ra8Npg2USsqHV0rBoIkX7E3psxq5LBfp/q00l3SEBuLL4K2FGR87bPgU+Duk3RVrNMnColiTcnAR5XkoeWhn/r9MfJMIN9Y0FEh8 90449107125498302548188660544012777357148118984122992664008792590422284061463729084479315745509706793674355738023180454297730948397413371686013210006834869294564190666543874617716180411178090109573192518129248278410216362657350215009192850017507998797754539132540293137589672869131300859207213449571846080636 +AIRWavxYRsGlH0Yr0DudwrpYtbrByf9ZsDawKom7ubiRfepqYzcBlwt4adMMnkYSaXeYtOsD4KBm2ZvLKN3++RkYNmxgkyarORBEg7ERyiThBj7Ksw57pNHCAoHtBEhH7Wp9mHhuZtPvPgCEptmwCu9rYhLt4zZp+Zq8a02dkXvM 92930601962515884925250459851491509622611227724602941760145671636277317511265759558869239180653492283311584982044597979173761619470326096725838197524704577188104121460089235709339932110663536557497112887112782062772810759971739760085128369628777812332518137107605855679096146402427144185104230596200130247628 +AMNJGLcAiJtL5fUfkesWKYJurdYSnvsOZeZcrg7bemkEVjF6S9CcojimUl+ncr/YY5/EXnU0mg84fObtDxWWdJ7z7l0CFcoALTyEatDYKshT0xvdKY3u+LUShxIAyk8EcGnf+KoEaa4Mx3tg2oTBnVegXClOakNTWw8bu2ItagoQ 137134165107366719462230252606689766470445826753581409513106273517221906418464863733870948759313279128624638614534848890858250894834883265387344539280755177217350585564186248554307335197387734431939154077778003706720017441895613190141376534460438929588407764609772857975000507660651583780079804513519571438096 +BmGPZt8XqqI1PuLN4K1/PZMi2rfOYtHEMrcwZdSjKRm5qTkd0Pbb/5zPV07TnM0uLRvIQYTLloEY+GYyn0K5gDTEZpEtQ8ee6Y87zYGDwcf20eqYNxkA7FVV71vqCP/Uw3Oi6B+hMvsWZbvv2vH6MkAeADCrezOtwqVS+irftyc= 4480956865245875120472829476982311611308898564405318773810939350829150182630548948231116574193987272498161864310429976564278532538229396846813874244969927890037756969704618336242255039858182439641759659872128285423988638335967412040624105824571426792562334458751137508116412821914961236269913776304372561703 +APqFgCIYbJWuRyEGuOStPvcprj2PILQ0JpgwQ2jLKn3DvkWSd83qh7PWGKozGavsjh803K+ZzI7P2wP+Nc0r0El3q4nzaHvKaCtVRyMwbXv9wYLFZICeM6J1l9ljUMts4tbDoPzkIy3ScU7pYxarBWqMkcBU8qL6NN1vEdkeu0fW 175922170410080716883576123079908758276229469783745771772401183721225804343343063277676406040455068452258961299511343441961963941297631097736305638850193978800615558067791016294285848963023036905095022181004058235239390870177623185946205281141386416867569004073524130001309977475780893497185890756991672600534 +APA/rCcGeH6A+6ZwaBBDM6mB6tTD8mjkrOWEo/pK3MCZ+rrErMBnFp2S19GhlLOfuY8BHS+D834Fdm8+3wKYkWnXZpGb+e3v8ofOQ34G1HvzULOYtrEiC4ISZRt2SSyz2hU+PBXjVnplsHWTRxZDmBxTJdgli4ItAqxGCxj/aJ9m 168708388929747822981923386197903561880341990893945097067702518857172133291360611402092714329372304718329568897960770488377524912057166920574319430820488930520807742026377043178502591886293565177404635365772829346030773275726024973460121300339258054215286249329967181244588558220467488638468686270735376228198 +AKmwrLP108dCGWOWxE/6woJVLRi/Kra/DvdsPkkrZQmWIlUT7IvwM4gU6bUr4f6wpT08cIQls2cGh7dbSEaO0xLa3mmtKhPiAlzSnz0wuifF3JT9U3uXgUfCZuFtE0z7Oi7WTOrpl3k3GA7JFvXnY0lwblIQALVf6oWyNETnajGl 119160465301384937485959146028591622947513292915838943629387700439301197965652871741710280647524383590817798553034250156068573474278225305190573334054718387045488098320076877626430189054572361967283632592181431701411266656256255758079114072932140551282607247364388070762970060420036793573956057551235306893733 +VTe3rCzAL1Sljo3QAXEkAdBy1ZARHZwtrj6ZNRa5ttqd6/l21g4z3iHCeGo4rnE2F8wYTy+NlugjXw86OS+XojW5y6UzTtx0HX5IJ4POqN64aXWmaklGzroBEYWeuFFKcgQN3NOxkuJoDQ6VElP7Epz69kj5CsKJUwL0SjbNrFY= 59841866347633473702601462509811342285929528424012250265905695635971518533504187799047710303717472950129869674786231155102509311322791323986824635569605105662070745033595366004805920086888891275288347907772640070278731650628917037915863439204501060041944275512863990729926528905725569467329169134226609384534 +AIZt1xGhC/HrvpPASsvVIVdsu//tn0noyJmVYh3FdQ6yIh1uce47iCsrV1yvYqx5ZTbC0vnfnbjFcWqH+HtLX/DelgvhEwzqJ8hwQrfE1ShLG4ZjAVo1Z4GCjrDcEUMlwKcunuSJssuxeQuXwTLS92+q6QeBSS7OmfxPX29CLb4B 94399298271083745508290936113986978382457275531684761701599029877008571741877683365769553170771833981099580359640421358853566501815723434822307977440496208486103754978934472597505865596938563438311337045817621762649604204720249750058676095769230214181772215323235427976398686727606000594646472236822594174465 +NIhTPpWXS82VTA0LTd6TfM+HgLgUcmvnMYtLqPpuqCKZwalAycwl0XFYNyVvaY21J94j92ts/lRYgVtHDhk7/9nLXq5js/lsUnG8rWPHJo11JTxvW+df88aX0pw8u+biOWt87vc1MW1dsMTTsJFJAeBx77qU/Cwto95IVqM7vSE= 36889590210230649939994518345793530042252563793069578097360569338647730438860274349862767107939590441616825589851005429465345268710487649366046960918184701290985280638488938340668212498212581853679035928093386035688597446809895381618260692378376844452061580510108168030682664507293277674052032318576713776417 +KXdi4A2Z7tSiiX9YGtDtxUXIfQvPhcc48rUH+Q2SnXL7fLNmr+F4Rf3RiFBRiHKocPfE94pothop5qQJ5X221/DbEKWK6s+ChfQ636jvRxojoLMab3dPtaAPpDJHrfZMxbT4ZaDJT0tpA2e+zZrzBuDs+UUgCpty9nxtdm1gS7A= 29118662951481660380477444121362422614202367719725087486810943918529894738076273660245405874301505615796632229852040910511025841576465052938308369421493312085081188509808322692130449282585522349552501983296872614029139293444558468751646868108213623606366977549477663987815308260383403466635254115908032940976 +AIOTBZQR2EJJRmoWdRNFLG4fceoS3KnRTHRpPdllhHODqdg+QxTOcOvqIzBqgdD0JgO12SuNAjLQOiz0jhd02qkXw9Y1adGuKvL97ARFtNEuJiNzFAj7KpDLy2zk2rPJp4Lp7cjQs0fe8BQYnTzTsNRGm+4ybln/gse1YWu9w8y5 92394618277596007469808288231093678404089765494062813665106014405059399079199990128824492247005602685377185496959522609467906358619318009231448503013528692450191782140091818984176967246749464502089280153086163239846744554575017530385347720563798041108608545014076448155956762636929707905789978331102411214009 +NzfbJRBF4pqEeborJrjoknJgpfK+DZh2k9cE5dcElMPZ2Zn9im7desWGiBSQnu3KbTO4L/t4+m6nFTNcbIJnqbVSMDHdsfG72rG/t89aOuECQw0HMVVgONNNa6i/mw0jZSWnRLD4fa1YgbUlMd8jeqO9XcBDB4mVtDTxyeGa3vU= 38775530011374537813502898274019389132620116890266344603221997943675706375698597061571989090674289834838060050848545748579361837989319487970580969082824601965845786771062335733318139530316825802589479118956745739691326447349403950997231306042638797277408335778415717988679050762936401945487285814799382535925 +Y4BVPZ6necuLSwaqYEPeZp0lt9tTGFl/WCJJbwg7XpyvuwYKtzagC1NLzY5ymBfwGFw1yRlQuyGsYd9mBfC99DuVCIeh0JNrhJN1bNfoSzy5UO5+dmTr+dm66VGSRS0tFcViDTfCIleTV+zxo/xuZT+Bjxq7kZue8zGkjp42Kmo= 69872189501616471647606976308259279995249122669120675885925763529037695584466011511740991152346215507625265226811128801733353566555339153627478941716586678793853828514394269931890370517258825006937741437480128878717892485074131232336852490940507703859793477547154689914725314529986438108117871674332626168426 +AKCP9Mto4q/a2xNqM4N7PekbKspwt48OGPre+iqVwPrSP/jWKxg3CvvLNZzN5P+/FiUGIklMMFJ8w76OaHIPqKuwckj1gvCLECJEE+UAZWrNKPmpzd/ootN9/kQhNMuloTFCyhXAUUOXJ7Z0WVLb2u6fn4zroszSMBoWQEKC6lcq 112750701794692134675959811050012620191158543234019977304167102486465198271340022889272244811582365901584420008564301920174477182946432553537794834985703732129975734658113610563794129371053853971031300761815004524681756388784922001759202643614966614186697992611399618828963452661554240362943588548146868410154 +APOTAFA2waoAODECaGNgCHa8dNN+cjMnD01M+IeQFytzo9RLMzzzg/gpTUFpyLtFMcfbCkDYQMLXwE4crTimdz5sVvjGQ+5fSFQjoDY6Bw7MO6NAcLzlV/sI/1WyNBKaLQbcl2720n16tdUcdckQNnV+cC2J48CVxYM1c7QQlxA0 171043636512232272455501595416608280460445723238023572475354665686544174728784633443479486247342724860289312593374524429736857970220153680852977711594899595712511352458264354251161579203922747468321999465061463474727943140910084880926005209538535217464825087114791420210981711903880998556269523363208766099508 +AMGpxRlB8WVnsGqyyiy3/mzrPymtJW1o1HcDErK11ZwQV5PwTF3c0THwlnxDmcziLWHSWgPQwfRddVDCXMGW9BffJn+XO6aTcWDPmDAh+1DbWJPE1aqApGbHvQ8HONy90dQMZf1ayuwceWCVTuU1wnHdo9F/sIsRbuu7ic2OJDzY 135994898408425255747055209966103741651849229328236418804928584233229830656742052333413774490626915784901255640138520158698845938184666683995579777154437927013722740366497459963753542029774185193376253885864514386760437194444013834088425088260658670140534670789371556026135595577395047002643901630053097946328 +AJAw4uDYdSYkOrjtwJVWLv3pi1+UxWge4RmkWKqVquTsAVcT2tRZ+MFdHM457Hl7fmFIyxvGZQy4c2v1AbHEfPR8ID2sCRQpdcfrxEUZPMDqxfnHHm0ziny6W4X6ggdBzMp/sBWaVNTBL0e61/pELBGYNRGFMzGws7HQkr/sro1D 101254336834199527040756567675327011562230719161388328289463594628690618298993695452746353237675715087353241661592074446889034411683413957950360025295995263477031608845241728493807755308798509893719674568267846671753070163272328014412744008880395248474446310603301447848026040555910147467745595720879397834051 +AM09TdtXgYL4FI5CGNiVjf0T/AN/pZ5zZsBOi1MAUKMURiXnc1x8VKYTqM9Xb86mqNBBqphynIQG6/3e/YbGJgHlsSdrmKbo+P9daMr02I/7Z76/7Osa8+7Ky6lhVCbU3F0tBH4WvopkCQmuJ267afgvDD5kB+9uNr28deMH00cY 144124056591600568767398029380314564902309327093641173350205276895603332085753288682409279238417493662029954512382520307259348748813767324609446500382301421328754981718014234615523158887865271179104711373675849713359713282937065993613915015084108700238420759344034475478243507306107546245540340758766909867800 +AKDhK+/BKGXbrbBh2vM61OP8LN81YwlJKe68KNwUu4tjXlQg7i49Jis7QKPI/YFPUpSNTu5N2iCgeMnCX4+r3NAfivOao9lw4N3nc9bi839SIWdlokhwBHBYmCIgjehUeBAdkU4jKqlE06pIrpRmSvBtn7O4aWTbT+C++ViYAcGF 112973480670453665543892521898882856059335781900313607790238402438320486344365203510769919022496690291280873287383392088872774202832124927485754495093552572232234532821756395965072330282810574669371524103814871172318519695921477775100282448247625395376072233777533359104085023946019406729587713120941266551173 +ALxDiSxHjfxvP8ETvpE+SyDPTS7q3o3zCK519WTepygC58KSRfvDnIVIyV3toQKzgqD50kF1Ni5D/wuaSs62y3zg3kELX1g+WuBCc8+x50+kDtbHXa1Me3et/OqVS/QeppkcjK1UZMU29fXze6P/w6aQfvKQkE7koeQtZBKkYc0p 132203344567902304830160099595561253300484092355345272411265169562971473393256361094745618829297250316196312398486598077249124198329075791740755862221465178128527292695331061023291345396067863215552021206609309872689233899464919108147533679134727064586730810633196817136739658243232643507412032417747255282985 +VF0YUTvy8Mfi5o6X06DEvLm87r72mAtTdyyLNr0/GXlk0Xj3L2Oi2bVUMtcXQNRXg/mkdGP88pgdaP/eMzqkUU++vJ7t3UgOC1i3SHegpiBhhZh+aZHH/wjFV8Mz2XZB5z8MpMgN+QwALK1TT2Pyt/feQTsOy0imVanB5+OvCeQ= 59242171319056188000481457618922567543461456096441095927600135114274111606802456239311634638536207588762066940095527920532936960549439269891703098017342732142860571277442598349453761561189719823290643146391349978698217357430495238876700400634593256155537598291759795109752990651995982467695091946768443574756 +ezpwBt0N6QhTusiPcKrBvSB6yuk/KShTLUFQHdf5J1u1fgDYrp+aOWuXOFVfOd0bweiG4UxBQNXB2IDFWfYON0fBoaDqNk/41YyqXBSkKbiNWLi1y3zPmwTAiwK0PzYp2EPfk/t/j0HsDbvebu0ygcxb2tPqj4EQ1TXEdD007kU= 86533835313999945727720083706940213467453975054116752898416709637030456504024135513972566184073843025739226187558143854850980654667596935003124034699919861200483994576288766702308068265526535622439762454501169018136389983894783905946543636163866717367545972667876983557989192393479830223914708619684891389509 +U8BT26zT46tTZnkmTNxGUAlXbJhk5cNi4AMSd8fSvZHm55siMFGJ8Jl7mtdzEFR1UFAyEztf2fUhxdtMLe8ei/OJgM0j7myQ9STucEwnsShT7QS/DjBmfvcC42sl1CRpXkb0ZLrEJCPf+crtLKGrG7ExS1oawIAgALBiMQIL6mE= 58812148564290791415180898639607206220554150794356494356250223429674091688305329629529905854147200457536549527135776329004085047145097927266797668252160196098870200925284256433894773392353678965699083286106628662506590268955650280670838340651598082083455821825076016227525614626726458235627297885815646710369 +HfYii3U1SIkBZl09RHaGGA7H3np+qxyNeeCNY07PDl8LwZAaaYk/bHPeBVboan0I2X4o78zCD/gFXFBJ4rxwwUsVjHEioyO2JcpV2/oDOelJBD//78WzBMMSWt7ZKbJV9uYr9ZUM0BUD3fsk1esFCEdnDJdr86U0UMmiig2R+ME= 21039655953870571289679214995029926285040274249531458675115179004718812090027267801012507748013357317597416722235988917212676802092082137617336199787762782958420742299451435320649616271885264333948336627286638368859041172783505464468640994920853000441536629081040963398001710173320125308624362209157720438977 +AICOlee3daFyqTrTdtWjVb5M2rclh9BpIo1CRvKo2bF7NYcjrU0/VvbOnTVXDwdeGMLupbi76f0BrfDxYtkzMXvIZlgoTit4g5ennnklDHFBC5cogaGlri8U28w4/h5oMunZ1O4ezdpRgVJe9nTP/sSEMYiNS5IA7Zshdvm/XccF 90275777798511290102824338787811725003177532250296755103300529948194832904403489332420505850668003332750291879153080212231952155092379375422537931240723308384652734942204313672973885652497290433943089371705605128843469306776615573873479312715317072986990219294942040272550822460408702072075001377245051602693 +L0QUSVIjxvE201b1ztRZyOOxy8vkUz6626TH4tbLwXjjc+AhmrvplaVlavnOgHqve+/L18XNuAYP4BqdxIcWTx+yxBKm4ZS92dRJdcAtccvZpEJtYjdJvI6qbL5Ph6HluaVZwp4dyFyXuZOJGTfYdTb7PUWM0jNT/xsqyjxSQ2U= 33191267986826803728285073844005357792766429917696698533494382218509532051029343127452480789088572904364699220151221680328978554239767633887572649589456766209242252549993823283929686430100804479376247660556781589549613316880150951333982646510273364068770923588389668733632648346075516618646974067295703417701 +APlD9ECKJuACUmQUsbd2GTOpb2PgQVT08C/5hyNEVdA5bWoICX7epmoCKCybdolk+cfEBP6fSz33j+Vn8MbeiHBLdmF6ETbmcyOjldJ902MDvU8dqAa8IgEZN5Uh5x/xzN+3dqk9o0ji7yi291u90rpfIh85PPpDat2B4l5zs9i5 175040148659257809883308984693597046378367187659749953472629929701758633206586720399909808941145946314755491399962797299295431089674294356220216615950668954164397362123668926410543898553191541662075745481299747832013627018846822876386760538344447600390187421938699064459451308870669878673306013635576901916857 +KB7N0tE+A5vFhyrd/m6Qe1wTihkjqmBn+rinfmMAzRlvtxIBSyDLzQsOQs7L4oTG64ABU+YwcWVijvoeZNamaxGl4hatAH1pRqmC/r8FMvC4vqiFTbFHzQhkjM7uoHD1aKnxyBVgjMj0E0KZjrRxydZjIR2p13FXjLP3UQSFtII= 28173452509830313810392326357601136401754938805266458365469366750775669869895498658593356375710132149836430968810246171974040975430205200958564616924399794768861923079158311829444850822144940112488994119845741191519421434257276977333662656888696213514226866147767570046232093727585815615828360199830275208322 +bxFgV7eXwnbQScl4VzS3RTdcMW+NY6pcGkT1UsqHIeDVyBb8DnH/2/Z+DX3zniR1iW6FPdvhJJeQyPIax1ohILa11R27C1TLxGvTrRBGUycxjEcBIxamHveBsXbECWusYLEakeSDg9x4BTWMz1rTQajkorBoeEjYuW+xBxQtXME= 77994515143740690952370766995249847650881300682406161400195705464876513409097078624084133111941171517535435606295232558665316819077765607639545069239931096306624817379462598756505457054433358548941076472902905065316335603665413114267741896000877284610377452471067725794013283338924419969559537339967562669249 +AOH6E2eBzD76QdTJ6QbR/7OeF7AagUif9pEYx7fMqrIsXCJKKpLV/RHIItCDYP2WO4URCaVueoAJe3M/Shj4o6efvH9pf5Q8MLM0rn5MTHWhThivqYQDwjCp1ZsPgq1VFS+gcnmwgHhj2W7XzJxiNPeRXlxI2vL+XTT/wPBYhqEP 158686346608862569574095184731081143351413141116869402750758091813874232272198082464382169470744476593016502816563462778075467588097653320101723165887488327616477297401486647183409348122990505635004320879840358339260797834264972100385692477324858942142372580281421734058008608134075577990829273447077276721423 +ANDDgNXOB/rXwmS4KEjiHj7RCDocVrMv5SU0aw6AJzNTBfseFngqidXx2AJKOEeG7RDDN2gzn4K4qJktF0AIPG2JbELlLUu0MFlpOLxamp586qyp67Cl9OuPq3UZTyQhIsSIE3VQkvxuQkGsaV1owDV3BKIWQbQEqMQI3yT4ELHm 146598844784260148346676185962272439320781765598895126402049215152385925250917998794921584290777625240122575975327405909800121511343265147922400813488099624745229653124857224399973509428158163452130086943873214460600035260925149630502192183407327427517292065083168010281295559088633086659209316582810260124134 +Vprr6oBnWuxIzyTZjuxlKSdZhBc0upeNBHVIlXpQEnN1Q+XURKzp4/6Vg/koITftr3SMSgGpE7LkrERMGFgYaqM5XZ1RXYFKT9dRJnz9VRDITVZtdkDrU04bqo2Ur+jvZhvg/oHBDTgQ4nPLJfHO3+GEmUtck+g/wOVozMMgufY= 60816213163057201559480662231646403262735082707152897397414589876256824040344252799972529759737904461369360580708093117244392116003622336721789703580184437841209963565058475060017600871779929808204093448248984201640754565635410002090180110910120481044515630478472999135146756643143415057403006410330361346550 +do4LGsm0afQLHl9alWF2RVyEKPxLIErsf4pTPgScRE7ZiTSVErbCDeyzd/KHzhBLQs/DhHHcw+OXj541cIRm6jaLVKiT8EwLW/dVG0AkVli83sFh2f56Kk+bCGSKvfGEQcGLY2k7nQ06zoMlYR/xbZCka6Q6kSq4YBDQgigQ1lU= 83252051731120517035090523892596419800592471447735288551342681962005778435125655090199060145942826521644585427683714084736143440310518046334877897672493531918539106001203807757254797471481884534543367685912500572052457610702790097953420236852480969038388056545966568595395722585797418296411673622376893961813 +OL2Qoj4xkqRrQmuuLwrABG3BMMBNGjfBtVBNTdBf7g027Ghkk/z3aK3jKT1EPpdiOdn8zXYBSO1mTRGyK3n7Jo8ICOcnlBOF6cZtDsb9bvSVE26MOD2wzl6irU7vzS+s3vGBkN3AazrxPD4czk3xezA9y13DJVnNzgAgIQHEols= 39844525812817530522650122383059885756573694015271773938493414420875846359054562126060762455794481186614035892021706051863945033061233991184379580556219478200155757966121832613842937722944431875100059046588723473670448006803481527981834627086055642349130254917244469014754132003347635357123155857820000494171 +Ljgn+3Hcg5DOf6usRumk7P+ZrdTBRmo968HdZU1mS7LwLW3Hii2KNkwMV7J77zA0P1pnvhMSEEeh1RbCUjLtSIbt3RIcOEoc+aO0eINF8r99l83xF57CBI3MDA3AAbtaYATy/NUXSC2h4W5kdsQuR88139MFi5y8E5njqxHu3UI= 32456338403763561215581247445990611953939298888251578685087656354454727113846722731945605696397627662593375001096230320486703167389461057538581895745078593206660798580358701927596287363374862536765135996838944212622199018632046955402325290145163082309469649329852148345837780541107029165352782710901375425858 +AMt5/u+ZUNm+Xsucr4RQPUu6ExAOq/Jbcjm/Kb2YIAaEQ1czIL82wsu6YmpHcfMaxLjY+EnaaF+eCWQPeGd1av919+QFbQPeh5DT7ZT9klK7BFyVsN0nEDJQ3AMMJqq6lm4sUeVxDVTmMypYnkzRl7jqzyCRY1MHA+o2LyMECdOg 142886089970163885609957244378225169093559131065687633458877059657380607541767850701139140472705242750285722732461954100519608059127637509286558848391554697942686619832870045594188204522385787253648018847569919409782188708374165437385572046835539379151066214153911415525465041951116179326632238059135825466272 +AMvXeHCaa+zk5VdB27KoS8XpjSUngaw7Gwlq6e2RrkEOxBhU2rGWGJ3fhq1HBNRxDf0quqfYTMd1speisaEr3cIyx9BhYwB6A+Nex/Sf9DSixezhcgEz6c5CfwUYP0QTTOiZDqzz+GcjKikjN7DKJTO0WSXMRG8qX8FBbH0rlc9l 143142496664357119491819741364830737485524654099662921673419335301323845847085335210884201567922636945282124120681371777665458057821603161276185071778040317947168899788341482064834489328957963447735297898161379277478278414388733161844053774747425459239004132791029364174047523473372650441001639174571312926565 +AMxoMXHfE2i4khsAkv/lPtLQhbWUjP3kxYmlJkpacpicBB6z/TmG5zjmTC/sqzBvBn3J4UvMzKYFyk9/l7Wnuc480500a3S4HRVtMtirPueV8v/SPktL67eN2zoj1VZA/Rex0aRGjW2CzEKGwEn3G2bZSgdT8hKv7AypF69ppjz6 143539479941314279463880342636704987025205547180882175105616955926182352311179043850344463145750154442573797875223178075233807385237935671604701513551125937539235111702655902037518920150424691586943553275517626347557879039695678271564616114192941679606063184290901862703975921261779714258077775731727612132602 +ODvOKg7l9RCn5CePG1FfMitkR5l9+7JK67eU+WeA5p1YXCcKS8GbYAKCtXPD2QfxmQcrNYfAc6Yb/kksaq29oW7MzZuTDzK0HXY5xBc/fJzEuvU51gaI0PR3cuU1qRlLqwmIlyt16gto+2E64BgPgIKJcAjx+TfH/EqNeJ77/W4= 39488587053253042573878502921384752550143716864908041972426777545317969264945056510991363961916339225192727727267483337259701961148978214005913510275048195308792987888118270387288989623193626554910652030960235845935461155296845475356011099372367616732243132816329531758943935324760665826550992788664237161838 +AKkznyQtB+PGvbVroM5nUIzhJUjiNj7q4fC9sSFbmDgvehnwPElVlie6PimH2FKonGV4GSaxZ+osil+9omfkb4rO3pq8fy5KcFSw/gs09X/U2eEEcUt/4oSbjs2NaMIxQftM2CauULiwfkWdkMFTBkHnh7Bbyocc8dtmrBDdoI8a 118817437232756222334188081193205110010964766506378146125932730686679941224328135190204402802650523704343176483564284220367074983943319572348376466341132480772885833789613392397284313483009178508647973749522358005819092779831781339778163122774381387989185969990310049504391258988402795259963134610905036263194 +AJfwWA7XnYbTjlJt+9hO/Q/OubHkUkyMYrN6Jd0cN5MG9Rg8W3i8U6oJxT18p4XozkiOgPlF1lE7hIAW9KRKJKGTue+iw0okLq5UNMu2Ha6l5/wzKi0QzRVTBnQm2zjPlQpgUorBBty5mcbt/B/Y3vOE4I3iVXklVtjQ7zIBHaNK 106695084438708194568048926154027115609888551145480521213711726807296356271397749432698558860759334362315257102647885062353922543502466463770991058956633500180245599467233361812610650830611712448187310827443315947425061886163301613989593906515923245020641415290300558869209909418659128196109640872398602216266 +aCXItk5XhuNrbrqJr1Qm04U4y4AzSKDMms11PgVcdf5fCGdizibh6/oZqx5OitM26nRz2vob8F+ZIP0CIyIJU0T1M50dVTbbpwuVNdv/XI6gHekQt0d2g34x1TQJIcsT1VWwGWTPNMtht1hezBAYxwv105AGKnqdLiz04YAdEk0= 73134927546833985031652237686088635686032103401394612286045377544136784429757461671691980910279873140130943470029643791712859175007885735170485461366406852784845528918253441791024065848540598601036357817496637108534035807393364939272891745520961269029038360205258229770737579266643408540634722493263322616397 +APNeoaWlyNa554OtHP8F7GAY5V9F7LMoF2ssg5wBmsgGFktrRH1C4FdyD0COrzIb0Vcko1/HiTnA9JXlfGKc3gTHEnO0gxBSDjK41L+EIgUfR0EhAD9iftTaCoBM7qZN3R1MYrSz3sevQZNMFOOnRrzwWEXnJaPKAZXvsqPzOIF9 170899982929163229592439208307232242235219591108657660041403142612622997092685093132858257827585941687488772925553142105567685213341947938835403410054637382864108739466539574004149772568683507025358331323655651148107044968424043673850583150424463706583215452211942132017052425497789362680979074312857823248765 +ALhwBfBYpOk1pfJcNut0C2fEAd4hhYU03/ZQBqVe/7MgpEDjro7oMvSdba5kjH/VBssmZVqpvuZ5lG+vI9lXLukhwRKJg7m67HG8lZXvjDmjU/PCjxBPNt5r8/DziETYmMa+fhaMTw4hedZcwDe37t1VPIflvM94sBKu6be9yJAn 129516480651398210587505113546142851617282590236388547627336279692965778911450075230961856270046942312918567973875005814982283590898552829322178788678196583244198944578081007477482775130405341039067711963061287597331433268366003672643052056973656674139309732186091974604170508497340243515339072325943686631463 +c9vpoiZvtnj71b8XguD67WayOF57QgOX4V4L++nG2u/RY9VT2+0tJ/C4NIawVa7ScQZAPVLuhV4J50HJX7FZgtY5n+lwMzNo0av7i0IqTS+1BBO8eNJy2wkCbWWBxNybuNnF6OK7eXdPb2Mmwm2OmhN2/j7HAr0cD7rK/Hnif7I= 81358980280155473712258342299472964374474635149963153129588784719499494479288254287754874893180126149146558961101860327826747785201363745989346818037655063262173536227595206355647880155693272153902647256175878517626925488264893732295267833614283963802283320574654949992393798458265266551024756663538388467634 +APArEXNLzDydcHrieLDReJryWxFzcsN1dxjpJIVGeJp6itsJOrUtnmXVnETtaZhWsmN3/Zh0R7TgJ253f7PZ/Z2xCEdqF0hs2MmnERSywdWZQ0a0McbDUUaDjBNYFht1wvS6djbI1b8RfayrnEZ0miYdzrrP1ntU+5cM1QBAvj6T 168651870043094856205824264282870999215855903395882323164614939540734011037112413507417141209480771157672307388419164831992909066097194364645695794831939514470650008210390333649278806163193463937050083854756730458780288720541495880958909249273048328511615821480782977316719631334570687241232556472064072892051 +RhGyx6xibf0OvY1XjnmX5na3G7emG8PWbvEa1kIjR6pK6K1MrMZnxFefXpHWInFS7ADESNI9LHjZB8VW5QrjRVPMksgdEAlkhY7MyQxaclUlShFl2AfKYBfIIro+vg7mUMzMctD+07BLk+jejRHtPVIxHmNnZrZYds80ve5z3Xw= 49204219353786910100605282012781696579642953908541693903348594981245301165936599174304121350092894937817100350990938057159324959104937469442065996667276651025661016077514839755853073999975805394464570132481314896694678249282338429544941873047382467276103868995474424700207571657816852575364781281563515280764 +AKbFfU3GL6NILVyONPVD/X0tffk5HS//7FBp7n6JKMXu3VXvWnfTl32R0WyVHk2yP0iIyi6SUusSicOH9ncO8KJHmaoMGN9Fn+Zq94FTFqZne5NxHmCtwRAbFNDVGg4FeemGXEe1S5Kk1VcvWqnp+QgY0uwa7RtT8C7/T+1pZlwq 117110890075563714812929271250884717870581483065920538069845585667296154465072587148155060755111295509684258790280104272121160614620669593483929827848744548171793187278583947500205314283462739235860439216105116687015890394925743036369717346234391524403038196640934551590543386844279091801685432977718405127210 +AJ0xZ9dfRc6P4W31bMHBymgOq+38ETEIMvMtr+wB5WTcsquZY1IUB4IVkrHaOo3W2SIr479IfJOOQhmvyRS4iB05yDI88Z/fJfXarkH53gDivECuo+5+JmV7e0S6gCvOuVamwoQjlK3G32bCV2946ry4EyIsVZ6Alk9xk7X5HfGU 110384671994603894282707302829898242894456931176497230904862171369974466400767175784681299142670706023468915238955836087425993929524341269289746060546848852729416925808186253355106621584826213979718185296723694190658548757311188764342751280681935289121682174507629679900374674992438818324999211250580434317716 +fjzmb1D+YBU5Wn1GlwhxjiJS07k+fXxjeNRbOv5SjktzxOXmautO8xZ5ACOlYrTt5G2gzW2PU6sYNfByQ0xoUSyutOuQlD2r+8MnDrxCo6RxT3P0dUSX7q0IVj+oLK4GPbscnKLfe6KqUcYLMgKnDYnc+ztFD+csL6BQnM9WMLk= 88647261832601702291191332432291274285041869480562430895152086741320122435409959711452438332192792226899741738806447713240934608106883094466050154088410020909933636902495700779087737304255058561688767369900548260278700135161077055869478387490726087630962098228537973426295306997128615315548440548541717688505 +YDg99aHkQSh9RjytWknbXzcgLD8MrWUEHF46yQLHYANKXaQYyf3yGM9TYPCDUqWbOapqQe+XfOCoACLyRg7vVDsnOPRDI9ZFUgCQBNG06ZOxzktEhnNJoRC99da8jyodFqqk2f9UD1lVa8tsQdatjUDocwgJaDAOpYEyGnUlbXo= 67567767932654827067250684965667741848878457020992905661955722020937161710030993261011062929936964216357930453809610708591260182295097124272956485574313839759737390934220465669626974544253750900911093325004172643146669082793591441922014060981070503803266774197958528843445580649512373693546027107823355522426 +ANdsfO+cNtWsbT/QJHGkYAL2WCHWVPrX6oEz78pO8lUwiigVEow5roLI5Tm7GP7XffjF95z5WDxzpoam+Bfp4za75D6ZEHQmuFnpWQAmNLUHdKUE6UcsWN1rbV1uY+x+Nr5Vni/M7PfQi1yRTTJTYav40tFPb9rY48FsUotivoxd 151275723772668372472508916060743043308364940375633847663054782759325087560768667906829087958412643723335046123025802453213225972572697773468957759328009026531148112732519692142632237595562259864125679649273054426879080697360204352423668940795473103047320116317252295126635024518179060076282921965794883439709 +D2Z8YA0G/vzEVVQ6itLPUC92r9n9FKRpf6lDPWIgpZOOfIkukPp7zzTlo9Ej5IsBrZBbtGz/eYmlHeZ8Y9pQj8HFW24HeKYqjmR0ujbNxI0QgoE+VUwPVg0HhoQsOGmq47zpXpkDwpOAZbMh/t1Bafq6r2zM0qmiwOacJ8KFUas= 10814483230552506566705634583020057064935800294861277580077052473134972003523900930560478187758928889017740705417070994563709463926267126567504805864719383185267204810142444719634360655595490833208838383875687102074846353850310954150927702228780599083427768247170427544730791038729428517279760042619935478187 +XoZpSMHqlOyPYJS7dWSRNDJHCkjbo6+DECzu0FpB9O8bftcxan/06Twbo5d1lEqPlLx3w0XeWtrmCSCaeVcXVtlY3QuPjdKPv8LBnnhslPOVcbGyflaTPXU+ITWE6rwnIF+yWQl3NIwCV4EBtCT+3U//Dt/Ebif9gzfKpKltD6U= 66377743237695515693282032069691369056215169443985727092982918806809030742478033317158686828712146024066618073633406428345129492010236994055590530566431286733776441810601990431112187030942086686719669823512292071202675269428014136307286941704297995292544712278047959299939833088742083527714893795660235870117 +QUbbkyJQ0Nru9c/nPbphM6VxHp5DWlai6407KIDbTGvUReVYI7de1gO/BFphL9GA7gDareYoMuej3/SVp8lEujXywtXzjiI+j2TzR3YYiMBAMhsJO1wU9pxy69Cj5xeFFlrOycjE9sPS9nrqnEEEFNPiK/GDDTHj0KuNbWSCLrI= 45838919357034925862751142472777409057791233610959872523563363744902783251621354580995921495295078179996083468819097423327554678806691589090814275138081407920379810144694354354954459732280968086760894209634364189264517251735804373673532012530665557440070501687207620525228416650281363557992436992284712644274 +F+uI7ARCeAlnPLO1YR7RJj8LyhtE/EJMcY45lsNMff0YeENe8KOITZVxNA55FcxDYpg9sKi1UV3/ASqkqpH8MOxWpBdT2UwSX3oBkp6ETfJKqiag0C4MS8cQVsfcKF39BJ6KUE7X6KUEj11j2YIIRREmLPyZ0LatG7dN7Rmv2iI= 16797235966984072293396362937533957334369977688369659112225970370748312376722010874726300554329794854683394163379447263409228872034356195791733533528404245739693397078461712458035888813157166614479153484688995068722288153129390850561042173295997770817893349738328312152341860704179681230323810266038959856162 +ALkEoXznA7BJlBIfA3Avl9kygQcxexEMApwduVRiXeYG0uEXMQU4rgMJBlPqs+ly8LTIcLFaLnJAG2KFQn2GXz2TNa7w4xkegkrslIJEtBWX/lc7VzRtcLbhaXEs0Ci1ValnW9Up7dYOj3Qw9eNo/9M9b1fD9TI+0QXFtp1ge728 129924120553920201168632484268654219915712271781591182777925696006023100660478316445751842982460082888615429513674356810187315558964251402722465707617058251479494744427428152566665405423424700027316505872162698141109433045594670140335040479559124757490095995568556894332243767736124299898808796118800328801724 +Ki3FNTEE870E9GaNtbT418CLSmf++s6Di3hzAy8NgiDOFo+uuicJa54V3JNRxOBc99sl/chfZuaBQt14BFOQ0i+9rm2KD82okNABd+SNfXOb0Ow2taZX8CpkVJYDyphFPyHbPIKmzwMShNx9X2z9w4++tJgzBzGcFTPv1nhAlxc= 29618953883711174042338818332957726953262658484143534778541769862244883781157097499904047532839425875312731531093860721544220959674634750905085721866390609141599426547378130082409488797303960018348798930232014390380383063108812922828160584483043190739354817699497573863286563890071313017508437166939160221463 +AJq8tcSnAq6M32ViO4hVGiHY7Tb08cLVyxpl/v0Y5adYblvjrbsFcCmsNDi5PnBOBl5awR7KZdQ1xgq6jIs+SQbccEMvJvGUZW5MgcHrXBj9XVd+8oB0z0eahqXpgYBqLDeHLU6238xR3dJYFf+Xrcrzjg8swx66OmQKkAQVJtdq 108660120968150664552423780971948386965268856900017812123107864829782135741514930439461240950044759098603910762272795612101834680870627850178371693837566833495418727543557712057554231215186486008080050486837716071537742708913279026303380104388546316647349432118287628353129105425052237438199445863950767806314 +AI3mfrgcRwtE3mA12gSoQV1xyIGy/YA4pCCvja4mTjvzQOAfiZL0efadxZH5awohCC1SpZDCFsE9yYp4LugHKu/A8zMcp4k5ena8sTPDkSod1yucjybgmVJ5h17Pru28AzHQ/YUmCnojQv55aV2+AUhxzIfojY+NT2PKRqr+vuf+ 99645829268436288676280252226747461064597487404802430565833102291706103139410465131373666856042539909746769688396958963177805479987372681967013633920910376342526433530508868114301205524789149997372160919406352823342811006288909548557622230243808373083272214426118230701324879006645047374853535922112549545982 +TmXQ+D8XFKSclXwnTIH8d+sb1IV0gfm7GagJahaFL6A9rvYaZ0NTizkG5DQ0RmXyo0wPmLork/296whsdNdUxVAwnGFlWWvMV0ftR1fOvN9KoT0WtVZ4Rmu6Fuc7q1PskAZzIp7MkOAxILO4iX5dNuVC+GLZYIbpTel3Ga8fXuU= 55052751096768041533898435453266875315629605001878362193939750978427494147944918632414581744895066623527980497732722163665712245580312596487741856071020477624754815927936394948233480228964159047139170955663289543349257377302556035170334384320502468579367401821986660515827461352578142560630318492817238744805 +EF6KIBWQiQoHOnBdJs1p+WIcAv9ILt0cnQVo+o/2niOtI0C+eFBSiNgeddhotkQFgHvGUjq8BPYgtLC8A5IFKGzXu4SYj5ziagka0hqfhVs9zVHKNx2NUoMhPDG5R7+giwEGGPOayGHVNbsBf1FBYG91+mwy8hnNbhcHSnvLGk4= 11494909948912248031301686864833544028186348338729984264372557659364976118965740281229664413031002362633393381744365783802034700038490736736266032000546393704814403638058993380993275865674190555703046732456017652317200288968188655019374159412919163798248766655991273308390043613040731449231289437754791500366 +AL7wCh8tkFe07qChFAzRkrnNehvda/Teroj65X1Bmcr14+/zeJlZDObYRYBOm8YYSYNgJekcL3o9lLFE34sCMbSJgm4dGwpEVexiLVi+zc8ndnqBDSAnRqtC+3jbInm/v8l6cUvuzrUNtzXIQ/H4FrmPMiVy0EMerkMtkfw5GBsd 134080980697158076909534078193319899756347955848461100874771253577754225619652121295523443912922220564492468474647193062555347746840044705102003079330399499915801536721237211615317000955332058281901995149084303143543150689010335818219129745452688372571010816270728441637278434982752674030696337642893239393053 +APunLhlblRi3bbRBwSV8dsw8h5SvT8ncAmXPnca+e1dLzrQZzL7P2OhFope0mW1MCDl2kJPiGTdK3SiYJVsAFeR3r/0z96g3oq+8uS66T6VaJym0QToMsqQF4/fUMaTo9HsukyPyOgjVIU+6TiFd3SxQKIu1/GpQWVQIP2pkHFKM 176716779397275986910036615967409090183531310366246043951791503601618945774743601662530806467045971394247287367421508126613573039423674729894091424105133906122821596079925540513892022311039293333114333317886304014722168786051080135090242879622144693440448171583324154550086458411590240882982297314605229953676 +MM6B5AgdJKe5OLlPzcXwi9WhqQjx5KsnBYxxa3kWdGNTdk/IN6TVd4Ptn8lWkLm78mw3DXP4Ol1sQbIfkHRoKFUN6TaWg5aDCJBDXyHSTZI2FDc1di0Te1SwziYn0sIOe+R+rfuLuHlcT1xaZBgL6+dDLAZaZza36UEjn5i/pTs= 34273208848307582992498656582721015257885595139328466874135636009184357438445251703533153492315835793684794951576799764181908090765379592683793969576893243386892292517067596035059342970830813419330530731370385186653239446376170533147020072285887964430731437765184844167400169982662183791828762458682426369339 +AJK1dx77ZA4F0sYCgRL1LKSTvjGTKBHd4QBeVnE6FKJxIow82puqtsVZ7TBxbECex+LkLQPrEbuQaVr3giUDjg0aJCE0D9ZVXCUS06qulqcCCdWgGFHXDOQzTWDn6TlJCGxtTEMbMxSlUq1q0iKZ19kwMHiT3GydBn8/G7tIYd23 103022457217861194294329435482792508957642944252832971366936865663608381648431732294396977429863681671686490913575377744795372643599438468695483808375208871881849232129651519218503507811863794426234594709451104684234156597418383183271923307418704786548452806494411689822939919114966188329657999811363991575991 +fPZNsqUYBbVGA2FAiglnByxGJOZkVSpj8Y4QNW5wq6o/1e/PRwp0TLYJXIoCJRs82pAj0QDpQbHl5lCZmNxEIQP8o8xI//HCPxPIdgBJmSfm3VGetrOpqEGU0KJJqK4IsjoVpAfPFMUMOpGNz9CSvCHGk1AKrtYvrTJEKmETuig= 87751387019308584846595931543798879607048239290774788042055795835726250309378365187899578817976976035304304847968410200168743967600896348021636654074952051821111673620467434295067182213181329543946368332581250062140819766061014427755090798550122401239987766844126425179573454145697756278292448630509686471208 +EmT6DUd0bxcdprYhAnycQaxm89kltJOlIOGFFRmEK90H3RhzBGr5PRVTJVqemFVpVliO1gy1nPHgqDGVNIE1GXhrhyFJU6m+HJeNcduippRe38xPCiuraRkXao79X7WAiVYUq6RIH+UIRnfTvHBgzTwjrOvKJ5853hYmGaanjh0= 12917015385266582065020051081997430892582163827812227349569911846746592973268746845211126663077128575098045461893559476227689488349263954564361736197688317585888118974603264677576027836032271531903881104937422976121352854003385726888601980526287956222142458858211589791399646989299770657341412683499692330525 +APtOYyWzdY1A/YU0SGrtjPdMZA5E50Y3hJVXppwuuSk04TjXzcbu2Sqp7sMnKYbToRW4nB5p2UnaLPhTRy0yszOd1auLngW+0ttCybD6nTcVoP65gYOwXGfSEQysqKLb1OfV8kYq5Ba92Efn+CcWWWuS0wEr97W5M/Hccx9bGu0r 176473215292413922394356058789571494026727424839036665031567966488209592078148711908841964690807374236235612412767651029865069639786447019874344449598703213025389428836803984245755885691094364960118900160737925054803955567361126391353868279642836569627177281508980029006921064654964339077608785831304875404587 +Vs6bjpYfFA1R/QTeCfhMuZLZ+Zxo6wxq1jFZpi5SBR1LaUwAtOAj38OJC8L7zmxSOj/RGEmJHkulI3E1MH7P7xlWbY468/azfot5fX9BgHrtptV6Q0dkBUg7H91+tcxdbm4/V0HGQGa2rZp+XK1rO+U/d0ki6iNbsCsCR+OeyvI= 60957991334776853645581868230398759578123373154273044785333939425321390401088800849629483265841435899835570419798325123273632247193463641611211088549152950252041797959644227170492417662363676228611376046334386877555777556575818860902071813120592757466883038430756577949025778080997296219236534786815367760626 +GiauT9A+wmwJsFbS2OPIM6ultIbU+kT2NgACn1jFAy+vNBahdfHMCH0jJdCs5TbmKTCeiEf3ITc5TV1OSvIejJ0GRkTf80nY47TAhiP1aehZvMAv59NQHHTDUE1U4TPVYKIyFpm1V1A+JBHKJzuGrB4lvqB2ed7k4m/ZD5lFLMM= 18363925023885496669420377869542744504974590667921570026763131637088916425434675950812384919000566852243714758512996458727914094904422651029609645299422563453163291342992902510788457007623888307499601267675322986672697397389663297565071582648674012080122614260400848960757021864980761735684874056409664531651 +AL/9KOZLtZu4+ZQYQsmOgbST8F4RV4N/Z+l8qsbCFlHdXHqTTkcN0chsccE/3KkVTZsAnAyJqogbAvB/RZqttaK5a8iKlOEoerUS92FVQw/42WhsVaFggR9cHVuvCD6QqclZjSBQKQzUMy0YWPWlycAZDIv96tooA+V+Fk0jbcFs 134819194171226950171930028888667967094069342154233489571728632904658607624703819928943642011918061760802468868660586005724399808048609316802502143143910585363214684061242274402109137825176291816945489430125510625857564490981683683589784133305376252294774711594646923226452625156299996630452243345104727556460 +AK5x2N/4+PKlsW/fNrw76CnE+nS76Rd7Ugo3IKhMTB/IuCc5xG4MQHo5MlWE0oVkZ+Gs4CxUpvD/WCCjHHFlSxKG4mC6ehz3NVLglBt+f1RWfPkF28JPd0UaIOG3um8kG4J3JDN48PXOPP86A0H8ZYbE5+ImmXsGAcwvScUQRInU 122499245103202714319465533564374494931278163571999934877854825659720649344163774228004853964635693562785966889622928722984134944784141208867445419597834322541679973956606275877526560988151196822256754309120410807075405427166696093800381410682490767468563176131997424692783482903880902119461752084196789357012 +ALZ12i0hqFhwRAikcoahYzH/BUolhgZ9Jz6adLvvTO4wk6LLOpNC/zCz+LjM7HazZomT1SqeYJ2X+WeGFLADHuWo+Gp/I3S0UEneYHKJxoU7OoOtE0mB0BCncLckHao/LmbpnQpS+Lx5bRsr0yE6oWNea6gbyRm/R0to74MI3/KK 128128022342420083856194424802390993133863171077961467523372211039771843125192435716337829530528063182315478279257832480290950255315151577221042903861075751839976362752440630888566422581799720709574650482021111126414843635330535518992034746102956214991673417580508389225948159518319625680855827280146399752842 +APXxvLifWgehdwdTRAJP5KrchRzgbUsyMWKcPGm2ZkwGDJjoTl2LIOOGVFiL4CyPBxahkEHf0nMxBN5oNGX/Y4W4PuOAC8gMgHzdLkPWkpnTcyoe5DD+fQsqNuKVw9nvyB15fx8k0d6b056nfFjnnRqgybby7MSllAWSKRYRdxVm 172707950911363219032118650562553641123743396229371815589867086054370029540557395298194067635069298952836929253340374819975848769009260895874615676938511747311585257140973518651959463416682165208985512233703837931718385346209362040743041262031997793519095342415901373534535662377972036003546589624834285049190 +O+9ohtZ9SzGLJoZM8IRQAjhc/GPt2X5G+M22ZidYjx9WgOTrZDXorSyxLuHxay6djsJSgjxYMj8MuanYSn/DzPWBB1Gn4cDmIsfeYuzO+vUJ4l6d0nIvBg9Iqs61/PGFd46YxhnDiVQ9HEznyTjzESnNqc0+/OkQVJcwNHAcZBg= 42087920806448980363073662127262313840530298932643042322138035915324224188032438119079107631420338701086802583985117830416851550991102672642532160807467909040086448764318690465254898516502941122327185894900817634110254371864896139724173087625913998657136384357741816102965779105122269429701537815263708996632 +VJOZmvqrqsIUTQSSJpZPhbQIYN2tsfBhAciWnfAYpwjK9/ts7OP4Qgdp6T/V2EsSRPnfZ0VKdLg1CnEWDhfcODo+/BZcUrJ0AviFAEtdeUhoMSWXtjel9Ln2guHY4s33z2cN70+e8gfjes65lCzrxUIXEF4nKxzKBnScoooQP5k= 59391682001673484862915842850714742391303140646889359425353339320546979084250010101273851580028171449840778038774656177449549941659895629203970455580974953864068394275066532699748911169800076515776388213090834432354601344176559839798153004796057709798368011673585434643656820656931921831615507416411999846297 +FRyJCOgPziO6RDHX1JgYGZRcSAuoQFIZM4niD/B0twK3l+TRpmVigKZAJnZZFtmX+0JQkDwQn3lcBGQIL6mgy+j0hD58U2/Wd6xebuHSzf4OHVGo1cYoqZLplszA+hVCoDVTHi2YAZ+GtfQEggumcNVxqfEZd6D9Nu//hm0t21M= 14824975573460749317081504809641216868382341402512168178334301409725840669112911061147252565570697788806398498723577368905065980113760265945344671897779830912242224090954834750057278285419880820811348943398148063418809729356397202526234113316098584002071850758705282845646489058224513019380757604894853946195 +dUk5LyS7mduFJlvh5o8R73kJIeeTh0Zli/y3XjtIXfCaNRf+wDlD/pX91JEwsQ5Mvj8yq/Uq13QyWhoNwsPpXVcJtJ+02wtIn5darsBDfzcD/LbWhl7zTRUeMjZ72gAWi1djx94SWjrZJS2oWZU92Og1yOyKRG+ua0AhHfYYh6g= 82361050315899968537319599868832189063658136463903643442673674137187842597528653416212822014359684261704550279153006971937114135373937934986951573613797195556144113400128502946618028800530164890707031379614952207482505803377774320259789692177752930767589642007257364960987343146063216186985472686575891023784 +AI6rejwEznR35rIPuIz0CP2aWyhRUR3unJ90YfxyuVYxrqOJQGSDTSf6SGDDw5MqpZXa9pWuwpyrb6smOq4ZtC3Er7lipJfXDjhy+0k1qcfMjmqbATUscwXGpgW+MO71cttccEz6vhbjndi8gvG5M/vfL2l1jA8nXuBd4e254dbz 100186164434910864539376019601151338080943067893748898987236087770762310617199833479771711726248130012472861788210345311298499515751355424063761182369333224929721733015910055321263016834247318907562652286587380604998130368845939290804442878127169587599285040969551065995197981341260363722618429042861484922611 +AJ5vLZX0fSs8dUSBqd5hki48T9cYuR0atxR+qv7cRu9nD1vP8uNVR8dLitg3XH0RARt3ZmOgi/AuggZt6tTxuIBg+9JhBY9WW+BLL5CnYWHC3AKMi7MQBWciLtmBpyF152bDaEcV1PXxtml2KxX0Ba0C+hGVDmJSdi8Kjd4AkfU6 111256341508463539324514225759801553679558662737345522765042612717818066374840372549356543720386819501973783940451033901079765311790026584654529398345993992144903839534037331533660672892487693477412528974248713261092693018326068480417183236210881306241164169849090833681510163753605662526243408192127670285626 +ZhXtSzn1GiFfHHnSKUYZiTcEWqlI8owyCKFjCQ+VEvkdk50m8uN7RCQ6ZhI545tN7Uy0WdLstJhgJETBYLHHIoWsJn07mgPxuyO0XsqNroICMQEOO/YWQFk1c0VqZifcohQAwJj7fONzM7hTcA22/7gVigJ3iLq178jZOJsEPQs= 71686982768953132894579286530164112027530221141251507987469672039995314435159469907420372652392376452531392493658576814100773556880394271726970628960571077839124343525055625420896355363707908511865700866168843075071778015504724409171911254647909938237551680861008772396291072284353858575645679153885560978699 +Vc8Cw5m5yI+bJ5sUJYm/F2wyZ5x3D4ydyL0uU/3eVF2ZJu55OOlC9pUyyv7WGExClHvWpR9mhMnsqCLyseLfM2Q/YXJ7cjGPKp2xd+fvwHa4hRi1FdOxs96rJnb+HUt9hTwQByXgzpnUfs7AqrqaNf4WSlBNMu0IOOqDdB4iVHU= 60256873326783629723455608618518793848697944184579877638436234491615392142659293975260290798403892159720925893207048153291000664050780029732557737984085196691225472664027706406879051455184548871511448456651238810812870905640934953489289909009741493031472382758586341375517766302753448531830002512912250459253 +QmeUn6cbpE8YrDfMETz/+KVFaK+d4NHHzcdj/MnjcmqQSLpP/XwCW/aeudlN3SfKd6rNo1XZefunZO/ek+PHEIy899WzjiJaajhf2X05fl9WuPEaMES3Yrr+ClogFNQ+9jL8+7L+J8lDuqQzvchT0U0RPay5HSNZw+ZouVCiQ18= 46630904037845609335515965570673490721137364238213103678233212262384415738654627185220187275286458759154841820256007930773120637898228224906635911124921895934056288121005350040349882413280772888907627838315559544636626856478316691755270725623680935763476199888127096014398699432042227882284223578563208692575 +ALUBYIShA4w5kRUa6iNF8S33DqaprdOWjVBnO+j9CCGtUh+NNwfpKR8AKf536MtuFFtwaQvRIlkLpaTYXuRxzyU/YG2+UfRQF3pEmXQhcMxJqFzqZ5nWCIWlJ/KtYS4lcC/B7hD2UGAktnIdjVUTSxX60VzA+zxeunV2iBZXQlEs 127106299687401374061881872616647348819431126560557369258073443762502337592227172639640997680536372567116568811258505773087926491911004324918919511363985868314578663758269650473780772688462266790559846182685481907703974916356209771821075179827563487466641669110315430790405454641953880582274165368514679034156 +ANyAdMnVCVjmUZGiVdyvGE5mUQpKoJOJINqMAfzVUGvvxXFmGdoAx+xsDRNAP4KoijpXk6E3yPBPBZEWyhiHnyjEkktK/gX6gnb745afS0QIlsjhKCk/W/BHXkzC862Llnc1ZGAIsERnGceEoZHdICfDUh/7nMFp5WuSMzPB7nEO 154841617115465511611746667401422322067517612306328612547616471923266281876818466022676728696273611923942543658633762267658490816264271663863494188027433799849037906883352478212451733963905925106470599843045599411842850386623187980045961158399934160107237440980574028985561404965317132715808604373199725949198 +AJ4nfhDe+HojR2YrprDHW9FVUxsZvoIekwlNL2iKFRFcTB9IcEdh6QnGcaRinev7yEYUsL6saSxUj39uWlqo8udJFdszuuQUmnloIi34L5uj0m1OpLy2dawpFQr8pqyA7go4ugMMj6XCtiVnISUcK8wjHgY3Jed/EKK8k5ce0Jxt 111059703393618496515021583605572584329116596402705082562306930876194742195701060137568030171429700588269665205795898835699633817098262654446852249498668467827435829513531633390969638488553144849154126899372953755511962841193763362947708260103832329116485114451074371844037650417731807385491783373627950406765 +AL+heSTflb2MkRYFTKghfzqlVQ1oE5vcx0eCIsy9NJ2NGFXCRRvoGDVoB8UEsUWIRnaA+MIpwDKGpbOS8kRQrvBvPe/xM/t3jrGkaS6pN064+bCBx8Y/Jq31ZXNG8oUol+y1Eo6fkUKNl4EOetmZWK8VmhVwol5YngDffj4Q8ned 134567692290185631768518572983694048149859804864902017394351513816079806629664302312927579302025923096596995134868068794900003728293470554490807959649153000914807604036531509869958441069678002226922395630284261949256022972967357884468325217602330254290548618134453007903724438628204981673400911693835033278365 +AI272d2sbYIi637kHZC+6lievgcDvT5VKaCnus3fHwm2vfao7oYu31P4st9DlqPWJ635X6QtLkU5HgvVSy66MDj2fcOfwVL09ffkZYnoGNdhMADVgOq62Ro5cCpOdw8Ko0cCyVpVIaSysPuqY7kiClf9GTdyZz/uYHDgwWeNrc4R 99528854246023003959943182132914587584844397870416002887630245681136432049666385367430032197518895755482367603560037194955739661569172773017279832774100155646116233705958563163070414171045438199561777058338188494271322834524386565519620661180246416329082614115142485663975718653564590519408413408765689056785 +AN9S8vPzo4SkyKsk07nfyD0um1riJzRqqWF9KCL+kWMHajurgPACikYzu61tL7l1mNEaIU16Ndz541o+y76DgsTLYszu4KXUOEt1Gu3eHy05Fq18zCDlNesSVjkZjPmuJr2ku+p0cP0TLLMn7/KuVOm4GlEVc6OvBNZuEzRriSYZ 156823459768092337875922818543729136404805918580285507923139232733465414368775678369646914249412830351437211620056021568154043505276475345347569200977945836210758870414054407438380975491139001471954448623922841964684437333066353208837709613982022690623722155151315252634380695513434502419141555410441456920089 +AMc5H8kywLgiT4zz5xgoI90jejsHorbqUGtBeX9wke7zyvEKyWxRKScZwzRbinjDZzN48eg/30qTZOV2Rw97JFg+EA63iZ0vqfF8jErIt3hODniKX8zayCuNmiSb5kiZL0UDU1SNh8ER4m6o5vshBKkmqs0PeozfCGQtR3bZXlx4 139899247405256530335276706333424670310599977544642091674186635734421385499036688803073040921114325725234673132788498809189814711681909865484671959982394306416477300458309408833281654917008031099378445580498219376391819745965887864647387211647794422908411100892195529730435423964537342228510107659017578765432 +AKv+3H/TruTX3wdMWnLzD05em8u/QMl6lCHT4VkK+uZwBXoLeji54Tcs/hZIhj0Bdj0URrRt+7JdGSTy4Sr986AtVFxBJZA3lT+JT4JSrq3oY1Tv+tX/yg8ZodQmbpQyyfaFg3BgeHNmsUoCrdqhj4IwBqEXoOBRIXnzaTuqqSEw 120779384043726135670909127168686589868907326577918074234323699599475436892003731971700278391108690400460261929381703781833059801757700386671579819341589048987186473249926590758009001670959004477454905417357202448886738669226760846888369186457452643053236389556969071303251275912453385963613554945645058007344 +ANXIB+HxOyJd3YYsscMpqZpi/eYjZi5q6A0MohU4BiWEJK/E4uIObLJDH5yd4ng+hn7UMhc+R/AxG88hIdOc5NyG/QyFs95ZLUC26F9rkRifu2CBkgqR5EQi2cgwC8jGxQOkC62YND6cAn/ILsKTYaH0iavtO9Tz04vQp9Ypc82H 150122383481070201614242107655752525590609186454390549085509458064289390813495886095936526832230958746095739308601699615024239939948911472291507190108935262129646691795733786714291498653838550751365834947465294261687773081563139416397262227609481906371677917295227469553787085145970923979142676551778927103367 +ZQLFoW+dJ7vrHdMlcLRGKY6T6PZKnE2L3NjXymS/55my2CDBLdDf3oXwLlRjVt9KnEiXyQzLhyY2PrFA4k3N/3P5lVDLHero5c36TMshbHgbIKRGN2CGWPEFeQ4j040IwVbQCPJeuF3jL5ikCxWZFXfeEnTL6TqumLfD9yLQfKA= 70932215714423143395949105745758445705072524008235214324766464113352968998429901322485575506330607802260244612268338586532462314021433435523464635419846126736185176246740838082062856583684393425704173881940108783636582561707441482446854068022535943408999200681879161519209676205165680598258447492092651404448 +LzzvPw0FdtM2G/RRiqoajJiIH+Lw3jpL4H+08yOpp1bNITR2Aq0beu2nP0H4o2Z1/FNr2hzuGakkAhVbmmRXc8keoOkeaAQAP/8OYxHpjrqou3WPWaKx+vUCTSqVYYf8gnVKpAAC2cD+3lW+/ZJ538o+c0ovbUKNu1u1j1OBtA0= 33171669664542509840621265032202455391098253465550501094201777336478104142847268103467889435377685359857979277521589539506627375165485879405453566052091202280471235979376217319335800766353336252760793484157724210008639813552207624049019149744883918494762511376489708611103181576211531366514802868659603747853 +APrGj1lIIlxA57DNh+bTEAFbJK2Y2P3MxLShb4fPx2aY6j88k3umoe07ISQLf9PzNPeml4/0I3w0KNd2x4s9KHbj7NsIT64lhO6eQSEteqZXZGXUYUyNzhrTbAjt+Q9LVKItQhsTkTW2HTQ5RQZfGrkL118b/I18J4P+T8CGZdDz 176100632478477421621142147788721746818712752858710594712903769452749028606541677227413333567013253138397373757811889654342173021761934591400685421771460440213093509170325205622261487145789848227404883040799927313402244625239515162996390018403365063394514244196976794479529075569412676472840544017222373593331 +Fvcl/LemWk29I5LCjU1QedTjGlkvFF/kZXNkRJv+vNZ7qgq6pX8WB9yVkk6AoclDYAhCRfKTKuEpR23iafVuHpprPfNXcqBH8n01kq3U27xqIy2hS+D6BRBK67PQaekq31EB0aOcEb/DuNaXakS9+mtTMx6BKt+WoEY+NkzHK6c= 16126868736093163702771491576570380743773057522016869811780571865928979861357811080042796140032050364543242385458140594532945509386155523162799601656485075247603490060565663264947465987286983338572455184901756399862440455644131755848583379822279676555143231305246033911608913609591095831135803702269767527335 +AKW8tvaB8YZ7J5W2lmquBniJzUhRfqFdPZPqvBoMzR4cRh1CMNdSFsYsnsaF3KolNzogdsxFpHAaEMG6zSvpNJAoi4nixCqb5SETXrSLASXvNjI9MvCoE2JCRq7kMbjPL7cem+mBPWZITGUI6KVlJPLxQngHYSFxukqlx7jznwJH 116384596458828069344020651216200368975621068920641012055593076864629080375946542748377736186556382088448816531408136815533164209947323588157210859294774679831647934533061547276394884474877353537242203645373945111105805934070657589374883764420038511061919092743520704686962593876316976299391579463759429567047 +D5N2P4FrqDf7/2Z2BJsqah4SjUtolic/yNqdNzvNEogDKZKAJyGq4zhnHvkYXkEm2ueU/FDPJRqisszG0oULdU6c7p8acirEwsGLVh4RamnFRgmQSK1vbiYB3bR+P+iFX/bZ+TWjN2Y3YMa5UB//I6Zb5kEIjmTpjY2LEPI1e6s= 10937855369372570149476727082965401421189236366492771695094788039313362971972373068736123833330006002198346944149230147444718818161877123407713821100752433128205189334393732633989950841577315682292180735057952587083688644195300641998709155269462601925653013312848413290208844194513502358901613104779186502571 +V/A1ktS0xrcwlI8xrYqvlLCFYrdVp8tEzZaZ9iNNpPH/pzVsA0WbnnUeHbdilkje+4OdoX9C4U2xaOuWOfvqLR0c7GeCkSffCqyf4ZsBmjy/BQL6rCpxMF0gIHXO5O8aJ1h17hy9LTuNzWm4zVh4pNFuHC9L6nAcf92udMiIQzk= 61752386563628388546439207444896778638632243226541303179646524864765343154194512297447627825411023405896612559648434895675553567405277169056807223959390559391191382555701580549902639604424290133917402316755076644943742815711432111554988540913643347167948778404861099845961151998728662878854088239266688156473 +APoPgEKA0/r1FYmt/Iso6ChYK6dDU62Y+vH5h/LVE00biBYG1f7aL3GdllUTN+XQSHpqlDw8CD+9xojwZIMfgpgjOwLbbe7Aso460zLrg3R8aHBpbVt8iZUgjACwPYr5UyKbFzIAWaXcnYYQ+tCO9aDIuOz+/7eIF62C81zXFJVZ 175598490446477604563905754135475294999639698464908622773037381109011373179895295130424828038708319325919451724985361900259676699137657615076219968061941008972496322083528922054390781811699677037439989404270415929836486610353098273115864435328533577114470407444852521009919911888840405368858409835197558461785 +cL54ymLJhRx3U20Y9aUTIsXy9Ags+XHy4qk3F7uJyO46eiXSL7VrrR9vTQXAbETbu1YiVWfslsPht810eUDUVaVir6yLnXkywn46Ci42FEvVoTEFjO22uYcCh8nqB8H589w/+lVSlNrcILugwfdfCvK1iZzVimOO6l3qzfXToOU= 79171550718114578361958369278761819285111811576818442980166457146638966315793211967882077899426611721874954146020093740153495693185472340728106727284441726113022873005252623222594060645383105757498856463065370975867121188445567981809371870213273555432308279508351518168027875538720367440153667708369625129189 +QdQN4qW2QZq8/fmSaqlRiPSoDbhmF0oYjaY29HcKYGHdlOH0AMJb+RUIq1aszvVtjh7AYay2TNhaZMWQ6Qi3c42SNk3A1MVknT6zqiRCGjNFfxf/matbRLbTFQF832MAId708vrFLF/o2HpekMkc5hcHB6bkUUhEI1NLcMXwGck= 46226230186280253581676626651942823886592433541360244612432763620730826574920825070086312767146345247802570752482654580909236388357139147786783758670999083804670979821212991224400629053427330483809790366665043598754931511997925850227997764381723288657884346974360232490075739442406431704368767588177525348809 +cxHvCK/dyVDvaqCCQyLeaiBGA36mV5el+1lc2eUTkHGUzX5gU0QQCEp+iSXNJhIOON8VFpKOFsziuV0Z+3cegWRw/VnxnjXcBh6IDKdupzOPB+Yl8MA1ti/GrQjLC6ikcNYNjQT0ZThL7KTqEvvZJH68WYmD0IuK26swjNGIGaI= 80804939616399473443737611589382762718815989847332356984276911837267997590368701684135326680567847542004499684038240485603420973682522792156533112356849436451918522884749244246467852622918805139990256619014116276456718693703261686778030658826952213058982142604346352178078750879100976710761147710018148637090 +AIQ3OIZevkYoRGBmsFaXJobSfLeInuKKReVYNjP5VEPoMq0mXTltY6l09/rQ3d1JjsMD1PfA7emhxex+H9t3leBIfCi6Ux34GQEjXWpQc4awuiy9tbR077HaJyecvb8Qy1FTnOHoH5C043QJzrKYT/sFXjgB60piI8Y0R/hwxO4r 92845026347218330987427785323244729176754623818531419911990153715676845614711324345879159989637824921793015074978358052562420379797956750450245721653716740651389924718711940869162230097839047895842495414221110468446944827052871968998907462191349838598297775847512250220907563815783358238473966349820476321323 +LoG6ib5lUh57rdmSkZSWzBoudytFohS4uoU/uly6OaQDOi34GeNVxu/yr6RszJyL9JWkGNgFaBIv/HirH5zA9VQAL/6kpL93a0/GQ/nuHkHy3GWZPF/2+yJ0PfazQ40fWhHZfRxBngWslbguFPjj1XaJ37YzpQAYb/+QcUai9ic= 32658152290878644668906121702816147999633088014476055330179597550087921141413344679134407016170035735846077181424615228657687216737432274043674411132745299610950657139041836412322040866250189120286839287690983293111362228893996267791120043532014262644480689231457941173330523718758287779526551822788227954215 +AKu2jgOQCCfYZ3CLkXEH44aO4TtwMPeK/eq4FtNj9HZ9FxT0LLNJh0ZXPOaPJjgznvIw5C7/hNm7rUs1JeV8I8dj3nbS3EVERQz1gc/ckYB3H1bViWREOD5+TScDusi86YO/z4ar3dauKkg5kT1kKDuU/OP5kNMWvtJjHc4Vd3L3 120581042599355202025471829872601846477331097842315143148145881424071317426176264583672725691485724160094190478865850305422057632110749683552966861219554215519032344086824849470294473808177223497912069335635933312949412445851201918768630656712413082629164792850095444166888072453190903931430551124946191872759 +ANLs7OsR7oBM5jSjVADrk+Mx9d0TeieTIkxwWiJ5STKNQmW2EzPOjgbfcLhbYEhzzDFJveXO2dzz6/c8V5oW2yqg7VMx88DzEbpQnQpk/rOQRw9jbI4fxXNJHkNZCeysEVvFfLJb4ecsGA0xJ3Aylny/jP10ahPv2z5K99edGZSU 148116916208650944522110872759145096907599612943009577897396622287067669897712748449324334650112672914917664881091633448764667172850435775162090891556266912697811031318228334453406561952979778127173704706529448647577013482442758465809198730066784986763500579667100246958959793527011919373534159474250508506260 +AL+Er3n1qj+SBsZVtOMJYg4m0CN+DE6gRnC1F7nPvd2XnBe+QE0+LKfcpUDHVNxoydW4BDzNVwnUNbyjXZ+iuddPtO9hchVEI36UiuL0ydeldFpOZ9mtHJaAF6abd0MlHw4vXRf8CbOvXb5N4s76ggijlZBjRtU563sSmBcyq6Zt 134488725667189507159811764480908602790838430340670328479145818969651133017546803581865897303917708192047926432630297993507146075655594931523561067937580218599890162311074002344315818494246433967228889645359283635389151927472221799543158424012020308449895562192866672439712148770104592027035768027605661099629 +AK/04XOBSjjPpuFXTDF82RNWnKqZz9mJQbS2B5bn0ehFnBa6j+B+MazX+AxXTL/d5+hPLT1uexcnSMl3DcGGwKipOXg7Dtuj3pfJXHTrCqXAUYrIXI+8vKVQO55yQPGfzIg9SVgetwW1sDk+a28ZhJ5a9OddqNoi5C+dLce7ZtNb 123560902006294001923570614486104726169564351074482936927091682096999779538353161007361361829586988452098646362280351148131540524964916445100589671458589346440250329883789099771417949746709217272531950438336245613419967556433467843237384555807236658182067742367748737224684334525934210197178231424396818830171 +PzOEGHlihiveoWFAALY+LOfkRJfm0NUF/uR6cSU/tbpGAq4onNpr+iZIzEP5o3JBLOtDC595/NBPI0fzaXl0vQvgJs6KG8iKANjsLKQjIpZBkoKhdbG9MzTVQuAeuDW0w3sn2iMZ/v2dgAzRwfqmQYXJr3I2BbcwWraIJuZXw5A= 44381416070253681813077725822442106641846565789204187691647505370231831464947935035197059366680327425453811558282831465960889061956588244308214943856009686127871667376028831540813257349779756631357122923723235595360268572998278795110672666089470210929411514949652537714634611421849780859192966935514197771152 +APnuduN01GS9dO2m2uCLs400AR2lX7elOnIPC5U6e17qbukxWYzNhilZlM4kdGXAIeYpzFdSIW/gxRMZe6TXq9krFWRaaPyT2QwRfGHYnazS9F1QNYmW1zXdt+qVp0JGxmh5PyDstbP8Z3x50/E8Mb0gLLPhNAvzY2Jnr9A8Q1Hy 175507868985304663005133968393406051624825489142498103948374797086106732382869120248515993626061853699363294022457032257026588816021007648668265488426495800459085474654859258116280251546902009156490112550154951965894022789029787886785376415437170872937201839249103828294508088966180386198213606090453461193202 +QHEhL4iVzNdUsfG0izTEepwTOvxka8t/9MwuF1Ey6kxsI+ry4g4sJPgR2xMnbtOmvQn2NitAkfvA8JPCiL7a8+gmf+DVRDjKDfpfrtgAVmo+3rH+uJYTrKhAp8R7ggU2xIrvbIrgeUj7ieThPI3Rtap+IdkPCL853JC/+oKtytM= 45252649968839515171157821292772647085425694172492111870169593872127007254353374581972876464918186509502070064028725519394859148593053614163356612260257013360168930649423732336969778875205250872728821432415158634190866775855521719727700464116412886964736859295086745723651735554245035077902615220578218265299 +APeaekK4mVhEShCfM0mkRebcg1Iq5CgrFIEGOoh1nHzgebr5A9Wrhm9yD1Vd3e+fFD9urDRB4y5MHPJHX1U2NFToC+H8nQkFXL8bfd/9Wl2c7y8m0Mxwi53pLIdzETLbbfeOOtJvuSYYT3n8+/PeMnJ46UD8OfqtnFuS0/bVpFLS 173873040145444066957050580959132871919216036714423404143335635770937773583761934638398867981658394368476005882852706046614562314432695052874974848076542261910660410561876043187368112065303981001507235893831108658530338308496461162623683138693880482650786841100027392293758260448606244283355655751440485602002 +FqC/wgZDPTUoObPFSH5w4QR79zj/O+ZiHGTEnsBMwNZD3Gl/ClRDIsFMDDupNLgwgXsqCQbpwSOHOtAvUuAFwRpzt5B7lwIgtP5ism/AZRno5p+9WVSmUAM3glHsNtvYydz2MkXtnXzSMIR1ZVoLrdwMnckE4pbMzggqz+JZqxw= 15889870005716350976759704672045310928616256175405784574141006779373730686049218680335525720670897894546334915362899913262232170795516176419192840427996647372619000239408311568577050460995518058850793096827271653902583271225799114408537346367483775593212272587811309978019791973449354003275559762102731778844 +AJXNbv2AMWadF5h99ZAUy5gLnVK/hMaakFo0ZedtPNRJobxPmwj+h52G+Czd0U48G0V0wpdeUJC9v/4BhjzhCvNhNsdAT1+vQXDuteYQ1aspsEKLQ6b+NknO88QSbRJw53+KeOY2xe7PKOa4V89XnFFBF7wljRnIYrM8vvcqVQDk 105194875227030598769888785590198577650278341586165110611689226597424766274486797264032300493674927704016605741286512271390703088626381669060095573361828932336327125438452066548897528158329044309005232090053420259033538936293519762277428283316506398965916381374819450858053512398634116052299066189424983605476 +AIDRnUpBHepjBqYAlU4MG/8JxzX1mPxVNHpWvnEVgvqTQx/bisFPpXrYs3jAKIR/lzevYwhH0K/8Vvw4NK9iTMFqgSnU44AZztKsoxUXsEsl1UU56UscY5C7ciKU6vjjWI7nm/uHNOXdE82TQXkk2WX8ferNqZU5DaLFCb+zxb7w 90459642084794142567976043425270153270545560059973413835786695756473295513758287577749768786155290305189883600338986370836806413936196854410098516254596146039255388020628703824195128439558127783534033672712705194483515442668075394018677699876614329419492391568463215822656901183478205197671375262145069825776 +AIdvVNzJqWPgAShvi3GhbhMQft+SLigKGrhoqas2Saz/bA9u9Td6fAxa2LjrAqshW6cnm2aalc3Yv6RW/Y8vg7Ho31NSaRjT4zMUenykcC0/Y88UNxREi85wdnHwGytms6Lq49H8/7EFGJIyL1PLRWPmZn6XFkegscI/HUq/hiKm 95105613103051650721863964216778532448106311156426028879315612217763044797186635476805213120469258258125661666950525364331551671653846368977016286153840829836509696804585927581668281228810410814602664419962214359687545209312836366693384158782798559255789953908588601637765910472073600954502095647132310971046 +DdchOPjXrI6lpV84IdKCisPmdqZan8AARXRLADEhixsfXCYuO+WhNatI/fM1vgv+/TxwwIQjIfG1vOZcB36JUfjHYdItYQ70vUXaVFdpqvoBGyfOTU50Ds/11iGPCF8mWiQwR30/XAXytqDZtaVJVWsgHD3RigBSnSHhnvZAWYg= 9719024770319024562623340689338530708271347986326272393419504304391837979619189392867902307307106771234732135400958362219711925045600118964223238147375808749507928768896918369395426933218443166133187066167663170936604731896932630589251946733237697936733924510107175304126061649311812536190882160340308613512 +I+Z6rdTOt26/v3dtUP1plITb15fjb6aMDvqFS3AD1+nxBqnnk7ISGE9j6dv762EIWQpMzcCG5NCCq35KOHEwRXP28zup6olOMt3CBFgYVcBE2pWOpGiO19G/iFweYZXZPY5HgIkex7HBbb7l6HhomPc2sLL/IRhh2oogyHx2JMM= 25210054612455888156900839678249806510561198051210010474517915819801056434402727631042894881559517808906460418029149538469607239850657781476308872923928122553395468026744382526167194202058040459679991391557937527079948356545086684521068912222036707113005006607012596093923970784177288565193670152033981048003 +ALbBoyelCs4UkfnPjMT3S67ujhBHBEE0uxLx6kSGZq2IOMU/QdWYPFElRgYC/y++334FSEycjS6NAJJo2ITpZCO5AjNJ93J3WYgbDLiwu1VzKHX6ItfFNEk45km+QTi07+pDKcKNd1k0mxqpLd/PuZd5hRpPDDoKBb6i+mrCb2yF 128335905497646745013379107761994003743181143126608677203818152878840562628631384684712779135591095534911406031545494164782375276574093777950840330452805743803067864740000758175436633463846967335728314347497013853264454015790847388463800323796888198433722196292529074568758149650782323407298620158495364705413 +ANwlxEkeqmqYTxw1ZwMi1v2wo4ntPaEYZYoTLTJQfa+kuIksnHW9va243HAiOixd+rviVdm1dEwzESBbX0wiJNtRBpP+bnRxy4xOBjNoOB0c/tfka5JVwu5eeskyHx4V3inLviUaj86Yck42n5NaJFMfBvhzVftZ/YF9WBITI8g6 154592850289860621115358362871905683265658659789986179554827712019629689749439795961607030363152337159590319622241556795951071651584979664762468782303706550885785493534656062553770262954861884613383561063525714923031691298088562054236178003658891902606245782350998076658704876516153027797371814038658244397114 diff --git a/askbot/deps/openid/test/oidutil.py b/askbot/deps/openid/test/oidutil.py new file mode 100644 index 00000000..fbeadf25 --- /dev/null +++ b/askbot/deps/openid/test/oidutil.py @@ -0,0 +1,176 @@ +import unittest +import codecs +import string +import random +from openid import oidutil + +def test_base64(): + allowed_s = string.ascii_letters + string.digits + '+/=' + allowed_d = {} + for c in allowed_s: + allowed_d[c] = None + isAllowed = allowed_d.has_key + + def checkEncoded(s): + for c in s: + assert isAllowed(c), s + + cases = [ + '', + 'x', + '\x00', + '\x01', + '\x00' * 100, + ''.join(map(chr, range(256))), + ] + + for s in cases: + b64 = oidutil.toBase64(s) + checkEncoded(b64) + s_prime = oidutil.fromBase64(b64) + assert s_prime == s, (s, b64, s_prime) + + # Randomized test + for _ in xrange(50): + n = random.randrange(2048) + s = ''.join(map(chr, map(lambda _: random.randrange(256), range(n)))) + b64 = oidutil.toBase64(s) + checkEncoded(b64) + s_prime = oidutil.fromBase64(b64) + assert s_prime == s, (s, b64, s_prime) + +class AppendArgsTest(unittest.TestCase): + def __init__(self, desc, args, expected): + unittest.TestCase.__init__(self) + self.desc = desc + self.args = args + self.expected = expected + + def runTest(self): + result = oidutil.appendArgs(*self.args) + self.assertEqual(self.expected, result, self.args) + + def shortDescription(self): + return self.desc + + + +class TestSymbol(unittest.TestCase): + def testCopyHash(self): + import copy + s = oidutil.Symbol("Foo") + d = {s: 1} + d_prime = copy.deepcopy(d) + self.failUnless(s in d_prime, "%r isn't in %r" % (s, d_prime)) + + t = oidutil.Symbol("Bar") + self.failIfEqual(hash(s), hash(t)) + + +def buildAppendTests(): + simple = 'http://www.example.com/' + cases = [ + ('empty list', + (simple, []), + simple), + + ('empty dict', + (simple, {}), + simple), + + ('one list', + (simple, [('a', 'b')]), + simple + '?a=b'), + + ('one dict', + (simple, {'a':'b'}), + simple + '?a=b'), + + ('two list (same)', + (simple, [('a', 'b'), ('a', 'c')]), + simple + '?a=b&a=c'), + + ('two list', + (simple, [('a', 'b'), ('b', 'c')]), + simple + '?a=b&b=c'), + + ('two list (order)', + (simple, [('b', 'c'), ('a', 'b')]), + simple + '?b=c&a=b'), + + ('two dict (order)', + (simple, {'b':'c', 'a':'b'}), + simple + '?a=b&b=c'), + + ('escape', + (simple, [('=', '=')]), + simple + '?%3D=%3D'), + + ('escape (URL)', + (simple, [('this_url', simple)]), + simple + '?this_url=http%3A%2F%2Fwww.example.com%2F'), + + ('use dots', + (simple, [('openid.stuff', 'bother')]), + simple + '?openid.stuff=bother'), + + ('args exist (empty)', + (simple + '?stuff=bother', []), + simple + '?stuff=bother'), + + ('args exist', + (simple + '?stuff=bother', [('ack', 'ack')]), + simple + '?stuff=bother&ack=ack'), + + ('args exist', + (simple + '?stuff=bother', [('ack', 'ack')]), + simple + '?stuff=bother&ack=ack'), + + ('args exist (dict)', + (simple + '?stuff=bother', {'ack': 'ack'}), + simple + '?stuff=bother&ack=ack'), + + ('args exist (dict 2)', + (simple + '?stuff=bother', {'ack': 'ack', 'zebra':'lion'}), + simple + '?stuff=bother&ack=ack&zebra=lion'), + + ('three args (dict)', + (simple, {'stuff': 'bother', 'ack': 'ack', 'zebra':'lion'}), + simple + '?ack=ack&stuff=bother&zebra=lion'), + + ('three args (list)', + (simple, [('stuff', 'bother'), ('ack', 'ack'), ('zebra', 'lion')]), + simple + '?stuff=bother&ack=ack&zebra=lion'), + ] + + tests = [] + + for name, args, expected in cases: + test = AppendArgsTest(name, args, expected) + tests.append(test) + + return unittest.TestSuite(tests) + +def pyUnitTests(): + some = buildAppendTests() + some.addTest(unittest.defaultTestLoader.loadTestsFromTestCase(TestSymbol)) + return some + +def test_appendArgs(): + suite = buildAppendTests() + suite.addTest(unittest.defaultTestLoader.loadTestsFromTestCase(TestSymbol)) + runner = unittest.TextTestRunner() + result = runner.run(suite) + assert result.wasSuccessful() + +# XXX: there are more functions that could benefit from being better +# specified and tested in oidutil.py These include, but are not +# limited to appendArgs + +def test(skipPyUnit=True): + test_base64() + if not skipPyUnit: + test_appendArgs() + +if __name__ == '__main__': + test(skipPyUnit=False) diff --git a/askbot/deps/openid/test/storetest.py b/askbot/deps/openid/test/storetest.py new file mode 100644 index 00000000..e428c36d --- /dev/null +++ b/askbot/deps/openid/test/storetest.py @@ -0,0 +1,397 @@ +from openid.association import Association +from openid.cryptutil import randomString +from openid.store.nonce import mkNonce, split + +import unittest +import string +import time +import socket +import random +import os + +db_host = 'dbtest' + +allowed_handle = [] +for c in string.printable: + if c not in string.whitespace: + allowed_handle.append(c) +allowed_handle = ''.join(allowed_handle) + +def generateHandle(n): + return randomString(n, allowed_handle) + +generateSecret = randomString + +def getTmpDbName(): + hostname = socket.gethostname() + hostname = hostname.replace('.', '_') + hostname = hostname.replace('-', '_') + return "%s_%d_%s_openid_test" % \ + (hostname, os.getpid(), \ + random.randrange(1, int(time.time()))) + +def testStore(store): + """Make sure a given store has a minimum of API compliance. Call + this function with an empty store. + + Raises AssertionError if the store does not work as expected. + + OpenIDStore -> NoneType + """ + ### Association functions + now = int(time.time()) + + server_url = 'http://www.myopenid.com/openid' + def genAssoc(issued, lifetime=600): + sec = generateSecret(20) + hdl = generateHandle(128) + return Association(hdl, sec, now + issued, lifetime, 'HMAC-SHA1') + + def checkRetrieve(url, handle=None, expected=None): + retrieved_assoc = store.getAssociation(url, handle) + assert retrieved_assoc == expected, (retrieved_assoc, expected) + if expected is not None: + if retrieved_assoc is expected: + print ('Unexpected: retrieved a reference to the expected ' + 'value instead of a new object') + assert retrieved_assoc.handle == expected.handle + assert retrieved_assoc.secret == expected.secret + + def checkRemove(url, handle, expected): + present = store.removeAssociation(url, handle) + assert bool(expected) == bool(present) + + assoc = genAssoc(issued=0) + + # Make sure that a missing association returns no result + checkRetrieve(server_url) + + # Check that after storage, getting returns the same result + store.storeAssociation(server_url, assoc) + checkRetrieve(server_url, None, assoc) + + # more than once + checkRetrieve(server_url, None, assoc) + + # Storing more than once has no ill effect + store.storeAssociation(server_url, assoc) + checkRetrieve(server_url, None, assoc) + + # Removing an association that does not exist returns not present + checkRemove(server_url, assoc.handle + 'x', False) + + # Removing an association that does not exist returns not present + checkRemove(server_url + 'x', assoc.handle, False) + + # Removing an association that is present returns present + checkRemove(server_url, assoc.handle, True) + + # but not present on subsequent calls + checkRemove(server_url, assoc.handle, False) + + # Put assoc back in the store + store.storeAssociation(server_url, assoc) + + # More recent and expires after assoc + assoc2 = genAssoc(issued=1) + store.storeAssociation(server_url, assoc2) + + # After storing an association with a different handle, but the + # same server_url, the handle with the later issue date is returned. + checkRetrieve(server_url, None, assoc2) + + # We can still retrieve the older association + checkRetrieve(server_url, assoc.handle, assoc) + + # Plus we can retrieve the association with the later issue date + # explicitly + checkRetrieve(server_url, assoc2.handle, assoc2) + + # More recent, and expires earlier than assoc2 or assoc. Make sure + # that we're picking the one with the latest issued date and not + # taking into account the expiration. + assoc3 = genAssoc(issued=2, lifetime=100) + store.storeAssociation(server_url, assoc3) + + checkRetrieve(server_url, None, assoc3) + checkRetrieve(server_url, assoc.handle, assoc) + checkRetrieve(server_url, assoc2.handle, assoc2) + checkRetrieve(server_url, assoc3.handle, assoc3) + + checkRemove(server_url, assoc2.handle, True) + + checkRetrieve(server_url, None, assoc3) + checkRetrieve(server_url, assoc.handle, assoc) + checkRetrieve(server_url, assoc2.handle, None) + checkRetrieve(server_url, assoc3.handle, assoc3) + + checkRemove(server_url, assoc2.handle, False) + checkRemove(server_url, assoc3.handle, True) + + checkRetrieve(server_url, None, assoc) + checkRetrieve(server_url, assoc.handle, assoc) + checkRetrieve(server_url, assoc2.handle, None) + checkRetrieve(server_url, assoc3.handle, None) + + checkRemove(server_url, assoc2.handle, False) + checkRemove(server_url, assoc.handle, True) + checkRemove(server_url, assoc3.handle, False) + + checkRetrieve(server_url, None, None) + checkRetrieve(server_url, assoc.handle, None) + checkRetrieve(server_url, assoc2.handle, None) + checkRetrieve(server_url, assoc3.handle, None) + + checkRemove(server_url, assoc2.handle, False) + checkRemove(server_url, assoc.handle, False) + checkRemove(server_url, assoc3.handle, False) + + ### test expired associations + # assoc 1: server 1, valid + # assoc 2: server 1, expired + # assoc 3: server 2, expired + # assoc 4: server 3, valid + assocValid1 = genAssoc(issued=-3600,lifetime=7200) + assocValid2 = genAssoc(issued=-5) + assocExpired1 = genAssoc(issued=-7200,lifetime=3600) + assocExpired2 = genAssoc(issued=-7200,lifetime=3600) + + store.cleanupAssociations() + store.storeAssociation(server_url + '1', assocValid1) + store.storeAssociation(server_url + '1', assocExpired1) + store.storeAssociation(server_url + '2', assocExpired2) + store.storeAssociation(server_url + '3', assocValid2) + + cleaned = store.cleanupAssociations() + assert cleaned == 2, cleaned + + ### Nonce functions + + def checkUseNonce(nonce, expected, server_url, msg=''): + stamp, salt = split(nonce) + actual = store.useNonce(server_url, stamp, salt) + assert bool(actual) == bool(expected), "%r != %r: %s" % (actual, expected, + msg) + + for url in [server_url, '']: + # Random nonce (not in store) + nonce1 = mkNonce() + + # A nonce is allowed by default + checkUseNonce(nonce1, True, url) + + # Storing once causes useNonce to return True the first, and only + # the first, time it is called after the store. + checkUseNonce(nonce1, False, url) + checkUseNonce(nonce1, False, url) + + # Nonces from when the universe was an hour old should not pass these days. + old_nonce = mkNonce(3600) + checkUseNonce(old_nonce, False, url, "Old nonce (%r) passed." % (old_nonce,)) + + + old_nonce1 = mkNonce(now - 20000) + old_nonce2 = mkNonce(now - 10000) + recent_nonce = mkNonce(now - 600) + + from openid.store import nonce as nonceModule + orig_skew = nonceModule.SKEW + try: + nonceModule.SKEW = 0 + store.cleanupNonces() + # Set SKEW high so stores will keep our nonces. + nonceModule.SKEW = 100000 + assert store.useNonce(server_url, *split(old_nonce1)) + assert store.useNonce(server_url, *split(old_nonce2)) + assert store.useNonce(server_url, *split(recent_nonce)) + + nonceModule.SKEW = 3600 + cleaned = store.cleanupNonces() + assert cleaned == 2, "Cleaned %r nonces." % (cleaned,) + + nonceModule.SKEW = 100000 + # A roundabout method of checking that the old nonces were cleaned is + # to see if we're allowed to add them again. + assert store.useNonce(server_url, *split(old_nonce1)) + assert store.useNonce(server_url, *split(old_nonce2)) + # The recent nonce wasn't cleaned, so it should still fail. + assert not store.useNonce(server_url, *split(recent_nonce)) + finally: + nonceModule.SKEW = orig_skew + + +def test_filestore(): + from openid.store import filestore + import tempfile + import shutil + try: + temp_dir = tempfile.mkdtemp() + except AttributeError: + import os + temp_dir = os.tmpnam() + os.mkdir(temp_dir) + + store = filestore.FileOpenIDStore(temp_dir) + try: + testStore(store) + store.cleanup() + except: + raise + else: + shutil.rmtree(temp_dir) + +def test_sqlite(): + from openid.store import sqlstore + try: + from pysqlite2 import dbapi2 as sqlite + except ImportError: + pass + else: + conn = sqlite.connect(':memory:') + store = sqlstore.SQLiteStore(conn) + store.createTables() + testStore(store) + +def test_mysql(): + from openid.store import sqlstore + try: + import MySQLdb + except ImportError: + pass + else: + db_user = 'openid_test' + db_passwd = '' + db_name = getTmpDbName() + + from MySQLdb.constants import ER + + # Change this connect line to use the right user and password + try: + conn = MySQLdb.connect(user=db_user, passwd=db_passwd, host = db_host) + except MySQLdb.OperationalError, why: + if why[0] == 2005: + print ('Skipping MySQL store test (cannot connect ' + 'to test server on host %r)' % (db_host,)) + return + else: + raise + + conn.query('CREATE DATABASE %s;' % db_name) + try: + conn.query('USE %s;' % db_name) + + # OK, we're in the right environment. Create store and + # create the tables. + store = sqlstore.MySQLStore(conn) + store.createTables() + + # At last, we get to run the test. + testStore(store) + finally: + # Remove the database. If you want to do post-mortem on a + # failing test, comment out this line. + conn.query('DROP DATABASE %s;' % db_name) + +def test_postgresql(): + """ + Tests the PostgreSQLStore on a locally-hosted PostgreSQL database + cluster, version 7.4 or later. To run this test, you must have: + + - The 'psycopg' python module (version 1.1) installed + + - PostgreSQL running locally + + - An 'openid_test' user account in your database cluster, which + you can create by running 'createuser -Ad openid_test' as the + 'postgres' user + + - Trust auth for the 'openid_test' account, which you can activate + by adding the following line to your pg_hba.conf file: + + local all openid_test trust + + This test connects to the database cluster three times: + + - To the 'template1' database, to create the test database + + - To the test database, to run the store tests + + - To the 'template1' database once more, to drop the test database + """ + from openid.store import sqlstore + try: + import psycopg + except ImportError: + pass + else: + db_name = getTmpDbName() + db_user = 'openid_test' + + # Connect once to create the database; reconnect to access the + # new database. + conn_create = psycopg.connect(database = 'template1', user = db_user, + host = db_host) + conn_create.autocommit() + + # Create the test database. + cursor = conn_create.cursor() + cursor.execute('CREATE DATABASE %s;' % (db_name,)) + conn_create.close() + + # Connect to the test database. + conn_test = psycopg.connect(database = db_name, user = db_user, + host = db_host) + + # OK, we're in the right environment. Create the store + # instance and create the tables. + store = sqlstore.PostgreSQLStore(conn_test) + store.createTables() + + # At last, we get to run the test. + testStore(store) + + # Disconnect. + conn_test.close() + + # It takes a little time for the close() call above to take + # effect, so we'll wait for a second before trying to remove + # the database. (Maybe this is because we're using a UNIX + # socket to connect to postgres rather than TCP?) + import time + time.sleep(1) + + # Remove the database now that the test is over. + conn_remove = psycopg.connect(database = 'template1', user = db_user, + host = db_host) + conn_remove.autocommit() + + cursor = conn_remove.cursor() + cursor.execute('DROP DATABASE %s;' % (db_name,)) + conn_remove.close() + +def test_memstore(): + from openid.store import memstore + testStore(memstore.MemoryStore()) + +test_functions = [ + test_filestore, + test_sqlite, + test_mysql, + test_postgresql, + test_memstore, + ] + +def pyUnitTests(): + tests = map(unittest.FunctionTestCase, test_functions) + load = unittest.defaultTestLoader.loadTestsFromTestCase + return unittest.TestSuite(tests) + +if __name__ == '__main__': + import sys + suite = pyUnitTests() + runner = unittest.TextTestRunner() + result = runner.run(suite) + if result.wasSuccessful(): + sys.exit(0) + else: + sys.exit(1) diff --git a/askbot/deps/openid/test/support.py b/askbot/deps/openid/test/support.py new file mode 100644 index 00000000..dbf8881e --- /dev/null +++ b/askbot/deps/openid/test/support.py @@ -0,0 +1,51 @@ +from openid import message +from openid import oidutil + +class OpenIDTestMixin(object): + def failUnlessOpenIDValueEquals(self, msg, key, expected, ns=None): + if ns is None: + ns = message.OPENID_NS + + actual = msg.getArg(ns, key) + error_format = 'Wrong value for openid.%s: expected=%s, actual=%s' + error_message = error_format % (key, expected, actual) + self.failUnlessEqual(expected, actual, error_message) + + def failIfOpenIDKeyExists(self, msg, key, ns=None): + if ns is None: + ns = message.OPENID_NS + + actual = msg.getArg(ns, key) + error_message = 'openid.%s unexpectedly present: %s' % (key, actual) + self.failIf(actual is not None, error_message) + +class CatchLogs(object): + def setUp(self): + self.old_logger = oidutil.log + oidutil.log = self.gotLogMessage + self.messages = [] + + def gotLogMessage(self, message): + self.messages.append(message) + + def tearDown(self): + oidutil.log = self.old_logger + + def failUnlessLogMatches(self, *prefixes): + """ + Check that the log messages contained in self.messages have + prefixes in *prefixes. Raise AssertionError if not, or if the + number of prefixes is different than the number of log + messages. + """ + assert len(prefixes) == len(self.messages), \ + "Expected log prefixes %r, got %r" % (prefixes, + self.messages) + + for prefix, message in zip(prefixes, self.messages): + assert message.startswith(prefix), \ + "Expected log prefixes %r, got %r" % (prefixes, + self.messages) + + def failUnlessLogEmpty(self): + self.failUnlessLogMatches() diff --git a/askbot/deps/openid/test/test_accept.py b/askbot/deps/openid/test/test_accept.py new file mode 100644 index 00000000..3cc36025 --- /dev/null +++ b/askbot/deps/openid/test/test_accept.py @@ -0,0 +1,127 @@ +import unittest +import os.path +from openid.yadis import accept + +def getTestData(): + """Read the test data off of disk + + () -> [(int, str)] + """ + filename = os.path.join(os.path.dirname(__file__), 'data', 'accept.txt') + i = 1 + lines = [] + for line in file(filename): + lines.append((i, line)) + i += 1 + return lines + +def chunk(lines): + """Return groups of lines separated by whitespace or comments + + [(int, str)] -> [[(int, str)]] + """ + chunks = [] + chunk = [] + for lineno, line in lines: + stripped = line.strip() + if not stripped or stripped[0] == '#': + if chunk: + chunks.append(chunk) + chunk = [] + else: + chunk.append((lineno, stripped)) + + if chunk: + chunks.append(chunk) + + return chunks + +def parseLines(chunk): + """Take the given chunk of lines and turn it into a test data dictionary + + [(int, str)] -> {str:(int, str)} + """ + items = {} + for (lineno, line) in chunk: + header, data = line.split(':', 1) + header = header.lower() + items[header] = (lineno, data.strip()) + + return items + +def parseAvailable(available_text): + """Parse an Available: line's data + + str -> [str] + """ + return [s.strip() for s in available_text.split(',')] + +def parseExpected(expected_text): + """Parse an Expected: line's data + + str -> [(str, float)] + """ + expected = [] + if expected_text: + for chunk in expected_text.split(','): + chunk = chunk.strip() + mtype, qstuff = chunk.split(';') + mtype = mtype.strip() + assert '/' in mtype + qstuff = qstuff.strip() + q, qstr = qstuff.split('=') + assert q == 'q' + qval = float(qstr) + expected.append((mtype, qval)) + + return expected + +class MatchAcceptTest(unittest.TestCase): + def __init__(self, descr, accept_header, available, expected): + unittest.TestCase.__init__(self) + self.accept_header = accept_header + self.available = available + self.expected = expected + self.descr = descr + + def shortDescription(self): + return self.descr + + def runTest(self): + accepted = accept.parseAcceptHeader(self.accept_header) + actual = accept.matchTypes(accepted, self.available) + self.failUnlessEqual(self.expected, actual) + +def pyUnitTests(): + lines = getTestData() + chunks = chunk(lines) + data_sets = map(parseLines, chunks) + cases = [] + for data in data_sets: + lnos = [] + lno, header = data['accept'] + lnos.append(lno) + lno, avail_data = data['available'] + lnos.append(lno) + try: + available = parseAvailable(avail_data) + except: + print 'On line', lno + raise + + lno, exp_data = data['expected'] + lnos.append(lno) + try: + expected = parseExpected(exp_data) + except: + print 'On line', lno + raise + + descr = 'MatchAcceptTest for lines %r' % (lnos,) + case = MatchAcceptTest(descr, header, available, expected) + cases.append(case) + return unittest.TestSuite(cases) + +if __name__ == '__main__': + runner = unittest.TextTestRunner() + runner.run(loadTests()) diff --git a/askbot/deps/openid/test/test_association.py b/askbot/deps/openid/test/test_association.py new file mode 100644 index 00000000..6404a008 --- /dev/null +++ b/askbot/deps/openid/test/test_association.py @@ -0,0 +1,183 @@ +from openid.test import datadriven + +import unittest + +from openid.message import Message, BARE_NS, OPENID_NS, OPENID2_NS +from openid import association +import time +from openid import cryptutil +import warnings + +class AssociationSerializationTest(unittest.TestCase): + def test_roundTrip(self): + issued = int(time.time()) + lifetime = 600 + assoc = association.Association( + 'handle', 'secret', issued, lifetime, 'HMAC-SHA1') + s = assoc.serialize() + assoc2 = association.Association.deserialize(s) + self.failUnlessEqual(assoc.handle, assoc2.handle) + self.failUnlessEqual(assoc.issued, assoc2.issued) + self.failUnlessEqual(assoc.secret, assoc2.secret) + self.failUnlessEqual(assoc.lifetime, assoc2.lifetime) + self.failUnlessEqual(assoc.assoc_type, assoc2.assoc_type) + +from openid.server.server import \ + DiffieHellmanSHA1ServerSession, \ + DiffieHellmanSHA256ServerSession, \ + PlainTextServerSession + +from openid.consumer.consumer import \ + DiffieHellmanSHA1ConsumerSession, \ + DiffieHellmanSHA256ConsumerSession, \ + PlainTextConsumerSession + +from openid.dh import DiffieHellman + +def createNonstandardConsumerDH(): + nonstandard_dh = DiffieHellman(1315291, 2) + return DiffieHellmanSHA1ConsumerSession(nonstandard_dh) + +class DiffieHellmanSessionTest(datadriven.DataDrivenTestCase): + secrets = [ + '\x00' * 20, + '\xff' * 20, + ' ' * 20, + 'This is a secret....', + ] + + session_factories = [ + (DiffieHellmanSHA1ConsumerSession, DiffieHellmanSHA1ServerSession), + (createNonstandardConsumerDH, DiffieHellmanSHA1ServerSession), + (PlainTextConsumerSession, PlainTextServerSession), + ] + + def generateCases(cls): + return [(c, s, sec) + for c, s in cls.session_factories + for sec in cls.secrets] + + generateCases = classmethod(generateCases) + + def __init__(self, csess_fact, ssess_fact, secret): + datadriven.DataDrivenTestCase.__init__(self, csess_fact.__name__) + self.secret = secret + self.csess_fact = csess_fact + self.ssess_fact = ssess_fact + + def runOneTest(self): + csess = self.csess_fact() + msg = Message.fromOpenIDArgs(csess.getRequest()) + ssess = self.ssess_fact.fromMessage(msg) + check_secret = csess.extractSecret( + Message.fromOpenIDArgs(ssess.answer(self.secret))) + self.failUnlessEqual(self.secret, check_secret) + + + +class TestMakePairs(unittest.TestCase): + """Check the key-value formatting methods of associations. + """ + + def setUp(self): + self.message = m = Message(OPENID2_NS) + m.updateArgs(OPENID2_NS, { + 'mode': 'id_res', + 'identifier': '=example', + 'signed': 'identifier,mode', + 'sig': 'cephalopod', + }) + m.updateArgs(BARE_NS, {'xey': 'value'}) + self.assoc = association.Association.fromExpiresIn( + 3600, '{sha1}', 'very_secret', "HMAC-SHA1") + + + def testMakePairs(self): + """Make pairs using the OpenID 1.x type signed list.""" + pairs = self.assoc._makePairs(self.message) + expected = [ + ('identifier', '=example'), + ('mode', 'id_res'), + ] + self.failUnlessEqual(pairs, expected) + + + +class TestMac(unittest.TestCase): + def setUp(self): + self.pairs = [('key1', 'value1'), + ('key2', 'value2')] + + + def test_sha1(self): + assoc = association.Association.fromExpiresIn( + 3600, '{sha1}', 'very_secret', "HMAC-SHA1") + expected = ('\xe0\x1bv\x04\xf1G\xc0\xbb\x7f\x9a\x8b' + '\xe9\xbc\xee}\\\xe5\xbb7*') + sig = assoc.sign(self.pairs) + self.failUnlessEqual(sig, expected) + + if cryptutil.SHA256_AVAILABLE: + def test_sha256(self): + assoc = association.Association.fromExpiresIn( + 3600, '{sha256SA}', 'very_secret', "HMAC-SHA256") + expected = ('\xfd\xaa\xfe;\xac\xfc*\x988\xad\x05d6-\xeaVy' + '\xd5\xa5Z.<\xa9\xed\x18\x82\\$\x95x\x1c&') + sig = assoc.sign(self.pairs) + self.failUnlessEqual(sig, expected) + + + +class TestMessageSigning(unittest.TestCase): + def setUp(self): + self.message = m = Message(OPENID2_NS) + m.updateArgs(OPENID2_NS, {'mode': 'id_res', + 'identifier': '=example'}) + m.updateArgs(BARE_NS, {'xey': 'value'}) + self.args = {'openid.mode': 'id_res', + 'openid.identifier': '=example', + 'xey': 'value'} + + + def test_signSHA1(self): + assoc = association.Association.fromExpiresIn( + 3600, '{sha1}', 'very_secret', "HMAC-SHA1") + signed = assoc.signMessage(self.message) + self.failUnless(signed.getArg(OPENID_NS, "sig")) + self.failUnlessEqual(signed.getArg(OPENID_NS, "signed"), + "assoc_handle,identifier,mode,ns,signed") + self.failUnlessEqual(signed.getArg(BARE_NS, "xey"), "value", + signed) + + if cryptutil.SHA256_AVAILABLE: + def test_signSHA256(self): + assoc = association.Association.fromExpiresIn( + 3600, '{sha1}', 'very_secret', "HMAC-SHA256") + signed = assoc.signMessage(self.message) + self.failUnless(signed.getArg(OPENID_NS, "sig")) + self.failUnlessEqual(signed.getArg(OPENID_NS, "signed"), + "assoc_handle,identifier,mode,ns,signed") + self.failUnlessEqual(signed.getArg(BARE_NS, "xey"), "value", + signed) + + +class TestCheckMessageSignature(unittest.TestCase): + def test_aintGotSignedList(self): + m = Message(OPENID2_NS) + m.updateArgs(OPENID2_NS, {'mode': 'id_res', + 'identifier': '=example', + 'sig': 'coyote', + }) + m.updateArgs(BARE_NS, {'xey': 'value'}) + assoc = association.Association.fromExpiresIn( + 3600, '{sha1}', 'very_secret', "HMAC-SHA1") + self.failUnlessRaises(ValueError, assoc.checkMessageSignature, m) + + +def pyUnitTests(): + return datadriven.loadTests(__name__) + +if __name__ == '__main__': + suite = pyUnitTests() + runner = unittest.TextTestRunner() + runner.run(suite) diff --git a/askbot/deps/openid/test/test_association_response.py b/askbot/deps/openid/test/test_association_response.py new file mode 100644 index 00000000..cf9d0147 --- /dev/null +++ b/askbot/deps/openid/test/test_association_response.py @@ -0,0 +1,340 @@ +"""Tests for consumer handling of association responses + +This duplicates some things that are covered by test_consumer, but +this works for now. +""" +from openid import oidutil +from openid.test.test_consumer import CatchLogs +from openid.message import Message, OPENID2_NS, OPENID_NS, no_default +from openid.server.server import DiffieHellmanSHA1ServerSession +from openid.consumer.consumer import GenericConsumer, \ + DiffieHellmanSHA1ConsumerSession, ProtocolError +from openid.consumer.discover import OpenIDServiceEndpoint, OPENID_1_1_TYPE, OPENID_2_0_TYPE +from openid.store import memstore +import unittest + +# Some values we can use for convenience (see mkAssocResponse) +association_response_values = { + 'expires_in': '1000', + 'assoc_handle':'a handle', + 'assoc_type':'a type', + 'session_type':'a session type', + 'ns':OPENID2_NS, + } + +def mkAssocResponse(*keys): + """Build an association response message that contains the + specified subset of keys. The values come from + `association_response_values`. + + This is useful for testing for missing keys and other times that + we don't care what the values are.""" + args = dict([(key, association_response_values[key]) for key in keys]) + return Message.fromOpenIDArgs(args) + +class BaseAssocTest(CatchLogs, unittest.TestCase): + def setUp(self): + CatchLogs.setUp(self) + self.store = memstore.MemoryStore() + self.consumer = GenericConsumer(self.store) + self.endpoint = OpenIDServiceEndpoint() + + def failUnlessProtocolError(self, str_prefix, func, *args, **kwargs): + try: + result = func(*args, **kwargs) + except ProtocolError, e: + message = 'Expected prefix %r, got %r' % (str_prefix, e[0]) + self.failUnless(e[0].startswith(str_prefix), message) + else: + self.fail('Expected ProtocolError, got %r' % (result,)) + +def mkExtractAssocMissingTest(keys): + """Factory function for creating test methods for generating + missing field tests. + + Make a test that ensures that an association response that + is missing required fields will short-circuit return None. + + According to 'Association Session Response' subsection 'Common + Response Parameters', the following fields are required for OpenID + 2.0: + + * ns + * session_type + * assoc_handle + * assoc_type + * expires_in + + If 'ns' is missing, it will fall back to OpenID 1 checking. In + OpenID 1, everything except 'session_type' and 'ns' are required. + """ + + def test(self): + msg = mkAssocResponse(*keys) + + self.failUnlessRaises(KeyError, + self.consumer._extractAssociation, msg, None) + + return test + +class TestExtractAssociationMissingFieldsOpenID2(BaseAssocTest): + """Test for returning an error upon missing fields in association + responses for OpenID 2""" + + test_noFields_openid2 = mkExtractAssocMissingTest(['ns']) + + test_missingExpires_openid2 = mkExtractAssocMissingTest( + ['assoc_handle', 'assoc_type', 'session_type', 'ns']) + + test_missingHandle_openid2 = mkExtractAssocMissingTest( + ['expires_in', 'assoc_type', 'session_type', 'ns']) + + test_missingAssocType_openid2 = mkExtractAssocMissingTest( + ['expires_in', 'assoc_handle', 'session_type', 'ns']) + + test_missingSessionType_openid2 = mkExtractAssocMissingTest( + ['expires_in', 'assoc_handle', 'assoc_type', 'ns']) + +class TestExtractAssociationMissingFieldsOpenID1(BaseAssocTest): + """Test for returning an error upon missing fields in association + responses for OpenID 2""" + + test_noFields_openid1 = mkExtractAssocMissingTest([]) + + test_missingExpires_openid1 = mkExtractAssocMissingTest( + ['assoc_handle', 'assoc_type']) + + test_missingHandle_openid1 = mkExtractAssocMissingTest( + ['expires_in', 'assoc_type']) + + test_missingAssocType_openid1 = mkExtractAssocMissingTest( + ['expires_in', 'assoc_handle']) + +class DummyAssocationSession(object): + def __init__(self, session_type, allowed_assoc_types=()): + self.session_type = session_type + self.allowed_assoc_types = allowed_assoc_types + +class ExtractAssociationSessionTypeMismatch(BaseAssocTest): + def mkTest(requested_session_type, response_session_type, openid1=False): + def test(self): + assoc_session = DummyAssocationSession(requested_session_type) + keys = association_response_values.keys() + if openid1: + keys.remove('ns') + msg = mkAssocResponse(*keys) + msg.setArg(OPENID_NS, 'session_type', response_session_type) + self.failUnlessProtocolError('Session type mismatch', + self.consumer._extractAssociation, msg, assoc_session) + + return test + + test_typeMismatchNoEncBlank_openid2 = mkTest( + requested_session_type='no-encryption', + response_session_type='', + ) + + test_typeMismatchDHSHA1NoEnc_openid2 = mkTest( + requested_session_type='DH-SHA1', + response_session_type='no-encryption', + ) + + test_typeMismatchDHSHA256NoEnc_openid2 = mkTest( + requested_session_type='DH-SHA256', + response_session_type='no-encryption', + ) + + test_typeMismatchNoEncDHSHA1_openid2 = mkTest( + requested_session_type='no-encryption', + response_session_type='DH-SHA1', + ) + + test_typeMismatchDHSHA1NoEnc_openid1 = mkTest( + requested_session_type='DH-SHA1', + response_session_type='DH-SHA256', + openid1=True, + ) + + test_typeMismatchDHSHA256NoEnc_openid1 = mkTest( + requested_session_type='DH-SHA256', + response_session_type='DH-SHA1', + openid1=True, + ) + + test_typeMismatchNoEncDHSHA1_openid1 = mkTest( + requested_session_type='no-encryption', + response_session_type='DH-SHA1', + openid1=True, + ) + + +class TestOpenID1AssociationResponseSessionType(BaseAssocTest): + def mkTest(expected_session_type, session_type_value): + """Return a test method that will check what session type will + be used if the OpenID 1 response to an associate call sets the + 'session_type' field to `session_type_value` + """ + def test(self): + self._doTest(expected_session_type, session_type_value) + self.failUnlessEqual(0, len(self.messages)) + + return test + + def _doTest(self, expected_session_type, session_type_value): + # Create a Message with just 'session_type' in it, since + # that's all this function will use. 'session_type' may be + # absent if it's set to None. + args = {} + if session_type_value is not None: + args['session_type'] = session_type_value + message = Message.fromOpenIDArgs(args) + self.failUnless(message.isOpenID1()) + + actual_session_type = self.consumer._getOpenID1SessionType(message) + error_message = ('Returned sesion type parameter %r was expected ' + 'to yield session type %r, but yielded %r' % + (session_type_value, expected_session_type, + actual_session_type)) + self.failUnlessEqual( + expected_session_type, actual_session_type, error_message) + + test_none = mkTest( + session_type_value=None, + expected_session_type='no-encryption', + ) + + test_empty = mkTest( + session_type_value='', + expected_session_type='no-encryption', + ) + + # This one's different because it expects log messages + def test_explicitNoEncryption(self): + self._doTest( + session_type_value='no-encryption', + expected_session_type='no-encryption', + ) + self.failUnlessEqual(1, len(self.messages)) + self.failUnless(self.messages[0].startswith( + 'WARNING: OpenID server sent "no-encryption"')) + + test_dhSHA1 = mkTest( + session_type_value='DH-SHA1', + expected_session_type='DH-SHA1', + ) + + # DH-SHA256 is not a valid session type for OpenID1, but this + # function does not test that. This is mostly just to make sure + # that it will pass-through stuff that is not explicitly handled, + # so it will get handled the same way as it is handled for OpenID + # 2 + test_dhSHA256 = mkTest( + session_type_value='DH-SHA256', + expected_session_type='DH-SHA256', + ) + +class DummyAssociationSession(object): + secret = "shh! don't tell!" + extract_secret_called = False + + session_type = None + + allowed_assoc_types = None + + def extractSecret(self, message): + self.extract_secret_called = True + return self.secret + +class TestInvalidFields(BaseAssocTest): + def setUp(self): + BaseAssocTest.setUp(self) + self.session_type = 'testing-session' + + # This must something that works for Association.fromExpiresIn + self.assoc_type = 'HMAC-SHA1' + + self.assoc_handle = 'testing-assoc-handle' + + # These arguments should all be valid + self.assoc_response = Message.fromOpenIDArgs({ + 'expires_in': '1000', + 'assoc_handle':self.assoc_handle, + 'assoc_type':self.assoc_type, + 'session_type':self.session_type, + 'ns':OPENID2_NS, + }) + + self.assoc_session = DummyAssociationSession() + + # Make the session for the response's session type + self.assoc_session.session_type = self.session_type + self.assoc_session.allowed_assoc_types = [self.assoc_type] + + def test_worksWithGoodFields(self): + """Handle a full successful association response""" + assoc = self.consumer._extractAssociation( + self.assoc_response, self.assoc_session) + self.failUnless(self.assoc_session.extract_secret_called) + self.failUnlessEqual(self.assoc_session.secret, assoc.secret) + self.failUnlessEqual(1000, assoc.lifetime) + self.failUnlessEqual(self.assoc_handle, assoc.handle) + self.failUnlessEqual(self.assoc_type, assoc.assoc_type) + + def test_badAssocType(self): + # Make sure that the assoc type in the response is not valid + # for the given session. + self.assoc_session.allowed_assoc_types = [] + self.failUnlessProtocolError('Unsupported assoc_type for session', + self.consumer._extractAssociation, + self.assoc_response, self.assoc_session) + + def test_badExpiresIn(self): + # Invalid value for expires_in should cause failure + self.assoc_response.setArg(OPENID_NS, 'expires_in', 'forever') + self.failUnlessProtocolError('Invalid expires_in', + self.consumer._extractAssociation, + self.assoc_response, self.assoc_session) + + +# XXX: This is what causes most of the imports in this file. It is +# sort of a unit test and sort of a functional test. I'm not terribly +# fond of it. +class TestExtractAssociationDiffieHellman(BaseAssocTest): + secret = 'x' * 20 + + def _setUpDH(self): + sess, message = self.consumer._createAssociateRequest( + self.endpoint, 'HMAC-SHA1', 'DH-SHA1') + + # XXX: this is testing _createAssociateRequest + self.failUnlessEqual(self.endpoint.compatibilityMode(), + message.isOpenID1()) + + server_sess = DiffieHellmanSHA1ServerSession.fromMessage(message) + server_resp = server_sess.answer(self.secret) + server_resp['assoc_type'] = 'HMAC-SHA1' + server_resp['assoc_handle'] = 'handle' + server_resp['expires_in'] = '1000' + server_resp['session_type'] = 'DH-SHA1' + return sess, Message.fromOpenIDArgs(server_resp) + + def test_success(self): + sess, server_resp = self._setUpDH() + ret = self.consumer._extractAssociation(server_resp, sess) + self.failIf(ret is None) + self.failUnlessEqual(ret.assoc_type, 'HMAC-SHA1') + self.failUnlessEqual(ret.secret, self.secret) + self.failUnlessEqual(ret.handle, 'handle') + self.failUnlessEqual(ret.lifetime, 1000) + + def test_openid2success(self): + # Use openid 2 type in endpoint so _setUpDH checks + # compatibility mode state properly + self.endpoint.type_uris = [OPENID_2_0_TYPE, OPENID_1_1_TYPE] + self.test_success() + + def test_badDHValues(self): + sess, server_resp = self._setUpDH() + server_resp.setArg(OPENID_NS, 'enc_mac_key', '\x00\x00\x00') + self.failUnlessProtocolError('Malformed response for', + self.consumer._extractAssociation, server_resp, sess) diff --git a/askbot/deps/openid/test/test_auth_request.py b/askbot/deps/openid/test/test_auth_request.py new file mode 100644 index 00000000..d9e72332 --- /dev/null +++ b/askbot/deps/openid/test/test_auth_request.py @@ -0,0 +1,206 @@ +import cgi +import unittest + +from openid.consumer import consumer +from openid import message +from openid.test import support + +class DummyEndpoint(object): + preferred_namespace = None + local_id = None + server_url = None + is_op_identifier = False + + def preferredNamespace(self): + return self.preferred_namespace + + def getLocalID(self): + return self.local_id + + def isOPIdentifier(self): + return self.is_op_identifier + +class DummyAssoc(object): + handle = "assoc-handle" + +class TestAuthRequestMixin(support.OpenIDTestMixin): + """Mixin for AuthRequest tests for OpenID 1 and 2; DON'T add + unittest.TestCase as a base class here.""" + + preferred_namespace = None + immediate = False + expected_mode = 'checkid_setup' + + def setUp(self): + self.endpoint = DummyEndpoint() + self.endpoint.local_id = 'http://server.unittest/joe' + self.endpoint.claimed_id = 'http://joe.vanity.example/' + self.endpoint.server_url = 'http://server.unittest/' + self.endpoint.preferred_namespace = self.preferred_namespace + self.realm = 'http://example/' + self.return_to = 'http://example/return/' + self.assoc = DummyAssoc() + self.authreq = consumer.AuthRequest(self.endpoint, self.assoc) + + def failUnlessAnonymous(self, msg): + for key in ['claimed_id', 'identity']: + self.failIfOpenIDKeyExists(msg, key) + + def failUnlessHasRequiredFields(self, msg): + self.failUnlessEqual(self.preferred_namespace, + self.authreq.message.getOpenIDNamespace()) + + self.failUnlessEqual(self.preferred_namespace, + msg.getOpenIDNamespace()) + + self.failUnlessOpenIDValueEquals(msg, 'mode', + self.expected_mode) + + # Implement these in subclasses because they depend on + # protocol differences! + self.failUnlessHasRealm(msg) + self.failUnlessIdentifiersPresent(msg) + + # TESTS + + def test_checkNoAssocHandle(self): + self.authreq.assoc = None + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + + self.failIfOpenIDKeyExists(msg, 'assoc_handle') + + def test_checkWithAssocHandle(self): + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + + self.failUnlessOpenIDValueEquals(msg, 'assoc_handle', + self.assoc.handle) + + def test_addExtensionArg(self): + self.authreq.addExtensionArg('bag:', 'color', 'brown') + self.authreq.addExtensionArg('bag:', 'material', 'paper') + self.failUnless('bag:' in self.authreq.message.namespaces) + self.failUnlessEqual(self.authreq.message.getArgs('bag:'), + {'color': 'brown', + 'material': 'paper'}) + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + + # XXX: this depends on the way that Message assigns + # namespaces. Really it doesn't care that it has alias "0", + # but that is tested anyway + post_args = msg.toPostArgs() + self.failUnlessEqual('brown', post_args['openid.ext0.color']) + self.failUnlessEqual('paper', post_args['openid.ext0.material']) + + def test_standard(self): + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + + self.failUnlessHasIdentifiers( + msg, self.endpoint.local_id, self.endpoint.claimed_id) + +class TestAuthRequestOpenID2(TestAuthRequestMixin, unittest.TestCase): + preferred_namespace = message.OPENID2_NS + + def failUnlessHasRealm(self, msg): + # check presence of proper realm key and absence of the wrong + # one. + self.failUnlessOpenIDValueEquals(msg, 'realm', self.realm) + self.failIfOpenIDKeyExists(msg, 'trust_root') + + def failUnlessIdentifiersPresent(self, msg): + identity_present = msg.hasKey(message.OPENID_NS, 'identity') + claimed_present = msg.hasKey(message.OPENID_NS, 'claimed_id') + + self.failUnlessEqual(claimed_present, identity_present) + + def failUnlessHasIdentifiers(self, msg, op_specific_id, claimed_id): + self.failUnlessOpenIDValueEquals(msg, 'identity', op_specific_id) + self.failUnlessOpenIDValueEquals(msg, 'claimed_id', claimed_id) + + # TESTS + + def test_setAnonymousWorksForOpenID2(self): + """OpenID AuthRequests should be able to set 'anonymous' to true.""" + self.failUnless(self.authreq.message.isOpenID2()) + self.authreq.setAnonymous(True) + self.authreq.setAnonymous(False) + + def test_userAnonymousIgnoresIdentfier(self): + self.authreq.setAnonymous(True) + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + self.failUnlessHasRequiredFields(msg) + self.failUnlessAnonymous(msg) + + def test_opAnonymousIgnoresIdentifier(self): + self.endpoint.is_op_identifier = True + self.authreq.setAnonymous(True) + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + self.failUnlessHasRequiredFields(msg) + self.failUnlessAnonymous(msg) + + def test_opIdentifierSendsIdentifierSelect(self): + self.endpoint.is_op_identifier = True + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + self.failUnlessHasRequiredFields(msg) + self.failUnlessHasIdentifiers( + msg, message.IDENTIFIER_SELECT, message.IDENTIFIER_SELECT) + +class TestAuthRequestOpenID1(TestAuthRequestMixin, unittest.TestCase): + preferred_namespace = message.OPENID1_NS + + def setUpEndpoint(self): + TestAuthRequestBase.setUpEndpoint(self) + self.endpoint.preferred_namespace = message.OPENID1_NS + + def failUnlessHasIdentifiers(self, msg, op_specific_id, claimed_id): + """Make sure claimed_is is *absent* in request.""" + self.failUnlessOpenIDValueEquals(msg, 'identity', op_specific_id) + self.failIfOpenIDKeyExists(msg, 'claimed_id') + + def failUnlessIdentifiersPresent(self, msg): + self.failIfOpenIDKeyExists(msg, 'claimed_id') + self.failUnless(msg.hasKey(message.OPENID_NS, 'identity')) + + def failUnlessHasRealm(self, msg): + # check presence of proper realm key and absence of the wrong + # one. + self.failUnlessOpenIDValueEquals(msg, 'trust_root', self.realm) + self.failIfOpenIDKeyExists(msg, 'realm') + + # TESTS + + def test_setAnonymousFailsForOpenID1(self): + """OpenID 1 requests MUST NOT be able to set anonymous to True""" + self.failUnless(self.authreq.message.isOpenID1()) + self.failUnlessRaises(ValueError, self.authreq.setAnonymous, True) + self.authreq.setAnonymous(False) + + def test_identifierSelect(self): + """Identfier select SHOULD NOT be sent, but this pathway is in + here in case some special discovery stuff is done to trigger + it with OpenID 1. If it is triggered, it will send + identifier_select just like OpenID 2. + """ + self.endpoint.is_op_identifier = True + msg = self.authreq.getMessage(self.realm, self.return_to, + self.immediate) + self.failUnlessHasRequiredFields(msg) + self.failUnlessEqual(message.IDENTIFIER_SELECT, + msg.getArg(message.OPENID1_NS, 'identity')) + +class TestAuthRequestOpenID1Immediate(TestAuthRequestOpenID1): + immediate = True + expected_mode = 'checkid_immediate' + +class TestAuthRequestOpenID2Immediate(TestAuthRequestOpenID2): + immediate = True + expected_mode = 'checkid_immediate' + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_ax.py b/askbot/deps/openid/test/test_ax.py new file mode 100644 index 00000000..9c349a78 --- /dev/null +++ b/askbot/deps/openid/test/test_ax.py @@ -0,0 +1,626 @@ +"""Tests for the attribute exchange extension module +""" + +import unittest +from openid.extensions import ax +from openid.message import NamespaceMap, Message, OPENID2_NS +from openid.consumer.consumer import SuccessResponse + +class BogusAXMessage(ax.AXMessage): + mode = 'bogus' + + getExtensionArgs = ax.AXMessage._newArgs + +class DummyRequest(object): + def __init__(self, message): + self.message = message + +class AXMessageTest(unittest.TestCase): + def setUp(self): + self.bax = BogusAXMessage() + + def test_checkMode(self): + check = self.bax._checkMode + self.failUnlessRaises(ax.NotAXMessage, check, {}) + self.failUnlessRaises(ax.AXError, check, {'mode':'fetch_request'}) + + # does not raise an exception when the mode is right + check({'mode':self.bax.mode}) + + def test_checkMode_newArgs(self): + """_newArgs generates something that has the correct mode""" + # This would raise AXError if it didn't like the mode newArgs made. + self.bax._checkMode(self.bax._newArgs()) + + +class AttrInfoTest(unittest.TestCase): + def test_construct(self): + self.failUnlessRaises(TypeError, ax.AttrInfo) + type_uri = 'a uri' + ainfo = ax.AttrInfo(type_uri) + + self.failUnlessEqual(type_uri, ainfo.type_uri) + self.failUnlessEqual(1, ainfo.count) + self.failIf(ainfo.required) + self.failUnless(ainfo.alias is None) + + +class ToTypeURIsTest(unittest.TestCase): + def setUp(self): + self.aliases = NamespaceMap() + + def test_empty(self): + for empty in [None, '']: + uris = ax.toTypeURIs(self.aliases, empty) + self.failUnlessEqual([], uris) + + def test_undefined(self): + self.failUnlessRaises( + KeyError, + ax.toTypeURIs, self.aliases, 'http://janrain.com/') + + def test_one(self): + uri = 'http://janrain.com/' + alias = 'openid_hackers' + self.aliases.addAlias(uri, alias) + uris = ax.toTypeURIs(self.aliases, alias) + self.failUnlessEqual([uri], uris) + + def test_two(self): + uri1 = 'http://janrain.com/' + alias1 = 'openid_hackers' + self.aliases.addAlias(uri1, alias1) + + uri2 = 'http://jyte.com/' + alias2 = 'openid_hack' + self.aliases.addAlias(uri2, alias2) + + uris = ax.toTypeURIs(self.aliases, ','.join([alias1, alias2])) + self.failUnlessEqual([uri1, uri2], uris) + +class ParseAXValuesTest(unittest.TestCase): + """Testing AXKeyValueMessage.parseExtensionArgs.""" + + def failUnlessAXKeyError(self, ax_args): + msg = ax.AXKeyValueMessage() + self.failUnlessRaises(KeyError, msg.parseExtensionArgs, ax_args) + + def failUnlessAXValues(self, ax_args, expected_args): + """Fail unless parseExtensionArgs(ax_args) == expected_args.""" + msg = ax.AXKeyValueMessage() + msg.parseExtensionArgs(ax_args) + self.failUnlessEqual(expected_args, msg.data) + + def test_emptyIsValid(self): + self.failUnlessAXValues({}, {}) + + def test_missingValueForAliasExplodes(self): + self.failUnlessAXKeyError({'type.foo':'urn:foo'}) + + def test_countPresentButNotValue(self): + self.failUnlessAXKeyError({'type.foo':'urn:foo', + 'count.foo':'1'}) + + def test_invalidCountValue(self): + msg = ax.FetchRequest() + self.failUnlessRaises(ax.AXError, + msg.parseExtensionArgs, + {'type.foo':'urn:foo', + 'count.foo':'bogus'}) + + def test_requestUnlimitedValues(self): + msg = ax.FetchRequest() + + msg.parseExtensionArgs( + {'mode':'fetch_request', + 'required':'foo', + 'type.foo':'urn:foo', + 'count.foo':ax.UNLIMITED_VALUES}) + + attrs = list(msg.iterAttrs()) + foo = attrs[0] + + self.failUnless(foo.count == ax.UNLIMITED_VALUES) + self.failUnless(foo.wantsUnlimitedValues()) + + def test_longAlias(self): + # Spec minimum length is 32 characters. This is a silly test + # for this library, but it's here for completeness. + alias = 'x' * ax.MINIMUM_SUPPORTED_ALIAS_LENGTH + + msg = ax.AXKeyValueMessage() + msg.parseExtensionArgs( + {'type.%s' % (alias,): 'urn:foo', + 'count.%s' % (alias,): '1', + 'value.%s.1' % (alias,): 'first'} + ) + + def test_invalidAlias(self): + types = [ + ax.AXKeyValueMessage, + ax.FetchRequest + ] + + inputs = [ + {'type.a.b':'urn:foo', + 'count.a.b':'1'}, + {'type.a,b':'urn:foo', + 'count.a,b':'1'}, + ] + + for typ in types: + for input in inputs: + msg = typ() + self.failUnlessRaises(ax.AXError, msg.parseExtensionArgs, + input) + + def test_countPresentAndIsZero(self): + self.failUnlessAXValues( + {'type.foo':'urn:foo', + 'count.foo':'0', + }, {'urn:foo':[]}) + + def test_singletonEmpty(self): + self.failUnlessAXValues( + {'type.foo':'urn:foo', + 'value.foo':'', + }, {'urn:foo':[]}) + + def test_doubleAlias(self): + self.failUnlessAXKeyError( + {'type.foo':'urn:foo', + 'value.foo':'', + 'type.bar':'urn:foo', + 'value.bar':'', + }) + + def test_doubleSingleton(self): + self.failUnlessAXValues( + {'type.foo':'urn:foo', + 'value.foo':'', + 'type.bar':'urn:bar', + 'value.bar':'', + }, {'urn:foo':[], 'urn:bar':[]}) + + def test_singletonValue(self): + self.failUnlessAXValues( + {'type.foo':'urn:foo', + 'value.foo':'Westfall', + }, {'urn:foo':['Westfall']}) + + +class FetchRequestTest(unittest.TestCase): + def setUp(self): + self.msg = ax.FetchRequest() + self.type_a = 'http://janrain.example.com/a' + self.alias_a = 'a' + + + def test_mode(self): + self.failUnlessEqual(self.msg.mode, 'fetch_request') + + def test_construct(self): + self.failUnlessEqual({}, self.msg.requested_attributes) + self.failUnlessEqual(None, self.msg.update_url) + + msg = ax.FetchRequest('hailstorm') + self.failUnlessEqual({}, msg.requested_attributes) + self.failUnlessEqual('hailstorm', msg.update_url) + + def test_add(self): + uri = 'mud://puddle' + + # Not yet added: + self.failIf(uri in self.msg) + + attr = ax.AttrInfo(uri) + self.msg.add(attr) + + # Present after adding + self.failUnless(uri in self.msg) + + def test_addTwice(self): + uri = 'lightning://storm' + + attr = ax.AttrInfo(uri) + self.msg.add(attr) + self.failUnlessRaises(KeyError, self.msg.add, attr) + + def test_getExtensionArgs_empty(self): + expected_args = { + 'mode':'fetch_request', + } + self.failUnlessEqual(expected_args, self.msg.getExtensionArgs()) + + def test_getExtensionArgs_noAlias(self): + attr = ax.AttrInfo( + type_uri = 'type://of.transportation', + ) + self.msg.add(attr) + ax_args = self.msg.getExtensionArgs() + for k, v in ax_args.iteritems(): + if v == attr.type_uri and k.startswith('type.'): + alias = k[5:] + break + else: + self.fail("Didn't find the type definition") + + self.failUnlessExtensionArgs({ + 'type.' + alias:attr.type_uri, + 'if_available':alias, + }) + + def test_getExtensionArgs_alias_if_available(self): + attr = ax.AttrInfo( + type_uri = 'type://of.transportation', + alias = 'transport', + ) + self.msg.add(attr) + self.failUnlessExtensionArgs({ + 'type.' + attr.alias:attr.type_uri, + 'if_available':attr.alias, + }) + + def test_getExtensionArgs_alias_req(self): + attr = ax.AttrInfo( + type_uri = 'type://of.transportation', + alias = 'transport', + required = True, + ) + self.msg.add(attr) + self.failUnlessExtensionArgs({ + 'type.' + attr.alias:attr.type_uri, + 'required':attr.alias, + }) + + def failUnlessExtensionArgs(self, expected_args): + """Make sure that getExtensionArgs has the expected result + + This method will fill in the mode. + """ + expected_args = dict(expected_args) + expected_args['mode'] = self.msg.mode + self.failUnlessEqual(expected_args, self.msg.getExtensionArgs()) + + def test_isIterable(self): + self.failUnlessEqual([], list(self.msg)) + self.failUnlessEqual([], list(self.msg.iterAttrs())) + + def test_getRequiredAttrs_empty(self): + self.failUnlessEqual([], self.msg.getRequiredAttrs()) + + def test_parseExtensionArgs_extraType(self): + extension_args = { + 'mode':'fetch_request', + 'type.' + self.alias_a:self.type_a, + } + self.failUnlessRaises(ValueError, + self.msg.parseExtensionArgs, extension_args) + + def test_parseExtensionArgs(self): + extension_args = { + 'mode':'fetch_request', + 'type.' + self.alias_a:self.type_a, + 'if_available':self.alias_a + } + self.msg.parseExtensionArgs(extension_args) + self.failUnless(self.type_a in self.msg) + self.failUnlessEqual([self.type_a], list(self.msg)) + attr_info = self.msg.requested_attributes.get(self.type_a) + self.failUnless(attr_info) + self.failIf(attr_info.required) + self.failUnlessEqual(self.type_a, attr_info.type_uri) + self.failUnlessEqual(self.alias_a, attr_info.alias) + self.failUnlessEqual([attr_info], list(self.msg.iterAttrs())) + + def test_extensionArgs_idempotent(self): + extension_args = { + 'mode':'fetch_request', + 'type.' + self.alias_a:self.type_a, + 'if_available':self.alias_a + } + self.msg.parseExtensionArgs(extension_args) + self.failUnlessEqual(extension_args, self.msg.getExtensionArgs()) + self.failIf(self.msg.requested_attributes[self.type_a].required) + + def test_extensionArgs_idempotent_count_required(self): + extension_args = { + 'mode':'fetch_request', + 'type.' + self.alias_a:self.type_a, + 'count.' + self.alias_a:'2', + 'required':self.alias_a + } + self.msg.parseExtensionArgs(extension_args) + self.failUnlessEqual(extension_args, self.msg.getExtensionArgs()) + self.failUnless(self.msg.requested_attributes[self.type_a].required) + + def test_extensionArgs_count1(self): + extension_args = { + 'mode':'fetch_request', + 'type.' + self.alias_a:self.type_a, + 'count.' + self.alias_a:'1', + 'if_available':self.alias_a, + } + extension_args_norm = { + 'mode':'fetch_request', + 'type.' + self.alias_a:self.type_a, + 'if_available':self.alias_a, + } + self.msg.parseExtensionArgs(extension_args) + self.failUnlessEqual(extension_args_norm, self.msg.getExtensionArgs()) + + def test_openidNoRealm(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.update_url': 'http://different.site/path', + 'ax.mode': 'fetch_request', + }) + self.failUnlessRaises(ax.AXError, + ax.FetchRequest.fromOpenIDRequest, + DummyRequest(openid_req_msg)) + + def test_openidUpdateURLVerificationError(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + 'realm': 'http://example.com/realm', + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.update_url': 'http://different.site/path', + 'ax.mode': 'fetch_request', + }) + + self.failUnlessRaises(ax.AXError, + ax.FetchRequest.fromOpenIDRequest, + DummyRequest(openid_req_msg)) + + def test_openidUpdateURLVerificationSuccess(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + 'realm': 'http://example.com/realm', + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.update_url': 'http://example.com/realm/update_path', + 'ax.mode': 'fetch_request', + }) + + fr = ax.FetchRequest.fromOpenIDRequest(DummyRequest(openid_req_msg)) + + def test_openidUpdateURLVerificationSuccessReturnTo(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + 'return_to': 'http://example.com/realm', + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.update_url': 'http://example.com/realm/update_path', + 'ax.mode': 'fetch_request', + }) + + fr = ax.FetchRequest.fromOpenIDRequest(DummyRequest(openid_req_msg)) + + def test_fromOpenIDRequestWithoutExtension(self): + """return None for an OpenIDRequest without AX paramaters.""" + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + }) + oreq = DummyRequest(openid_req_msg) + r = ax.FetchRequest.fromOpenIDRequest(oreq) + self.failUnless(r is None, "%s is not None" % (r,)) + + def test_fromOpenIDRequestWithoutData(self): + """return something for SuccessResponse with AX paramaters, + even if it is the empty set.""" + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'realm': 'http://example.com/realm', + 'ns': OPENID2_NS, + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.mode': 'fetch_request', + }) + oreq = DummyRequest(openid_req_msg) + r = ax.FetchRequest.fromOpenIDRequest(oreq) + self.failUnless(r is not None) + + +class FetchResponseTest(unittest.TestCase): + def setUp(self): + self.msg = ax.FetchResponse() + self.value_a = 'monkeys' + self.type_a = 'http://phone.home/' + self.alias_a = 'robocop' + self.request_update_url = 'http://update.bogus/' + + def test_construct(self): + self.failUnless(self.msg.update_url is None) + self.failUnlessEqual({}, self.msg.data) + + def test_getExtensionArgs_empty(self): + expected_args = { + 'mode':'fetch_response', + } + self.failUnlessEqual(expected_args, self.msg.getExtensionArgs()) + + def test_getExtensionArgs_empty_request(self): + expected_args = { + 'mode':'fetch_response', + } + req = ax.FetchRequest() + msg = ax.FetchResponse(request=req) + self.failUnlessEqual(expected_args, msg.getExtensionArgs()) + + def test_getExtensionArgs_empty_request_some(self): + uri = 'http://not.found/' + alias = 'ext0' + + expected_args = { + 'mode':'fetch_response', + 'type.%s' % (alias,): uri, + 'count.%s' % (alias,): '0' + } + req = ax.FetchRequest() + req.add(ax.AttrInfo(uri)) + msg = ax.FetchResponse(request=req) + self.failUnlessEqual(expected_args, msg.getExtensionArgs()) + + def test_updateUrlInResponse(self): + uri = 'http://not.found/' + alias = 'ext0' + + expected_args = { + 'mode':'fetch_response', + 'update_url': self.request_update_url, + 'type.%s' % (alias,): uri, + 'count.%s' % (alias,): '0' + } + req = ax.FetchRequest(update_url=self.request_update_url) + req.add(ax.AttrInfo(uri)) + msg = ax.FetchResponse(request=req) + self.failUnlessEqual(expected_args, msg.getExtensionArgs()) + + def test_getExtensionArgs_some_request(self): + expected_args = { + 'mode':'fetch_response', + 'type.' + self.alias_a:self.type_a, + 'value.' + self.alias_a + '.1':self.value_a, + 'count.' + self.alias_a: '1' + } + req = ax.FetchRequest() + req.add(ax.AttrInfo(self.type_a, alias=self.alias_a)) + msg = ax.FetchResponse(request=req) + msg.addValue(self.type_a, self.value_a) + self.failUnlessEqual(expected_args, msg.getExtensionArgs()) + + def test_getExtensionArgs_some_not_request(self): + req = ax.FetchRequest() + msg = ax.FetchResponse(request=req) + msg.addValue(self.type_a, self.value_a) + self.failUnlessRaises(KeyError, msg.getExtensionArgs) + + def test_getSingle_success(self): + req = ax.FetchRequest() + self.msg.addValue(self.type_a, self.value_a) + self.failUnlessEqual(self.value_a, self.msg.getSingle(self.type_a)) + + def test_getSingle_none(self): + self.failUnlessEqual(None, self.msg.getSingle(self.type_a)) + + def test_getSingle_extra(self): + self.msg.setValues(self.type_a, ['x', 'y']) + self.failUnlessRaises(ax.AXError, self.msg.getSingle, self.type_a) + + def test_get(self): + self.failUnlessRaises(KeyError, self.msg.get, self.type_a) + + def test_fromSuccessResponseWithoutExtension(self): + """return None for SuccessResponse with no AX paramaters.""" + args = { + 'mode': 'id_res', + 'ns': OPENID2_NS, + } + sf = ['openid.' + i for i in args.keys()] + msg = Message.fromOpenIDArgs(args) + class Endpoint: + claimed_id = 'http://invalid.' + + oreq = SuccessResponse(Endpoint(), msg, signed_fields=sf) + r = ax.FetchResponse.fromSuccessResponse(oreq) + self.failUnless(r is None, "%s is not None" % (r,)) + + def test_fromSuccessResponseWithoutData(self): + """return something for SuccessResponse with AX paramaters, + even if it is the empty set.""" + args = { + 'mode': 'id_res', + 'ns': OPENID2_NS, + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.mode': 'fetch_response', + } + sf = ['openid.' + i for i in args.keys()] + msg = Message.fromOpenIDArgs(args) + class Endpoint: + claimed_id = 'http://invalid.' + + oreq = SuccessResponse(Endpoint(), msg, signed_fields=sf) + r = ax.FetchResponse.fromSuccessResponse(oreq) + self.failUnless(r is not None) + + def test_fromSuccessResponseWithData(self): + name = 'ext0' + value = 'snozzberry' + uri = "http://willy.wonka.name/" + args = { + 'mode': 'id_res', + 'ns': OPENID2_NS, + 'ns.ax': ax.AXMessage.ns_uri, + 'ax.update_url': 'http://example.com/realm/update_path', + 'ax.mode': 'fetch_response', + 'ax.type.'+name: uri, + 'ax.count.'+name: '1', + 'ax.value.%s.1'%name: value, + } + sf = ['openid.' + i for i in args.keys()] + msg = Message.fromOpenIDArgs(args) + class Endpoint: + claimed_id = 'http://invalid.' + + resp = SuccessResponse(Endpoint(), msg, signed_fields=sf) + ax_resp = ax.FetchResponse.fromSuccessResponse(resp) + values = ax_resp.get(uri) + self.failUnlessEqual([value], values) + + +class StoreRequestTest(unittest.TestCase): + def setUp(self): + self.msg = ax.StoreRequest() + self.type_a = 'http://three.count/' + self.alias_a = 'juggling' + + def test_construct(self): + self.failUnlessEqual({}, self.msg.data) + + def test_getExtensionArgs_empty(self): + args = self.msg.getExtensionArgs() + expected_args = { + 'mode':'store_request', + } + self.failUnlessEqual(expected_args, args) + + def test_getExtensionArgs_nonempty(self): + aliases = NamespaceMap() + aliases.addAlias(self.type_a, self.alias_a) + msg = ax.StoreRequest(aliases=aliases) + msg.setValues(self.type_a, ['foo', 'bar']) + args = msg.getExtensionArgs() + expected_args = { + 'mode':'store_request', + 'type.' + self.alias_a: self.type_a, + 'count.' + self.alias_a: '2', + 'value.%s.1' % (self.alias_a,):'foo', + 'value.%s.2' % (self.alias_a,):'bar', + } + self.failUnlessEqual(expected_args, args) + +class StoreResponseTest(unittest.TestCase): + def test_success(self): + msg = ax.StoreResponse() + self.failUnless(msg.succeeded()) + self.failIf(msg.error_message) + self.failUnlessEqual({'mode':'store_response_success'}, + msg.getExtensionArgs()) + + def test_fail_nomsg(self): + msg = ax.StoreResponse(False) + self.failIf(msg.succeeded()) + self.failIf(msg.error_message) + self.failUnlessEqual({'mode':'store_response_failure'}, + msg.getExtensionArgs()) + + def test_fail_msg(self): + reason = 'no reason, really' + msg = ax.StoreResponse(False, reason) + self.failIf(msg.succeeded()) + self.failUnlessEqual(reason, msg.error_message) + self.failUnlessEqual({'mode':'store_response_failure', + 'error':reason}, msg.getExtensionArgs()) diff --git a/askbot/deps/openid/test/test_consumer.py b/askbot/deps/openid/test/test_consumer.py new file mode 100644 index 00000000..33a75647 --- /dev/null +++ b/askbot/deps/openid/test/test_consumer.py @@ -0,0 +1,2097 @@ +import urlparse +import cgi +import time +import warnings + +from openid.message import Message, OPENID_NS, OPENID2_NS, IDENTIFIER_SELECT, \ + OPENID1_NS, BARE_NS +from openid import cryptutil, dh, oidutil, kvform +from openid.store.nonce import mkNonce, split as splitNonce +from openid.consumer.discover import OpenIDServiceEndpoint, OPENID_2_0_TYPE, \ + OPENID_1_1_TYPE +from openid.consumer.consumer import \ + AuthRequest, GenericConsumer, SUCCESS, FAILURE, CANCEL, SETUP_NEEDED, \ + SuccessResponse, FailureResponse, SetupNeededResponse, CancelResponse, \ + DiffieHellmanSHA1ConsumerSession, Consumer, PlainTextConsumerSession, \ + SetupNeededError, DiffieHellmanSHA256ConsumerSession, ServerError, \ + ProtocolError, _httpResponseToMessage +from openid import association +from openid.server.server import \ + PlainTextServerSession, DiffieHellmanSHA1ServerSession +from openid.yadis.manager import Discovery +from openid.yadis.discover import DiscoveryFailure +from openid.dh import DiffieHellman + +from openid.fetchers import HTTPResponse, HTTPFetchingError +from openid import fetchers +from openid.store import memstore + +from support import CatchLogs + +assocs = [ + ('another 20-byte key.', 'Snarky'), + ('\x00' * 20, 'Zeros'), + ] + +def mkSuccess(endpoint, q): + """Convenience function to create a SuccessResponse with the given + arguments, all signed.""" + signed_list = ['openid.' + k for k in q.keys()] + return SuccessResponse(endpoint, Message.fromOpenIDArgs(q), signed_list) + +def parseQuery(qs): + q = {} + for (k, v) in cgi.parse_qsl(qs): + assert not q.has_key(k) + q[k] = v + return q + +def associate(qs, assoc_secret, assoc_handle): + """Do the server's half of the associate call, using the given + secret and handle.""" + q = parseQuery(qs) + assert q['openid.mode'] == 'associate' + assert q['openid.assoc_type'] == 'HMAC-SHA1' + reply_dict = { + 'assoc_type':'HMAC-SHA1', + 'assoc_handle':assoc_handle, + 'expires_in':'600', + } + + if q.get('openid.session_type') == 'DH-SHA1': + assert len(q) == 6 or len(q) == 4 + message = Message.fromPostArgs(q) + session = DiffieHellmanSHA1ServerSession.fromMessage(message) + reply_dict['session_type'] = 'DH-SHA1' + else: + assert len(q) == 2 + session = PlainTextServerSession.fromQuery(q) + + reply_dict.update(session.answer(assoc_secret)) + return kvform.dictToKV(reply_dict) + + +GOODSIG = "[A Good Signature]" + + +class GoodAssociation: + expiresIn = 3600 + handle = "-blah-" + + def getExpiresIn(self): + return self.expiresIn + + def checkMessageSignature(self, message): + return message.getArg(OPENID_NS, 'sig') == GOODSIG + + +class GoodAssocStore(memstore.MemoryStore): + def getAssociation(self, server_url, handle=None): + return GoodAssociation() + + +class TestFetcher(object): + def __init__(self, user_url, user_page, (assoc_secret, assoc_handle)): + self.get_responses = {user_url:self.response(user_url, 200, user_page)} + self.assoc_secret = assoc_secret + self.assoc_handle = assoc_handle + self.num_assocs = 0 + + def response(self, url, status, body): + return HTTPResponse( + final_url=url, status=status, headers={}, body=body) + + def fetch(self, url, body=None, headers=None): + if body is None: + if url in self.get_responses: + return self.get_responses[url] + else: + try: + body.index('openid.mode=associate') + except ValueError: + pass # fall through + else: + assert body.find('DH-SHA1') != -1 + response = associate( + body, self.assoc_secret, self.assoc_handle) + self.num_assocs += 1 + return self.response(url, 200, response) + + return self.response(url, 404, 'Not found') + +def makeFastConsumerSession(): + """ + Create custom DH object so tests run quickly. + """ + dh = DiffieHellman(100389557, 2) + return DiffieHellmanSHA1ConsumerSession(dh) + +def setConsumerSession(con): + con.session_types = {'DH-SHA1': makeFastConsumerSession} + +def _test_success(server_url, user_url, delegate_url, links, immediate=False): + store = memstore.MemoryStore() + if immediate: + mode = 'checkid_immediate' + else: + mode = 'checkid_setup' + + endpoint = OpenIDServiceEndpoint() + endpoint.claimed_id = user_url + endpoint.server_url = server_url + endpoint.local_id = delegate_url + endpoint.type_uris = [OPENID_1_1_TYPE] + + fetcher = TestFetcher(None, None, assocs[0]) + fetchers.setDefaultFetcher(fetcher, wrap_exceptions=False) + + def run(): + trust_root = consumer_url + + consumer = GenericConsumer(store) + setConsumerSession(consumer) + + request = consumer.begin(endpoint) + return_to = consumer_url + + m = request.getMessage(trust_root, return_to, immediate) + + redirect_url = request.redirectURL(trust_root, return_to, immediate) + + parsed = urlparse.urlparse(redirect_url) + qs = parsed[4] + q = parseQuery(qs) + new_return_to = q['openid.return_to'] + del q['openid.return_to'] + assert q == { + 'openid.mode':mode, + 'openid.identity':delegate_url, + 'openid.trust_root':trust_root, + 'openid.assoc_handle':fetcher.assoc_handle, + }, (q, user_url, delegate_url, mode) + + assert new_return_to.startswith(return_to) + assert redirect_url.startswith(server_url) + + parsed = urlparse.urlparse(new_return_to) + query = parseQuery(parsed[4]) + query.update({ + 'openid.mode':'id_res', + 'openid.return_to':new_return_to, + 'openid.identity':delegate_url, + 'openid.assoc_handle':fetcher.assoc_handle, + }) + + assoc = store.getAssociation(server_url, fetcher.assoc_handle) + + message = Message.fromPostArgs(query) + message = assoc.signMessage(message) + info = consumer.complete(message, request.endpoint, new_return_to) + assert info.status == SUCCESS, info.message + assert info.identity_url == user_url + + assert fetcher.num_assocs == 0 + run() + assert fetcher.num_assocs == 1 + + # Test that doing it again uses the existing association + run() + assert fetcher.num_assocs == 1 + + # Another association is created if we remove the existing one + store.removeAssociation(server_url, fetcher.assoc_handle) + run() + assert fetcher.num_assocs == 2 + + # Test that doing it again uses the existing association + run() + assert fetcher.num_assocs == 2 + +import unittest + +http_server_url = 'http://server.example.com/' +consumer_url = 'http://consumer.example.com/' +https_server_url = 'https://server.example.com/' + +class TestSuccess(unittest.TestCase, CatchLogs): + server_url = http_server_url + user_url = 'http://www.example.com/user.html' + delegate_url = 'http://consumer.example.com/user' + + def setUp(self): + CatchLogs.setUp(self) + self.links = '<link rel="openid.server" href="%s" />' % ( + self.server_url,) + + self.delegate_links = ('<link rel="openid.server" href="%s" />' + '<link rel="openid.delegate" href="%s" />') % ( + self.server_url, self.delegate_url) + + def tearDown(self): + CatchLogs.tearDown(self) + + def test_nodelegate(self): + _test_success(self.server_url, self.user_url, + self.user_url, self.links) + + def test_nodelegateImmediate(self): + _test_success(self.server_url, self.user_url, + self.user_url, self.links, True) + + def test_delegate(self): + _test_success(self.server_url, self.user_url, + self.delegate_url, self.delegate_links) + + def test_delegateImmediate(self): + _test_success(self.server_url, self.user_url, + self.delegate_url, self.delegate_links, True) + + +class TestSuccessHTTPS(TestSuccess): + server_url = https_server_url + + +class TestConstruct(unittest.TestCase): + def setUp(self): + self.store_sentinel = object() + + def test_construct(self): + oidc = GenericConsumer(self.store_sentinel) + self.failUnless(oidc.store is self.store_sentinel) + + def test_nostore(self): + self.failUnlessRaises(TypeError, GenericConsumer) + + +class TestIdRes(unittest.TestCase, CatchLogs): + consumer_class = GenericConsumer + + def setUp(self): + CatchLogs.setUp(self) + + self.store = memstore.MemoryStore() + self.consumer = self.consumer_class(self.store) + self.return_to = "nonny" + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.claimed_id = self.consumer_id = "consu" + self.endpoint.server_url = self.server_url = "serlie" + self.endpoint.local_id = self.server_id = "sirod" + self.endpoint.type_uris = [OPENID_1_1_TYPE] + + def disableDiscoveryVerification(self): + """Set the discovery verification to a no-op for test cases in + which we don't care.""" + def dummyVerifyDiscover(_, endpoint): + return endpoint + self.consumer._verifyDiscoveryResults = dummyVerifyDiscover + + def disableReturnToChecking(self): + def checkReturnTo(unused1, unused2): + return True + self.consumer._checkReturnTo = checkReturnTo + complete = self.consumer.complete + def callCompleteWithoutReturnTo(message, endpoint): + return complete(message, endpoint, None) + self.consumer.complete = callCompleteWithoutReturnTo + +class TestIdResCheckSignature(TestIdRes): + def setUp(self): + TestIdRes.setUp(self) + self.assoc = GoodAssociation() + self.assoc.handle = "{not_dumb}" + self.store.storeAssociation(self.endpoint.server_url, self.assoc) + + self.message = Message.fromPostArgs({ + 'openid.mode': 'id_res', + 'openid.identity': '=example', + 'openid.sig': GOODSIG, + 'openid.assoc_handle': self.assoc.handle, + 'openid.signed': 'mode,identity,assoc_handle,signed', + 'frobboz': 'banzit', + }) + + + def test_sign(self): + # assoc_handle to assoc with good sig + self.consumer._idResCheckSignature(self.message, + self.endpoint.server_url) + + + def test_signFailsWithBadSig(self): + self.message.setArg(OPENID_NS, 'sig', 'BAD SIGNATURE') + self.failUnlessRaises( + ProtocolError, self.consumer._idResCheckSignature, + self.message, self.endpoint.server_url) + + + def test_stateless(self): + # assoc_handle missing assoc, consumer._checkAuth returns goodthings + self.message.setArg(OPENID_NS, "assoc_handle", "dumbHandle") + self.consumer._processCheckAuthResponse = ( + lambda response, server_url: True) + self.consumer._makeKVPost = lambda args, server_url: {} + self.consumer._idResCheckSignature(self.message, + self.endpoint.server_url) + + def test_statelessRaisesError(self): + # assoc_handle missing assoc, consumer._checkAuth returns goodthings + self.message.setArg(OPENID_NS, "assoc_handle", "dumbHandle") + self.consumer._checkAuth = lambda unused1, unused2: False + self.failUnlessRaises( + ProtocolError, self.consumer._idResCheckSignature, + self.message, self.endpoint.server_url) + + def test_stateless_noStore(self): + # assoc_handle missing assoc, consumer._checkAuth returns goodthings + self.message.setArg(OPENID_NS, "assoc_handle", "dumbHandle") + self.consumer.store = None + self.consumer._processCheckAuthResponse = ( + lambda response, server_url: True) + self.consumer._makeKVPost = lambda args, server_url: {} + self.consumer._idResCheckSignature(self.message, + self.endpoint.server_url) + + def test_statelessRaisesError_noStore(self): + # assoc_handle missing assoc, consumer._checkAuth returns goodthings + self.message.setArg(OPENID_NS, "assoc_handle", "dumbHandle") + self.consumer._checkAuth = lambda unused1, unused2: False + self.consumer.store = None + self.failUnlessRaises( + ProtocolError, self.consumer._idResCheckSignature, + self.message, self.endpoint.server_url) + + +class TestQueryFormat(TestIdRes): + def test_notAList(self): + # XXX: should be a Message object test, not a consumer test + + # Value should be a single string. If it's a list, it should generate + # an exception. + query = {'openid.mode': ['cancel']} + try: + r = Message.fromPostArgs(query) + except TypeError, err: + self.failUnless(str(err).find('values') != -1, err) + else: + self.fail("expected TypeError, got this instead: %s" % (r,)) + +class TestComplete(TestIdRes): + """Testing GenericConsumer.complete. + + Other TestIdRes subclasses test more specific aspects. + """ + + def test_setupNeededIdRes(self): + message = Message.fromOpenIDArgs({'mode': 'id_res'}) + setup_url_sentinel = object() + + def raiseSetupNeeded(msg): + self.failUnless(msg is message) + raise SetupNeededError(setup_url_sentinel) + + self.consumer._checkSetupNeeded = raiseSetupNeeded + + response = self.consumer.complete(message, None, None) + self.failUnlessEqual(SETUP_NEEDED, response.status) + self.failUnless(setup_url_sentinel is response.setup_url) + + def test_cancel(self): + message = Message.fromPostArgs({'openid.mode': 'cancel'}) + self.disableReturnToChecking() + r = self.consumer.complete(message, self.endpoint) + self.failUnlessEqual(r.status, CANCEL) + self.failUnless(r.identity_url == self.endpoint.claimed_id) + + def test_cancel_with_return_to(self): + message = Message.fromPostArgs({'openid.mode': 'cancel'}) + r = self.consumer.complete(message, self.endpoint, self.return_to) + self.failUnlessEqual(r.status, CANCEL) + self.failUnless(r.identity_url == self.endpoint.claimed_id) + + def test_error(self): + msg = 'an error message' + message = Message.fromPostArgs({'openid.mode': 'error', + 'openid.error': msg, + }) + self.disableReturnToChecking() + r = self.consumer.complete(message, self.endpoint) + self.failUnlessEqual(r.status, FAILURE) + self.failUnless(r.identity_url == self.endpoint.claimed_id) + self.failUnlessEqual(r.message, msg) + + def test_errorWithNoOptionalKeys(self): + msg = 'an error message' + contact = 'some contact info here' + message = Message.fromPostArgs({'openid.mode': 'error', + 'openid.error': msg, + 'openid.contact': contact, + }) + self.disableReturnToChecking() + r = self.consumer.complete(message, self.endpoint) + self.failUnlessEqual(r.status, FAILURE) + self.failUnless(r.identity_url == self.endpoint.claimed_id) + self.failUnless(r.contact == contact) + self.failUnless(r.reference is None) + self.failUnlessEqual(r.message, msg) + + def test_errorWithOptionalKeys(self): + msg = 'an error message' + contact = 'me' + reference = 'support ticket' + message = Message.fromPostArgs({'openid.mode': 'error', + 'openid.error': msg, 'openid.reference': reference, + 'openid.contact': contact, 'openid.ns': OPENID2_NS, + }) + r = self.consumer.complete(message, self.endpoint, None) + self.failUnlessEqual(r.status, FAILURE) + self.failUnless(r.identity_url == self.endpoint.claimed_id) + self.failUnless(r.contact == contact) + self.failUnless(r.reference == reference) + self.failUnlessEqual(r.message, msg) + + def test_noMode(self): + message = Message.fromPostArgs({}) + r = self.consumer.complete(message, self.endpoint, None) + self.failUnlessEqual(r.status, FAILURE) + self.failUnless(r.identity_url == self.endpoint.claimed_id) + + def test_idResMissingField(self): + # XXX - this test is passing, but not necessarily by what it + # is supposed to test for. status in FAILURE, but it's because + # *check_auth* failed, not because it's missing an arg, exactly. + message = Message.fromPostArgs({'openid.mode': 'id_res'}) + self.failUnlessRaises(ProtocolError, self.consumer._doIdRes, + message, self.endpoint, None) + + def test_idResURLMismatch(self): + class VerifiedError(Exception): pass + + def discoverAndVerify(claimed_id, _to_match_endpoints): + raise VerifiedError + + self.consumer._discoverAndVerify = discoverAndVerify + self.disableReturnToChecking() + + message = Message.fromPostArgs( + {'openid.mode': 'id_res', + 'openid.return_to': 'return_to (just anything)', + 'openid.identity': 'something wrong (not self.consumer_id)', + 'openid.assoc_handle': 'does not matter', + 'openid.sig': GOODSIG, + 'openid.signed': 'identity,return_to', + }) + self.consumer.store = GoodAssocStore() + + self.failUnlessRaises(VerifiedError, + self.consumer.complete, + message, self.endpoint) + + self.failUnlessLogMatches('Error attempting to use stored', + 'Attempting discovery') + +class TestCompleteMissingSig(unittest.TestCase, CatchLogs): + + def setUp(self): + self.store = GoodAssocStore() + self.consumer = GenericConsumer(self.store) + self.server_url = "http://idp.unittest/" + CatchLogs.setUp(self) + + claimed_id = 'bogus.claimed' + + self.message = Message.fromOpenIDArgs( + {'mode': 'id_res', + 'return_to': 'return_to (just anything)', + 'identity': claimed_id, + 'assoc_handle': 'does not matter', + 'sig': GOODSIG, + 'response_nonce': mkNonce(), + 'signed': 'identity,return_to,response_nonce,assoc_handle,claimed_id,op_endpoint', + 'claimed_id': claimed_id, + 'op_endpoint': self.server_url, + 'ns':OPENID2_NS, + }) + + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.server_url = self.server_url + self.endpoint.claimed_id = claimed_id + self.consumer._checkReturnTo = lambda unused1, unused2 : True + + def tearDown(self): + CatchLogs.tearDown(self) + + + def test_idResMissingNoSigs(self): + def _vrfy(resp_msg, endpoint=None): + return endpoint + + self.consumer._verifyDiscoveryResults = _vrfy + r = self.consumer.complete(self.message, self.endpoint, None) + self.failUnlessSuccess(r) + + + def test_idResNoIdentity(self): + self.message.delArg(OPENID_NS, 'identity') + self.message.delArg(OPENID_NS, 'claimed_id') + self.endpoint.claimed_id = None + self.message.setArg(OPENID_NS, 'signed', 'return_to,response_nonce,assoc_handle,op_endpoint') + r = self.consumer.complete(self.message, self.endpoint, None) + self.failUnlessSuccess(r) + + + def test_idResMissingIdentitySig(self): + self.message.setArg(OPENID_NS, 'signed', 'return_to,response_nonce,assoc_handle,claimed_id') + r = self.consumer.complete(self.message, self.endpoint, None) + self.failUnlessEqual(r.status, FAILURE) + + + def test_idResMissingReturnToSig(self): + self.message.setArg(OPENID_NS, 'signed', 'identity,response_nonce,assoc_handle,claimed_id') + r = self.consumer.complete(self.message, self.endpoint, None) + self.failUnlessEqual(r.status, FAILURE) + + + def test_idResMissingAssocHandleSig(self): + self.message.setArg(OPENID_NS, 'signed', 'identity,response_nonce,return_to,claimed_id') + r = self.consumer.complete(self.message, self.endpoint, None) + self.failUnlessEqual(r.status, FAILURE) + + + def test_idResMissingClaimedIDSig(self): + self.message.setArg(OPENID_NS, 'signed', 'identity,response_nonce,return_to,assoc_handle') + r = self.consumer.complete(self.message, self.endpoint, None) + self.failUnlessEqual(r.status, FAILURE) + + + def failUnlessSuccess(self, response): + if response.status != SUCCESS: + self.fail("Non-successful response: %s" % (response,)) + + + +class TestCheckAuthResponse(TestIdRes, CatchLogs): + def setUp(self): + CatchLogs.setUp(self) + TestIdRes.setUp(self) + + def tearDown(self): + CatchLogs.tearDown(self) + + def _createAssoc(self): + issued = time.time() + lifetime = 1000 + assoc = association.Association( + 'handle', 'secret', issued, lifetime, 'HMAC-SHA1') + store = self.consumer.store + store.storeAssociation(self.server_url, assoc) + assoc2 = store.getAssociation(self.server_url) + self.failUnlessEqual(assoc, assoc2) + + def test_goodResponse(self): + """successful response to check_authentication""" + response = Message.fromOpenIDArgs({'is_valid':'true',}) + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failUnless(r) + + def test_missingAnswer(self): + """check_authentication returns false when the server sends no answer""" + response = Message.fromOpenIDArgs({}) + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failIf(r) + + def test_badResponse(self): + """check_authentication returns false when is_valid is false""" + response = Message.fromOpenIDArgs({'is_valid':'false',}) + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failIf(r) + + def test_badResponseInvalidate(self): + """Make sure that the handle is invalidated when is_valid is false + + From "Verifying directly with the OpenID Provider":: + + If the OP responds with "is_valid" set to "true", and + "invalidate_handle" is present, the Relying Party SHOULD + NOT send further authentication requests with that handle. + """ + self._createAssoc() + response = Message.fromOpenIDArgs({ + 'is_valid':'false', + 'invalidate_handle':'handle', + }) + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failIf(r) + self.failUnless( + self.consumer.store.getAssociation(self.server_url) is None) + + def test_invalidateMissing(self): + """invalidate_handle with a handle that is not present""" + response = Message.fromOpenIDArgs({ + 'is_valid':'true', + 'invalidate_handle':'missing', + }) + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failUnless(r) + self.failUnlessLogMatches( + 'Received "invalidate_handle"' + ) + + def test_invalidateMissing_noStore(self): + """invalidate_handle with a handle that is not present""" + response = Message.fromOpenIDArgs({ + 'is_valid':'true', + 'invalidate_handle':'missing', + }) + self.consumer.store = None + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failUnless(r) + self.failUnlessLogMatches( + 'Received "invalidate_handle"', + 'Unexpectedly got invalidate_handle without a store') + + def test_invalidatePresent(self): + """invalidate_handle with a handle that exists + + From "Verifying directly with the OpenID Provider":: + + If the OP responds with "is_valid" set to "true", and + "invalidate_handle" is present, the Relying Party SHOULD + NOT send further authentication requests with that handle. + """ + self._createAssoc() + response = Message.fromOpenIDArgs({ + 'is_valid':'true', + 'invalidate_handle':'handle', + }) + r = self.consumer._processCheckAuthResponse(response, self.server_url) + self.failUnless(r) + self.failUnless( + self.consumer.store.getAssociation(self.server_url) is None) + +class TestSetupNeeded(TestIdRes): + def failUnlessSetupNeeded(self, expected_setup_url, message): + try: + self.consumer._checkSetupNeeded(message) + except SetupNeededError, why: + self.failUnlessEqual(expected_setup_url, why.user_setup_url) + else: + self.fail("Expected to find an immediate-mode response") + + def test_setupNeededOpenID1(self): + """The minimum conditions necessary to trigger Setup Needed""" + setup_url = 'http://unittest/setup-here' + message = Message.fromPostArgs({ + 'openid.mode': 'id_res', + 'openid.user_setup_url': setup_url, + }) + self.failUnless(message.isOpenID1()) + self.failUnlessSetupNeeded(setup_url, message) + + def test_setupNeededOpenID1_extra(self): + """Extra stuff along with setup_url still trigger Setup Needed""" + setup_url = 'http://unittest/setup-here' + message = Message.fromPostArgs({ + 'openid.mode': 'id_res', + 'openid.user_setup_url': setup_url, + 'openid.identity': 'bogus', + }) + self.failUnless(message.isOpenID1()) + self.failUnlessSetupNeeded(setup_url, message) + + def test_noSetupNeededOpenID1(self): + """When the user_setup_url is missing on an OpenID 1 message, + we assume that it's not a cancel response to checkid_immediate""" + message = Message.fromOpenIDArgs({'mode': 'id_res'}) + self.failUnless(message.isOpenID1()) + + # No SetupNeededError raised + self.consumer._checkSetupNeeded(message) + + def test_setupNeededOpenID2(self): + message = Message.fromOpenIDArgs({ + 'mode':'setup_needed', + 'ns':OPENID2_NS, + }) + self.failUnless(message.isOpenID2()) + response = self.consumer.complete(message, None, None) + self.failUnlessEqual('setup_needed', response.status) + self.failUnlessEqual(None, response.setup_url) + + def test_setupNeededDoesntWorkForOpenID1(self): + message = Message.fromOpenIDArgs({ + 'mode':'setup_needed', + }) + + # No SetupNeededError raised + self.consumer._checkSetupNeeded(message) + + response = self.consumer.complete(message, None, None) + self.failUnlessEqual('failure', response.status) + self.failUnless(response.message.startswith('Invalid openid.mode')) + + def test_noSetupNeededOpenID2(self): + message = Message.fromOpenIDArgs({ + 'mode':'id_res', + 'game':'puerto_rico', + 'ns':OPENID2_NS, + }) + self.failUnless(message.isOpenID2()) + + # No SetupNeededError raised + self.consumer._checkSetupNeeded(message) + +class IdResCheckForFieldsTest(TestIdRes): + def setUp(self): + self.consumer = GenericConsumer(None) + + def mkSuccessTest(openid_args, signed_list): + def test(self): + message = Message.fromOpenIDArgs(openid_args) + message.setArg(OPENID_NS, 'signed', ','.join(signed_list)) + self.consumer._idResCheckForFields(message) + return test + + test_openid1Success = mkSuccessTest( + {'return_to':'return', + 'assoc_handle':'assoc handle', + 'sig':'a signature', + 'identity':'someone', + }, + ['return_to', 'identity']) + + test_openid2Success = mkSuccessTest( + {'ns':OPENID2_NS, + 'return_to':'return', + 'assoc_handle':'assoc handle', + 'sig':'a signature', + 'op_endpoint':'my favourite server', + 'response_nonce':'use only once', + }, + ['return_to', 'response_nonce', 'assoc_handle', 'op_endpoint']) + + test_openid2Success_identifiers = mkSuccessTest( + {'ns':OPENID2_NS, + 'return_to':'return', + 'assoc_handle':'assoc handle', + 'sig':'a signature', + 'claimed_id':'i claim to be me', + 'identity':'my server knows me as me', + 'op_endpoint':'my favourite server', + 'response_nonce':'use only once', + }, + ['return_to', 'response_nonce', 'identity', + 'claimed_id', 'assoc_handle', 'op_endpoint']) + + def mkMissingFieldTest(openid_args): + def test(self): + message = Message.fromOpenIDArgs(openid_args) + try: + self.consumer._idResCheckForFields(message) + except ProtocolError, why: + self.failUnless(why[0].startswith('Missing required')) + else: + self.fail('Expected an error, but none occurred') + return test + + def mkMissingSignedTest(openid_args): + def test(self): + message = Message.fromOpenIDArgs(openid_args) + try: + self.consumer._idResCheckForFields(message) + except ProtocolError, why: + self.failUnless(why[0].endswith('not signed')) + else: + self.fail('Expected an error, but none occurred') + return test + + test_openid1Missing_returnToSig = mkMissingSignedTest( + {'return_to':'return', + 'assoc_handle':'assoc handle', + 'sig':'a signature', + 'identity':'someone', + 'signed':'identity', + }) + + test_openid1Missing_identitySig = mkMissingSignedTest( + {'return_to':'return', + 'assoc_handle':'assoc handle', + 'sig':'a signature', + 'identity':'someone', + 'signed':'return_to' + }) + + test_openid2Missing_opEndpointSig = mkMissingSignedTest( + {'ns':OPENID2_NS, + 'return_to':'return', + 'assoc_handle':'assoc handle', + 'sig':'a signature', + 'identity':'someone', + 'op_endpoint':'the endpoint', + 'signed':'return_to,identity,assoc_handle' + }) + + test_openid1MissingReturnTo = mkMissingFieldTest( + {'assoc_handle':'assoc handle', + 'sig':'a signature', + 'identity':'someone', + }) + + test_openid1MissingAssocHandle = mkMissingFieldTest( + {'return_to':'return', + 'sig':'a signature', + 'identity':'someone', + }) + + # XXX: I could go on... + +class CheckAuthHappened(Exception): pass + +class CheckNonceVerifyTest(TestIdRes, CatchLogs): + def setUp(self): + CatchLogs.setUp(self) + TestIdRes.setUp(self) + self.consumer.openid1_nonce_query_arg_name = 'nonce' + + def tearDown(self): + CatchLogs.tearDown(self) + + def test_openid1Success(self): + """use consumer-generated nonce""" + nonce_value = mkNonce() + self.return_to = 'http://rt.unittest/?nonce=%s' % (nonce_value,) + self.response = Message.fromOpenIDArgs({'return_to': self.return_to}) + self.response.setArg(BARE_NS, 'nonce', nonce_value) + self.consumer._idResCheckNonce(self.response, self.endpoint) + self.failUnlessLogEmpty() + + def test_openid1Missing(self): + """use consumer-generated nonce""" + self.response = Message.fromOpenIDArgs({}) + n = self.consumer._idResGetNonceOpenID1(self.response, self.endpoint) + self.failUnless(n is None, n) + self.failUnlessLogEmpty() + + def test_consumerNonceOpenID2(self): + """OpenID 2 does not use consumer-generated nonce""" + self.return_to = 'http://rt.unittest/?nonce=%s' % (mkNonce(),) + self.response = Message.fromOpenIDArgs( + {'return_to': self.return_to, 'ns':OPENID2_NS}) + self.failUnlessRaises(ProtocolError, self.consumer._idResCheckNonce, + self.response, self.endpoint) + self.failUnlessLogEmpty() + + def test_serverNonce(self): + """use server-generated nonce""" + self.response = Message.fromOpenIDArgs( + {'ns':OPENID2_NS, 'response_nonce': mkNonce(),}) + self.consumer._idResCheckNonce(self.response, self.endpoint) + self.failUnlessLogEmpty() + + def test_serverNonceOpenID1(self): + """OpenID 1 does not use server-generated nonce""" + self.response = Message.fromOpenIDArgs( + {'ns':OPENID1_NS, + 'return_to': 'http://return.to/', + 'response_nonce': mkNonce(),}) + self.failUnlessRaises(ProtocolError, self.consumer._idResCheckNonce, + self.response, self.endpoint) + self.failUnlessLogEmpty() + + def test_badNonce(self): + """remove the nonce from the store + + From "Checking the Nonce":: + + When the Relying Party checks the signature on an assertion, the + + Relying Party SHOULD ensure that an assertion has not yet + been accepted with the same value for "openid.response_nonce" + from the same OP Endpoint URL. + """ + nonce = mkNonce() + stamp, salt = splitNonce(nonce) + self.store.useNonce(self.server_url, stamp, salt) + self.response = Message.fromOpenIDArgs( + {'response_nonce': nonce, + 'ns':OPENID2_NS, + }) + self.failUnlessRaises(ProtocolError, self.consumer._idResCheckNonce, + self.response, self.endpoint) + + def test_successWithNoStore(self): + """When there is no store, checking the nonce succeeds""" + self.consumer.store = None + self.response = Message.fromOpenIDArgs( + {'response_nonce': mkNonce(), + 'ns':OPENID2_NS, + }) + self.consumer._idResCheckNonce(self.response, self.endpoint) + self.failUnlessLogEmpty() + + def test_tamperedNonce(self): + """Malformed nonce""" + self.response = Message.fromOpenIDArgs( + {'ns':OPENID2_NS, + 'response_nonce':'malformed'}) + self.failUnlessRaises(ProtocolError, self.consumer._idResCheckNonce, + self.response, self.endpoint) + + def test_missingNonce(self): + """no nonce parameter on the return_to""" + self.response = Message.fromOpenIDArgs( + {'return_to': self.return_to}) + self.failUnlessRaises(ProtocolError, self.consumer._idResCheckNonce, + self.response, self.endpoint) + +class CheckAuthDetectingConsumer(GenericConsumer): + def _checkAuth(self, *args): + raise CheckAuthHappened(args) + + def _idResCheckNonce(self, *args): + """We're not testing nonce-checking, so just return success + when it asks.""" + return True + +class TestCheckAuthTriggered(TestIdRes, CatchLogs): + consumer_class = CheckAuthDetectingConsumer + + def setUp(self): + TestIdRes.setUp(self) + CatchLogs.setUp(self) + self.disableDiscoveryVerification() + + def test_checkAuthTriggered(self): + message = Message.fromPostArgs({ + 'openid.return_to':self.return_to, + 'openid.identity':self.server_id, + 'openid.assoc_handle':'not_found', + 'openid.sig': GOODSIG, + 'openid.signed': 'identity,return_to', + }) + self.disableReturnToChecking() + try: + result = self.consumer._doIdRes(message, self.endpoint, None) + except CheckAuthHappened: + pass + else: + self.fail('_checkAuth did not happen. Result was: %r %s' % + (result, self.messages)) + + def test_checkAuthTriggeredWithAssoc(self): + # Store an association for this server that does not match the + # handle that is in the message + issued = time.time() + lifetime = 1000 + assoc = association.Association( + 'handle', 'secret', issued, lifetime, 'HMAC-SHA1') + self.store.storeAssociation(self.server_url, assoc) + self.disableReturnToChecking() + message = Message.fromPostArgs({ + 'openid.return_to':self.return_to, + 'openid.identity':self.server_id, + 'openid.assoc_handle':'not_found', + 'openid.sig': GOODSIG, + 'openid.signed': 'identity,return_to', + }) + try: + result = self.consumer._doIdRes(message, self.endpoint, None) + except CheckAuthHappened: + pass + else: + self.fail('_checkAuth did not happen. Result was: %r' % (result,)) + + def test_expiredAssoc(self): + # Store an expired association for the server with the handle + # that is in the message + issued = time.time() - 10 + lifetime = 0 + handle = 'handle' + assoc = association.Association( + handle, 'secret', issued, lifetime, 'HMAC-SHA1') + self.failUnless(assoc.expiresIn <= 0) + self.store.storeAssociation(self.server_url, assoc) + + message = Message.fromPostArgs({ + 'openid.return_to':self.return_to, + 'openid.identity':self.server_id, + 'openid.assoc_handle':handle, + 'openid.sig': GOODSIG, + 'openid.signed': 'identity,return_to', + }) + self.disableReturnToChecking() + self.failUnlessRaises(ProtocolError, self.consumer._doIdRes, + message, self.endpoint, None) + + def test_newerAssoc(self): + lifetime = 1000 + + good_issued = time.time() - 10 + good_handle = 'handle' + good_assoc = association.Association( + good_handle, 'secret', good_issued, lifetime, 'HMAC-SHA1') + self.store.storeAssociation(self.server_url, good_assoc) + + bad_issued = time.time() - 5 + bad_handle = 'handle2' + bad_assoc = association.Association( + bad_handle, 'secret', bad_issued, lifetime, 'HMAC-SHA1') + self.store.storeAssociation(self.server_url, bad_assoc) + + query = { + 'return_to':self.return_to, + 'identity':self.server_id, + 'assoc_handle':good_handle, + } + + message = Message.fromOpenIDArgs(query) + message = good_assoc.signMessage(message) + self.disableReturnToChecking() + info = self.consumer._doIdRes(message, self.endpoint, None) + self.failUnlessEqual(info.status, SUCCESS, info.message) + self.failUnlessEqual(self.consumer_id, info.identity_url) + + + +class TestReturnToArgs(unittest.TestCase): + """Verifying the Return URL paramaters. + From the specification "Verifying the Return URL":: + + To verify that the "openid.return_to" URL matches the URL that is + processing this assertion: + + - The URL scheme, authority, and path MUST be the same between the + two URLs. + + - Any query parameters that are present in the "openid.return_to" + URL MUST also be present with the same values in the + accepting URL. + + XXX: So far we have only tested the second item on the list above. + XXX: _verifyReturnToArgs is not invoked anywhere. + """ + + def setUp(self): + store = object() + self.consumer = GenericConsumer(store) + + def test_returnToArgsOkay(self): + query = { + 'openid.mode': 'id_res', + 'openid.return_to': 'http://example.com/?foo=bar', + 'foo': 'bar', + } + # no return value, success is assumed if there are no exceptions. + self.consumer._verifyReturnToArgs(query) + + def test_returnToArgsUnexpectedArg(self): + query = { + 'openid.mode': 'id_res', + 'openid.return_to': 'http://example.com/', + 'foo': 'bar', + } + # no return value, success is assumed if there are no exceptions. + self.failUnlessRaises(ProtocolError, + self.consumer._verifyReturnToArgs, query) + + def test_returnToMismatch(self): + query = { + 'openid.mode': 'id_res', + 'openid.return_to': 'http://example.com/?foo=bar', + } + # fail, query has no key 'foo'. + self.failUnlessRaises(ValueError, + self.consumer._verifyReturnToArgs, query) + + query['foo'] = 'baz' + # fail, values for 'foo' do not match. + self.failUnlessRaises(ValueError, + self.consumer._verifyReturnToArgs, query) + + + def test_noReturnTo(self): + query = {'openid.mode': 'id_res'} + self.failUnlessRaises(ValueError, + self.consumer._verifyReturnToArgs, query) + + def test_completeBadReturnTo(self): + """Test GenericConsumer.complete()'s handling of bad return_to + values. + """ + return_to = "http://some.url/path?foo=bar" + + # Scheme, authority, and path differences are checked by + # GenericConsumer._checkReturnTo. Query args checked by + # GenericConsumer._verifyReturnToArgs. + bad_return_tos = [ + # Scheme only + "https://some.url/path?foo=bar", + # Authority only + "http://some.url.invalid/path?foo=bar", + # Path only + "http://some.url/path_extra?foo=bar", + # Query args differ + "http://some.url/path?foo=bar2", + "http://some.url/path?foo2=bar", + ] + + m = Message(OPENID1_NS) + m.setArg(OPENID_NS, 'mode', 'cancel') + m.setArg(BARE_NS, 'foo', 'bar') + endpoint = None + + for bad in bad_return_tos: + m.setArg(OPENID_NS, 'return_to', bad) + self.failIf(self.consumer._checkReturnTo(m, return_to)) + + def test_completeGoodReturnTo(self): + """Test GenericConsumer.complete()'s handling of good + return_to values. + """ + return_to = "http://some.url/path" + + good_return_tos = [ + (return_to, {}), + (return_to + "?another=arg", {(BARE_NS, 'another'): 'arg'}), + (return_to + "?another=arg#fragment", {(BARE_NS, 'another'): 'arg'}), + ("HTTP"+return_to[4:], {}), + (return_to.replace('url','URL'), {}), + ("http://some.url:80/path", {}), + ("http://some.url/p%61th", {}), + ("http://some.url/./path", {}), + ] + + endpoint = None + + for good, extra in good_return_tos: + m = Message(OPENID1_NS) + m.setArg(OPENID_NS, 'mode', 'cancel') + + for ns, key in extra: + m.setArg(ns, key, extra[(ns, key)]) + + m.setArg(OPENID_NS, 'return_to', good) + result = self.consumer.complete(m, endpoint, return_to) + self.failUnless(isinstance(result, CancelResponse), \ + "Expected CancelResponse, got %r for %s" % (result, good,)) + +class MockFetcher(object): + def __init__(self, response=None): + self.response = response or HTTPResponse() + self.fetches = [] + + def fetch(self, url, body=None, headers=None): + self.fetches.append((url, body, headers)) + return self.response + +class ExceptionRaisingMockFetcher(object): + class MyException(Exception): + pass + + def fetch(self, url, body=None, headers=None): + raise self.MyException('mock fetcher exception') + +class BadArgCheckingConsumer(GenericConsumer): + def _makeKVPost(self, args, _): + assert args == { + 'openid.mode':'check_authentication', + 'openid.signed':'foo', + 'openid.ns':OPENID1_NS + }, args + return None + +class TestCheckAuth(unittest.TestCase, CatchLogs): + consumer_class = GenericConsumer + + def setUp(self): + CatchLogs.setUp(self) + self.store = memstore.MemoryStore() + + self.consumer = self.consumer_class(self.store) + + self._orig_fetcher = fetchers.getDefaultFetcher() + self.fetcher = MockFetcher() + fetchers.setDefaultFetcher(self.fetcher) + + def tearDown(self): + CatchLogs.tearDown(self) + fetchers.setDefaultFetcher(self._orig_fetcher, wrap_exceptions=False) + + def test_error(self): + self.fetcher.response = HTTPResponse( + "http://some_url", 404, {'Hea': 'der'}, 'blah:blah\n') + query = {'openid.signed': 'stuff', + 'openid.stuff':'a value'} + r = self.consumer._checkAuth(Message.fromPostArgs(query), + http_server_url) + self.failIf(r) + self.failUnless(self.messages) + + def test_bad_args(self): + query = { + 'openid.signed':'foo', + 'closid.foo':'something', + } + consumer = BadArgCheckingConsumer(self.store) + consumer._checkAuth(Message.fromPostArgs(query), 'does://not.matter') + + + def test_signedList(self): + query = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'sig': 'rabbits', + 'identity': '=example', + 'assoc_handle': 'munchkins', + 'ns.sreg': 'urn:sreg', + 'sreg.email': 'bogus@example.com', + 'signed': 'identity,mode,ns.sreg,sreg.email', + 'foo': 'bar', + }) + args = self.consumer._createCheckAuthRequest(query) + self.failUnless(args.isOpenID1()) + for signed_arg in query.getArg(OPENID_NS, 'signed').split(','): + self.failUnless(args.getAliasedArg(signed_arg), signed_arg) + + def test_112(self): + args = {'openid.assoc_handle': 'fa1f5ff0-cde4-11dc-a183-3714bfd55ca8', + 'openid.claimed_id': 'http://binkley.lan/user/test01', + 'openid.identity': 'http://test01.binkley.lan/', + 'openid.mode': 'id_res', + 'openid.ns': 'http://specs.openid.net/auth/2.0', + 'openid.ns.pape': 'http://specs.openid.net/extensions/pape/1.0', + 'openid.op_endpoint': 'http://binkley.lan/server', + 'openid.pape.auth_policies': 'none', + 'openid.pape.auth_time': '2008-01-28T20:42:36Z', + 'openid.pape.nist_auth_level': '0', + 'openid.response_nonce': '2008-01-28T21:07:04Z99Q=', + 'openid.return_to': 'http://binkley.lan:8001/process?janrain_nonce=2008-01-28T21%3A07%3A02Z0tMIKx', + 'openid.sig': 'YJlWH4U6SroB1HoPkmEKx9AyGGg=', + 'openid.signed': 'assoc_handle,identity,response_nonce,return_to,claimed_id,op_endpoint,pape.auth_time,ns.pape,pape.nist_auth_level,pape.auth_policies' + } + self.failUnlessEqual(OPENID2_NS, args['openid.ns']) + incoming = Message.fromPostArgs(args) + self.failUnless(incoming.isOpenID2()) + car = self.consumer._createCheckAuthRequest(incoming) + expected_args = args.copy() + expected_args['openid.mode'] = 'check_authentication' + expected =Message.fromPostArgs(expected_args) + self.failUnless(expected.isOpenID2()) + self.failUnlessEqual(expected, car) + self.failUnlessEqual(expected_args, car.toPostArgs()) + + + +class TestFetchAssoc(unittest.TestCase, CatchLogs): + consumer_class = GenericConsumer + + def setUp(self): + CatchLogs.setUp(self) + self.store = memstore.MemoryStore() + self.fetcher = MockFetcher() + fetchers.setDefaultFetcher(self.fetcher) + self.consumer = self.consumer_class(self.store) + + def test_error_404(self): + """404 from a kv post raises HTTPFetchingError""" + self.fetcher.response = HTTPResponse( + "http://some_url", 404, {'Hea': 'der'}, 'blah:blah\n') + self.failUnlessRaises( + fetchers.HTTPFetchingError, + self.consumer._makeKVPost, + Message.fromPostArgs({'mode':'associate'}), + "http://server_url") + + def test_error_exception_unwrapped(self): + """Ensure that exceptions are bubbled through from fetchers + when making associations + """ + self.fetcher = ExceptionRaisingMockFetcher() + fetchers.setDefaultFetcher(self.fetcher, wrap_exceptions=False) + self.failUnlessRaises(self.fetcher.MyException, + self.consumer._makeKVPost, + Message.fromPostArgs({'mode':'associate'}), + "http://server_url") + + # exception fetching returns no association + e = OpenIDServiceEndpoint() + e.server_url = 'some://url' + self.failUnlessRaises(self.fetcher.MyException, + self.consumer._getAssociation, e) + + self.failUnlessRaises(self.fetcher.MyException, + self.consumer._checkAuth, + Message.fromPostArgs({'openid.signed':''}), + 'some://url') + + def test_error_exception_wrapped(self): + """Ensure that openid.fetchers.HTTPFetchingError is caught by + the association creation stuff. + """ + self.fetcher = ExceptionRaisingMockFetcher() + # This will wrap exceptions! + fetchers.setDefaultFetcher(self.fetcher) + self.failUnlessRaises(fetchers.HTTPFetchingError, + self.consumer._makeKVPost, + Message.fromOpenIDArgs({'mode':'associate'}), + "http://server_url") + + # exception fetching returns no association + e = OpenIDServiceEndpoint() + e.server_url = 'some://url' + self.failUnless(self.consumer._getAssociation(e) is None) + + msg = Message.fromPostArgs({'openid.signed':''}) + self.failIf(self.consumer._checkAuth(msg, 'some://url')) + + +class TestSuccessResponse(unittest.TestCase): + def setUp(self): + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.claimed_id = 'identity_url' + + def test_extensionResponse(self): + resp = mkSuccess(self.endpoint, { + 'ns.sreg':'urn:sreg', + 'ns.unittest':'urn:unittest', + 'unittest.one':'1', + 'unittest.two':'2', + 'sreg.nickname':'j3h', + 'return_to':'return_to', + }) + utargs = resp.extensionResponse('urn:unittest', False) + self.failUnlessEqual(utargs, {'one':'1', 'two':'2'}) + sregargs = resp.extensionResponse('urn:sreg', False) + self.failUnlessEqual(sregargs, {'nickname':'j3h'}) + + def test_extensionResponseSigned(self): + args = { + 'ns.sreg':'urn:sreg', + 'ns.unittest':'urn:unittest', + 'unittest.one':'1', + 'unittest.two':'2', + 'sreg.nickname':'j3h', + 'sreg.dob':'yesterday', + 'return_to':'return_to', + 'signed': 'sreg.nickname,unittest.one,sreg.dob', + } + + signed_list = ['openid.sreg.nickname', + 'openid.unittest.one', + 'openid.sreg.dob',] + + # Don't use mkSuccess because it creates an all-inclusive + # signed list. + msg = Message.fromOpenIDArgs(args) + resp = SuccessResponse(self.endpoint, msg, signed_list) + + # All args in this NS are signed, so expect all. + sregargs = resp.extensionResponse('urn:sreg', True) + self.failUnlessEqual(sregargs, {'nickname':'j3h', 'dob': 'yesterday'}) + + # Not all args in this NS are signed, so expect None when + # asking for them. + utargs = resp.extensionResponse('urn:unittest', True) + self.failUnlessEqual(utargs, None) + + def test_noReturnTo(self): + resp = mkSuccess(self.endpoint, {}) + self.failUnless(resp.getReturnTo() is None) + + def test_returnTo(self): + resp = mkSuccess(self.endpoint, {'return_to':'return_to'}) + self.failUnlessEqual(resp.getReturnTo(), 'return_to') + + def test_displayIdentifierClaimedId(self): + resp = mkSuccess(self.endpoint, {}) + self.failUnlessEqual(resp.getDisplayIdentifier(), + resp.endpoint.claimed_id) + + def test_displayIdentifierOverride(self): + self.endpoint.display_identifier = "http://input.url/" + resp = mkSuccess(self.endpoint, {}) + self.failUnlessEqual(resp.getDisplayIdentifier(), + "http://input.url/") + +class StubConsumer(object): + def __init__(self): + self.assoc = object() + self.response = None + self.endpoint = None + + def begin(self, service): + auth_req = AuthRequest(service, self.assoc) + self.endpoint = service + return auth_req + + def complete(self, message, endpoint, return_to): + assert endpoint is self.endpoint + return self.response + +class ConsumerTest(unittest.TestCase): + """Tests for high-level consumer.Consumer functions. + + Its GenericConsumer component is stubbed out with StubConsumer. + """ + def setUp(self): + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.claimed_id = self.identity_url = 'http://identity.url/' + self.store = None + self.session = {} + self.consumer = Consumer(self.session, self.store) + self.consumer.consumer = StubConsumer() + self.discovery = Discovery(self.session, + self.identity_url, + self.consumer.session_key_prefix) + + def test_setAssociationPreference(self): + self.consumer.setAssociationPreference([]) + self.failUnless(isinstance(self.consumer.consumer.negotiator, + association.SessionNegotiator)) + self.failUnlessEqual([], + self.consumer.consumer.negotiator.allowed_types) + self.consumer.setAssociationPreference([('HMAC-SHA1', 'DH-SHA1')]) + self.failUnlessEqual([('HMAC-SHA1', 'DH-SHA1')], + self.consumer.consumer.negotiator.allowed_types) + + def withDummyDiscovery(self, callable, dummy_getNextService): + class DummyDisco(object): + def __init__(self, *ignored): + pass + + getNextService = dummy_getNextService + + import openid.consumer.consumer + old_discovery = openid.consumer.consumer.Discovery + try: + openid.consumer.consumer.Discovery = DummyDisco + callable() + finally: + openid.consumer.consumer.Discovery = old_discovery + + def test_beginHTTPError(self): + """Make sure that the discovery HTTP failure case behaves properly + """ + def getNextService(self, ignored): + raise HTTPFetchingError("Unit test") + + def test(): + try: + self.consumer.begin('unused in this test') + except DiscoveryFailure, why: + self.failUnless(why[0].startswith('Error fetching')) + self.failIf(why[0].find('Unit test') == -1) + else: + self.fail('Expected DiscoveryFailure') + + self.withDummyDiscovery(test, getNextService) + + def test_beginNoServices(self): + def getNextService(self, ignored): + return None + + url = 'http://a.user.url/' + def test(): + try: + self.consumer.begin(url) + except DiscoveryFailure, why: + self.failUnless(why[0].startswith('No usable OpenID')) + self.failIf(why[0].find(url) == -1) + else: + self.fail('Expected DiscoveryFailure') + + self.withDummyDiscovery(test, getNextService) + + + def test_beginWithoutDiscovery(self): + # Does this really test anything non-trivial? + result = self.consumer.beginWithoutDiscovery(self.endpoint) + + # The result is an auth request + self.failUnless(isinstance(result, AuthRequest)) + + # Side-effect of calling beginWithoutDiscovery is setting the + # session value to the endpoint attribute of the result + self.failUnless(self.session[self.consumer._token_key] is result.endpoint) + + # The endpoint that we passed in is the endpoint on the auth_request + self.failUnless(result.endpoint is self.endpoint) + + def test_completeEmptySession(self): + text = "failed complete" + + def checkEndpoint(message, endpoint, return_to): + self.failUnless(endpoint is None) + return FailureResponse(endpoint, text) + + self.consumer.consumer.complete = checkEndpoint + + response = self.consumer.complete({}, None) + self.failUnlessEqual(response.status, FAILURE) + self.failUnlessEqual(response.message, text) + self.failUnless(response.identity_url is None) + + def _doResp(self, auth_req, exp_resp): + """complete a transaction, using the expected response from + the generic consumer.""" + # response is an attribute of StubConsumer, returned by + # StubConsumer.complete. + self.consumer.consumer.response = exp_resp + + # endpoint is stored in the session + self.failUnless(self.session) + resp = self.consumer.complete({}, None) + + # All responses should have the same identity URL, and the + # session should be cleaned out + if self.endpoint.claimed_id != IDENTIFIER_SELECT: + self.failUnless(resp.identity_url is self.identity_url) + + self.failIf(self.consumer._token_key in self.session) + + # Expected status response + self.failUnlessEqual(resp.status, exp_resp.status) + + return resp + + def _doRespNoDisco(self, exp_resp): + """Set up a transaction without discovery""" + auth_req = self.consumer.beginWithoutDiscovery(self.endpoint) + resp = self._doResp(auth_req, exp_resp) + # There should be nothing left in the session once we have completed. + self.failIf(self.session) + return resp + + def test_noDiscoCompleteSuccessWithToken(self): + self._doRespNoDisco(mkSuccess(self.endpoint, {})) + + def test_noDiscoCompleteCancelWithToken(self): + self._doRespNoDisco(CancelResponse(self.endpoint)) + + def test_noDiscoCompleteFailure(self): + msg = 'failed!' + resp = self._doRespNoDisco(FailureResponse(self.endpoint, msg)) + self.failUnless(resp.message is msg) + + def test_noDiscoCompleteSetupNeeded(self): + setup_url = 'http://setup.url/' + resp = self._doRespNoDisco( + SetupNeededResponse(self.endpoint, setup_url)) + self.failUnless(resp.setup_url is setup_url) + + # To test that discovery is cleaned up, we need to initialize a + # Yadis manager, and have it put its values in the session. + def _doRespDisco(self, is_clean, exp_resp): + """Set up and execute a transaction, with discovery""" + self.discovery.createManager([self.endpoint], self.identity_url) + auth_req = self.consumer.begin(self.identity_url) + resp = self._doResp(auth_req, exp_resp) + + manager = self.discovery.getManager() + if is_clean: + self.failUnless(self.discovery.getManager() is None, manager) + else: + self.failIf(self.discovery.getManager() is None, manager) + + return resp + + # Cancel and success DO clean up the discovery process + def test_completeSuccess(self): + self._doRespDisco(True, mkSuccess(self.endpoint, {})) + + def test_completeCancel(self): + self._doRespDisco(True, CancelResponse(self.endpoint)) + + # Failure and setup_needed don't clean up the discovery process + def test_completeFailure(self): + msg = 'failed!' + resp = self._doRespDisco(False, FailureResponse(self.endpoint, msg)) + self.failUnless(resp.message is msg) + + def test_completeSetupNeeded(self): + setup_url = 'http://setup.url/' + resp = self._doRespDisco( + False, + SetupNeededResponse(self.endpoint, setup_url)) + self.failUnless(resp.setup_url is setup_url) + + def test_successDifferentURL(self): + """ + Be sure that the session gets cleaned up when the response is + successful and has a different URL than the one in the + request. + """ + # Set up a request endpoint describing an IDP URL + self.identity_url = 'http://idp.url/' + self.endpoint.claimed_id = self.endpoint.local_id = IDENTIFIER_SELECT + + # Use a response endpoint with a different URL (asserted by + # the IDP) + resp_endpoint = OpenIDServiceEndpoint() + resp_endpoint.claimed_id = "http://user.url/" + + resp = self._doRespDisco( + True, + mkSuccess(resp_endpoint, {})) + self.failUnless(self.discovery.getManager(force=True) is None) + + def test_begin(self): + self.discovery.createManager([self.endpoint], self.identity_url) + # Should not raise an exception + auth_req = self.consumer.begin(self.identity_url) + self.failUnless(isinstance(auth_req, AuthRequest)) + self.failUnless(auth_req.endpoint is self.endpoint) + self.failUnless(auth_req.endpoint is self.consumer.consumer.endpoint) + self.failUnless(auth_req.assoc is self.consumer.consumer.assoc) + + + +class IDPDrivenTest(unittest.TestCase): + + def setUp(self): + self.store = GoodAssocStore() + self.consumer = GenericConsumer(self.store) + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.server_url = "http://idp.unittest/" + + + def test_idpDrivenBegin(self): + # Testing here that the token-handling doesn't explode... + self.consumer.begin(self.endpoint) + + + def test_idpDrivenComplete(self): + identifier = '=directed_identifier' + message = Message.fromPostArgs({ + 'openid.identity': '=directed_identifier', + 'openid.return_to': 'x', + 'openid.assoc_handle': 'z', + 'openid.signed': 'identity,return_to', + 'openid.sig': GOODSIG, + }) + + discovered_endpoint = OpenIDServiceEndpoint() + discovered_endpoint.claimed_id = identifier + discovered_endpoint.server_url = self.endpoint.server_url + discovered_endpoint.local_id = identifier + iverified = [] + def verifyDiscoveryResults(identifier, endpoint): + self.failUnless(endpoint is self.endpoint) + iverified.append(discovered_endpoint) + return discovered_endpoint + self.consumer._verifyDiscoveryResults = verifyDiscoveryResults + self.consumer._idResCheckNonce = lambda *args: True + self.consumer._checkReturnTo = lambda unused1, unused2 : True + response = self.consumer._doIdRes(message, self.endpoint, None) + + self.failUnlessSuccess(response) + self.failUnlessEqual(response.identity_url, "=directed_identifier") + + # assert that discovery attempt happens and returns good + self.failUnlessEqual(iverified, [discovered_endpoint]) + + + def test_idpDrivenCompleteFraud(self): + # crap with an identifier that doesn't match discovery info + message = Message.fromPostArgs({ + 'openid.identity': '=directed_identifier', + 'openid.return_to': 'x', + 'openid.assoc_handle': 'z', + 'openid.signed': 'identity,return_to', + 'openid.sig': GOODSIG, + }) + def verifyDiscoveryResults(identifier, endpoint): + raise DiscoveryFailure("PHREAK!", None) + self.consumer._verifyDiscoveryResults = verifyDiscoveryResults + self.consumer._checkReturnTo = lambda unused1, unused2 : True + self.failUnlessRaises(DiscoveryFailure, self.consumer._doIdRes, + message, self.endpoint, None) + + + def failUnlessSuccess(self, response): + if response.status != SUCCESS: + self.fail("Non-successful response: %s" % (response,)) + + + +class TestDiscoveryVerification(unittest.TestCase): + services = [] + + def setUp(self): + self.store = GoodAssocStore() + self.consumer = GenericConsumer(self.store) + + self.consumer._discover = self.discoveryFunc + + self.identifier = "http://idp.unittest/1337" + self.server_url = "http://endpoint.unittest/" + + self.message = Message.fromPostArgs({ + 'openid.ns': OPENID2_NS, + 'openid.identity': self.identifier, + 'openid.claimed_id': self.identifier, + 'openid.op_endpoint': self.server_url, + }) + + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.server_url = self.server_url + + def test_theGoodStuff(self): + endpoint = OpenIDServiceEndpoint() + endpoint.type_uris = [OPENID_2_0_TYPE] + endpoint.claimed_id = self.identifier + endpoint.server_url = self.server_url + endpoint.local_id = self.identifier + self.services = [endpoint] + r = self.consumer._verifyDiscoveryResults(self.message, endpoint) + + self.failUnlessEqual(r, endpoint) + + + def test_otherServer(self): + text = "verify failed" + + def discoverAndVerify(claimed_id, to_match_endpoints): + self.failUnlessEqual(claimed_id, self.identifier) + for to_match in to_match_endpoints: + self.failUnlessEqual(claimed_id, to_match.claimed_id) + raise ProtocolError(text) + + self.consumer._discoverAndVerify = discoverAndVerify + + # a set of things without the stuff + endpoint = OpenIDServiceEndpoint() + endpoint.type_uris = [OPENID_2_0_TYPE] + endpoint.claimed_id = self.identifier + endpoint.server_url = "http://the-MOON.unittest/" + endpoint.local_id = self.identifier + self.services = [endpoint] + try: + r = self.consumer._verifyDiscoveryResults(self.message, endpoint) + except ProtocolError, e: + # Should we make more ProtocolError subclasses? + self.failUnless(str(e), text) + else: + self.fail("expected ProtocolError, %r returned." % (r,)) + + + def test_foreignDelegate(self): + text = "verify failed" + + def discoverAndVerify(claimed_id, to_match_endpoints): + self.failUnlessEqual(claimed_id, self.identifier) + for to_match in to_match_endpoints: + self.failUnlessEqual(claimed_id, to_match.claimed_id) + raise ProtocolError(text) + + self.consumer._discoverAndVerify = discoverAndVerify + + # a set of things with the server stuff but other delegate + endpoint = OpenIDServiceEndpoint() + endpoint.type_uris = [OPENID_2_0_TYPE] + endpoint.claimed_id = self.identifier + endpoint.server_url = self.server_url + endpoint.local_id = "http://unittest/juan-carlos" + + try: + r = self.consumer._verifyDiscoveryResults(self.message, endpoint) + except ProtocolError, e: + self.failUnlessEqual(str(e), text) + else: + self.fail("Exepected ProtocolError, %r returned" % (r,)) + + def test_nothingDiscovered(self): + # a set of no things. + self.services = [] + self.failUnlessRaises(DiscoveryFailure, + self.consumer._verifyDiscoveryResults, + self.message, self.endpoint) + + + def discoveryFunc(self, identifier): + return identifier, self.services + + +class TestCreateAssociationRequest(unittest.TestCase): + def setUp(self): + class DummyEndpoint(object): + use_compatibility = False + + def compatibilityMode(self): + return self.use_compatibility + + self.endpoint = DummyEndpoint() + self.consumer = GenericConsumer(store=None) + self.assoc_type = 'HMAC-SHA1' + + def test_noEncryptionSendsType(self): + session_type = 'no-encryption' + session, args = self.consumer._createAssociateRequest( + self.endpoint, self.assoc_type, session_type) + + self.failUnless(isinstance(session, PlainTextConsumerSession)) + expected = Message.fromOpenIDArgs( + {'ns':OPENID2_NS, + 'session_type':session_type, + 'mode':'associate', + 'assoc_type':self.assoc_type, + }) + + self.failUnlessEqual(expected, args) + + def test_noEncryptionCompatibility(self): + self.endpoint.use_compatibility = True + session_type = 'no-encryption' + session, args = self.consumer._createAssociateRequest( + self.endpoint, self.assoc_type, session_type) + + self.failUnless(isinstance(session, PlainTextConsumerSession)) + self.failUnlessEqual(Message.fromOpenIDArgs({'mode':'associate', + 'assoc_type':self.assoc_type, + }), args) + + def test_dhSHA1Compatibility(self): + # Set the consumer's session type to a fast session since we + # need it here. + setConsumerSession(self.consumer) + + self.endpoint.use_compatibility = True + session_type = 'DH-SHA1' + session, args = self.consumer._createAssociateRequest( + self.endpoint, self.assoc_type, session_type) + + self.failUnless(isinstance(session, DiffieHellmanSHA1ConsumerSession)) + + # This is a random base-64 value, so just check that it's + # present. + self.failUnless(args.getArg(OPENID1_NS, 'dh_consumer_public')) + args.delArg(OPENID1_NS, 'dh_consumer_public') + + # OK, session_type is set here and not for no-encryption + # compatibility + expected = Message.fromOpenIDArgs({'mode':'associate', + 'session_type':'DH-SHA1', + 'assoc_type':self.assoc_type, + 'dh_modulus': 'BfvStQ==', + 'dh_gen': 'Ag==', + }) + + self.failUnlessEqual(expected, args) + + # XXX: test the other types + +class TestDiffieHellmanResponseParameters(object): + session_cls = None + message_namespace = None + + def setUp(self): + # Pre-compute DH with small prime so tests run quickly. + self.server_dh = DiffieHellman(100389557, 2) + self.consumer_dh = DiffieHellman(100389557, 2) + + # base64(btwoc(g ^ xb mod p)) + self.dh_server_public = cryptutil.longToBase64(self.server_dh.public) + + self.secret = cryptutil.randomString(self.session_cls.secret_size) + + self.enc_mac_key = oidutil.toBase64( + self.server_dh.xorSecret(self.consumer_dh.public, + self.secret, + self.session_cls.hash_func)) + + self.consumer_session = self.session_cls(self.consumer_dh) + + self.msg = Message(self.message_namespace) + + def testExtractSecret(self): + self.msg.setArg(OPENID_NS, 'dh_server_public', self.dh_server_public) + self.msg.setArg(OPENID_NS, 'enc_mac_key', self.enc_mac_key) + + extracted = self.consumer_session.extractSecret(self.msg) + self.failUnlessEqual(extracted, self.secret) + + def testAbsentServerPublic(self): + self.msg.setArg(OPENID_NS, 'enc_mac_key', self.enc_mac_key) + + self.failUnlessRaises(KeyError, self.consumer_session.extractSecret, self.msg) + + def testAbsentMacKey(self): + self.msg.setArg(OPENID_NS, 'dh_server_public', self.dh_server_public) + + self.failUnlessRaises(KeyError, self.consumer_session.extractSecret, self.msg) + + def testInvalidBase64Public(self): + self.msg.setArg(OPENID_NS, 'dh_server_public', 'n o t b a s e 6 4.') + self.msg.setArg(OPENID_NS, 'enc_mac_key', self.enc_mac_key) + + self.failUnlessRaises(ValueError, self.consumer_session.extractSecret, self.msg) + + def testInvalidBase64MacKey(self): + self.msg.setArg(OPENID_NS, 'dh_server_public', self.dh_server_public) + self.msg.setArg(OPENID_NS, 'enc_mac_key', 'n o t base 64') + + self.failUnlessRaises(ValueError, self.consumer_session.extractSecret, self.msg) + +class TestOpenID1SHA1(TestDiffieHellmanResponseParameters, unittest.TestCase): + session_cls = DiffieHellmanSHA1ConsumerSession + message_namespace = OPENID1_NS + +class TestOpenID2SHA1(TestDiffieHellmanResponseParameters, unittest.TestCase): + session_cls = DiffieHellmanSHA1ConsumerSession + message_namespace = OPENID2_NS + +if cryptutil.SHA256_AVAILABLE: + class TestOpenID2SHA256(TestDiffieHellmanResponseParameters, unittest.TestCase): + session_cls = DiffieHellmanSHA256ConsumerSession + message_namespace = OPENID2_NS +else: + warnings.warn("Not running SHA256 association session tests.") + +class TestNoStore(unittest.TestCase): + def setUp(self): + self.consumer = GenericConsumer(None) + + def test_completeNoGetAssoc(self): + """_getAssociation is never called when the store is None""" + def notCalled(unused): + self.fail('This method was unexpectedly called') + + endpoint = OpenIDServiceEndpoint() + endpoint.claimed_id = 'identity_url' + + self.consumer._getAssociation = notCalled + auth_request = self.consumer.begin(endpoint) + # _getAssociation was not called + + + + +class NonAnonymousAuthRequest(object): + endpoint = 'unused' + + def setAnonymous(self, unused): + raise ValueError('Should trigger ProtocolError') + +class TestConsumerAnonymous(unittest.TestCase): + def test_beginWithoutDiscoveryAnonymousFail(self): + """Make sure that ValueError for setting an auth request + anonymous gets converted to a ProtocolError + """ + sess = {} + consumer = Consumer(sess, None) + def bogusBegin(unused): + return NonAnonymousAuthRequest() + consumer.consumer.begin = bogusBegin + self.failUnlessRaises( + ProtocolError, + consumer.beginWithoutDiscovery, None) + + +class TestDiscoverAndVerify(unittest.TestCase): + def setUp(self): + self.consumer = GenericConsumer(None) + self.discovery_result = None + def dummyDiscover(unused_identifier): + return self.discovery_result + self.consumer._discover = dummyDiscover + self.to_match = OpenIDServiceEndpoint() + + def failUnlessDiscoveryFailure(self): + self.failUnlessRaises( + DiscoveryFailure, + self.consumer._discoverAndVerify, + 'http://claimed-id.com/', + [self.to_match]) + + def test_noServices(self): + """Discovery returning no results results in a + DiscoveryFailure exception""" + self.discovery_result = (None, []) + self.failUnlessDiscoveryFailure() + + def test_noMatches(self): + """If no discovered endpoint matches the values from the + assertion, then we end up raising a ProtocolError + """ + self.discovery_result = (None, ['unused']) + def raiseProtocolError(unused1, unused2): + raise ProtocolError('unit test') + self.consumer._verifyDiscoverySingle = raiseProtocolError + self.failUnlessDiscoveryFailure() + + def test_matches(self): + """If an endpoint matches, we return it + """ + # Discovery returns a single "endpoint" object + matching_endpoint = 'matching endpoint' + self.discovery_result = (None, [matching_endpoint]) + + # Make verifying discovery return True for this endpoint + def returnTrue(unused1, unused2): + return True + self.consumer._verifyDiscoverySingle = returnTrue + + # Since _verifyDiscoverySingle returns True, we should get the + # first endpoint that we passed in as a result. + result = self.consumer._discoverAndVerify( + 'http://claimed.id/', [self.to_match]) + self.failUnlessEqual(matching_endpoint, result) + +from openid.extension import Extension +class SillyExtension(Extension): + ns_uri = 'http://silly.example.com/' + ns_alias = 'silly' + + def getExtensionArgs(self): + return {'i_am':'silly'} + +class TestAddExtension(unittest.TestCase): + + def test_SillyExtension(self): + ext = SillyExtension() + ar = AuthRequest(OpenIDServiceEndpoint(), None) + ar.addExtension(ext) + ext_args = ar.message.getArgs(ext.ns_uri) + self.failUnlessEqual(ext.getExtensionArgs(), ext_args) + + + +class TestKVPost(unittest.TestCase): + def setUp(self): + self.server_url = 'http://unittest/%s' % (self.id(),) + + def test_200(self): + from openid.fetchers import HTTPResponse + response = HTTPResponse() + response.status = 200 + response.body = "foo:bar\nbaz:quux\n" + r = _httpResponseToMessage(response, self.server_url) + expected_msg = Message.fromOpenIDArgs({'foo':'bar','baz':'quux'}) + self.failUnlessEqual(expected_msg, r) + + + def test_400(self): + response = HTTPResponse() + response.status = 400 + response.body = "error:bonk\nerror_code:7\n" + try: + r = _httpResponseToMessage(response, self.server_url) + except ServerError, e: + self.failUnlessEqual(e.error_text, 'bonk') + self.failUnlessEqual(e.error_code, '7') + else: + self.fail("Expected ServerError, got return %r" % (r,)) + + + def test_500(self): + # 500 as an example of any non-200, non-400 code. + response = HTTPResponse() + response.status = 500 + response.body = "foo:bar\nbaz:quux\n" + self.failUnlessRaises(fetchers.HTTPFetchingError, + _httpResponseToMessage, response, + self.server_url) + + + + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_discover.py b/askbot/deps/openid/test/test_discover.py new file mode 100644 index 00000000..fca93631 --- /dev/null +++ b/askbot/deps/openid/test/test_discover.py @@ -0,0 +1,783 @@ +import sys +import unittest +import datadriven +import os.path +from openid import fetchers +from openid.fetchers import HTTPResponse +from openid.yadis.discover import DiscoveryFailure +from openid.consumer import discover +from openid.yadis import xrires +from openid.yadis.xri import XRI +from urlparse import urlsplit +from openid import message + +### Tests for conditions that trigger DiscoveryFailure + +class SimpleMockFetcher(object): + def __init__(self, responses): + self.responses = list(responses) + + def fetch(self, url, body=None, headers=None): + response = self.responses.pop(0) + assert body is None + assert response.final_url == url + return response + +class TestDiscoveryFailure(datadriven.DataDrivenTestCase): + cases = [ + [HTTPResponse('http://network.error/', None)], + [HTTPResponse('http://not.found/', 404)], + [HTTPResponse('http://bad.request/', 400)], + [HTTPResponse('http://server.error/', 500)], + [HTTPResponse('http://header.found/', 200, + headers={'x-xrds-location':'http://xrds.missing/'}), + HTTPResponse('http://xrds.missing/', 404)], + ] + + def __init__(self, responses): + self.url = responses[0].final_url + datadriven.DataDrivenTestCase.__init__(self, self.url) + self.responses = responses + + def setUp(self): + fetcher = SimpleMockFetcher(self.responses) + fetchers.setDefaultFetcher(fetcher) + + def tearDown(self): + fetchers.setDefaultFetcher(None) + + def runOneTest(self): + expected_status = self.responses[-1].status + try: + discover.discover(self.url) + except DiscoveryFailure, why: + self.failUnlessEqual(why.http_response.status, expected_status) + else: + self.fail('Did not raise DiscoveryFailure') + + +### Tests for raising/catching exceptions from the fetcher through the +### discover function + +# Python 2.5 displays a message when running this test, which is +# testing the behaviour in the presence of string exceptions, +# deprecated or not, so tell it no to complain when this particular +# string exception is raised. +import warnings +warnings.filterwarnings('ignore', 'raising a string.*', DeprecationWarning, + r'^openid\.test\.test_discover$', 77) + +class ErrorRaisingFetcher(object): + """Just raise an exception when fetch is called""" + + def __init__(self, thing_to_raise): + self.thing_to_raise = thing_to_raise + + def fetch(self, url, body=None, headers=None): + raise self.thing_to_raise + +class DidFetch(Exception): + """Custom exception just to make sure it's not handled differently""" + +class TestFetchException(datadriven.DataDrivenTestCase): + """Make sure exceptions get passed through discover function from + fetcher.""" + + cases = [ + Exception(), + DidFetch(), + ValueError(), + RuntimeError(), + ] + + # String exceptions are finally gone from Python 2.6. + if sys.version_info[:2] < (2, 6): + cases.append('oi!') + + def __init__(self, exc): + datadriven.DataDrivenTestCase.__init__(self, repr(exc)) + self.exc = exc + + def setUp(self): + fetcher = ErrorRaisingFetcher(self.exc) + fetchers.setDefaultFetcher(fetcher, wrap_exceptions=False) + + def tearDown(self): + fetchers.setDefaultFetcher(None) + + def runOneTest(self): + try: + discover.discover('http://doesnt.matter/') + except: + exc = sys.exc_info()[1] + if exc is None: + # str exception + self.failUnless(self.exc is sys.exc_info()[0]) + else: + self.failUnless(self.exc is exc, exc) + else: + self.fail('Expected %r', self.exc) + + +### Tests for openid.consumer.discover.discover + +class TestNormalization(unittest.TestCase): + def testAddingProtocol(self): + f = ErrorRaisingFetcher(RuntimeError()) + fetchers.setDefaultFetcher(f, wrap_exceptions=False) + + try: + discover.discover('users.stompy.janrain.com:8000/x') + except DiscoveryFailure, why: + self.fail('failed to parse url with port correctly') + except RuntimeError: + pass #expected + + fetchers.setDefaultFetcher(None) + + +class DiscoveryMockFetcher(object): + redirect = None + + def __init__(self, documents): + self.documents = documents + self.fetchlog = [] + + def fetch(self, url, body=None, headers=None): + self.fetchlog.append((url, body, headers)) + if self.redirect: + final_url = self.redirect + else: + final_url = url + + try: + ctype, body = self.documents[url] + except KeyError: + status = 404 + ctype = 'text/plain' + body = '' + else: + status = 200 + + return HTTPResponse(final_url, status, {'content-type': ctype}, body) + +# from twisted.trial import unittest as trialtest + +class BaseTestDiscovery(unittest.TestCase): + id_url = "http://someuser.unittest/" + + documents = {} + fetcherClass = DiscoveryMockFetcher + + def _checkService(self, s, + server_url, + claimed_id=None, + local_id=None, + canonical_id=None, + types=None, + used_yadis=False, + display_identifier=None + ): + self.failUnlessEqual(server_url, s.server_url) + if types == ['2.0 OP']: + self.failIf(claimed_id) + self.failIf(local_id) + self.failIf(s.claimed_id) + self.failIf(s.local_id) + self.failIf(s.getLocalID()) + self.failIf(s.compatibilityMode()) + self.failUnless(s.isOPIdentifier()) + self.failUnlessEqual(s.preferredNamespace(), + discover.OPENID_2_0_MESSAGE_NS) + else: + self.failUnlessEqual(claimed_id, s.claimed_id) + self.failUnlessEqual(local_id, s.getLocalID()) + + if used_yadis: + self.failUnless(s.used_yadis, "Expected to use Yadis") + else: + self.failIf(s.used_yadis, + "Expected to use old-style discovery") + + openid_types = { + '1.1': discover.OPENID_1_1_TYPE, + '1.0': discover.OPENID_1_0_TYPE, + '2.0': discover.OPENID_2_0_TYPE, + '2.0 OP': discover.OPENID_IDP_2_0_TYPE, + } + + type_uris = [openid_types[t] for t in types] + self.failUnlessEqual(type_uris, s.type_uris) + self.failUnlessEqual(canonical_id, s.canonicalID) + + if s.canonicalID: + self.failUnless(s.getDisplayIdentifier() != claimed_id) + self.failUnless(s.getDisplayIdentifier() is not None) + self.failUnlessEqual(display_identifier, s.getDisplayIdentifier()) + self.failUnlessEqual(s.claimed_id, s.canonicalID) + + self.failUnlessEqual(s.display_identifier or s.claimed_id, s.getDisplayIdentifier()) + + def setUp(self): + self.documents = self.documents.copy() + self.fetcher = self.fetcherClass(self.documents) + fetchers.setDefaultFetcher(self.fetcher) + + def tearDown(self): + fetchers.setDefaultFetcher(None) + +def readDataFile(filename): + module_directory = os.path.dirname(os.path.abspath(__file__)) + filename = os.path.join( + module_directory, 'data', 'test_discover', filename) + return file(filename).read() + +class TestDiscovery(BaseTestDiscovery): + def _discover(self, content_type, data, + expected_services, expected_id=None): + if expected_id is None: + expected_id = self.id_url + + self.documents[self.id_url] = (content_type, data) + id_url, services = discover.discover(self.id_url) + self.failUnlessEqual(expected_services, len(services)) + self.failUnlessEqual(expected_id, id_url) + return services + + def test_404(self): + self.failUnlessRaises(DiscoveryFailure, + discover.discover, self.id_url + '/404') + + def test_noOpenID(self): + services = self._discover(content_type='text/plain', + data="junk", + expected_services=0) + + services = self._discover( + content_type='text/html', + data=readDataFile('openid_no_delegate.html'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=False, + types=['1.1'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id=self.id_url, + ) + + def test_html1(self): + services = self._discover( + content_type='text/html', + data=readDataFile('openid.html'), + expected_services=1) + + + self._checkService( + services[0], + used_yadis=False, + types=['1.1'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id='http://smoker.myopenid.com/', + display_identifier=self.id_url, + ) + + def test_html1Fragment(self): + """Ensure that the Claimed Identifier does not have a fragment + if one is supplied in the User Input.""" + content_type = 'text/html' + data = readDataFile('openid.html') + expected_services = 1 + + self.documents[self.id_url] = (content_type, data) + expected_id = self.id_url + self.id_url = self.id_url + '#fragment' + id_url, services = discover.discover(self.id_url) + self.failUnlessEqual(expected_services, len(services)) + self.failUnlessEqual(expected_id, id_url) + + self._checkService( + services[0], + used_yadis=False, + types=['1.1'], + server_url="http://www.myopenid.com/server", + claimed_id=expected_id, + local_id='http://smoker.myopenid.com/', + display_identifier=expected_id, + ) + + def test_html2(self): + services = self._discover( + content_type='text/html', + data=readDataFile('openid2.html'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=False, + types=['2.0'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id='http://smoker.myopenid.com/', + display_identifier=self.id_url, + ) + + def test_html1And2(self): + services = self._discover( + content_type='text/html', + data=readDataFile('openid_1_and_2.html'), + expected_services=2, + ) + + for t, s in zip(['2.0', '1.1'], services): + self._checkService( + s, + used_yadis=False, + types=[t], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id='http://smoker.myopenid.com/', + display_identifier=self.id_url, + ) + + def test_yadisEmpty(self): + services = self._discover(content_type='application/xrds+xml', + data=readDataFile('yadis_0entries.xml'), + expected_services=0) + + def test_htmlEmptyYadis(self): + """HTML document has discovery information, but points to an + empty Yadis document.""" + # The XRDS document pointed to by "openid_and_yadis.html" + self.documents[self.id_url + 'xrds'] = ( + 'application/xrds+xml', readDataFile('yadis_0entries.xml')) + + services = self._discover(content_type='text/html', + data=readDataFile('openid_and_yadis.html'), + expected_services=1) + + self._checkService( + services[0], + used_yadis=False, + types=['1.1'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id='http://smoker.myopenid.com/', + display_identifier=self.id_url, + ) + + def test_yadis1NoDelegate(self): + services = self._discover(content_type='application/xrds+xml', + data=readDataFile('yadis_no_delegate.xml'), + expected_services=1) + + self._checkService( + services[0], + used_yadis=True, + types=['1.0'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id=self.id_url, + display_identifier=self.id_url, + ) + + def test_yadis2NoLocalID(self): + services = self._discover( + content_type='application/xrds+xml', + data=readDataFile('openid2_xrds_no_local_id.xml'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=True, + types=['2.0'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id=self.id_url, + display_identifier=self.id_url, + ) + + def test_yadis2(self): + services = self._discover( + content_type='application/xrds+xml', + data=readDataFile('openid2_xrds.xml'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=True, + types=['2.0'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id='http://smoker.myopenid.com/', + display_identifier=self.id_url, + ) + + def test_yadis2OP(self): + services = self._discover( + content_type='application/xrds+xml', + data=readDataFile('yadis_idp.xml'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=True, + types=['2.0 OP'], + server_url="http://www.myopenid.com/server", + display_identifier=self.id_url, + ) + + def test_yadis2OPDelegate(self): + """The delegate tag isn't meaningful for OP entries.""" + services = self._discover( + content_type='application/xrds+xml', + data=readDataFile('yadis_idp_delegate.xml'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=True, + types=['2.0 OP'], + server_url="http://www.myopenid.com/server", + display_identifier=self.id_url, + ) + + def test_yadis2BadLocalID(self): + self.failUnlessRaises(DiscoveryFailure, self._discover, + content_type='application/xrds+xml', + data=readDataFile('yadis_2_bad_local_id.xml'), + expected_services=1, + ) + + def test_yadis1And2(self): + services = self._discover( + content_type='application/xrds+xml', + data=readDataFile('openid_1_and_2_xrds.xml'), + expected_services=1, + ) + + self._checkService( + services[0], + used_yadis=True, + types=['2.0', '1.1'], + server_url="http://www.myopenid.com/server", + claimed_id=self.id_url, + local_id='http://smoker.myopenid.com/', + display_identifier=self.id_url, + ) + + def test_yadis1And2BadLocalID(self): + self.failUnlessRaises(DiscoveryFailure, self._discover, + content_type='application/xrds+xml', + data=readDataFile('openid_1_and_2_xrds_bad_delegate.xml'), + expected_services=1, + ) + +class MockFetcherForXRIProxy(object): + + def __init__(self, documents, proxy_url=xrires.DEFAULT_PROXY): + self.documents = documents + self.fetchlog = [] + self.proxy_url = None + + + def fetch(self, url, body=None, headers=None): + self.fetchlog.append((url, body, headers)) + + u = urlsplit(url) + proxy_host = u[1] + xri = u[2] + query = u[3] + + if not headers and not query: + raise ValueError("No headers or query; you probably didn't " + "mean to do that.") + + if xri.startswith('/'): + xri = xri[1:] + + try: + ctype, body = self.documents[xri] + except KeyError: + status = 404 + ctype = 'text/plain' + body = '' + else: + status = 200 + + return HTTPResponse(url, status, {'content-type': ctype}, body) + + +class TestXRIDiscovery(BaseTestDiscovery): + fetcherClass = MockFetcherForXRIProxy + + documents = {'=smoker': ('application/xrds+xml', + readDataFile('yadis_2entries_delegate.xml')), + '=smoker*bad': ('application/xrds+xml', + readDataFile('yadis_another_delegate.xml')) } + + def test_xri(self): + user_xri, services = discover.discoverXRI('=smoker') + + self._checkService( + services[0], + used_yadis=True, + types=['1.0'], + server_url="http://www.myopenid.com/server", + claimed_id=XRI("=!1000"), + canonical_id=XRI("=!1000"), + local_id='http://smoker.myopenid.com/', + display_identifier='=smoker' + ) + + self._checkService( + services[1], + used_yadis=True, + types=['1.0'], + server_url="http://www.livejournal.com/openid/server.bml", + claimed_id=XRI("=!1000"), + canonical_id=XRI("=!1000"), + local_id='http://frank.livejournal.com/', + display_identifier='=smoker' + ) + + def test_xri_normalize(self): + user_xri, services = discover.discoverXRI('xri://=smoker') + + self._checkService( + services[0], + used_yadis=True, + types=['1.0'], + server_url="http://www.myopenid.com/server", + claimed_id=XRI("=!1000"), + canonical_id=XRI("=!1000"), + local_id='http://smoker.myopenid.com/', + display_identifier='=smoker' + ) + + self._checkService( + services[1], + used_yadis=True, + types=['1.0'], + server_url="http://www.livejournal.com/openid/server.bml", + claimed_id=XRI("=!1000"), + canonical_id=XRI("=!1000"), + local_id='http://frank.livejournal.com/', + display_identifier='=smoker' + ) + + def test_xriNoCanonicalID(self): + user_xri, services = discover.discoverXRI('=smoker*bad') + self.failIf(services) + + def test_useCanonicalID(self): + """When there is no delegate, the CanonicalID should be used with XRI. + """ + endpoint = discover.OpenIDServiceEndpoint() + endpoint.claimed_id = XRI("=!1000") + endpoint.canonicalID = XRI("=!1000") + self.failUnlessEqual(endpoint.getLocalID(), XRI("=!1000")) + + +class TestXRIDiscoveryIDP(BaseTestDiscovery): + fetcherClass = MockFetcherForXRIProxy + + documents = {'=smoker': ('application/xrds+xml', + readDataFile('yadis_2entries_idp.xml')) } + + def test_xri(self): + user_xri, services = discover.discoverXRI('=smoker') + self.failUnless(services, "Expected services, got zero") + self.failUnlessEqual(services[0].server_url, + "http://www.livejournal.com/openid/server.bml") + + +class TestPreferredNamespace(datadriven.DataDrivenTestCase): + def __init__(self, expected_ns, type_uris): + datadriven.DataDrivenTestCase.__init__( + self, 'Expecting %s from %s' % (expected_ns, type_uris)) + self.expected_ns = expected_ns + self.type_uris = type_uris + + def runOneTest(self): + endpoint = discover.OpenIDServiceEndpoint() + endpoint.type_uris = self.type_uris + actual_ns = endpoint.preferredNamespace() + self.failUnlessEqual(actual_ns, self.expected_ns) + + cases = [ + (message.OPENID1_NS, []), + (message.OPENID1_NS, ['http://jyte.com/']), + (message.OPENID1_NS, [discover.OPENID_1_0_TYPE]), + (message.OPENID1_NS, [discover.OPENID_1_1_TYPE]), + (message.OPENID2_NS, [discover.OPENID_2_0_TYPE]), + (message.OPENID2_NS, [discover.OPENID_IDP_2_0_TYPE]), + (message.OPENID2_NS, [discover.OPENID_2_0_TYPE, + discover.OPENID_1_0_TYPE]), + (message.OPENID2_NS, [discover.OPENID_1_0_TYPE, + discover.OPENID_2_0_TYPE]), + ] + +class TestIsOPIdentifier(unittest.TestCase): + def setUp(self): + self.endpoint = discover.OpenIDServiceEndpoint() + + def test_none(self): + self.failIf(self.endpoint.isOPIdentifier()) + + def test_openid1_0(self): + self.endpoint.type_uris = [discover.OPENID_1_0_TYPE] + self.failIf(self.endpoint.isOPIdentifier()) + + def test_openid1_1(self): + self.endpoint.type_uris = [discover.OPENID_1_1_TYPE] + self.failIf(self.endpoint.isOPIdentifier()) + + def test_openid2(self): + self.endpoint.type_uris = [discover.OPENID_2_0_TYPE] + self.failIf(self.endpoint.isOPIdentifier()) + + def test_openid2OP(self): + self.endpoint.type_uris = [discover.OPENID_IDP_2_0_TYPE] + self.failUnless(self.endpoint.isOPIdentifier()) + + def test_multipleMissing(self): + self.endpoint.type_uris = [discover.OPENID_2_0_TYPE, + discover.OPENID_1_0_TYPE] + self.failIf(self.endpoint.isOPIdentifier()) + + def test_multiplePresent(self): + self.endpoint.type_uris = [discover.OPENID_2_0_TYPE, + discover.OPENID_1_0_TYPE, + discover.OPENID_IDP_2_0_TYPE] + self.failUnless(self.endpoint.isOPIdentifier()) + +class TestFromOPEndpointURL(unittest.TestCase): + def setUp(self): + self.op_endpoint_url = 'http://example.com/op/endpoint' + self.endpoint = discover.OpenIDServiceEndpoint.fromOPEndpointURL( + self.op_endpoint_url) + + def test_isOPEndpoint(self): + self.failUnless(self.endpoint.isOPIdentifier()) + + def test_noIdentifiers(self): + self.failUnlessEqual(self.endpoint.getLocalID(), None) + self.failUnlessEqual(self.endpoint.claimed_id, None) + + def test_compatibility(self): + self.failIf(self.endpoint.compatibilityMode()) + + def test_canonicalID(self): + self.failUnlessEqual(self.endpoint.canonicalID, None) + + def test_serverURL(self): + self.failUnlessEqual(self.endpoint.server_url, self.op_endpoint_url) + +class TestDiscoverFunction(unittest.TestCase): + def setUp(self): + self._old_discoverURI = discover.discoverURI + self._old_discoverXRI = discover.discoverXRI + + discover.discoverXRI = self.discoverXRI + discover.discoverURI = self.discoverURI + + def tearDown(self): + discover.discoverURI = self._old_discoverURI + discover.discoverXRI = self._old_discoverXRI + + def discoverXRI(self, identifier): + return 'XRI' + + def discoverURI(self, identifier): + return 'URI' + + def test_uri(self): + self.failUnlessEqual('URI', discover.discover('http://woo!')) + + def test_uriForBogus(self): + self.failUnlessEqual('URI', discover.discover('not a URL or XRI')) + + def test_xri(self): + self.failUnlessEqual('XRI', discover.discover('xri://=something')) + + def test_xriChar(self): + self.failUnlessEqual('XRI', discover.discover('=something')) + +class TestEndpointSupportsType(unittest.TestCase): + def setUp(self): + self.endpoint = discover.OpenIDServiceEndpoint() + + def failUnlessSupportsOnly(self, *types): + for t in [ + 'foo', + discover.OPENID_1_1_TYPE, + discover.OPENID_1_0_TYPE, + discover.OPENID_2_0_TYPE, + discover.OPENID_IDP_2_0_TYPE, + ]: + if t in types: + self.failUnless(self.endpoint.supportsType(t), + "Must support %r" % (t,)) + else: + self.failIf(self.endpoint.supportsType(t), + "Shouldn't support %r" % (t,)) + + def test_supportsNothing(self): + self.failUnlessSupportsOnly() + + def test_openid2(self): + self.endpoint.type_uris = [discover.OPENID_2_0_TYPE] + self.failUnlessSupportsOnly(discover.OPENID_2_0_TYPE) + + def test_openid2provider(self): + self.endpoint.type_uris = [discover.OPENID_IDP_2_0_TYPE] + self.failUnlessSupportsOnly(discover.OPENID_IDP_2_0_TYPE, + discover.OPENID_2_0_TYPE) + + def test_openid1_0(self): + self.endpoint.type_uris = [discover.OPENID_1_0_TYPE] + self.failUnlessSupportsOnly(discover.OPENID_1_0_TYPE) + + def test_openid1_1(self): + self.endpoint.type_uris = [discover.OPENID_1_1_TYPE] + self.failUnlessSupportsOnly(discover.OPENID_1_1_TYPE) + + def test_multiple(self): + self.endpoint.type_uris = [discover.OPENID_1_1_TYPE, + discover.OPENID_2_0_TYPE] + self.failUnlessSupportsOnly(discover.OPENID_1_1_TYPE, + discover.OPENID_2_0_TYPE) + + def test_multipleWithProvider(self): + self.endpoint.type_uris = [discover.OPENID_1_1_TYPE, + discover.OPENID_2_0_TYPE, + discover.OPENID_IDP_2_0_TYPE] + self.failUnlessSupportsOnly(discover.OPENID_1_1_TYPE, + discover.OPENID_2_0_TYPE, + discover.OPENID_IDP_2_0_TYPE, + ) + + +class TestEndpointDisplayIdentifier(unittest.TestCase): + def test_strip_fragment(self): + endpoint = discover.OpenIDServiceEndpoint() + endpoint.claimed_id = 'http://recycled.invalid/#123' + self.failUnlessEqual('http://recycled.invalid/', endpoint.getDisplayIdentifier()) + + +def pyUnitTests(): + return datadriven.loadTests(__name__) + +if __name__ == '__main__': + suite = pyUnitTests() + runner = unittest.TextTestRunner() + runner.run(suite) diff --git a/askbot/deps/openid/test/test_etxrd.py b/askbot/deps/openid/test/test_etxrd.py new file mode 100644 index 00000000..51cd27f6 --- /dev/null +++ b/askbot/deps/openid/test/test_etxrd.py @@ -0,0 +1,194 @@ +import unittest +from openid.yadis import services, etxrd, xri +import os.path + +def datapath(filename): + module_directory = os.path.dirname(os.path.abspath(__file__)) + return os.path.join(module_directory, 'data', 'test_etxrd', filename) + +XRD_FILE = datapath('valid-populated-xrds.xml') +NOXRDS_FILE = datapath('not-xrds.xml') +NOXRD_FILE = datapath('no-xrd.xml') + +# None of the namespaces or service URIs below are official (or even +# sanctioned by the owners of that piece of URL-space) + +LID_2_0 = "http://lid.netmesh.org/sso/2.0b5" +TYPEKEY_1_0 = "http://typekey.com/services/1.0" + +def simpleOpenIDTransformer(endpoint): + """Function to extract information from an OpenID service element""" + if 'http://openid.net/signon/1.0' not in endpoint.type_uris: + return None + + delegates = list(endpoint.service_element.findall( + '{http://openid.net/xmlns/1.0}Delegate')) + assert len(delegates) == 1 + delegate = delegates[0].text + return (endpoint.uri, delegate) + +class TestServiceParser(unittest.TestCase): + def setUp(self): + self.xmldoc = file(XRD_FILE).read() + self.yadis_url = 'http://unittest.url/' + + def _getServices(self, flt=None): + return list(services.applyFilter(self.yadis_url, self.xmldoc, flt)) + + def testParse(self): + """Make sure that parsing succeeds at all""" + services = self._getServices() + + def testParseOpenID(self): + """Parse for OpenID services with a transformer function""" + services = self._getServices(simpleOpenIDTransformer) + + expectedServices = [ + ("http://www.myopenid.com/server", "http://josh.myopenid.com/"), + ("http://www.schtuff.com/openid", "http://users.schtuff.com/josh"), + ("http://www.livejournal.com/openid/server.bml", + "http://www.livejournal.com/users/nedthealpaca/"), + ] + + it = iter(services) + for (server_url, delegate) in expectedServices: + for (actual_url, actual_delegate) in it: + self.failUnlessEqual(server_url, actual_url) + self.failUnlessEqual(delegate, actual_delegate) + break + else: + self.fail('Not enough services found') + + def _checkServices(self, expectedServices): + """Check to make sure that the expected services are found in + that order in the parsed document.""" + it = iter(self._getServices()) + for (type_uri, uri) in expectedServices: + for service in it: + if type_uri in service.type_uris: + self.failUnlessEqual(service.uri, uri) + break + else: + self.fail('Did not find %r service' % (type_uri,)) + + def testGetSeveral(self): + """Get some services in order""" + expectedServices = [ + # type, URL + (TYPEKEY_1_0, None), + (LID_2_0, "http://mylid.net/josh"), + ] + + self._checkServices(expectedServices) + + def testGetSeveralForOne(self): + """Getting services for one Service with several Type elements.""" + types = [ 'http://lid.netmesh.org/sso/2.0b5' + , 'http://lid.netmesh.org/2.0b5' + ] + + uri = "http://mylid.net/josh" + + for service in self._getServices(): + if service.uri == uri: + found_types = service.matchTypes(types) + if found_types == types: + break + else: + self.fail('Did not find service with expected types and uris') + + def testNoXRDS(self): + """Make sure that we get an exception when an XRDS element is + not present""" + self.xmldoc = file(NOXRDS_FILE).read() + self.failUnlessRaises( + etxrd.XRDSError, + services.applyFilter, self.yadis_url, self.xmldoc, None) + + def testEmpty(self): + """Make sure that we get an exception when an XRDS element is + not present""" + self.xmldoc = '' + self.failUnlessRaises( + etxrd.XRDSError, + services.applyFilter, self.yadis_url, self.xmldoc, None) + + def testNoXRD(self): + """Make sure that we get an exception when there is no XRD + element present.""" + self.xmldoc = file(NOXRD_FILE).read() + self.failUnlessRaises( + etxrd.XRDSError, + services.applyFilter, self.yadis_url, self.xmldoc, None) + + +class TestCanonicalID(unittest.TestCase): + + def mkTest(iname, filename, expectedID): + """This function builds a method that runs the CanonicalID + test for the given set of inputs""" + + filename = datapath(filename) + def test(self): + xrds = etxrd.parseXRDS(file(filename).read()) + self._getCanonicalID(iname, xrds, expectedID) + return test + + test_delegated = mkTest( + "@ootao*test1", "delegated-20060809.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01") + + test_delegated_r1 = mkTest( + "@ootao*test1", "delegated-20060809-r1.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01") + + test_delegated_r2 = mkTest( + "@ootao*test1", "delegated-20060809-r2.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01") + + test_sometimesprefix = mkTest( + "@ootao*test1", "sometimesprefix.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01") + + test_prefixsometimes = mkTest( + "@ootao*test1", "prefixsometimes.xrds", + "@!5BAD.2AA.3C72.AF46!0000.0000.3B9A.CA01") + + test_spoof1 = mkTest("=keturn*isDrummond", "spoof1.xrds", etxrd.XRDSFraud) + + test_spoof2 = mkTest("=keturn*isDrummond", "spoof2.xrds", etxrd.XRDSFraud) + + test_spoof3 = mkTest("@keturn*is*drummond", "spoof3.xrds", etxrd.XRDSFraud) + + test_status222 = mkTest("=x", "status222.xrds", None) + + test_multisegment_xri = mkTest('xri://=nishitani*masaki', + 'subsegments.xrds', + '=!E117.EF2F.454B.C707!0000.0000.3B9A.CA01') + + test_iri_auth_not_allowed = mkTest( + "phreak.example.com", "delegated-20060809-r2.xrds", etxrd.XRDSFraud) + test_iri_auth_not_allowed.__doc__ = \ + "Don't let IRI authorities be canonical for the GCS." + + # TODO: Refs + # test_ref = mkTest("@ootao*test.ref", "ref.xrds", "@!BAE.A650.823B.2475") + + # TODO: Add a IRI authority with an IRI canonicalID. + # TODO: Add test cases with real examples of multiple CanonicalIDs + # somewhere in the resolution chain. + + def _getCanonicalID(self, iname, xrds, expectedID): + if isinstance(expectedID, (str, unicode, type(None))): + cid = etxrd.getCanonicalID(iname, xrds) + self.failUnlessEqual(cid, expectedID and xri.XRI(expectedID)) + elif issubclass(expectedID, etxrd.XRDSError): + self.failUnlessRaises(expectedID, etxrd.getCanonicalID, + iname, xrds) + else: + self.fail("Don't know how to test for expected value %r" + % (expectedID,)) + + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_examples.py b/askbot/deps/openid/test/test_examples.py new file mode 100644 index 00000000..92269d05 --- /dev/null +++ b/askbot/deps/openid/test/test_examples.py @@ -0,0 +1,185 @@ +"Test some examples." + +import socket +import os.path, unittest, sys, time +from cStringIO import StringIO + +import twill.commands, twill.parse, twill.unit + +from openid.consumer.discover import \ + OpenIDServiceEndpoint, OPENID_1_1_TYPE +from openid.consumer.consumer import AuthRequest + +class TwillTest(twill.unit.TestInfo): + """Variant of twill.unit.TestInfo that runs a function as a test script, + not twill script from a file. + """ + + # twill.unit is pretty small to start with, we're overriding + # run_script and bypassing twill.parse, so it may make sense to + # rewrite twill.unit altogether. + + # Desirable features: + # * better unittest.TestCase integration. + # - handle logs on setup and teardown. + # - treat TwillAssertionError as failed test assertion, make twill + # assertions more consistant with TestCase.failUnless idioms. + # - better error reporting on failed assertions. + # - The amount of functions passed back and forth between TestInfo + # and TestCase is currently pretty silly. + # * access to child process's logs. + # TestInfo.start_server redirects stdout/stderr to StringIO + # objects which are, afaict, inaccessible to the caller of + # test.unit.run_child_process. + # * notice when the child process dies, i.e. if you muck up and + # your runExampleServer function throws an exception. + + def run_script(self): + time.sleep(self.sleep) + # twill.commands.go(self.get_url()) + self.script(self) + + +def splitDir(d, count): + # in python2.4 and above, it's easier to spell this as + # d.rsplit(os.sep, count) + for i in xrange(count): + d = os.path.dirname(d) + return d + +def runExampleServer(host, port, data_path): + thisfile = os.path.abspath(sys.modules[__name__].__file__) + topDir = splitDir(thisfile, 3) + exampleDir = os.path.join(topDir, 'examples') + serverExample = os.path.join(exampleDir, 'server.py') + serverModule = {} + execfile(serverExample, serverModule) + serverMain = serverModule['main'] + + serverMain(host, port, data_path) + + + +class TestServer(unittest.TestCase): + """Acceptance tests for examples/server.py. + + These are more acceptance tests than unit tests as they actually + start the whole server running and test it on its external HTTP + interface. + """ + + def setUp(self): + self.twillOutput = StringIO() + self.twillErr = StringIO() + twill.set_output(self.twillOutput) + twill.set_errout(self.twillErr) + # FIXME: make sure we pick an available port. + self.server_port = 8080 + + # We need something to feed the server as a realm, but it needn't + # be reachable. (Until we test realm verification.) + self.realm = 'http://127.0.0.1/%s' % (self.id(),) + self.return_to = self.realm + '/return_to' + + twill.commands.reset_browser() + + + def runExampleServer(self): + """Zero-arg run-the-server function to be passed to TestInfo.""" + # FIXME - make sure sstore starts clean. + runExampleServer('127.0.0.1', self.server_port, 'sstore') + + + def v1endpoint(self, port): + """Return an OpenID 1.1 OpenIDServiceEndpoint for the server.""" + base = "http://%s:%s" % (socket.getfqdn('127.0.0.1'), port) + ep = OpenIDServiceEndpoint() + ep.claimed_id = base + "/id/bob" + ep.server_url = base + "/openidserver" + ep.type_uris = [OPENID_1_1_TYPE] + return ep + + + # TODO: test discovery + + def test_checkidv1(self): + """OpenID 1.1 checkid_setup request.""" + ti = TwillTest(self.twill_checkidv1, self.runExampleServer, + self.server_port, sleep=0.2) + twill.unit.run_test(ti) + + if self.twillErr.getvalue(): + self.fail(self.twillErr.getvalue()) + + + def test_allowed(self): + """OpenID 1.1 checkid_setup request.""" + ti = TwillTest(self.twill_allowed, self.runExampleServer, + self.server_port, sleep=0.2) + twill.unit.run_test(ti) + + if self.twillErr.getvalue(): + self.fail(self.twillErr.getvalue()) + + + def twill_checkidv1(self, twillInfo): + endpoint = self.v1endpoint(self.server_port) + authreq = AuthRequest(endpoint, assoc=None) + url = authreq.redirectURL(self.realm, self.return_to) + + c = twill.commands + + try: + c.go(url) + c.get_browser()._browser.set_handle_redirect(False) + c.submit("yes") + c.code(302) + headers = c.get_browser()._browser.response().info() + finalURL = headers['Location'] + self.failUnless('openid.mode=id_res' in finalURL, finalURL) + self.failUnless('openid.identity=' in finalURL, finalURL) + except twill.commands.TwillAssertionError, e: + msg = '%s\nFinal page:\n%s' % ( + str(e), c.get_browser().get_html()) + self.fail(msg) + + + def twill_allowed(self, twillInfo): + endpoint = self.v1endpoint(self.server_port) + authreq = AuthRequest(endpoint, assoc=None) + url = authreq.redirectURL(self.realm, self.return_to) + + c = twill.commands + + try: + c.go(url) + c.code(200) + c.get_browser()._browser.set_handle_redirect(False) + c.formvalue(1, 'remember', 'true') + c.find('name="login_as" value="bob"') + c.submit("yes") + c.code(302) + # Since we set remember=yes, the second time we shouldn't + # see that page. + c.go(url) + c.code(302) + headers = c.get_browser()._browser.response().info() + finalURL = headers['Location'] + self.failUnless(finalURL.startswith(self.return_to)) + except twill.commands.TwillAssertionError, e: + from traceback import format_exc + msg = '%s\nTwill output:%s\nTwill errors:%s\nFinal page:\n%s' % ( + format_exc(), + self.twillOutput.getvalue(), + self.twillErr.getvalue(), + c.get_browser().get_html()) + self.fail(msg) + + + def tearDown(self): + twill.set_output(None) + twill.set_errout(None) + + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_extension.py b/askbot/deps/openid/test/test_extension.py new file mode 100644 index 00000000..7dadbd0b --- /dev/null +++ b/askbot/deps/openid/test/test_extension.py @@ -0,0 +1,36 @@ +from openid import extension +from openid import message + +import unittest + +class DummyExtension(extension.Extension): + ns_uri = 'http://an.extension/' + ns_alias = 'dummy' + + def getExtensionArgs(self): + return {} + +class ToMessageTest(unittest.TestCase): + def test_OpenID1(self): + oid1_msg = message.Message(message.OPENID1_NS) + ext = DummyExtension() + ext.toMessage(oid1_msg) + namespaces = oid1_msg.namespaces + self.failUnless(namespaces.isImplicit(DummyExtension.ns_uri)) + self.failUnlessEqual( + DummyExtension.ns_uri, + namespaces.getNamespaceURI(DummyExtension.ns_alias)) + self.failUnlessEqual(DummyExtension.ns_alias, + namespaces.getAlias(DummyExtension.ns_uri)) + + def test_OpenID2(self): + oid2_msg = message.Message(message.OPENID2_NS) + ext = DummyExtension() + ext.toMessage(oid2_msg) + namespaces = oid2_msg.namespaces + self.failIf(namespaces.isImplicit(DummyExtension.ns_uri)) + self.failUnlessEqual( + DummyExtension.ns_uri, + namespaces.getNamespaceURI(DummyExtension.ns_alias)) + self.failUnlessEqual(DummyExtension.ns_alias, + namespaces.getAlias(DummyExtension.ns_uri)) diff --git a/askbot/deps/openid/test/test_fetchers.py b/askbot/deps/openid/test/test_fetchers.py new file mode 100644 index 00000000..da1eea84 --- /dev/null +++ b/askbot/deps/openid/test/test_fetchers.py @@ -0,0 +1,285 @@ +import warnings +import unittest +import sys +import urllib2 +import socket + +from openid import fetchers + +# XXX: make these separate test cases + +def failUnlessResponseExpected(expected, actual): + assert expected.final_url == actual.final_url, ( + "%r != %r" % (expected.final_url, actual.final_url)) + assert expected.status == actual.status + assert expected.body == actual.body + got_headers = dict(actual.headers) + del got_headers['date'] + del got_headers['server'] + for k, v in expected.headers.iteritems(): + assert got_headers[k] == v, (k, v, got_headers[k]) + +def test_fetcher(fetcher, exc, server): + def geturl(path): + return 'http://%s:%s%s' % (socket.getfqdn(server.server_name), + server.socket.getsockname()[1], + path) + + expected_headers = {'content-type':'text/plain'} + + def plain(path, code): + path = '/' + path + expected = fetchers.HTTPResponse( + geturl(path), code, expected_headers, path) + return (path, expected) + + expect_success = fetchers.HTTPResponse( + geturl('/success'), 200, expected_headers, '/success') + cases = [ + ('/success', expect_success), + ('/301redirect', expect_success), + ('/302redirect', expect_success), + ('/303redirect', expect_success), + ('/307redirect', expect_success), + plain('notfound', 404), + plain('badreq', 400), + plain('forbidden', 403), + plain('error', 500), + plain('server_error', 503), + ] + + for path, expected in cases: + fetch_url = geturl(path) + try: + actual = fetcher.fetch(fetch_url) + except (SystemExit, KeyboardInterrupt): + pass + except: + print fetcher, fetch_url + raise + else: + failUnlessResponseExpected(expected, actual) + + for err_url in [geturl('/closed'), + 'http://invalid.janrain.com/', + 'not:a/url', + 'ftp://janrain.com/pub/']: + try: + result = fetcher.fetch(err_url) + except (KeyboardInterrupt, SystemExit): + raise + except fetchers.HTTPError, why: + # This is raised by the Curl fetcher for bad cases + # detected by the fetchers module, but it's a subclass of + # HTTPFetchingError, so we have to catch it explicitly. + assert exc + except fetchers.HTTPFetchingError, why: + assert not exc, (fetcher, exc, server) + except: + assert exc + else: + assert False, 'An exception was expected for %r (%r)' % (fetcher, result) + +def run_fetcher_tests(server): + exc_fetchers = [] + for klass, library_name in [ + (fetchers.Urllib2Fetcher, 'urllib2'), + (fetchers.CurlHTTPFetcher, 'pycurl'), + (fetchers.HTTPLib2Fetcher, 'httplib2'), + ]: + try: + exc_fetchers.append(klass()) + except RuntimeError, why: + if why[0].startswith('Cannot find %s library' % (library_name,)): + try: + __import__(library_name) + except ImportError: + warnings.warn( + 'Skipping tests for %r fetcher because ' + 'the library did not import.' % (library_name,)) + pass + else: + assert False, ('%s present but not detected' % (library_name,)) + else: + raise + + non_exc_fetchers = [] + for f in exc_fetchers: + non_exc_fetchers.append(fetchers.ExceptionWrappingFetcher(f)) + + for f in exc_fetchers: + test_fetcher(f, True, server) + + for f in non_exc_fetchers: + test_fetcher(f, False, server) + +from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer + +class FetcherTestHandler(BaseHTTPRequestHandler): + cases = { + '/success':(200, None), + '/301redirect':(301, '/success'), + '/302redirect':(302, '/success'), + '/303redirect':(303, '/success'), + '/307redirect':(307, '/success'), + '/notfound':(404, None), + '/badreq':(400, None), + '/forbidden':(403, None), + '/error':(500, None), + '/server_error':(503, None), + } + + def log_request(self, *args): + pass + + def do_GET(self): + if self.path == '/closed': + self.wfile.close() + else: + try: + http_code, location = self.cases[self.path] + except KeyError: + self.errorResponse('Bad path') + else: + extra_headers = [('Content-type', 'text/plain')] + if location is not None: + host, port = self.server.server_address + base = ('http://%s:%s' % (socket.getfqdn(host), port,)) + location = base + location + extra_headers.append(('Location', location)) + self._respond(http_code, extra_headers, self.path) + + def do_POST(self): + try: + http_code, extra_headers = self.cases[self.path] + except KeyError: + self.errorResponse('Bad path') + else: + if http_code in [301, 302, 303, 307]: + self.errorResponse() + else: + content_type = self.headers.get('content-type', 'text/plain') + extra_headers.append(('Content-type', content_type)) + content_length = int(self.headers.get('Content-length', '-1')) + body = self.rfile.read(content_length) + self._respond(http_code, extra_headers, body) + + def errorResponse(self, message=None): + req = [ + ('HTTP method', self.command), + ('path', self.path), + ] + if message: + req.append(('message', message)) + + body_parts = ['Bad request:\r\n'] + for k, v in req: + body_parts.append(' %s: %s\r\n' % (k, v)) + body = ''.join(body_parts) + self._respond(400, [('Content-type', 'text/plain')], body) + + def _respond(self, http_code, extra_headers, body): + self.send_response(http_code) + for k, v in extra_headers: + self.send_header(k, v) + self.end_headers() + self.wfile.write(body) + self.wfile.close() + + def finish(self): + if not self.wfile.closed: + self.wfile.flush() + self.wfile.close() + self.rfile.close() + +def test(): + import socket + host = socket.getfqdn('127.0.0.1') + # When I use port 0 here, it works for the first fetch and the + # next one gets connection refused. Bummer. So instead, pick a + # port that's *probably* not in use. + import os + port = (os.getpid() % 31000) + 1024 + + server = HTTPServer((host, port), FetcherTestHandler) + + import threading + server_thread = threading.Thread(target=server.serve_forever) + server_thread.setDaemon(True) + server_thread.start() + + run_fetcher_tests(server) + +class FakeFetcher(object): + sentinel = object() + + def fetch(self, *args, **kwargs): + return self.sentinel + +class DefaultFetcherTest(unittest.TestCase): + def setUp(self): + """reset the default fetcher to None""" + fetchers.setDefaultFetcher(None) + + def tearDown(self): + """reset the default fetcher to None""" + fetchers.setDefaultFetcher(None) + + def test_getDefaultNotNone(self): + """Make sure that None is never returned as a default fetcher""" + self.failUnless(fetchers.getDefaultFetcher() is not None) + fetchers.setDefaultFetcher(None) + self.failUnless(fetchers.getDefaultFetcher() is not None) + + def test_setDefault(self): + """Make sure the getDefaultFetcher returns the object set for + setDefaultFetcher""" + sentinel = object() + fetchers.setDefaultFetcher(sentinel, wrap_exceptions=False) + self.failUnless(fetchers.getDefaultFetcher() is sentinel) + + def test_callFetch(self): + """Make sure that fetchers.fetch() uses the default fetcher + instance that was set.""" + fetchers.setDefaultFetcher(FakeFetcher()) + actual = fetchers.fetch('bad://url') + self.failUnless(actual is FakeFetcher.sentinel) + + def test_wrappedByDefault(self): + """Make sure that the default fetcher instance wraps + exceptions by default""" + default_fetcher = fetchers.getDefaultFetcher() + self.failUnless(isinstance(default_fetcher, + fetchers.ExceptionWrappingFetcher), + default_fetcher) + + self.failUnlessRaises(fetchers.HTTPFetchingError, + fetchers.fetch, 'http://invalid.janrain.com/') + + def test_notWrapped(self): + """Make sure that if we set a non-wrapped fetcher as default, + it will not wrap exceptions.""" + # A fetcher that will raise an exception when it encounters a + # host that will not resolve + fetcher = fetchers.Urllib2Fetcher() + fetchers.setDefaultFetcher(fetcher, wrap_exceptions=False) + + self.failIf(isinstance(fetchers.getDefaultFetcher(), + fetchers.ExceptionWrappingFetcher)) + + try: + fetchers.fetch('http://invalid.janrain.com/') + except fetchers.HTTPFetchingError: + self.fail('Should not be wrapping exception') + except: + exc = sys.exc_info()[1] + self.failUnless(isinstance(exc, urllib2.URLError), exc) + pass + else: + self.fail('Should have raised an exception') + +def pyUnitTests(): + case1 = unittest.FunctionTestCase(test) + loadTests = unittest.defaultTestLoader.loadTestsFromTestCase + case2 = loadTests(DefaultFetcherTest) + return unittest.TestSuite([case1, case2]) diff --git a/askbot/deps/openid/test/test_htmldiscover.py b/askbot/deps/openid/test/test_htmldiscover.py new file mode 100644 index 00000000..0a49e163 --- /dev/null +++ b/askbot/deps/openid/test/test_htmldiscover.py @@ -0,0 +1,21 @@ +from openid.consumer.discover import OpenIDServiceEndpoint +import datadriven + +class BadLinksTestCase(datadriven.DataDrivenTestCase): + cases = [ + '', + "http://not.in.a.link.tag/", + '<link rel="openid.server" href="not.in.html.or.head" />', + ] + + def __init__(self, data): + datadriven.DataDrivenTestCase.__init__(self, data) + self.data = data + + def runOneTest(self): + actual = OpenIDServiceEndpoint.fromHTML('http://unused.url/', self.data) + expected = [] + self.failUnlessEqual(expected, actual) + +def pyUnitTests(): + return datadriven.loadTests(__name__) diff --git a/askbot/deps/openid/test/test_message.py b/askbot/deps/openid/test/test_message.py new file mode 100644 index 00000000..0bbd2800 --- /dev/null +++ b/askbot/deps/openid/test/test_message.py @@ -0,0 +1,998 @@ +from openid import message +from openid import oidutil +from openid.extensions import sreg + +import urllib +import cgi +import unittest + +def mkGetArgTest(ns, key, expected=None): + def test(self): + a_default = object() + self.failUnlessEqual(self.msg.getArg(ns, key), expected) + if expected is None: + self.failUnlessEqual( + self.msg.getArg(ns, key, a_default), a_default) + self.failUnlessRaises( + KeyError, self.msg.getArg, ns, key, message.no_default) + else: + self.failUnlessEqual( + self.msg.getArg(ns, key, a_default), expected) + self.failUnlessEqual( + self.msg.getArg(ns, key, message.no_default), expected) + + return test + +class EmptyMessageTest(unittest.TestCase): + def setUp(self): + self.msg = message.Message() + + def test_toPostArgs(self): + self.failUnlessEqual(self.msg.toPostArgs(), {}) + + def test_toArgs(self): + self.failUnlessEqual(self.msg.toArgs(), {}) + + def test_toKVForm(self): + self.failUnlessEqual(self.msg.toKVForm(), '') + + def test_toURLEncoded(self): + self.failUnlessEqual(self.msg.toURLEncoded(), '') + + def test_toURL(self): + base_url = 'http://base.url/' + self.failUnlessEqual(self.msg.toURL(base_url), base_url) + + def test_getOpenID(self): + self.failUnlessEqual(self.msg.getOpenIDNamespace(), None) + + def test_getKeyOpenID(self): + # Could reasonably return None instead of raising an + # exception. I'm not sure which one is more right, since this + # case should only happen when you're building a message from + # scratch and so have no default namespace. + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.getKey, message.OPENID_NS, 'foo') + + def test_getKeyBARE(self): + self.failUnlessEqual(self.msg.getKey(message.BARE_NS, 'foo'), 'foo') + + def test_getKeyNS1(self): + self.failUnlessEqual(self.msg.getKey(message.OPENID1_NS, 'foo'), None) + + def test_getKeyNS2(self): + self.failUnlessEqual(self.msg.getKey(message.OPENID2_NS, 'foo'), None) + + def test_getKeyNS3(self): + self.failUnlessEqual(self.msg.getKey('urn:nothing-significant', 'foo'), + None) + + def test_hasKey(self): + # Could reasonably return False instead of raising an + # exception. I'm not sure which one is more right, since this + # case should only happen when you're building a message from + # scratch and so have no default namespace. + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.hasKey, message.OPENID_NS, 'foo') + + def test_hasKeyBARE(self): + self.failUnlessEqual(self.msg.hasKey(message.BARE_NS, 'foo'), False) + + def test_hasKeyNS1(self): + self.failUnlessEqual(self.msg.hasKey(message.OPENID1_NS, 'foo'), False) + + def test_hasKeyNS2(self): + self.failUnlessEqual(self.msg.hasKey(message.OPENID2_NS, 'foo'), False) + + def test_hasKeyNS3(self): + self.failUnlessEqual(self.msg.hasKey('urn:nothing-significant', 'foo'), + False) + + def test_getAliasedArgSuccess(self): + msg = message.Message.fromPostArgs({'openid.ns.test': 'urn://foo', + 'openid.test.flub': 'bogus'}) + actual_uri = msg.getAliasedArg('ns.test', message.no_default) + self.assertEquals("urn://foo", actual_uri) + + def test_getAliasedArgFailure(self): + msg = message.Message.fromPostArgs({'openid.test.flub': 'bogus'}) + self.assertRaises(KeyError, + msg.getAliasedArg, 'ns.test', message.no_default) + + def test_getArg(self): + # Could reasonably return None instead of raising an + # exception. I'm not sure which one is more right, since this + # case should only happen when you're building a message from + # scratch and so have no default namespace. + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.getArg, message.OPENID_NS, 'foo') + + test_getArgBARE = mkGetArgTest(message.BARE_NS, 'foo') + test_getArgNS1 = mkGetArgTest(message.OPENID1_NS, 'foo') + test_getArgNS2 = mkGetArgTest(message.OPENID2_NS, 'foo') + test_getArgNS3 = mkGetArgTest('urn:nothing-significant', 'foo') + + def test_getArgs(self): + # Could reasonably return {} instead of raising an + # exception. I'm not sure which one is more right, since this + # case should only happen when you're building a message from + # scratch and so have no default namespace. + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.getArgs, message.OPENID_NS) + + def test_getArgsBARE(self): + self.failUnlessEqual(self.msg.getArgs(message.BARE_NS), {}) + + def test_getArgsNS1(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID1_NS), {}) + + def test_getArgsNS2(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID2_NS), {}) + + def test_getArgsNS3(self): + self.failUnlessEqual(self.msg.getArgs('urn:nothing-significant'), {}) + + def test_updateArgs(self): + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.updateArgs, message.OPENID_NS, + {'does not':'matter'}) + + def _test_updateArgsNS(self, ns): + update_args = { + 'Camper van Beethoven':'David Lowery', + 'Magnolia Electric Co.':'Jason Molina', + } + + self.failUnlessEqual(self.msg.getArgs(ns), {}) + self.msg.updateArgs(ns, update_args) + self.failUnlessEqual(self.msg.getArgs(ns), update_args) + + def test_updateArgsBARE(self): + self._test_updateArgsNS(message.BARE_NS) + + def test_updateArgsNS1(self): + self._test_updateArgsNS(message.OPENID1_NS) + + def test_updateArgsNS2(self): + self._test_updateArgsNS(message.OPENID2_NS) + + def test_updateArgsNS3(self): + self._test_updateArgsNS('urn:nothing-significant') + + def test_setArg(self): + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.setArg, message.OPENID_NS, + 'does not', 'matter') + + def _test_setArgNS(self, ns): + key = 'Camper van Beethoven' + value = 'David Lowery' + self.failUnlessEqual(self.msg.getArg(ns, key), None) + self.msg.setArg(ns, key, value) + self.failUnlessEqual(self.msg.getArg(ns, key), value) + + def test_setArgBARE(self): + self._test_setArgNS(message.BARE_NS) + + def test_setArgNS1(self): + self._test_setArgNS(message.OPENID1_NS) + + def test_setArgNS2(self): + self._test_setArgNS(message.OPENID2_NS) + + def test_setArgNS3(self): + self._test_setArgNS('urn:nothing-significant') + + def test_setArgToNone(self): + self.failUnlessRaises(AssertionError, self.msg.setArg, + message.OPENID1_NS, 'op_endpoint', None) + + def test_delArg(self): + # Could reasonably raise KeyError instead of raising + # UndefinedOpenIDNamespace. I'm not sure which one is more + # right, since this case should only happen when you're + # building a message from scratch and so have no default + # namespace. + self.failUnlessRaises(message.UndefinedOpenIDNamespace, + self.msg.delArg, message.OPENID_NS, 'key') + + def _test_delArgNS(self, ns): + key = 'Camper van Beethoven' + self.failUnlessRaises(KeyError, self.msg.delArg, ns, key) + + def test_delArgBARE(self): + self._test_delArgNS(message.BARE_NS) + + def test_delArgNS1(self): + self._test_delArgNS(message.OPENID1_NS) + + def test_delArgNS2(self): + self._test_delArgNS(message.OPENID2_NS) + + def test_delArgNS3(self): + self._test_delArgNS('urn:nothing-significant') + + def test_isOpenID1(self): + self.failIf(self.msg.isOpenID1()) + + def test_isOpenID2(self): + self.failIf(self.msg.isOpenID2()) + +class OpenID1MessageTest(unittest.TestCase): + def setUp(self): + self.msg = message.Message.fromPostArgs({'openid.mode':'error', + 'openid.error':'unit test'}) + + def test_toPostArgs(self): + self.failUnlessEqual(self.msg.toPostArgs(), + {'openid.mode':'error', + 'openid.error':'unit test'}) + + def test_toArgs(self): + self.failUnlessEqual(self.msg.toArgs(), {'mode':'error', + 'error':'unit test'}) + + def test_toKVForm(self): + self.failUnlessEqual(self.msg.toKVForm(), + 'error:unit test\nmode:error\n') + + def test_toURLEncoded(self): + self.failUnlessEqual(self.msg.toURLEncoded(), + 'openid.error=unit+test&openid.mode=error') + + def test_toURL(self): + base_url = 'http://base.url/' + actual = self.msg.toURL(base_url) + actual_base = actual[:len(base_url)] + self.failUnlessEqual(actual_base, base_url) + self.failUnlessEqual(actual[len(base_url)], '?') + query = actual[len(base_url) + 1:] + parsed = cgi.parse_qs(query) + self.failUnlessEqual(parsed, {'openid.mode':['error'], + 'openid.error':['unit test']}) + + def test_getOpenID(self): + self.failUnlessEqual(self.msg.getOpenIDNamespace(), message.OPENID1_NS) + + def test_getKeyOpenID(self): + self.failUnlessEqual(self.msg.getKey(message.OPENID_NS, 'mode'), + 'openid.mode') + + def test_getKeyBARE(self): + self.failUnlessEqual(self.msg.getKey(message.BARE_NS, 'mode'), 'mode') + + def test_getKeyNS1(self): + self.failUnlessEqual( + self.msg.getKey(message.OPENID1_NS, 'mode'), 'openid.mode') + + def test_getKeyNS2(self): + self.failUnlessEqual(self.msg.getKey(message.OPENID2_NS, 'mode'), None) + + def test_getKeyNS3(self): + self.failUnlessEqual( + self.msg.getKey('urn:nothing-significant', 'mode'), None) + + def test_hasKey(self): + self.failUnlessEqual(self.msg.hasKey(message.OPENID_NS, 'mode'), True) + + def test_hasKeyBARE(self): + self.failUnlessEqual(self.msg.hasKey(message.BARE_NS, 'mode'), False) + + def test_hasKeyNS1(self): + self.failUnlessEqual(self.msg.hasKey(message.OPENID1_NS, 'mode'), True) + + def test_hasKeyNS2(self): + self.failUnlessEqual( + self.msg.hasKey(message.OPENID2_NS, 'mode'), False) + + def test_hasKeyNS3(self): + self.failUnlessEqual( + self.msg.hasKey('urn:nothing-significant', 'mode'), False) + + test_getArgBARE = mkGetArgTest(message.BARE_NS, 'mode') + test_getArgNS = mkGetArgTest(message.OPENID_NS, 'mode', 'error') + test_getArgNS1 = mkGetArgTest(message.OPENID1_NS, 'mode', 'error') + test_getArgNS2 = mkGetArgTest(message.OPENID2_NS, 'mode') + test_getArgNS3 = mkGetArgTest('urn:nothing-significant', 'mode') + + def test_getArgs(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID_NS), + {'mode':'error', + 'error':'unit test', + }) + + def test_getArgsBARE(self): + self.failUnlessEqual(self.msg.getArgs(message.BARE_NS), {}) + + def test_getArgsNS1(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID1_NS), + {'mode':'error', + 'error':'unit test', + }) + + def test_getArgsNS2(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID2_NS), {}) + + def test_getArgsNS3(self): + self.failUnlessEqual(self.msg.getArgs('urn:nothing-significant'), {}) + + def _test_updateArgsNS(self, ns, before=None): + if before is None: + before = {} + update_args = { + 'Camper van Beethoven':'David Lowery', + 'Magnolia Electric Co.':'Jason Molina', + } + + self.failUnlessEqual(self.msg.getArgs(ns), before) + self.msg.updateArgs(ns, update_args) + after = dict(before) + after.update(update_args) + self.failUnlessEqual(self.msg.getArgs(ns), after) + + def test_updateArgs(self): + self._test_updateArgsNS(message.OPENID_NS, + before={'mode':'error', 'error':'unit test'}) + + def test_updateArgsBARE(self): + self._test_updateArgsNS(message.BARE_NS) + + def test_updateArgsNS1(self): + self._test_updateArgsNS(message.OPENID1_NS, + before={'mode':'error', 'error':'unit test'}) + + def test_updateArgsNS2(self): + self._test_updateArgsNS(message.OPENID2_NS) + + def test_updateArgsNS3(self): + self._test_updateArgsNS('urn:nothing-significant') + + def _test_setArgNS(self, ns): + key = 'Camper van Beethoven' + value = 'David Lowery' + self.failUnlessEqual(self.msg.getArg(ns, key), None) + self.msg.setArg(ns, key, value) + self.failUnlessEqual(self.msg.getArg(ns, key), value) + + def test_setArg(self): + self._test_setArgNS(message.OPENID_NS) + + def test_setArgBARE(self): + self._test_setArgNS(message.BARE_NS) + + def test_setArgNS1(self): + self._test_setArgNS(message.OPENID1_NS) + + def test_setArgNS2(self): + self._test_setArgNS(message.OPENID2_NS) + + def test_setArgNS3(self): + self._test_setArgNS('urn:nothing-significant') + + def _test_delArgNS(self, ns): + key = 'Camper van Beethoven' + value = 'David Lowery' + + self.failUnlessRaises(KeyError, self.msg.delArg, ns, key) + self.msg.setArg(ns, key, value) + self.failUnlessEqual(self.msg.getArg(ns, key), value) + self.msg.delArg(ns, key) + self.failUnlessEqual(self.msg.getArg(ns, key), None) + + def test_delArg(self): + self._test_delArgNS(message.OPENID_NS) + + def test_delArgBARE(self): + self._test_delArgNS(message.BARE_NS) + + def test_delArgNS1(self): + self._test_delArgNS(message.OPENID1_NS) + + def test_delArgNS2(self): + self._test_delArgNS(message.OPENID2_NS) + + def test_delArgNS3(self): + self._test_delArgNS('urn:nothing-significant') + + + def test_isOpenID1(self): + self.failUnless(self.msg.isOpenID1()) + + def test_isOpenID2(self): + self.failIf(self.msg.isOpenID2()) + +class OpenID1ExplicitMessageTest(unittest.TestCase): + def setUp(self): + self.msg = message.Message.fromPostArgs({'openid.mode':'error', + 'openid.error':'unit test', + 'openid.ns':message.OPENID1_NS + }) + + def test_toPostArgs(self): + self.failUnlessEqual(self.msg.toPostArgs(), + {'openid.mode':'error', + 'openid.error':'unit test', + 'openid.ns':message.OPENID1_NS + }) + + def test_toArgs(self): + self.failUnlessEqual(self.msg.toArgs(), {'mode':'error', + 'error':'unit test', + 'ns':message.OPENID1_NS}) + + def test_toKVForm(self): + self.failUnlessEqual(self.msg.toKVForm(), + 'error:unit test\nmode:error\nns:%s\n' + %message.OPENID1_NS) + + def test_toURLEncoded(self): + self.failUnlessEqual(self.msg.toURLEncoded(), + 'openid.error=unit+test&openid.mode=error&openid.ns=http%3A%2F%2Fopenid.net%2Fsignon%2F1.0') + + def test_toURL(self): + base_url = 'http://base.url/' + actual = self.msg.toURL(base_url) + actual_base = actual[:len(base_url)] + self.failUnlessEqual(actual_base, base_url) + self.failUnlessEqual(actual[len(base_url)], '?') + query = actual[len(base_url) + 1:] + parsed = cgi.parse_qs(query) + self.failUnlessEqual(parsed, {'openid.mode':['error'], + 'openid.error':['unit test'], + 'openid.ns':[message.OPENID1_NS] + }) + + def test_isOpenID1(self): + self.failUnless(self.msg.isOpenID1()) + + +class OpenID2MessageTest(unittest.TestCase): + def setUp(self): + self.msg = message.Message.fromPostArgs({'openid.mode':'error', + 'openid.error':'unit test', + 'openid.ns':message.OPENID2_NS + }) + self.msg.setArg(message.BARE_NS, "xey", "value") + + def test_toPostArgs(self): + self.failUnlessEqual(self.msg.toPostArgs(), + {'openid.mode':'error', + 'openid.error':'unit test', + 'openid.ns':message.OPENID2_NS, + 'xey': 'value', + }) + + def test_toArgs(self): + # This method can't tolerate BARE_NS. + self.msg.delArg(message.BARE_NS, "xey") + self.failUnlessEqual(self.msg.toArgs(), {'mode':'error', + 'error':'unit test', + 'ns':message.OPENID2_NS, + }) + + def test_toKVForm(self): + # Can't tolerate BARE_NS in kvform + self.msg.delArg(message.BARE_NS, "xey") + self.failUnlessEqual(self.msg.toKVForm(), + 'error:unit test\nmode:error\nns:%s\n' % + (message.OPENID2_NS,)) + + def _test_urlencoded(self, s): + expected = ('openid.error=unit+test&openid.mode=error&' + 'openid.ns=%s&xey=value' % ( + urllib.quote(message.OPENID2_NS, ''),)) + self.failUnlessEqual(s, expected) + + + def test_toURLEncoded(self): + self._test_urlencoded(self.msg.toURLEncoded()) + + def test_toURL(self): + base_url = 'http://base.url/' + actual = self.msg.toURL(base_url) + actual_base = actual[:len(base_url)] + self.failUnlessEqual(actual_base, base_url) + self.failUnlessEqual(actual[len(base_url)], '?') + query = actual[len(base_url) + 1:] + self._test_urlencoded(query) + + def test_getOpenID(self): + self.failUnlessEqual(self.msg.getOpenIDNamespace(), message.OPENID2_NS) + + def test_getKeyOpenID(self): + self.failUnlessEqual(self.msg.getKey(message.OPENID_NS, 'mode'), + 'openid.mode') + + def test_getKeyBARE(self): + self.failUnlessEqual(self.msg.getKey(message.BARE_NS, 'mode'), 'mode') + + def test_getKeyNS1(self): + self.failUnlessEqual( + self.msg.getKey(message.OPENID1_NS, 'mode'), None) + + def test_getKeyNS2(self): + self.failUnlessEqual( + self.msg.getKey(message.OPENID2_NS, 'mode'), 'openid.mode') + + def test_getKeyNS3(self): + self.failUnlessEqual( + self.msg.getKey('urn:nothing-significant', 'mode'), None) + + def test_hasKeyOpenID(self): + self.failUnlessEqual(self.msg.hasKey(message.OPENID_NS, 'mode'), True) + + def test_hasKeyBARE(self): + self.failUnlessEqual(self.msg.hasKey(message.BARE_NS, 'mode'), False) + + def test_hasKeyNS1(self): + self.failUnlessEqual( + self.msg.hasKey(message.OPENID1_NS, 'mode'), False) + + def test_hasKeyNS2(self): + self.failUnlessEqual( + self.msg.hasKey(message.OPENID2_NS, 'mode'), True) + + def test_hasKeyNS3(self): + self.failUnlessEqual( + self.msg.hasKey('urn:nothing-significant', 'mode'), False) + + test_getArgBARE = mkGetArgTest(message.BARE_NS, 'mode') + test_getArgNS = mkGetArgTest(message.OPENID_NS, 'mode', 'error') + test_getArgNS1 = mkGetArgTest(message.OPENID1_NS, 'mode') + test_getArgNS2 = mkGetArgTest(message.OPENID2_NS, 'mode', 'error') + test_getArgNS3 = mkGetArgTest('urn:nothing-significant', 'mode') + + def test_getArgsOpenID(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID_NS), + {'mode':'error', + 'error':'unit test', + }) + + def test_getArgsBARE(self): + self.failUnlessEqual(self.msg.getArgs(message.BARE_NS), + {'xey': 'value'}) + + def test_getArgsNS1(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID1_NS), {}) + + def test_getArgsNS2(self): + self.failUnlessEqual(self.msg.getArgs(message.OPENID2_NS), + {'mode':'error', + 'error':'unit test', + }) + + def test_getArgsNS3(self): + self.failUnlessEqual(self.msg.getArgs('urn:nothing-significant'), {}) + + def _test_updateArgsNS(self, ns, before=None): + if before is None: + before = {} + update_args = { + 'Camper van Beethoven':'David Lowery', + 'Magnolia Electric Co.':'Jason Molina', + } + + self.failUnlessEqual(self.msg.getArgs(ns), before) + self.msg.updateArgs(ns, update_args) + after = dict(before) + after.update(update_args) + self.failUnlessEqual(self.msg.getArgs(ns), after) + + def test_updateArgsOpenID(self): + self._test_updateArgsNS(message.OPENID_NS, + before={'mode':'error', 'error':'unit test'}) + + def test_updateArgsBARE(self): + self._test_updateArgsNS(message.BARE_NS, + before={'xey':'value'}) + + def test_updateArgsNS1(self): + self._test_updateArgsNS(message.OPENID1_NS) + + def test_updateArgsNS2(self): + self._test_updateArgsNS(message.OPENID2_NS, + before={'mode':'error', 'error':'unit test'}) + + def test_updateArgsNS3(self): + self._test_updateArgsNS('urn:nothing-significant') + + def _test_setArgNS(self, ns): + key = 'Camper van Beethoven' + value = 'David Lowery' + self.failUnlessEqual(self.msg.getArg(ns, key), None) + self.msg.setArg(ns, key, value) + self.failUnlessEqual(self.msg.getArg(ns, key), value) + + def test_setArgOpenID(self): + self._test_setArgNS(message.OPENID_NS) + + def test_setArgBARE(self): + self._test_setArgNS(message.BARE_NS) + + def test_setArgNS1(self): + self._test_setArgNS(message.OPENID1_NS) + + def test_setArgNS2(self): + self._test_setArgNS(message.OPENID2_NS) + + def test_setArgNS3(self): + self._test_setArgNS('urn:nothing-significant') + + def test_badAlias(self): + """Make sure dotted aliases and OpenID protocol fields are not + allowed as namespace aliases.""" + + for f in message.OPENID_PROTOCOL_FIELDS + ['dotted.alias']: + args = {'openid.ns.%s' % f: 'blah', + 'openid.%s.foo' % f: 'test'} + + # .fromPostArgs covers .fromPostArgs, .fromOpenIDArgs, + # ._fromOpenIDArgs, and .fromOpenIDArgs (since it calls + # .fromPostArgs). + self.failUnlessRaises(AssertionError, self.msg.fromPostArgs, + args) + + def test_mysterious_missing_namespace_bug(self): + """A failing test for bug #112""" + openid_args = { + 'assoc_handle': '{{HMAC-SHA256}{1211477242.29743}{v5cadg==}', + 'claimed_id': 'http://nerdbank.org/OPAffirmative/AffirmativeIdentityWithSregNoAssoc.aspx', + 'ns.sreg': 'http://openid.net/extensions/sreg/1.1', + 'response_nonce': '2008-05-22T17:27:22ZUoW5.\\NV', + 'signed': 'return_to,identity,claimed_id,op_endpoint,response_nonce,ns.sreg,sreg.email,sreg.nickname,assoc_handle', + 'sig': 'e3eGZ10+TNRZitgq5kQlk5KmTKzFaCRI8OrRoXyoFa4=', + 'mode': 'check_authentication', + 'op_endpoint': 'http://nerdbank.org/OPAffirmative/ProviderNoAssoc.aspx', + 'sreg.nickname': 'Andy', + 'return_to': 'http://localhost.localdomain:8001/process?janrain_nonce=2008-05-22T17%3A27%3A21ZnxHULd', + 'invalidate_handle': '{{HMAC-SHA1}{1211477241.92242}{H0akXw==}', + 'identity': 'http://nerdbank.org/OPAffirmative/AffirmativeIdentityWithSregNoAssoc.aspx', + 'sreg.email': 'a@b.com' + } + m = message.Message.fromOpenIDArgs(openid_args) + + self.failUnless(('http://openid.net/extensions/sreg/1.1', 'sreg') in + list(m.namespaces.iteritems())) + missing = [] + for k in openid_args['signed'].split(','): + if not ("openid."+k) in m.toPostArgs().keys(): + missing.append(k) + self.assertEqual([], missing, missing) + self.assertEqual(openid_args, m.toArgs()) + self.failUnless(m.isOpenID1()) + + def test_112B(self): + args = {'openid.assoc_handle': 'fa1f5ff0-cde4-11dc-a183-3714bfd55ca8', + 'openid.claimed_id': 'http://binkley.lan/user/test01', + 'openid.identity': 'http://test01.binkley.lan/', + 'openid.mode': 'id_res', + 'openid.ns': 'http://specs.openid.net/auth/2.0', + 'openid.ns.pape': 'http://specs.openid.net/extensions/pape/1.0', + 'openid.op_endpoint': 'http://binkley.lan/server', + 'openid.pape.auth_policies': 'none', + 'openid.pape.auth_time': '2008-01-28T20:42:36Z', + 'openid.pape.nist_auth_level': '0', + 'openid.response_nonce': '2008-01-28T21:07:04Z99Q=', + 'openid.return_to': 'http://binkley.lan:8001/process?janrain_nonce=2008-01-28T21%3A07%3A02Z0tMIKx', + 'openid.sig': 'YJlWH4U6SroB1HoPkmEKx9AyGGg=', + 'openid.signed': 'assoc_handle,identity,response_nonce,return_to,claimed_id,op_endpoint,pape.auth_time,ns.pape,pape.nist_auth_level,pape.auth_policies' + } + m = message.Message.fromPostArgs(args) + missing = [] + for k in args['openid.signed'].split(','): + if not ("openid."+k) in m.toPostArgs().keys(): + missing.append(k) + self.assertEqual([], missing, missing) + self.assertEqual(args, m.toPostArgs()) + self.failUnless(m.isOpenID2()) + + def test_implicit_sreg_ns(self): + openid_args = { + 'sreg.email': 'a@b.com' + } + m = message.Message.fromOpenIDArgs(openid_args) + self.failUnless((sreg.ns_uri, 'sreg') in + list(m.namespaces.iteritems())) + self.assertEqual('a@b.com', m.getArg(sreg.ns_uri, 'email')) + self.assertEqual(openid_args, m.toArgs()) + self.failUnless(m.isOpenID1()) + + def _test_delArgNS(self, ns): + key = 'Camper van Beethoven' + value = 'David Lowery' + + self.failUnlessRaises(KeyError, self.msg.delArg, ns, key) + self.msg.setArg(ns, key, value) + self.failUnlessEqual(self.msg.getArg(ns, key), value) + self.msg.delArg(ns, key) + self.failUnlessEqual(self.msg.getArg(ns, key), None) + + def test_delArgOpenID(self): + self._test_delArgNS(message.OPENID_NS) + + def test_delArgBARE(self): + self._test_delArgNS(message.BARE_NS) + + def test_delArgNS1(self): + self._test_delArgNS(message.OPENID1_NS) + + def test_delArgNS2(self): + self._test_delArgNS(message.OPENID2_NS) + + def test_delArgNS3(self): + self._test_delArgNS('urn:nothing-significant') + + def test_overwriteExtensionArg(self): + ns = 'urn:unittest_extension' + key = 'mykey' + value_1 = 'value_1' + value_2 = 'value_2' + + self.msg.setArg(ns, key, value_1) + self.failUnless(self.msg.getArg(ns, key) == value_1) + self.msg.setArg(ns, key, value_2) + self.failUnless(self.msg.getArg(ns, key) == value_2) + + def test_argList(self): + self.failUnlessRaises(TypeError, self.msg.fromPostArgs, + {'arg': [1, 2, 3]}) + + def test_isOpenID1(self): + self.failIf(self.msg.isOpenID1()) + + def test_isOpenID2(self): + self.failUnless(self.msg.isOpenID2()) + +class MessageTest(unittest.TestCase): + def setUp(self): + self.postargs = { + 'openid.ns': message.OPENID2_NS, + 'openid.mode': 'checkid_setup', + 'openid.identity': 'http://bogus.example.invalid:port/', + 'openid.assoc_handle': 'FLUB', + 'openid.return_to': 'Neverland', + } + + self.action_url = 'scheme://host:port/path?query' + + self.form_tag_attrs = { + 'company': 'janrain', + 'class': 'fancyCSS', + } + + self.submit_text = 'GO!' + + ### Expected data regardless of input + + self.required_form_attrs = { + 'accept-charset':'UTF-8', + 'enctype':'application/x-www-form-urlencoded', + 'method': 'post', + } + + def _checkForm(self, html, message_, action_url, + form_tag_attrs, submit_text): + E = oidutil.importElementTree() + + # Build element tree from HTML source + input_tree = E.ElementTree(E.fromstring(html)) + + # Get root element + form = input_tree.getroot() + + # Check required form attributes + for k, v in self.required_form_attrs.iteritems(): + assert form.attrib[k] == v, \ + "Expected '%s' for required form attribute '%s', got '%s'" % \ + (v, k, form.attrib[k]) + + # Check extra form attributes + for k, v in form_tag_attrs.iteritems(): + + # Skip attributes that already passed the required + # attribute check, since they should be ignored by the + # form generation code. + if k in self.required_form_attrs: + continue + + assert form.attrib[k] == v, \ + "Form attribute '%s' should be '%s', found '%s'" % \ + (k, v, form.attrib[k]) + + # Check hidden fields against post args + hiddens = [e for e in form \ + if e.tag.upper() == 'INPUT' and \ + e.attrib['type'].upper() == 'HIDDEN'] + + # For each post arg, make sure there is a hidden with that + # value. Make sure there are no other hiddens. + for name, value in message_.toPostArgs().iteritems(): + for e in hiddens: + if e.attrib['name'] == name: + assert e.attrib['value'] == value, \ + "Expected value of hidden input '%s' to be '%s', got '%s'" % \ + (e.attrib['name'], value, e.attrib['value']) + break + else: + self.fail("Post arg '%s' not found in form" % (name,)) + + for e in hiddens: + assert e.attrib['name'] in message_.toPostArgs().keys(), \ + "Form element for '%s' not in " + \ + "original message" % (e.attrib['name']) + + # Check action URL + assert form.attrib['action'] == action_url, \ + "Expected form 'action' to be '%s', got '%s'" % \ + (action_url, form.attrib['action']) + + # Check submit text + submits = [e for e in form \ + if e.tag.upper() == 'INPUT' and \ + e.attrib['type'].upper() == 'SUBMIT'] + + assert len(submits) == 1, \ + "Expected only one 'input' with type = 'submit', got %d" % \ + (len(submits),) + + assert submits[0].attrib['value'] == submit_text, \ + "Expected submit value to be '%s', got '%s'" % \ + (submit_text, submits[0].attrib['value']) + + def test_toFormMarkup(self): + m = message.Message.fromPostArgs(self.postargs) + html = m.toFormMarkup(self.action_url, self.form_tag_attrs, + self.submit_text) + self._checkForm(html, m, self.action_url, + self.form_tag_attrs, self.submit_text) + + def test_overrideMethod(self): + """Be sure that caller cannot change form method to GET.""" + m = message.Message.fromPostArgs(self.postargs) + + tag_attrs = dict(self.form_tag_attrs) + tag_attrs['method'] = 'GET' + + html = m.toFormMarkup(self.action_url, self.form_tag_attrs, + self.submit_text) + self._checkForm(html, m, self.action_url, + self.form_tag_attrs, self.submit_text) + + def test_overrideRequired(self): + """Be sure that caller CANNOT change the form charset for + encoding type.""" + m = message.Message.fromPostArgs(self.postargs) + + tag_attrs = dict(self.form_tag_attrs) + tag_attrs['accept-charset'] = 'UCS4' + tag_attrs['enctype'] = 'invalid/x-broken' + + html = m.toFormMarkup(self.action_url, tag_attrs, + self.submit_text) + self._checkForm(html, m, self.action_url, + tag_attrs, self.submit_text) + + + def test_setOpenIDNamespace_invalid(self): + m = message.Message() + invalid_things = [ + # Empty string is not okay here. + '', + # Good guess! But wrong. + 'http://openid.net/signon/2.0', + # What? + u'http://specs%\\\r2Eopenid.net/auth/2.0', + # Too much escapings! + 'http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0', + # This is a Type URI, not a openid.ns value. + 'http://specs.openid.net/auth/2.0/signon', + ] + + for x in invalid_things: + self.failUnlessRaises(message.InvalidOpenIDNamespace, + m.setOpenIDNamespace, x, False) + + + def test_isOpenID1(self): + v1_namespaces = [ + # Yes, there are two of them. + 'http://openid.net/signon/1.1', + 'http://openid.net/signon/1.0', + ] + + for ns in v1_namespaces: + m = message.Message(ns) + self.failUnless(m.isOpenID1(), "%r not recognized as OpenID 1" % + (ns,)) + self.failUnlessEqual(ns, m.getOpenIDNamespace()) + self.failUnless(m.namespaces.isImplicit(ns), + m.namespaces.getNamespaceURI(message.NULL_NAMESPACE)) + + def test_isOpenID2(self): + ns = 'http://specs.openid.net/auth/2.0' + m = message.Message(ns) + self.failUnless(m.isOpenID2()) + self.failIf(m.namespaces.isImplicit(message.NULL_NAMESPACE)) + self.failUnlessEqual(ns, m.getOpenIDNamespace()) + + def test_setOpenIDNamespace_explicit(self): + m = message.Message() + m.setOpenIDNamespace(message.THE_OTHER_OPENID1_NS, False) + self.failIf(m.namespaces.isImplicit(message.THE_OTHER_OPENID1_NS)) + + def test_setOpenIDNamespace_implicit(self): + m = message.Message() + m.setOpenIDNamespace(message.THE_OTHER_OPENID1_NS, True) + self.failUnless(m.namespaces.isImplicit(message.THE_OTHER_OPENID1_NS)) + + + def test_explicitOpenID11NSSerialzation(self): + m = message.Message() + m.setOpenIDNamespace(message.THE_OTHER_OPENID1_NS, implicit=False) + + post_args = m.toPostArgs() + self.failUnlessEqual(post_args, + {'openid.ns':message.THE_OTHER_OPENID1_NS}) + + def test_fromPostArgs_ns11(self): + # An example of the stuff that some Drupal installations send us, + # which includes openid.ns but is 1.1. + query = { + u'openid.assoc_handle': u'', + u'openid.claimed_id': u'http://foobar.invalid/', + u'openid.identity': u'http://foobar.myopenid.com', + u'openid.mode': u'checkid_setup', + u'openid.ns': u'http://openid.net/signon/1.1', + u'openid.ns.sreg': u'http://openid.net/extensions/sreg/1.1', + u'openid.return_to': u'http://drupal.invalid/return_to', + u'openid.sreg.required': u'nickname,email', + u'openid.trust_root': u'http://drupal.invalid', + } + m = message.Message.fromPostArgs(query) + self.failUnless(m.isOpenID1()) + + + +class NamespaceMapTest(unittest.TestCase): + def test_onealias(self): + nsm = message.NamespaceMap() + uri = 'http://example.com/foo' + alias = "foo" + nsm.addAlias(uri, alias) + self.failUnless(nsm.getNamespaceURI(alias) == uri) + self.failUnless(nsm.getAlias(uri) == alias) + + def test_iteration(self): + nsm = message.NamespaceMap() + uripat = 'http://example.com/foo%r' + + nsm.add(uripat%0) + for n in range(1,23): + self.failUnless(uripat%(n-1) in nsm) + self.failUnless(nsm.isDefined(uripat%(n-1))) + nsm.add(uripat%n) + + for (uri, alias) in nsm.iteritems(): + self.failUnless(uri[22:]==alias[3:]) + + i=0 + it = nsm.iterAliases() + try: + while True: + it.next() + i += 1 + except StopIteration: + self.failUnless(i == 23) + + i=0 + it = nsm.iterNamespaceURIs() + try: + while True: + it.next() + i += 1 + except StopIteration: + self.failUnless(i == 23) + + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_negotiation.py b/askbot/deps/openid/test/test_negotiation.py new file mode 100644 index 00000000..c9c254a6 --- /dev/null +++ b/askbot/deps/openid/test/test_negotiation.py @@ -0,0 +1,271 @@ + +import unittest +from support import CatchLogs + +from openid.message import Message, OPENID2_NS, OPENID1_NS, OPENID_NS +from openid import association +from openid.consumer.consumer import GenericConsumer, ServerError +from openid.consumer.discover import OpenIDServiceEndpoint, OPENID_2_0_TYPE + +class ErrorRaisingConsumer(GenericConsumer): + """ + A consumer whose _requestAssocation will return predefined results + instead of trying to actually perform association requests. + """ + + # The list of objects to be returned by successive calls to + # _requestAssocation. Each call will pop the first element from + # this list and return it to _negotiateAssociation. If the + # element is a Message object, it will be wrapped in a ServerError + # exception. Otherwise it will be returned as-is. + return_messages = [] + + def _requestAssociation(self, endpoint, assoc_type, session_type): + m = self.return_messages.pop(0) + if isinstance(m, Message): + raise ServerError.fromMessage(m) + else: + return m + +class TestOpenID2SessionNegotiation(unittest.TestCase, CatchLogs): + """ + Test the session type negotiation behavior of an OpenID 2 + consumer. + """ + def setUp(self): + CatchLogs.setUp(self) + self.consumer = ErrorRaisingConsumer(store=None) + + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.type_uris = [OPENID_2_0_TYPE] + self.endpoint.server_url = 'bogus' + + def testBadResponse(self): + """ + Test the case where the response to an associate request is a + server error or is otherwise undecipherable. + """ + self.consumer.return_messages = [Message(self.endpoint.preferredNamespace())] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + self.failUnlessLogMatches('Server error when requesting an association') + + def testEmptyAssocType(self): + """ + Test the case where the association type (assoc_type) returned + in an unsupported-type response is absent. + """ + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + # not set: msg.delArg(OPENID_NS, 'assoc_type') + msg.setArg(OPENID_NS, 'session_type', 'new-session-type') + + self.consumer.return_messages = [msg] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Unsupported association type', + 'Server responded with unsupported association ' + + 'session but did not supply a fallback.') + + def testEmptySessionType(self): + """ + Test the case where the session type (session_type) returned + in an unsupported-type response is absent. + """ + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'new-assoc-type') + # not set: msg.setArg(OPENID_NS, 'session_type', None) + + self.consumer.return_messages = [msg] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Unsupported association type', + 'Server responded with unsupported association ' + + 'session but did not supply a fallback.') + + def testNotAllowed(self): + """ + Test the case where an unsupported-type response specifies a + preferred (assoc_type, session_type) combination that is not + allowed by the consumer's SessionNegotiator. + """ + allowed_types = [] + + negotiator = association.SessionNegotiator(allowed_types) + self.consumer.negotiator = negotiator + + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'not-allowed') + msg.setArg(OPENID_NS, 'session_type', 'not-allowed') + + self.consumer.return_messages = [msg] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Unsupported association type', + 'Server sent unsupported session/association type:') + + def testUnsupportedWithRetry(self): + """ + Test the case where an unsupported-type response triggers a + retry to get an association with the new preferred type. + """ + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') + msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') + + assoc = association.Association( + 'handle', 'secret', 'issued', 10000, 'HMAC-SHA1') + + self.consumer.return_messages = [msg, assoc] + self.failUnless(self.consumer._negotiateAssociation(self.endpoint) is assoc) + + self.failUnlessLogMatches('Unsupported association type') + + def testUnsupportedWithRetryAndFail(self): + """ + Test the case where an unsupported-typ response triggers a + retry, but the retry fails and None is returned instead. + """ + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') + msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') + + self.consumer.return_messages = [msg, + Message(self.endpoint.preferredNamespace())] + + self.failUnlessEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Unsupported association type', + 'Server %s refused' % (self.endpoint.server_url)) + + def testValid(self): + """ + Test the valid case, wherein an association is returned on the + first attempt to get one. + """ + assoc = association.Association( + 'handle', 'secret', 'issued', 10000, 'HMAC-SHA1') + + self.consumer.return_messages = [assoc] + self.failUnless(self.consumer._negotiateAssociation(self.endpoint) is assoc) + self.failUnlessLogEmpty() + +class TestOpenID1SessionNegotiation(unittest.TestCase, CatchLogs): + """ + Tests for the OpenID 1 consumer association session behavior. See + the docs for TestOpenID2SessionNegotiation. Notice that this + class is not a subclass of the OpenID 2 tests. Instead, it uses + many of the same inputs but inspects the log messages logged with + oidutil.log. See the calls to self.failUnlessLogMatches. Some of + these tests pass openid2-style messages to the openid 1 + association processing logic to be sure it ignores the extra data. + """ + def setUp(self): + CatchLogs.setUp(self) + self.consumer = ErrorRaisingConsumer(store=None) + + self.endpoint = OpenIDServiceEndpoint() + self.endpoint.type_uris = [OPENID1_NS] + self.endpoint.server_url = 'bogus' + + def testBadResponse(self): + self.consumer.return_messages = [Message(self.endpoint.preferredNamespace())] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + self.failUnlessLogMatches('Server error when requesting an association') + + def testEmptyAssocType(self): + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + # not set: msg.setArg(OPENID_NS, 'assoc_type', None) + msg.setArg(OPENID_NS, 'session_type', 'new-session-type') + + self.consumer.return_messages = [msg] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Server error when requesting an association') + + def testEmptySessionType(self): + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'new-assoc-type') + # not set: msg.setArg(OPENID_NS, 'session_type', None) + + self.consumer.return_messages = [msg] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Server error when requesting an association') + + def testNotAllowed(self): + allowed_types = [] + + negotiator = association.SessionNegotiator(allowed_types) + self.consumer.negotiator = negotiator + + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'not-allowed') + msg.setArg(OPENID_NS, 'session_type', 'not-allowed') + + self.consumer.return_messages = [msg] + self.assertEqual(self.consumer._negotiateAssociation(self.endpoint), None) + + self.failUnlessLogMatches('Server error when requesting an association') + + def testUnsupportedWithRetry(self): + msg = Message(self.endpoint.preferredNamespace()) + msg.setArg(OPENID_NS, 'error', 'Unsupported type') + msg.setArg(OPENID_NS, 'error_code', 'unsupported-type') + msg.setArg(OPENID_NS, 'assoc_type', 'HMAC-SHA1') + msg.setArg(OPENID_NS, 'session_type', 'DH-SHA1') + + assoc = association.Association( + 'handle', 'secret', 'issued', 10000, 'HMAC-SHA1') + + self.consumer.return_messages = [msg, assoc] + self.failUnless(self.consumer._negotiateAssociation(self.endpoint) is None) + + self.failUnlessLogMatches('Server error when requesting an association') + + def testValid(self): + assoc = association.Association( + 'handle', 'secret', 'issued', 10000, 'HMAC-SHA1') + + self.consumer.return_messages = [assoc] + self.failUnless(self.consumer._negotiateAssociation(self.endpoint) is assoc) + self.failUnlessLogEmpty() + +class TestNegotiatorBehaviors(unittest.TestCase, CatchLogs): + def setUp(self): + self.allowed_types = [ + ('HMAC-SHA1', 'no-encryption'), + ('HMAC-SHA256', 'no-encryption'), + ] + + self.n = association.SessionNegotiator(self.allowed_types) + + def testAddAllowedTypeNoSessionTypes(self): + self.assertRaises(ValueError, self.n.addAllowedType, 'invalid') + + def testAddAllowedTypeBadSessionType(self): + self.assertRaises(ValueError, self.n.addAllowedType, 'assoc1', 'invalid') + + def testAddAllowedTypeContents(self): + assoc_type = 'HMAC-SHA1' + self.failUnless(self.n.addAllowedType(assoc_type) is None) + + for typ in association.getSessionTypes(assoc_type): + self.failUnless((assoc_type, typ) in self.n.allowed_types) + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_nonce.py b/askbot/deps/openid/test/test_nonce.py new file mode 100644 index 00000000..2138305c --- /dev/null +++ b/askbot/deps/openid/test/test_nonce.py @@ -0,0 +1,104 @@ +from openid.test import datadriven +import time +import unittest +import re + +from openid.store.nonce import \ + mkNonce, \ + split as splitNonce, \ + checkTimestamp + +nonce_re = re.compile(r'\A\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ') + +class NonceTest(unittest.TestCase): + def test_mkNonce(self): + nonce = mkNonce() + self.failUnless(nonce_re.match(nonce)) + self.failUnless(len(nonce) == 26) + + def test_mkNonce_when(self): + nonce = mkNonce(0) + self.failUnless(nonce_re.match(nonce)) + self.failUnless(nonce.startswith('1970-01-01T00:00:00Z')) + self.failUnless(len(nonce) == 26) + + def test_splitNonce(self): + s = '1970-01-01T00:00:00Z' + expected_t = 0 + expected_salt = '' + actual_t, actual_salt = splitNonce(s) + self.failUnlessEqual(expected_t, actual_t) + self.failUnlessEqual(expected_salt, actual_salt) + + def test_mkSplit(self): + t = 42 + nonce_str = mkNonce(t) + self.failUnless(nonce_re.match(nonce_str)) + et, salt = splitNonce(nonce_str) + self.failUnlessEqual(len(salt), 6) + self.failUnlessEqual(et, t) + +class BadSplitTest(datadriven.DataDrivenTestCase): + cases = [ + '', + '1970-01-01T00:00:00+1:00', + '1969-01-01T00:00:00Z', + '1970-00-01T00:00:00Z', + '1970.01-01T00:00:00Z', + 'Thu Sep 7 13:29:31 PDT 2006', + 'monkeys', + ] + + def __init__(self, nonce_str): + datadriven.DataDrivenTestCase.__init__(self, nonce_str) + self.nonce_str = nonce_str + + def runOneTest(self): + self.failUnlessRaises(ValueError, splitNonce, self.nonce_str) + +class CheckTimestampTest(datadriven.DataDrivenTestCase): + cases = [ + # exact, no allowed skew + ('1970-01-01T00:00:00Z', 0, 0, True), + + # exact, large skew + ('1970-01-01T00:00:00Z', 1000, 0, True), + + # no allowed skew, one second old + ('1970-01-01T00:00:00Z', 0, 1, False), + + # many seconds old, outside of skew + ('1970-01-01T00:00:00Z', 10, 50, False), + + # one second old, one second skew allowed + ('1970-01-01T00:00:00Z', 1, 1, True), + + # One second in the future, one second skew allowed + ('1970-01-01T00:00:02Z', 1, 1, True), + + # two seconds in the future, one second skew allowed + ('1970-01-01T00:00:02Z', 1, 0, False), + + # malformed nonce string + ('monkeys', 0, 0, False), + ] + + def __init__(self, nonce_string, allowed_skew, now, expected): + datadriven.DataDrivenTestCase.__init__( + self, repr((nonce_string, allowed_skew, now))) + self.nonce_string = nonce_string + self.allowed_skew = allowed_skew + self.now = now + self.expected = expected + + def runOneTest(self): + actual = checkTimestamp(self.nonce_string, self.allowed_skew, self.now) + self.failUnlessEqual(bool(self.expected), bool(actual)) + +def pyUnitTests(): + return datadriven.loadTests(__name__) + +if __name__ == '__main__': + suite = pyUnitTests() + runner = unittest.TextTestRunner() + runner.run(suite) diff --git a/askbot/deps/openid/test/test_openidyadis.py b/askbot/deps/openid/test/test_openidyadis.py new file mode 100644 index 00000000..8573d3ce --- /dev/null +++ b/askbot/deps/openid/test/test_openidyadis.py @@ -0,0 +1,164 @@ +import unittest +from openid.consumer.discover import \ + OpenIDServiceEndpoint, OPENID_1_1_TYPE, OPENID_1_0_TYPE + +from openid.yadis.services import applyFilter + + +XRDS_BOILERPLATE = '''\ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + xmlns:openid="http://openid.net/xmlns/1.0"> + <XRD> +%s\ + </XRD> +</xrds:XRDS> +''' + +def mkXRDS(services): + return XRDS_BOILERPLATE % (services,) + +def mkService(uris=None, type_uris=None, local_id=None, dent=' '): + chunks = [dent, '<Service>\n'] + dent2 = dent + ' ' + if type_uris: + for type_uri in type_uris: + chunks.extend([dent2 + '<Type>', type_uri, '</Type>\n']) + + if uris: + for uri in uris: + if type(uri) is tuple: + uri, prio = uri + else: + prio = None + + chunks.extend([dent2, '<URI']) + if prio is not None: + chunks.extend([' priority="', str(prio), '"']) + chunks.extend(['>', uri, '</URI>\n']) + + if local_id: + chunks.extend( + [dent2, '<openid:Delegate>', local_id, '</openid:Delegate>\n']) + + chunks.extend([dent, '</Service>\n']) + + return ''.join(chunks) + +# Different sets of server URLs for use in the URI tag +server_url_options = [ + [], # This case should not generate an endpoint object + ['http://server.url/'], + ['https://server.url/'], + ['https://server.url/', 'http://server.url/'], + ['https://server.url/', + 'http://server.url/', + 'http://example.server.url/'], + ] + +# Used for generating test data +def subsets(l): + """Generate all non-empty sublists of a list""" + subsets_list = [[]] + for x in l: + subsets_list += [[x] + t for t in subsets_list] + return subsets_list + +# A couple of example extension type URIs. These are not at all +# official, but are just here for testing. +ext_types = [ + 'http://janrain.com/extension/blah', + 'http://openid.net/sreg/1.0', + ] + +# All valid combinations of Type tags that should produce an OpenID endpoint +type_uri_options = [ + exts + ts + + # All non-empty sublists of the valid OpenID type URIs + for ts in subsets([OPENID_1_0_TYPE, OPENID_1_1_TYPE]) + if ts + + # All combinations of extension types (including empty extenstion list) + for exts in subsets(ext_types) + ] + +# Range of valid Delegate tag values for generating test data +local_id_options = [ + None, + 'http://vanity.domain/', + 'https://somewhere/yadis/', + ] + +# All combinations of valid URIs, Type URIs and Delegate tags +data = [ + (uris, type_uris, local_id) + for uris in server_url_options + for type_uris in type_uri_options + for local_id in local_id_options + ] + +class OpenIDYadisTest(unittest.TestCase): + def __init__(self, uris, type_uris, local_id): + unittest.TestCase.__init__(self) + self.uris = uris + self.type_uris = type_uris + self.local_id = local_id + + def shortDescription(self): + # XXX: + return 'Successful OpenID Yadis parsing case' + + def setUp(self): + self.yadis_url = 'http://unit.test/' + + # Create an XRDS document to parse + services = mkService(uris=self.uris, + type_uris=self.type_uris, + local_id=self.local_id) + self.xrds = mkXRDS(services) + + def runTest(self): + # Parse into endpoint objects that we will check + endpoints = applyFilter( + self.yadis_url, self.xrds, OpenIDServiceEndpoint) + + # make sure there are the same number of endpoints as + # URIs. This assumes that the type_uris contains at least one + # OpenID type. + self.failUnlessEqual(len(self.uris), len(endpoints)) + + # So that we can check equality on the endpoint types + type_uris = list(self.type_uris) + type_uris.sort() + + seen_uris = [] + for endpoint in endpoints: + seen_uris.append(endpoint.server_url) + + # All endpoints will have same yadis_url + self.failUnlessEqual(self.yadis_url, endpoint.claimed_id) + + # and local_id + self.failUnlessEqual(self.local_id, endpoint.local_id) + + # and types + actual_types = list(endpoint.type_uris) + actual_types.sort() + self.failUnlessEqual(actual_types, type_uris) + + # So that they will compare equal, because we don't care what + # order they are in + seen_uris.sort() + uris = list(self.uris) + uris.sort() + + # Make sure we saw all URIs, and saw each one once + self.failUnlessEqual(uris, seen_uris) + +def pyUnitTests(): + cases = [] + for args in data: + cases.append(OpenIDYadisTest(*args)) + return unittest.TestSuite(cases) diff --git a/askbot/deps/openid/test/test_pape.py b/askbot/deps/openid/test/test_pape.py new file mode 100644 index 00000000..ef47f60c --- /dev/null +++ b/askbot/deps/openid/test/test_pape.py @@ -0,0 +1,9 @@ + +from openid.extensions import pape + +import unittest + +class PapeImportTestCase(unittest.TestCase): + def test_version(self): + from openid.extensions.draft import pape5 + self.assert_(pape is pape5) diff --git a/askbot/deps/openid/test/test_pape_draft2.py b/askbot/deps/openid/test/test_pape_draft2.py new file mode 100644 index 00000000..ed3d439f --- /dev/null +++ b/askbot/deps/openid/test/test_pape_draft2.py @@ -0,0 +1,217 @@ + +from openid.extensions.draft import pape2 as pape +from openid.message import * +from openid.server import server + +import unittest + +class PapeRequestTestCase(unittest.TestCase): + def setUp(self): + self.req = pape.Request() + + def test_construct(self): + self.failUnlessEqual([], self.req.preferred_auth_policies) + self.failUnlessEqual(None, self.req.max_auth_age) + self.failUnlessEqual('pape', self.req.ns_alias) + + req2 = pape.Request([pape.AUTH_MULTI_FACTOR], 1000) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], req2.preferred_auth_policies) + self.failUnlessEqual(1000, req2.max_auth_age) + + def test_add_policy_uri(self): + self.failUnlessEqual([], self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_PHISHING_RESISTANT) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT], + self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT], + self.req.preferred_auth_policies) + + def test_getExtensionArgs(self): + self.failUnlessEqual({'preferred_auth_policies': ''}, self.req.getExtensionArgs()) + self.req.addPolicyURI('http://uri') + self.failUnlessEqual({'preferred_auth_policies': 'http://uri'}, self.req.getExtensionArgs()) + self.req.addPolicyURI('http://zig') + self.failUnlessEqual({'preferred_auth_policies': 'http://uri http://zig'}, self.req.getExtensionArgs()) + self.req.max_auth_age = 789 + self.failUnlessEqual({'preferred_auth_policies': 'http://uri http://zig', 'max_auth_age': '789'}, self.req.getExtensionArgs()) + + def test_parseExtensionArgs(self): + args = {'preferred_auth_policies': 'http://foo http://bar', + 'max_auth_age': '9'} + self.req.parseExtensionArgs(args) + self.failUnlessEqual(9, self.req.max_auth_age) + self.failUnlessEqual(['http://foo','http://bar'], self.req.preferred_auth_policies) + + def test_parseExtensionArgs_empty(self): + self.req.parseExtensionArgs({}) + self.failUnlessEqual(None, self.req.max_auth_age) + self.failUnlessEqual([], self.req.preferred_auth_policies) + + def test_fromOpenIDRequest(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + 'ns.pape': pape.ns_uri, + 'pape.preferred_auth_policies': ' '.join([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT]), + 'pape.max_auth_age': '5476' + }) + oid_req = server.OpenIDRequest() + oid_req.message = openid_req_msg + req = pape.Request.fromOpenIDRequest(oid_req) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT], req.preferred_auth_policies) + self.failUnlessEqual(5476, req.max_auth_age) + + def test_fromOpenIDRequest_no_pape(self): + message = Message() + openid_req = server.OpenIDRequest() + openid_req.message = message + pape_req = pape.Request.fromOpenIDRequest(openid_req) + assert(pape_req is None) + + def test_preferred_types(self): + self.req.addPolicyURI(pape.AUTH_PHISHING_RESISTANT) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + pt = self.req.preferredTypes([pape.AUTH_MULTI_FACTOR, + pape.AUTH_MULTI_FACTOR_PHYSICAL]) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], pt) + +class DummySuccessResponse: + def __init__(self, message, signed_stuff): + self.message = message + self.signed_stuff = signed_stuff + + def getSignedNS(self, ns_uri): + return self.signed_stuff + +class PapeResponseTestCase(unittest.TestCase): + def setUp(self): + self.req = pape.Response() + + def test_construct(self): + self.failUnlessEqual([], self.req.auth_policies) + self.failUnlessEqual(None, self.req.auth_time) + self.failUnlessEqual('pape', self.req.ns_alias) + self.failUnlessEqual(None, self.req.nist_auth_level) + + req2 = pape.Response([pape.AUTH_MULTI_FACTOR], "2004-12-11T10:30:44Z", 3) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], req2.auth_policies) + self.failUnlessEqual("2004-12-11T10:30:44Z", req2.auth_time) + self.failUnlessEqual(3, req2.nist_auth_level) + + def test_add_policy_uri(self): + self.failUnlessEqual([], self.req.auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], self.req.auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], self.req.auth_policies) + self.req.addPolicyURI(pape.AUTH_PHISHING_RESISTANT) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT], self.req.auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT], self.req.auth_policies) + + def test_getExtensionArgs(self): + self.failUnlessEqual({'auth_policies': 'none'}, self.req.getExtensionArgs()) + self.req.addPolicyURI('http://uri') + self.failUnlessEqual({'auth_policies': 'http://uri'}, self.req.getExtensionArgs()) + self.req.addPolicyURI('http://zig') + self.failUnlessEqual({'auth_policies': 'http://uri http://zig'}, self.req.getExtensionArgs()) + self.req.auth_time = "1776-07-04T14:43:12Z" + self.failUnlessEqual({'auth_policies': 'http://uri http://zig', 'auth_time': "1776-07-04T14:43:12Z"}, self.req.getExtensionArgs()) + self.req.nist_auth_level = 3 + self.failUnlessEqual({'auth_policies': 'http://uri http://zig', 'auth_time': "1776-07-04T14:43:12Z", 'nist_auth_level': '3'}, self.req.getExtensionArgs()) + + def test_getExtensionArgs_error_auth_age(self): + self.req.auth_time = "long ago" + self.failUnlessRaises(ValueError, self.req.getExtensionArgs) + + def test_getExtensionArgs_error_nist_auth_level(self): + self.req.nist_auth_level = "high as a kite" + self.failUnlessRaises(ValueError, self.req.getExtensionArgs) + self.req.nist_auth_level = 5 + self.failUnlessRaises(ValueError, self.req.getExtensionArgs) + self.req.nist_auth_level = -1 + self.failUnlessRaises(ValueError, self.req.getExtensionArgs) + + def test_parseExtensionArgs(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': '1970-01-01T00:00:00Z'} + self.req.parseExtensionArgs(args) + self.failUnlessEqual('1970-01-01T00:00:00Z', self.req.auth_time) + self.failUnlessEqual(['http://foo','http://bar'], self.req.auth_policies) + + def test_parseExtensionArgs_empty(self): + self.req.parseExtensionArgs({}) + self.failUnlessEqual(None, self.req.auth_time) + self.failUnlessEqual([], self.req.auth_policies) + + def test_parseExtensionArgs_strict_bogus1(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': 'yesterday'} + self.failUnlessRaises(ValueError, self.req.parseExtensionArgs, + args, True) + + def test_parseExtensionArgs_strict_bogus2(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': '1970-01-01T00:00:00Z', + 'nist_auth_level': 'some'} + self.failUnlessRaises(ValueError, self.req.parseExtensionArgs, + args, True) + + def test_parseExtensionArgs_strict_good(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': '1970-01-01T00:00:00Z', + 'nist_auth_level': '0'} + self.req.parseExtensionArgs(args, True) + self.failUnlessEqual(['http://foo','http://bar'], self.req.auth_policies) + self.failUnlessEqual('1970-01-01T00:00:00Z', self.req.auth_time) + self.failUnlessEqual(0, self.req.nist_auth_level) + + def test_parseExtensionArgs_nostrict_bogus(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': 'when the cows come home', + 'nist_auth_level': 'some'} + self.req.parseExtensionArgs(args) + self.failUnlessEqual(['http://foo','http://bar'], self.req.auth_policies) + self.failUnlessEqual(None, self.req.auth_time) + self.failUnlessEqual(None, self.req.nist_auth_level) + + def test_fromSuccessResponse(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'ns': OPENID2_NS, + 'ns.pape': pape.ns_uri, + 'pape.auth_policies': ' '.join([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT]), + 'pape.auth_time': '1970-01-01T00:00:00Z' + }) + signed_stuff = { + 'auth_policies': ' '.join([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT]), + 'auth_time': '1970-01-01T00:00:00Z' + } + oid_req = DummySuccessResponse(openid_req_msg, signed_stuff) + req = pape.Response.fromSuccessResponse(oid_req) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT], req.auth_policies) + self.failUnlessEqual('1970-01-01T00:00:00Z', req.auth_time) + + def test_fromSuccessResponseNoSignedArgs(self): + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'ns': OPENID2_NS, + 'ns.pape': pape.ns_uri, + 'pape.auth_policies': ' '.join([pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT]), + 'pape.auth_time': '1970-01-01T00:00:00Z' + }) + + signed_stuff = {} + + class NoSigningDummyResponse(DummySuccessResponse): + def getSignedNS(self, ns_uri): + return None + + oid_req = NoSigningDummyResponse(openid_req_msg, signed_stuff) + resp = pape.Response.fromSuccessResponse(oid_req) + self.failUnless(resp is None) diff --git a/askbot/deps/openid/test/test_pape_draft5.py b/askbot/deps/openid/test/test_pape_draft5.py new file mode 100644 index 00000000..d93ee96e --- /dev/null +++ b/askbot/deps/openid/test/test_pape_draft5.py @@ -0,0 +1,441 @@ + +from openid.extensions.draft import pape5 as pape +from openid.message import * +from openid.server import server + +import warnings +warnings.filterwarnings('ignore', module=__name__, + message='"none" used as a policy URI') + +import unittest + +class PapeRequestTestCase(unittest.TestCase): + def setUp(self): + self.req = pape.Request() + + def test_construct(self): + self.failUnlessEqual([], self.req.preferred_auth_policies) + self.failUnlessEqual(None, self.req.max_auth_age) + self.failUnlessEqual('pape', self.req.ns_alias) + self.failIf(self.req.preferred_auth_level_types) + + bogus_levels = ['http://janrain.com/our_levels'] + req2 = pape.Request( + [pape.AUTH_MULTI_FACTOR], 1000, bogus_levels) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], + req2.preferred_auth_policies) + self.failUnlessEqual(1000, req2.max_auth_age) + self.failUnlessEqual(bogus_levels, req2.preferred_auth_level_types) + + def test_addAuthLevel(self): + self.req.addAuthLevel('http://example.com/', 'example') + self.failUnlessEqual(['http://example.com/'], + self.req.preferred_auth_level_types) + self.failUnlessEqual('http://example.com/', + self.req.auth_level_aliases['example']) + + self.req.addAuthLevel('http://example.com/1', 'example1') + self.failUnlessEqual(['http://example.com/', 'http://example.com/1'], + self.req.preferred_auth_level_types) + + self.req.addAuthLevel('http://example.com/', 'exmpl') + self.failUnlessEqual(['http://example.com/', 'http://example.com/1'], + self.req.preferred_auth_level_types) + + self.req.addAuthLevel('http://example.com/', 'example') + self.failUnlessEqual(['http://example.com/', 'http://example.com/1'], + self.req.preferred_auth_level_types) + + self.failUnlessRaises(KeyError, + self.req.addAuthLevel, + 'http://example.com/2', 'example') + + # alias is None; we expect a new one to be generated. + uri = 'http://another.example.com/' + self.req.addAuthLevel(uri) + self.assert_(uri in self.req.auth_level_aliases.values()) + + # We don't expect a new alias to be generated if one already + # exists. + before_aliases = self.req.auth_level_aliases.keys() + self.req.addAuthLevel(uri) + after_aliases = self.req.auth_level_aliases.keys() + self.assertEqual(before_aliases, after_aliases) + + def test_add_policy_uri(self): + self.failUnlessEqual([], self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], + self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], + self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_PHISHING_RESISTANT) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, + pape.AUTH_PHISHING_RESISTANT], + self.req.preferred_auth_policies) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, + pape.AUTH_PHISHING_RESISTANT], + self.req.preferred_auth_policies) + + def test_getExtensionArgs(self): + self.failUnlessEqual({'preferred_auth_policies': ''}, + self.req.getExtensionArgs()) + self.req.addPolicyURI('http://uri') + self.failUnlessEqual( + {'preferred_auth_policies': 'http://uri'}, + self.req.getExtensionArgs()) + self.req.addPolicyURI('http://zig') + self.failUnlessEqual( + {'preferred_auth_policies': 'http://uri http://zig'}, + self.req.getExtensionArgs()) + self.req.max_auth_age = 789 + self.failUnlessEqual( + {'preferred_auth_policies': 'http://uri http://zig', + 'max_auth_age': '789'}, + self.req.getExtensionArgs()) + + def test_getExtensionArgsWithAuthLevels(self): + uri = 'http://example.com/auth_level' + alias = 'my_level' + self.req.addAuthLevel(uri, alias) + + uri2 = 'http://example.com/auth_level_2' + alias2 = 'my_level_2' + self.req.addAuthLevel(uri2, alias2) + + expected_args = { + ('auth_level.ns.%s' % alias): uri, + ('auth_level.ns.%s' % alias2): uri2, + 'preferred_auth_level_types': ' '.join([alias, alias2]), + 'preferred_auth_policies': '', + } + + self.failUnlessEqual(expected_args, self.req.getExtensionArgs()) + + def test_parseExtensionArgsWithAuthLevels(self): + uri = 'http://example.com/auth_level' + alias = 'my_level' + + uri2 = 'http://example.com/auth_level_2' + alias2 = 'my_level_2' + + request_args = { + ('auth_level.ns.%s' % alias): uri, + ('auth_level.ns.%s' % alias2): uri2, + 'preferred_auth_level_types': ' '.join([alias, alias2]), + 'preferred_auth_policies': '', + } + + # Check request object state + self.req.parseExtensionArgs(request_args, is_openid1=False, strict=False) + + expected_auth_levels = [uri, uri2] + + self.assertEqual(expected_auth_levels, + self.req.preferred_auth_level_types) + self.assertEqual(uri, self.req.auth_level_aliases[alias]) + self.assertEqual(uri2, self.req.auth_level_aliases[alias2]) + + def test_parseExtensionArgsWithAuthLevels_openID1(self): + request_args = { + 'preferred_auth_level_types':'nist jisa', + } + expected_auth_levels = [pape.LEVELS_NIST, pape.LEVELS_JISA] + self.req.parseExtensionArgs(request_args, is_openid1=True) + self.assertEqual(expected_auth_levels, + self.req.preferred_auth_level_types) + + self.req = pape.Request() + self.req.parseExtensionArgs(request_args, is_openid1=False) + self.assertEqual([], + self.req.preferred_auth_level_types) + + self.req = pape.Request() + self.failUnlessRaises(ValueError, + self.req.parseExtensionArgs, + request_args, is_openid1=False, strict=True) + + def test_parseExtensionArgs_ignoreBadAuthLevels(self): + request_args = {'preferred_auth_level_types':'monkeys'} + self.req.parseExtensionArgs(request_args, False) + self.assertEqual([], self.req.preferred_auth_level_types) + + def test_parseExtensionArgs_strictBadAuthLevels(self): + request_args = {'preferred_auth_level_types':'monkeys'} + self.failUnlessRaises(ValueError, self.req.parseExtensionArgs, + request_args, is_openid1=False, strict=True) + + def test_parseExtensionArgs(self): + args = {'preferred_auth_policies': 'http://foo http://bar', + 'max_auth_age': '9'} + self.req.parseExtensionArgs(args, False) + self.failUnlessEqual(9, self.req.max_auth_age) + self.failUnlessEqual(['http://foo','http://bar'], + self.req.preferred_auth_policies) + self.failUnlessEqual([], self.req.preferred_auth_level_types) + + def test_parseExtensionArgs_strict_bad_auth_age(self): + args = {'max_auth_age': 'not an int'} + self.assertRaises(ValueError, self.req.parseExtensionArgs, args, + is_openid1=False, strict=True) + + def test_parseExtensionArgs_empty(self): + self.req.parseExtensionArgs({}, False) + self.failUnlessEqual(None, self.req.max_auth_age) + self.failUnlessEqual([], self.req.preferred_auth_policies) + self.failUnlessEqual([], self.req.preferred_auth_level_types) + + def test_fromOpenIDRequest(self): + policy_uris = [pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT] + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'checkid_setup', + 'ns': OPENID2_NS, + 'ns.pape': pape.ns_uri, + 'pape.preferred_auth_policies': ' '.join(policy_uris), + 'pape.max_auth_age': '5476' + }) + oid_req = server.OpenIDRequest() + oid_req.message = openid_req_msg + req = pape.Request.fromOpenIDRequest(oid_req) + self.failUnlessEqual(policy_uris, req.preferred_auth_policies) + self.failUnlessEqual(5476, req.max_auth_age) + + def test_fromOpenIDRequest_no_pape(self): + message = Message() + openid_req = server.OpenIDRequest() + openid_req.message = message + pape_req = pape.Request.fromOpenIDRequest(openid_req) + assert(pape_req is None) + + def test_preferred_types(self): + self.req.addPolicyURI(pape.AUTH_PHISHING_RESISTANT) + self.req.addPolicyURI(pape.AUTH_MULTI_FACTOR) + pt = self.req.preferredTypes([pape.AUTH_MULTI_FACTOR, + pape.AUTH_MULTI_FACTOR_PHYSICAL]) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], pt) + +class DummySuccessResponse: + def __init__(self, message, signed_stuff): + self.message = message + self.signed_stuff = signed_stuff + + def isOpenID1(self): + return False + + def getSignedNS(self, ns_uri): + return self.signed_stuff + +class PapeResponseTestCase(unittest.TestCase): + def setUp(self): + self.resp = pape.Response() + + def test_construct(self): + self.failUnlessEqual([], self.resp.auth_policies) + self.failUnlessEqual(None, self.resp.auth_time) + self.failUnlessEqual('pape', self.resp.ns_alias) + self.failUnlessEqual(None, self.resp.nist_auth_level) + + req2 = pape.Response([pape.AUTH_MULTI_FACTOR], + "2004-12-11T10:30:44Z", {pape.LEVELS_NIST: 3}) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], req2.auth_policies) + self.failUnlessEqual("2004-12-11T10:30:44Z", req2.auth_time) + self.failUnlessEqual(3, req2.nist_auth_level) + + def test_add_policy_uri(self): + self.failUnlessEqual([], self.resp.auth_policies) + self.resp.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], self.resp.auth_policies) + self.resp.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR], self.resp.auth_policies) + self.resp.addPolicyURI(pape.AUTH_PHISHING_RESISTANT) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, + pape.AUTH_PHISHING_RESISTANT], + self.resp.auth_policies) + self.resp.addPolicyURI(pape.AUTH_MULTI_FACTOR) + self.failUnlessEqual([pape.AUTH_MULTI_FACTOR, + pape.AUTH_PHISHING_RESISTANT], + self.resp.auth_policies) + + self.failUnlessRaises(RuntimeError, self.resp.addPolicyURI, + pape.AUTH_NONE) + + def test_getExtensionArgs(self): + self.failUnlessEqual({'auth_policies': pape.AUTH_NONE}, + self.resp.getExtensionArgs()) + self.resp.addPolicyURI('http://uri') + self.failUnlessEqual({'auth_policies': 'http://uri'}, + self.resp.getExtensionArgs()) + self.resp.addPolicyURI('http://zig') + self.failUnlessEqual({'auth_policies': 'http://uri http://zig'}, + self.resp.getExtensionArgs()) + self.resp.auth_time = "1776-07-04T14:43:12Z" + self.failUnlessEqual( + {'auth_policies': 'http://uri http://zig', + 'auth_time': "1776-07-04T14:43:12Z"}, + self.resp.getExtensionArgs()) + self.resp.setAuthLevel(pape.LEVELS_NIST, '3') + self.failUnlessEqual( + {'auth_policies': 'http://uri http://zig', + 'auth_time': "1776-07-04T14:43:12Z", + 'auth_level.nist': '3', + 'auth_level.ns.nist': pape.LEVELS_NIST}, + self.resp.getExtensionArgs()) + + def test_getExtensionArgs_error_auth_age(self): + self.resp.auth_time = "long ago" + self.failUnlessRaises(ValueError, self.resp.getExtensionArgs) + + def test_parseExtensionArgs(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': '1970-01-01T00:00:00Z'} + self.resp.parseExtensionArgs(args, is_openid1=False) + self.failUnlessEqual('1970-01-01T00:00:00Z', self.resp.auth_time) + self.failUnlessEqual(['http://foo','http://bar'], + self.resp.auth_policies) + + def test_parseExtensionArgs_valid_none(self): + args = {'auth_policies': pape.AUTH_NONE} + self.resp.parseExtensionArgs(args, is_openid1=False) + self.failUnlessEqual([], self.resp.auth_policies) + + def test_parseExtensionArgs_old_none(self): + args = {'auth_policies': 'none'} + self.resp.parseExtensionArgs(args, is_openid1=False) + self.failUnlessEqual([], self.resp.auth_policies) + + def test_parseExtensionArgs_old_none_strict(self): + args = {'auth_policies': 'none'} + self.failUnlessRaises( + ValueError, + self.resp.parseExtensionArgs, args, is_openid1=False, strict=True) + + def test_parseExtensionArgs_empty(self): + self.resp.parseExtensionArgs({}, is_openid1=False) + self.failUnlessEqual(None, self.resp.auth_time) + self.failUnlessEqual([], self.resp.auth_policies) + + def test_parseExtensionArgs_empty_strict(self): + self.failUnlessRaises( + ValueError, + self.resp.parseExtensionArgs, {}, is_openid1=False, strict=True) + + def test_parseExtensionArgs_ignore_superfluous_none(self): + policies = [pape.AUTH_NONE, pape.AUTH_MULTI_FACTOR_PHYSICAL] + + args = { + 'auth_policies': ' '.join(policies), + } + + self.resp.parseExtensionArgs(args, is_openid1=False, strict=False) + + self.assertEqual([pape.AUTH_MULTI_FACTOR_PHYSICAL], + self.resp.auth_policies) + + def test_parseExtensionArgs_none_strict(self): + policies = [pape.AUTH_NONE, pape.AUTH_MULTI_FACTOR_PHYSICAL] + + args = { + 'auth_policies': ' '.join(policies), + } + + self.failUnlessRaises(ValueError, self.resp.parseExtensionArgs, + args, is_openid1=False, strict=True) + + def test_parseExtensionArgs_strict_bogus1(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': 'yesterday'} + self.failUnlessRaises(ValueError, self.resp.parseExtensionArgs, + args, is_openid1=False, strict=True) + + def test_parseExtensionArgs_openid1_strict(self): + args = {'auth_level.nist': '0', + 'auth_policies': pape.AUTH_NONE, + } + self.resp.parseExtensionArgs(args, strict=True, is_openid1=True) + self.failUnlessEqual('0', self.resp.getAuthLevel(pape.LEVELS_NIST)) + self.failUnlessEqual([], self.resp.auth_policies) + + def test_parseExtensionArgs_strict_no_namespace_decl_openid2(self): + # Test the case where the namespace is not declared for an + # auth level. + args = {'auth_policies': pape.AUTH_NONE, + 'auth_level.nist': '0', + } + self.failUnlessRaises(ValueError, self.resp.parseExtensionArgs, + args, is_openid1=False, strict=True) + + def test_parseExtensionArgs_nostrict_no_namespace_decl_openid2(self): + # Test the case where the namespace is not declared for an + # auth level. + args = {'auth_policies': pape.AUTH_NONE, + 'auth_level.nist': '0', + } + self.resp.parseExtensionArgs(args, is_openid1=False, strict=False) + + # There is no namespace declaration for this auth level. + self.failUnlessRaises(KeyError, self.resp.getAuthLevel, + pape.LEVELS_NIST) + + def test_parseExtensionArgs_strict_good(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': '1970-01-01T00:00:00Z', + 'auth_level.nist': '0', + 'auth_level.ns.nist': pape.LEVELS_NIST} + self.resp.parseExtensionArgs(args, is_openid1=False, strict=True) + self.failUnlessEqual(['http://foo','http://bar'], + self.resp.auth_policies) + self.failUnlessEqual('1970-01-01T00:00:00Z', self.resp.auth_time) + self.failUnlessEqual(0, self.resp.nist_auth_level) + + def test_parseExtensionArgs_nostrict_bogus(self): + args = {'auth_policies': 'http://foo http://bar', + 'auth_time': 'when the cows come home', + 'nist_auth_level': 'some'} + self.resp.parseExtensionArgs(args, is_openid1=False) + self.failUnlessEqual(['http://foo','http://bar'], + self.resp.auth_policies) + self.failUnlessEqual(None, self.resp.auth_time) + self.failUnlessEqual(None, self.resp.nist_auth_level) + + def test_fromSuccessResponse(self): + policy_uris = [pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT] + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'ns': OPENID2_NS, + 'ns.pape': pape.ns_uri, + 'pape.auth_policies': ' '.join(policy_uris), + 'pape.auth_time': '1970-01-01T00:00:00Z' + }) + signed_stuff = { + 'auth_policies': ' '.join(policy_uris), + 'auth_time': '1970-01-01T00:00:00Z' + } + oid_req = DummySuccessResponse(openid_req_msg, signed_stuff) + req = pape.Response.fromSuccessResponse(oid_req) + self.failUnlessEqual(policy_uris, req.auth_policies) + self.failUnlessEqual('1970-01-01T00:00:00Z', req.auth_time) + + def test_fromSuccessResponseNoSignedArgs(self): + policy_uris = [pape.AUTH_MULTI_FACTOR, pape.AUTH_PHISHING_RESISTANT] + openid_req_msg = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'ns': OPENID2_NS, + 'ns.pape': pape.ns_uri, + 'pape.auth_policies': ' '.join(policy_uris), + 'pape.auth_time': '1970-01-01T00:00:00Z' + }) + + signed_stuff = {} + + class NoSigningDummyResponse(DummySuccessResponse): + def getSignedNS(self, ns_uri): + return None + + oid_req = NoSigningDummyResponse(openid_req_msg, signed_stuff) + resp = pape.Response.fromSuccessResponse(oid_req) + self.failUnless(resp is None) + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_parsehtml.py b/askbot/deps/openid/test/test_parsehtml.py new file mode 100644 index 00000000..2f962cdb --- /dev/null +++ b/askbot/deps/openid/test/test_parsehtml.py @@ -0,0 +1,82 @@ +from openid.yadis.parsehtml import YadisHTMLParser, ParseDone +from HTMLParser import HTMLParseError + +import os.path, unittest, sys + +class _TestCase(unittest.TestCase): + reserved_values = ['None', 'EOF'] + + def __init__(self, filename, testname, expected, case): + self.filename = filename + self.testname = testname + self.expected = expected + self.case = case + unittest.TestCase.__init__(self) + + def runTest(self): + p = YadisHTMLParser() + try: + p.feed(self.case) + except ParseDone, why: + found = why[0] + + # make sure we protect outselves against accidental bogus + # test cases + assert found not in self.reserved_values + + # convert to a string + if found is None: + found = 'None' + + msg = "%r != %r for case %s" % (found, self.expected, self.case) + self.failUnlessEqual(found, self.expected, msg) + except HTMLParseError: + self.failUnless(self.expected == 'None', (self.case, self.expected)) + else: + self.failUnless(self.expected == 'EOF', (self.case, self.expected)) + + def shortDescription(self): + return "%s (%s<%s>)" % ( + self.testname, + self.__class__.__module__, + os.path.basename(self.filename)) + +def parseCases(data): + cases = [] + for chunk in data.split('\f\n'): + expected, case = chunk.split('\n', 1) + cases.append((expected, case)) + return cases + +def pyUnitTests(): + """Make a pyunit TestSuite from a file defining test cases.""" + s = unittest.TestSuite() + for (filename, test_num, expected, case) in getCases(): + s.addTest(_TestCase(filename, str(test_num), expected, case)) + return s + +def test(): + runner = unittest.TextTestRunner() + return runner.run(loadTests()) + +filenames = ['data/test1-parsehtml.txt'] + +default_test_files = [] +base = os.path.dirname(__file__) +for filename in filenames: + full_name = os.path.join(base, filename) + default_test_files.append(full_name) + +def getCases(test_files=default_test_files): + cases = [] + for filename in test_files: + test_num = 0 + data = file(filename).read() + for expected, case in parseCases(data): + test_num += 1 + cases.append((filename, test_num, expected, case)) + return cases + + +if __name__ == '__main__': + sys.exit(not test().wasSuccessful()) diff --git a/askbot/deps/openid/test/test_rpverify.py b/askbot/deps/openid/test/test_rpverify.py new file mode 100644 index 00000000..9d781bb1 --- /dev/null +++ b/askbot/deps/openid/test/test_rpverify.py @@ -0,0 +1,246 @@ +"""Unit tests for verification of return_to URLs for a realm +""" + +__all__ = ['TestBuildDiscoveryURL'] + +from openid.yadis.discover import DiscoveryResult, DiscoveryFailure +from openid.yadis import services +from openid.server import trustroot +from openid.test.support import CatchLogs +import unittest + +# Too many methods does not apply to unit test objects +#pylint:disable-msg=R0904 +class TestBuildDiscoveryURL(unittest.TestCase): + """Tests for building the discovery URL from a realm and a + return_to URL + """ + + def failUnlessDiscoURL(self, realm, expected_discovery_url): + """Build a discovery URL out of the realm and a return_to and + make sure that it matches the expected discovery URL + """ + realm_obj = trustroot.TrustRoot.parse(realm) + actual_discovery_url = realm_obj.buildDiscoveryURL() + self.failUnlessEqual(expected_discovery_url, actual_discovery_url) + + def test_trivial(self): + """There is no wildcard and the realm is the same as the return_to URL + """ + self.failUnlessDiscoURL('http://example.com/foo', + 'http://example.com/foo') + + def test_wildcard(self): + """There is a wildcard + """ + self.failUnlessDiscoURL('http://*.example.com/foo', + 'http://www.example.com/foo') + +class TestExtractReturnToURLs(unittest.TestCase): + disco_url = 'http://example.com/' + + def setUp(self): + self.original_discover = services.discover + services.discover = self.mockDiscover + self.data = None + + def tearDown(self): + services.discover = self.original_discover + + def mockDiscover(self, uri): + result = DiscoveryResult(uri) + result.response_text = self.data + result.normalized_uri = uri + return result + + def failUnlessFileHasReturnURLs(self, filename, expected_return_urls): + self.failUnlessXRDSHasReturnURLs(file(filename).read(), + expected_return_urls) + + def failUnlessXRDSHasReturnURLs(self, data, expected_return_urls): + self.data = data + actual_return_urls = list(trustroot.getAllowedReturnURLs( + self.disco_url)) + + self.failUnlessEqual(expected_return_urls, actual_return_urls) + + def failUnlessDiscoveryFailure(self, text): + self.data = text + self.failUnlessRaises( + DiscoveryFailure, trustroot.getAllowedReturnURLs, self.disco_url) + + def test_empty(self): + self.failUnlessDiscoveryFailure('') + + def test_badXML(self): + self.failUnlessDiscoveryFailure('>') + + def test_noEntries(self): + self.failUnlessXRDSHasReturnURLs('''\ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + </XRD> +</xrds:XRDS> +''', []) + + def test_noReturnToEntries(self): + self.failUnlessXRDSHasReturnURLs('''\ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service priority="10"> + <Type>http://specs.openid.net/auth/2.0/server</Type> + <URI>http://www.myopenid.com/server</URI> + </Service> + </XRD> +</xrds:XRDS> +''', []) + + def test_oneEntry(self): + self.failUnlessXRDSHasReturnURLs('''\ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service> + <Type>http://specs.openid.net/auth/2.0/return_to</Type> + <URI>http://rp.example.com/return</URI> + </Service> + </XRD> +</xrds:XRDS> +''', ['http://rp.example.com/return']) + + def test_twoEntries(self): + self.failUnlessXRDSHasReturnURLs('''\ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service priority="0"> + <Type>http://specs.openid.net/auth/2.0/return_to</Type> + <URI>http://rp.example.com/return</URI> + </Service> + <Service priority="1"> + <Type>http://specs.openid.net/auth/2.0/return_to</Type> + <URI>http://other.rp.example.com/return</URI> + </Service> + </XRD> +</xrds:XRDS> +''', ['http://rp.example.com/return', + 'http://other.rp.example.com/return']) + + def test_twoEntries_withOther(self): + self.failUnlessXRDSHasReturnURLs('''\ +<?xml version="1.0" encoding="UTF-8"?> +<xrds:XRDS xmlns:xrds="xri://$xrds" + xmlns="xri://$xrd*($v*2.0)" + > + <XRD> + <Service priority="0"> + <Type>http://specs.openid.net/auth/2.0/return_to</Type> + <URI>http://rp.example.com/return</URI> + </Service> + <Service priority="1"> + <Type>http://specs.openid.net/auth/2.0/return_to</Type> + <URI>http://other.rp.example.com/return</URI> + </Service> + <Service priority="0"> + <Type>http://example.com/LOLCATS</Type> + <URI>http://example.com/invisible+uri</URI> + </Service> + </XRD> +</xrds:XRDS> +''', ['http://rp.example.com/return', + 'http://other.rp.example.com/return']) + + + +class TestReturnToMatches(unittest.TestCase): + def test_noEntries(self): + self.failIf(trustroot.returnToMatches([], 'anything')) + + def test_exactMatch(self): + r = 'http://example.com/return.to' + self.failUnless(trustroot.returnToMatches([r], r)) + + def test_garbageMatch(self): + r = 'http://example.com/return.to' + self.failUnless(trustroot.returnToMatches( + ['This is not a URL at all. In fact, it has characters, ' + 'like "<" that are not allowed in URLs', + r], + r)) + + def test_descendant(self): + r = 'http://example.com/return.to' + self.failUnless(trustroot.returnToMatches( + [r], + 'http://example.com/return.to/user:joe')) + + def test_wildcard(self): + self.failIf(trustroot.returnToMatches( + ['http://*.example.com/return.to'], + 'http://example.com/return.to')) + + def test_noMatch(self): + r = 'http://example.com/return.to' + self.failIf(trustroot.returnToMatches( + [r], + 'http://example.com/xss_exploit')) + +class TestVerifyReturnTo(unittest.TestCase, CatchLogs): + + def setUp(self): + CatchLogs.setUp(self) + + def tearDown(self): + CatchLogs.tearDown(self) + + def test_bogusRealm(self): + self.failIf(trustroot.verifyReturnTo('', 'http://example.com/')) + + def test_verifyWithDiscoveryCalled(self): + realm = 'http://*.example.com/' + return_to = 'http://www.example.com/foo' + + def vrfy(disco_url): + self.failUnlessEqual('http://www.example.com/', disco_url) + return [return_to] + + self.failUnless( + trustroot.verifyReturnTo(realm, return_to, _vrfy=vrfy)) + self.failUnlessLogEmpty() + + def test_verifyFailWithDiscoveryCalled(self): + realm = 'http://*.example.com/' + return_to = 'http://www.example.com/foo' + + def vrfy(disco_url): + self.failUnlessEqual('http://www.example.com/', disco_url) + return ['http://something-else.invalid/'] + + self.failIf( + trustroot.verifyReturnTo(realm, return_to, _vrfy=vrfy)) + self.failUnlessLogMatches("Failed to validate return_to") + + def test_verifyFailIfDiscoveryRedirects(self): + realm = 'http://*.example.com/' + return_to = 'http://www.example.com/foo' + + def vrfy(disco_url): + raise trustroot.RealmVerificationRedirected( + disco_url, "http://redirected.invalid") + + self.failIf( + trustroot.verifyReturnTo(realm, return_to, _vrfy=vrfy)) + self.failUnlessLogMatches("Attempting to verify") + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_server.py b/askbot/deps/openid/test/test_server.py new file mode 100644 index 00000000..83261c8c --- /dev/null +++ b/askbot/deps/openid/test/test_server.py @@ -0,0 +1,2064 @@ +"""Tests for openid.server. +""" +from openid.server import server +from openid import association, cryptutil, oidutil +from openid.message import Message, OPENID_NS, OPENID2_NS, OPENID1_NS, \ + IDENTIFIER_SELECT, no_default, OPENID1_URL_LIMIT +from openid.store import memstore +import cgi + +import unittest +import warnings + +from urlparse import urlparse + +# In general, if you edit or add tests here, try to move in the direction +# of testing smaller units. For testing the external interfaces, we'll be +# developing an implementation-agnostic testing suite. + +# for more, see /etc/ssh/moduli + +ALT_MODULUS = 0xCAADDDEC1667FC68B5FA15D53C4E1532DD24561A1A2D47A12C01ABEA1E00731F6921AAC40742311FDF9E634BB7131BEE1AF240261554389A910425E044E88C8359B010F5AD2B80E29CB1A5B027B19D9E01A6F63A6F45E5D7ED2FF6A2A0085050A7D0CF307C3DB51D2490355907B4427C23A98DF1EB8ABEF2BA209BB7AFFE86A7 +ALT_GEN = 5 + +class CatchLogs(object): + def setUp(self): + self.old_logger = oidutil.log + oidutil.log = self.gotLogMessage + self.messages = [] + + def gotLogMessage(self, message): + self.messages.append(message) + + def tearDown(self): + oidutil.log = self.old_logger + +class TestProtocolError(unittest.TestCase): + def test_browserWithReturnTo(self): + return_to = "http://rp.unittest/consumer" + # will be a ProtocolError raised by Decode or CheckIDRequest.answer + args = Message.fromPostArgs({ + 'openid.mode': 'monkeydance', + 'openid.identity': 'http://wagu.unittest/', + 'openid.return_to': return_to, + }) + e = server.ProtocolError(args, "plucky") + self.failUnless(e.hasReturnTo()) + expected_args = { + 'openid.mode': ['error'], + 'openid.error': ['plucky'], + } + + rt_base, result_args = e.encodeToURL().split('?', 1) + result_args = cgi.parse_qs(result_args) + self.failUnlessEqual(result_args, expected_args) + + def test_browserWithReturnTo_OpenID2_GET(self): + return_to = "http://rp.unittest/consumer" + # will be a ProtocolError raised by Decode or CheckIDRequest.answer + args = Message.fromPostArgs({ + 'openid.ns': OPENID2_NS, + 'openid.mode': 'monkeydance', + 'openid.identity': 'http://wagu.unittest/', + 'openid.claimed_id': 'http://wagu.unittest/', + 'openid.return_to': return_to, + }) + e = server.ProtocolError(args, "plucky") + self.failUnless(e.hasReturnTo()) + expected_args = { + 'openid.ns': [OPENID2_NS], + 'openid.mode': ['error'], + 'openid.error': ['plucky'], + } + + rt_base, result_args = e.encodeToURL().split('?', 1) + result_args = cgi.parse_qs(result_args) + self.failUnlessEqual(result_args, expected_args) + + def test_browserWithReturnTo_OpenID2_POST(self): + return_to = "http://rp.unittest/consumer" + ('x' * OPENID1_URL_LIMIT) + # will be a ProtocolError raised by Decode or CheckIDRequest.answer + args = Message.fromPostArgs({ + 'openid.ns': OPENID2_NS, + 'openid.mode': 'monkeydance', + 'openid.identity': 'http://wagu.unittest/', + 'openid.claimed_id': 'http://wagu.unittest/', + 'openid.return_to': return_to, + }) + e = server.ProtocolError(args, "plucky") + self.failUnless(e.hasReturnTo()) + expected_args = { + 'openid.ns': [OPENID2_NS], + 'openid.mode': ['error'], + 'openid.error': ['plucky'], + } + + self.failUnless(e.whichEncoding() == server.ENCODE_HTML_FORM) + self.failUnless(e.toFormMarkup() == e.toMessage().toFormMarkup( + args.getArg(OPENID_NS, 'return_to'))) + + def test_browserWithReturnTo_OpenID1_exceeds_limit(self): + return_to = "http://rp.unittest/consumer" + ('x' * OPENID1_URL_LIMIT) + # will be a ProtocolError raised by Decode or CheckIDRequest.answer + args = Message.fromPostArgs({ + 'openid.mode': 'monkeydance', + 'openid.identity': 'http://wagu.unittest/', + 'openid.return_to': return_to, + }) + e = server.ProtocolError(args, "plucky") + self.failUnless(e.hasReturnTo()) + expected_args = { + 'openid.mode': ['error'], + 'openid.error': ['plucky'], + } + + self.failUnless(e.whichEncoding() == server.ENCODE_URL) + + rt_base, result_args = e.encodeToURL().split('?', 1) + result_args = cgi.parse_qs(result_args) + self.failUnlessEqual(result_args, expected_args) + + def test_noReturnTo(self): + # will be a ProtocolError raised by Decode or CheckIDRequest.answer + args = Message.fromPostArgs({ + 'openid.mode': 'zebradance', + 'openid.identity': 'http://wagu.unittest/', + }) + e = server.ProtocolError(args, "waffles") + self.failIf(e.hasReturnTo()) + expected = """error:waffles +mode:error +""" + self.failUnlessEqual(e.encodeToKVForm(), expected) + + + def test_noMessage(self): + e = server.ProtocolError(None, "no moar pancakes") + self.failIf(e.hasReturnTo()) + self.failUnlessEqual(e.whichEncoding(), None) + + +class TestDecode(unittest.TestCase): + def setUp(self): + self.claimed_id = 'http://de.legating.de.coder.unittest/' + self.id_url = "http://decoder.am.unittest/" + self.rt_url = "http://rp.unittest/foobot/?qux=zam" + self.tr_url = "http://rp.unittest/" + self.assoc_handle = "{assoc}{handle}" + self.op_endpoint = 'http://endpoint.unittest/encode' + self.store = memstore.MemoryStore() + self.server = server.Server(self.store, self.op_endpoint) + self.decode = self.server.decoder.decode + self.decode = server.Decoder(self.server).decode + + def test_none(self): + args = {} + r = self.decode(args) + self.failUnlessEqual(r, None) + + def test_irrelevant(self): + args = { + 'pony': 'spotted', + 'sreg.mutant_power': 'decaffinator', + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + def test_bad(self): + args = { + 'openid.mode': 'twos-compliment', + 'openid.pants': 'zippered', + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + def test_dictOfLists(self): + args = { + 'openid.mode': ['checkid_setup'], + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.trust_root': self.tr_url, + } + try: + result = self.decode(args) + except TypeError, err: + self.failUnless(str(err).find('values') != -1, err) + else: + self.fail("Expected TypeError, but got result %s" % (result,)) + + def test_checkidImmediate(self): + args = { + 'openid.mode': 'checkid_immediate', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.trust_root': self.tr_url, + # should be ignored + 'openid.some.extension': 'junk', + } + r = self.decode(args) + self.failUnless(isinstance(r, server.CheckIDRequest)) + self.failUnlessEqual(r.mode, "checkid_immediate") + self.failUnlessEqual(r.immediate, True) + self.failUnlessEqual(r.identity, self.id_url) + self.failUnlessEqual(r.trust_root, self.tr_url) + self.failUnlessEqual(r.return_to, self.rt_url) + self.failUnlessEqual(r.assoc_handle, self.assoc_handle) + + def test_checkidSetup(self): + args = { + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.trust_root': self.tr_url, + } + r = self.decode(args) + self.failUnless(isinstance(r, server.CheckIDRequest)) + self.failUnlessEqual(r.mode, "checkid_setup") + self.failUnlessEqual(r.immediate, False) + self.failUnlessEqual(r.identity, self.id_url) + self.failUnlessEqual(r.trust_root, self.tr_url) + self.failUnlessEqual(r.return_to, self.rt_url) + + def test_checkidSetupOpenID2(self): + args = { + 'openid.ns': OPENID2_NS, + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.claimed_id': self.claimed_id, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.realm': self.tr_url, + } + r = self.decode(args) + self.failUnless(isinstance(r, server.CheckIDRequest)) + self.failUnlessEqual(r.mode, "checkid_setup") + self.failUnlessEqual(r.immediate, False) + self.failUnlessEqual(r.identity, self.id_url) + self.failUnlessEqual(r.claimed_id, self.claimed_id) + self.failUnlessEqual(r.trust_root, self.tr_url) + self.failUnlessEqual(r.return_to, self.rt_url) + + def test_checkidSetupNoClaimedIDOpenID2(self): + args = { + 'openid.ns': OPENID2_NS, + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.realm': self.tr_url, + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + def test_checkidSetupNoIdentityOpenID2(self): + args = { + 'openid.ns': OPENID2_NS, + 'openid.mode': 'checkid_setup', + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.realm': self.tr_url, + } + r = self.decode(args) + self.failUnless(isinstance(r, server.CheckIDRequest)) + self.failUnlessEqual(r.mode, "checkid_setup") + self.failUnlessEqual(r.immediate, False) + self.failUnlessEqual(r.identity, None) + self.failUnlessEqual(r.trust_root, self.tr_url) + self.failUnlessEqual(r.return_to, self.rt_url) + + def test_checkidSetupNoReturnOpenID1(self): + """Make sure an OpenID 1 request cannot be decoded if it lacks + a return_to. + """ + args = { + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.trust_root': self.tr_url, + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + def test_checkidSetupNoReturnOpenID2(self): + """Make sure an OpenID 2 request with no return_to can be + decoded, and make sure a response to such a request raises + NoReturnToError. + """ + args = { + 'openid.ns': OPENID2_NS, + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.claimed_id': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.realm': self.tr_url, + } + self.failUnless(isinstance(self.decode(args), server.CheckIDRequest)) + + req = self.decode(args) + self.assertRaises(server.NoReturnToError, req.answer, False) + self.assertRaises(server.NoReturnToError, req.encodeToURL, 'bogus') + self.assertRaises(server.NoReturnToError, req.getCancelURL) + + def test_checkidSetupRealmRequiredOpenID2(self): + """Make sure that an OpenID 2 request which lacks return_to + cannot be decoded if it lacks a realm. Spec: This value + (openid.realm) MUST be sent if openid.return_to is omitted. + """ + args = { + 'openid.ns': OPENID2_NS, + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + def test_checkidSetupBadReturn(self): + args = { + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': 'not a url', + } + try: + result = self.decode(args) + except server.ProtocolError, err: + self.failUnless(err.openid_message) + else: + self.fail("Expected ProtocolError, instead returned with %s" % + (result,)) + + def test_checkidSetupUntrustedReturn(self): + args = { + 'openid.mode': 'checkid_setup', + 'openid.identity': self.id_url, + 'openid.assoc_handle': self.assoc_handle, + 'openid.return_to': self.rt_url, + 'openid.trust_root': 'http://not-the-return-place.unittest/', + } + try: + result = self.decode(args) + except server.UntrustedReturnURL, err: + self.failUnless(err.openid_message) + else: + self.fail("Expected UntrustedReturnURL, instead returned with %s" % + (result,)) + + def test_checkAuth(self): + args = { + 'openid.mode': 'check_authentication', + 'openid.assoc_handle': '{dumb}{handle}', + 'openid.sig': 'sigblob', + 'openid.signed': 'identity,return_to,response_nonce,mode', + 'openid.identity': 'signedval1', + 'openid.return_to': 'signedval2', + 'openid.response_nonce': 'signedval3', + 'openid.baz': 'unsigned', + } + r = self.decode(args) + self.failUnless(isinstance(r, server.CheckAuthRequest)) + self.failUnlessEqual(r.mode, 'check_authentication') + self.failUnlessEqual(r.sig, 'sigblob') + + + def test_checkAuthMissingSignature(self): + args = { + 'openid.mode': 'check_authentication', + 'openid.assoc_handle': '{dumb}{handle}', + 'openid.signed': 'foo,bar,mode', + 'openid.foo': 'signedval1', + 'openid.bar': 'signedval2', + 'openid.baz': 'unsigned', + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + + def test_checkAuthAndInvalidate(self): + args = { + 'openid.mode': 'check_authentication', + 'openid.assoc_handle': '{dumb}{handle}', + 'openid.invalidate_handle': '[[SMART_handle]]', + 'openid.sig': 'sigblob', + 'openid.signed': 'identity,return_to,response_nonce,mode', + 'openid.identity': 'signedval1', + 'openid.return_to': 'signedval2', + 'openid.response_nonce': 'signedval3', + 'openid.baz': 'unsigned', + } + r = self.decode(args) + self.failUnless(isinstance(r, server.CheckAuthRequest)) + self.failUnlessEqual(r.invalidate_handle, '[[SMART_handle]]') + + + def test_associateDH(self): + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'DH-SHA1', + 'openid.dh_consumer_public': "Rzup9265tw==", + } + r = self.decode(args) + self.failUnless(isinstance(r, server.AssociateRequest)) + self.failUnlessEqual(r.mode, "associate") + self.failUnlessEqual(r.session.session_type, "DH-SHA1") + self.failUnlessEqual(r.assoc_type, "HMAC-SHA1") + self.failUnless(r.session.consumer_pubkey) + + def test_associateDHMissingKey(self): + """Trying DH assoc w/o public key""" + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'DH-SHA1', + } + # Using DH-SHA1 without supplying dh_consumer_public is an error. + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + + def test_associateDHpubKeyNotB64(self): + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'DH-SHA1', + 'openid.dh_consumer_public': "donkeydonkeydonkey", + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + + def test_associateDHModGen(self): + # test dh with non-default but valid values for dh_modulus and dh_gen + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'DH-SHA1', + 'openid.dh_consumer_public': "Rzup9265tw==", + 'openid.dh_modulus': cryptutil.longToBase64(ALT_MODULUS), + 'openid.dh_gen': cryptutil.longToBase64(ALT_GEN) , + } + r = self.decode(args) + self.failUnless(isinstance(r, server.AssociateRequest)) + self.failUnlessEqual(r.mode, "associate") + self.failUnlessEqual(r.session.session_type, "DH-SHA1") + self.failUnlessEqual(r.assoc_type, "HMAC-SHA1") + self.failUnlessEqual(r.session.dh.modulus, ALT_MODULUS) + self.failUnlessEqual(r.session.dh.generator, ALT_GEN) + self.failUnless(r.session.consumer_pubkey) + + + def test_associateDHCorruptModGen(self): + # test dh with non-default but valid values for dh_modulus and dh_gen + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'DH-SHA1', + 'openid.dh_consumer_public': "Rzup9265tw==", + 'openid.dh_modulus': 'pizza', + 'openid.dh_gen': 'gnocchi', + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + + def test_associateDHMissingModGen(self): + # test dh with non-default but valid values for dh_modulus and dh_gen + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'DH-SHA1', + 'openid.dh_consumer_public': "Rzup9265tw==", + 'openid.dh_modulus': 'pizza', + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + +# def test_associateDHInvalidModGen(self): +# # test dh with properly encoded values that are not a valid +# # modulus/generator combination. +# args = { +# 'openid.mode': 'associate', +# 'openid.session_type': 'DH-SHA1', +# 'openid.dh_consumer_public': "Rzup9265tw==", +# 'openid.dh_modulus': cryptutil.longToBase64(9), +# 'openid.dh_gen': cryptutil.longToBase64(27) , +# } +# self.failUnlessRaises(server.ProtocolError, self.decode, args) +# test_associateDHInvalidModGen.todo = "low-priority feature" + + + def test_associateWeirdSession(self): + args = { + 'openid.mode': 'associate', + 'openid.session_type': 'FLCL6', + 'openid.dh_consumer_public': "YQ==\n", + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + + def test_associatePlain(self): + args = { + 'openid.mode': 'associate', + } + r = self.decode(args) + self.failUnless(isinstance(r, server.AssociateRequest)) + self.failUnlessEqual(r.mode, "associate") + self.failUnlessEqual(r.session.session_type, "no-encryption") + self.failUnlessEqual(r.assoc_type, "HMAC-SHA1") + + def test_nomode(self): + args = { + 'openid.session_type': 'DH-SHA1', + 'openid.dh_consumer_public': "my public keeey", + } + self.failUnlessRaises(server.ProtocolError, self.decode, args) + + def test_invalidns(self): + args = {'openid.ns': 'Tuesday', + 'openid.mode': 'associate'} + + try: + r = self.decode(args) + except server.ProtocolError, err: + # Assert that the ProtocolError does have a Message attached + # to it, even though the request wasn't a well-formed Message. + self.failUnless(err.openid_message) + # The error message contains the bad openid.ns. + self.failUnless('Tuesday' in str(err), str(err)) + else: + self.fail("Expected ProtocolError but returned with %r" % (r,)) + + +class TestEncode(unittest.TestCase): + def setUp(self): + self.encoder = server.Encoder() + self.encode = self.encoder.encode + self.op_endpoint = 'http://endpoint.unittest/encode' + self.store = memstore.MemoryStore() + self.server = server.Server(self.store, self.op_endpoint) + + def test_id_res_OpenID2_GET(self): + """ + Check that when an OpenID 2 response does not exceed the + OpenID 1 message size, a GET response (i.e., redirect) is + issued. + """ + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'ns': OPENID2_NS, + 'mode': 'id_res', + 'identity': request.identity, + 'claimed_id': request.identity, + 'return_to': request.return_to, + }) + + self.failIf(response.renderAsForm()) + self.failUnless(response.whichEncoding() == server.ENCODE_URL) + webresponse = self.encode(response) + self.failUnless(webresponse.headers.has_key('location')) + + def test_id_res_OpenID2_POST(self): + """ + Check that when an OpenID 2 response exceeds the OpenID 1 + message size, a POST response (i.e., an HTML form) is + returned. + """ + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'ns': OPENID2_NS, + 'mode': 'id_res', + 'identity': request.identity, + 'claimed_id': request.identity, + 'return_to': 'x' * OPENID1_URL_LIMIT, + }) + + self.failUnless(response.renderAsForm()) + self.failUnless(len(response.encodeToURL()) > OPENID1_URL_LIMIT) + self.failUnless(response.whichEncoding() == server.ENCODE_HTML_FORM) + webresponse = self.encode(response) + self.failUnlessEqual(webresponse.body, response.toFormMarkup()) + + def test_toFormMarkup(self): + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'ns': OPENID2_NS, + 'mode': 'id_res', + 'identity': request.identity, + 'claimed_id': request.identity, + 'return_to': 'x' * OPENID1_URL_LIMIT, + }) + + form_markup = response.toFormMarkup({'foo':'bar'}) + self.failUnless(' foo="bar"' in form_markup) + + def test_toHTML(self): + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'ns': OPENID2_NS, + 'mode': 'id_res', + 'identity': request.identity, + 'claimed_id': request.identity, + 'return_to': 'x' * OPENID1_URL_LIMIT, + }) + html = response.toHTML() + self.failUnless('<html>' in html) + self.failUnless('</html>' in html) + self.failUnless('<body onload=' in html) + self.failUnless('<form' in html) + self.failUnless('http://bombom.unittest/' in html) + + def test_id_res_OpenID1_exceeds_limit(self): + """ + Check that when an OpenID 1 response exceeds the OpenID 1 + message size, a GET response is issued. Technically, this + shouldn't be permitted by the library, but this test is in + place to preserve the status quo for OpenID 1. + """ + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'identity': request.identity, + 'return_to': 'x' * OPENID1_URL_LIMIT, + }) + + self.failIf(response.renderAsForm()) + self.failUnless(len(response.encodeToURL()) > OPENID1_URL_LIMIT) + self.failUnless(response.whichEncoding() == server.ENCODE_URL) + webresponse = self.encode(response) + self.failUnlessEqual(webresponse.headers['location'], response.encodeToURL()) + + def test_id_res(self): + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'identity': request.identity, + 'return_to': request.return_to, + }) + webresponse = self.encode(response) + self.failUnlessEqual(webresponse.code, server.HTTP_REDIRECT) + self.failUnless(webresponse.headers.has_key('location')) + + location = webresponse.headers['location'] + self.failUnless(location.startswith(request.return_to), + "%s does not start with %s" % (location, + request.return_to)) + # argh. + q2 = dict(cgi.parse_qsl(urlparse(location)[4])) + expected = response.fields.toPostArgs() + self.failUnlessEqual(q2, expected) + + def test_cancel(self): + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'mode': 'cancel', + }) + webresponse = self.encode(response) + self.failUnlessEqual(webresponse.code, server.HTTP_REDIRECT) + self.failUnless(webresponse.headers.has_key('location')) + + def test_cancelToForm(self): + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'mode': 'cancel', + }) + form = response.toFormMarkup() + self.failUnless(form) + + def test_assocReply(self): + msg = Message(OPENID2_NS) + msg.setArg(OPENID2_NS, 'session_type', 'no-encryption') + request = server.AssociateRequest.fromMessage(msg) + response = server.OpenIDResponse(request) + response.fields = Message.fromPostArgs( + {'openid.assoc_handle': "every-zig"}) + webresponse = self.encode(response) + body = """assoc_handle:every-zig +""" + self.failUnlessEqual(webresponse.code, server.HTTP_OK) + self.failUnlessEqual(webresponse.headers, {}) + self.failUnlessEqual(webresponse.body, body) + + def test_checkauthReply(self): + request = server.CheckAuthRequest('a_sock_monkey', + 'siggggg', + []) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'is_valid': 'true', + 'invalidate_handle': 'xXxX:xXXx' + }) + body = """invalidate_handle:xXxX:xXXx +is_valid:true +""" + webresponse = self.encode(response) + self.failUnlessEqual(webresponse.code, server.HTTP_OK) + self.failUnlessEqual(webresponse.headers, {}) + self.failUnlessEqual(webresponse.body, body) + + def test_unencodableError(self): + args = Message.fromPostArgs({ + 'openid.identity': 'http://limu.unittest/', + }) + e = server.ProtocolError(args, "wet paint") + self.failUnlessRaises(server.EncodingError, self.encode, e) + + def test_encodableError(self): + args = Message.fromPostArgs({ + 'openid.mode': 'associate', + 'openid.identity': 'http://limu.unittest/', + }) + body="error:snoot\nmode:error\n" + webresponse = self.encode(server.ProtocolError(args, "snoot")) + self.failUnlessEqual(webresponse.code, server.HTTP_ERROR) + self.failUnlessEqual(webresponse.headers, {}) + self.failUnlessEqual(webresponse.body, body) + + + +class TestSigningEncode(unittest.TestCase): + def setUp(self): + self._dumb_key = server.Signatory._dumb_key + self._normal_key = server.Signatory._normal_key + self.store = memstore.MemoryStore() + self.server = server.Server(self.store, "http://signing.unittest/enc") + self.request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + self.request.message = Message(OPENID2_NS) + self.response = server.OpenIDResponse(self.request) + self.response.fields = Message.fromOpenIDArgs({ + 'mode': 'id_res', + 'identity': self.request.identity, + 'return_to': self.request.return_to, + }) + self.signatory = server.Signatory(self.store) + self.encoder = server.SigningEncoder(self.signatory) + self.encode = self.encoder.encode + + def test_idres(self): + assoc_handle = '{bicycle}{shed}' + self.store.storeAssociation( + self._normal_key, + association.Association.fromExpiresIn(60, assoc_handle, + 'sekrit', 'HMAC-SHA1')) + self.request.assoc_handle = assoc_handle + webresponse = self.encode(self.response) + self.failUnlessEqual(webresponse.code, server.HTTP_REDIRECT) + self.failUnless(webresponse.headers.has_key('location')) + + location = webresponse.headers['location'] + query = cgi.parse_qs(urlparse(location)[4]) + self.failUnless('openid.sig' in query) + self.failUnless('openid.assoc_handle' in query) + self.failUnless('openid.signed' in query) + + def test_idresDumb(self): + webresponse = self.encode(self.response) + self.failUnlessEqual(webresponse.code, server.HTTP_REDIRECT) + self.failUnless(webresponse.headers.has_key('location')) + + location = webresponse.headers['location'] + query = cgi.parse_qs(urlparse(location)[4]) + self.failUnless('openid.sig' in query) + self.failUnless('openid.assoc_handle' in query) + self.failUnless('openid.signed' in query) + + def test_forgotStore(self): + self.encoder.signatory = None + self.failUnlessRaises(ValueError, self.encode, self.response) + + def test_cancel(self): + request = server.CheckIDRequest( + identity = 'http://bombom.unittest/', + trust_root = 'http://burr.unittest/', + return_to = 'http://burr.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + request.message = Message(OPENID2_NS) + response = server.OpenIDResponse(request) + response.fields.setArg(OPENID_NS, 'mode', 'cancel') + webresponse = self.encode(response) + self.failUnlessEqual(webresponse.code, server.HTTP_REDIRECT) + self.failUnless(webresponse.headers.has_key('location')) + location = webresponse.headers['location'] + query = cgi.parse_qs(urlparse(location)[4]) + self.failIf('openid.sig' in query, response.fields.toPostArgs()) + + def test_assocReply(self): + msg = Message(OPENID2_NS) + msg.setArg(OPENID2_NS, 'session_type', 'no-encryption') + request = server.AssociateRequest.fromMessage(msg) + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({'assoc_handle': "every-zig"}) + webresponse = self.encode(response) + body = """assoc_handle:every-zig +""" + self.failUnlessEqual(webresponse.code, server.HTTP_OK) + self.failUnlessEqual(webresponse.headers, {}) + self.failUnlessEqual(webresponse.body, body) + + def test_alreadySigned(self): + self.response.fields.setArg(OPENID_NS, 'sig', 'priorSig==') + self.failUnlessRaises(server.AlreadySigned, self.encode, self.response) + +class TestCheckID(unittest.TestCase): + def setUp(self): + self.op_endpoint = 'http://endpoint.unittest/' + self.store = memstore.MemoryStore() + self.server = server.Server(self.store, self.op_endpoint) + self.request = server.CheckIDRequest( + identity = 'http://bambam.unittest/', + trust_root = 'http://bar.unittest/', + return_to = 'http://bar.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + self.request.message = Message(OPENID2_NS) + + def test_trustRootInvalid(self): + self.request.trust_root = "http://foo.unittest/17" + self.request.return_to = "http://foo.unittest/39" + self.failIf(self.request.trustRootValid()) + + def test_trustRootValid(self): + self.request.trust_root = "http://foo.unittest/" + self.request.return_to = "http://foo.unittest/39" + self.failUnless(self.request.trustRootValid()) + + def test_malformedTrustRoot(self): + self.request.trust_root = "invalid://trust*root/" + self.request.return_to = "http://foo.unittest/39" + sentinel = object() + self.request.message = sentinel + try: + result = self.request.trustRootValid() + except server.MalformedTrustRoot, why: + self.failUnless(sentinel is why.openid_message) + else: + self.fail('Expected MalformedTrustRoot exception. Got %r' + % (result,)) + + def test_trustRootValidNoReturnTo(self): + request = server.CheckIDRequest( + identity = 'http://bambam.unittest/', + trust_root = 'http://bar.unittest/', + return_to = None, + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + + self.failUnless(request.trustRootValid()) + + def test_returnToVerified_callsVerify(self): + """Make sure that verifyReturnTo is calling the trustroot + function verifyReturnTo + """ + def withVerifyReturnTo(new_verify, callable): + old_verify = server.verifyReturnTo + try: + server.verifyReturnTo = new_verify + return callable() + finally: + server.verifyReturnTo = old_verify + + # Ensure that exceptions are passed through + sentinel = Exception() + def vrfyExc(trust_root, return_to): + self.failUnlessEqual(self.request.trust_root, trust_root) + self.failUnlessEqual(self.request.return_to, return_to) + raise sentinel + + try: + withVerifyReturnTo(vrfyExc, self.request.returnToVerified) + except Exception, e: + self.failUnless(e is sentinel, e) + + # Ensure that True and False are passed through unchanged + def constVerify(val): + def verify(trust_root, return_to): + self.failUnlessEqual(self.request.trust_root, trust_root) + self.failUnlessEqual(self.request.return_to, return_to) + return val + return verify + + for val in [True, False]: + self.failUnlessEqual( + val, + withVerifyReturnTo(constVerify(val), + self.request.returnToVerified)) + + def _expectAnswer(self, answer, identity=None, claimed_id=None): + expected_list = [ + ('mode', 'id_res'), + ('return_to', self.request.return_to), + ('op_endpoint', self.op_endpoint), + ] + if identity: + expected_list.append(('identity', identity)) + if claimed_id: + expected_list.append(('claimed_id', claimed_id)) + else: + expected_list.append(('claimed_id', identity)) + + for k, expected in expected_list: + actual = answer.fields.getArg(OPENID_NS, k) + self.failUnlessEqual(actual, expected, "%s: expected %s, got %s" % (k, expected, actual)) + + self.failUnless(answer.fields.hasKey(OPENID_NS, 'response_nonce')) + self.failUnless(answer.fields.getOpenIDNamespace() == OPENID2_NS) + + # One for nonce, one for ns + self.failUnlessEqual(len(answer.fields.toPostArgs()), + len(expected_list) + 2, + answer.fields.toPostArgs()) + + def test_answerAllow(self): + """Check the fields specified by "Positive Assertions" + + including mode=id_res, identity, claimed_id, op_endpoint, return_to + """ + answer = self.request.answer(True) + self.failUnlessEqual(answer.request, self.request) + self._expectAnswer(answer, self.request.identity) + + def test_answerAllowDelegatedIdentity(self): + self.request.claimed_id = 'http://delegating.unittest/' + answer = self.request.answer(True) + self._expectAnswer(answer, self.request.identity, + self.request.claimed_id) + + def test_answerAllowDelegatedIdentity2(self): + # This time with the identity argument explicitly passed in to + # answer() + self.request.claimed_id = 'http://delegating.unittest/' + answer = self.request.answer(True, identity='http://bambam.unittest/') + self._expectAnswer(answer, self.request.identity, + self.request.claimed_id) + + def test_answerAllowWithoutIdentityReally(self): + self.request.identity = None + answer = self.request.answer(True) + self.failUnlessEqual(answer.request, self.request) + self._expectAnswer(answer) + + def test_answerAllowAnonymousFail(self): + self.request.identity = None + # XXX - Check on this, I think this behavior is legal in OpenID 2.0? + self.failUnlessRaises( + ValueError, self.request.answer, True, identity="=V") + + def test_answerAllowWithIdentity(self): + self.request.identity = IDENTIFIER_SELECT + selected_id = 'http://anon.unittest/9861' + answer = self.request.answer(True, identity=selected_id) + self._expectAnswer(answer, selected_id) + + def test_answerAllowWithDelegatedIdentityOpenID2(self): + """Answer an IDENTIFIER_SELECT case with a delegated identifier. + """ + # claimed_id delegates to selected_id here. + self.request.identity = IDENTIFIER_SELECT + selected_id = 'http://anon.unittest/9861' + claimed_id = 'http://monkeyhat.unittest/' + answer = self.request.answer(True, identity=selected_id, + claimed_id=claimed_id) + self._expectAnswer(answer, selected_id, claimed_id) + + def test_answerAllowWithDelegatedIdentityOpenID1(self): + """claimed_id parameter doesn't exist in OpenID 1. + """ + self.request.message = Message(OPENID1_NS) + # claimed_id delegates to selected_id here. + self.request.identity = IDENTIFIER_SELECT + selected_id = 'http://anon.unittest/9861' + claimed_id = 'http://monkeyhat.unittest/' + self.failUnlessRaises(server.VersionError, + self.request.answer, True, + identity=selected_id, + claimed_id=claimed_id) + + def test_answerAllowWithAnotherIdentity(self): + # XXX - Check on this, I think this behavior is legal in OpenID 2.0? + self.failUnlessRaises(ValueError, self.request.answer, True, + identity="http://pebbles.unittest/") + + def test_answerAllowWithIdentityNormalization(self): + # The RP has sent us a non-normalized value for openid.identity, + # and the library user is passing an explicit value for identity + # to CheckIDRequest.answer. + non_normalized = 'http://bambam.unittest' + normalized = non_normalized + '/' + + self.request.identity = non_normalized + self.request.claimed_id = non_normalized + + answer = self.request.answer(True, identity=normalized) + + # Expect the values that were sent in the request, even though + # they're not normalized. + self._expectAnswer(answer, identity=non_normalized, + claimed_id=non_normalized) + + def test_answerAllowNoIdentityOpenID1(self): + self.request.message = Message(OPENID1_NS) + self.request.identity = None + self.failUnlessRaises(ValueError, self.request.answer, True, + identity=None) + + def test_answerAllowForgotEndpoint(self): + self.request.op_endpoint = None + self.failUnlessRaises(RuntimeError, self.request.answer, True) + + def test_checkIDWithNoIdentityOpenID1(self): + msg = Message(OPENID1_NS) + msg.setArg(OPENID_NS, 'return_to', 'bogus') + msg.setArg(OPENID_NS, 'trust_root', 'bogus') + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'assoc_handle', 'bogus') + + self.failUnlessRaises(server.ProtocolError, + server.CheckIDRequest.fromMessage, + msg, self.server) + + def test_fromMessageClaimedIDWithoutIdentityOpenID2(self): + name = 'https://example.myopenid.com' + + msg = Message(OPENID2_NS) + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'return_to', 'http://invalid:8000/rt') + msg.setArg(OPENID_NS, 'claimed_id', name) + + self.failUnlessRaises(server.ProtocolError, + server.CheckIDRequest.fromMessage, + msg, self.server) + + def test_fromMessageIdentityWithoutClaimedIDOpenID2(self): + name = 'https://example.myopenid.com' + + msg = Message(OPENID2_NS) + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'return_to', 'http://invalid:8000/rt') + msg.setArg(OPENID_NS, 'identity', name) + + self.failUnlessRaises(server.ProtocolError, + server.CheckIDRequest.fromMessage, + msg, self.server) + + def test_trustRootOpenID1(self): + """Ignore openid.realm in OpenID 1""" + msg = Message(OPENID1_NS) + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'trust_root', 'http://real_trust_root/') + msg.setArg(OPENID_NS, 'realm', 'http://fake_trust_root/') + msg.setArg(OPENID_NS, 'return_to', 'http://real_trust_root/foo') + msg.setArg(OPENID_NS, 'assoc_handle', 'bogus') + msg.setArg(OPENID_NS, 'identity', 'george') + + result = server.CheckIDRequest.fromMessage(msg, self.server.op_endpoint) + + self.failUnless(result.trust_root == 'http://real_trust_root/') + + def test_trustRootOpenID2(self): + """Ignore openid.trust_root in OpenID 2""" + msg = Message(OPENID2_NS) + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'realm', 'http://real_trust_root/') + msg.setArg(OPENID_NS, 'trust_root', 'http://fake_trust_root/') + msg.setArg(OPENID_NS, 'return_to', 'http://real_trust_root/foo') + msg.setArg(OPENID_NS, 'assoc_handle', 'bogus') + msg.setArg(OPENID_NS, 'identity', 'george') + msg.setArg(OPENID_NS, 'claimed_id', 'george') + + result = server.CheckIDRequest.fromMessage(msg, self.server.op_endpoint) + + self.failUnless(result.trust_root == 'http://real_trust_root/') + + def test_answerAllowNoTrustRoot(self): + self.request.trust_root = None + answer = self.request.answer(True) + self.failUnlessEqual(answer.request, self.request) + self._expectAnswer(answer, self.request.identity) + + def test_fromMessageWithoutTrustRoot(self): + msg = Message(OPENID2_NS) + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'return_to', 'http://real_trust_root/foo') + msg.setArg(OPENID_NS, 'assoc_handle', 'bogus') + msg.setArg(OPENID_NS, 'identity', 'george') + msg.setArg(OPENID_NS, 'claimed_id', 'george') + + result = server.CheckIDRequest.fromMessage(msg, self.server.op_endpoint) + + self.failUnlessEqual(result.trust_root, 'http://real_trust_root/foo') + + def test_fromMessageWithEmptyTrustRoot(self): + return_to = u'http://someplace.invalid/?go=thing' + msg = Message.fromPostArgs({ + u'openid.assoc_handle': u'{blah}{blah}{OZivdQ==}', + u'openid.claimed_id': u'http://delegated.invalid/', + u'openid.identity': u'http://op-local.example.com/', + u'openid.mode': u'checkid_setup', + u'openid.ns': u'http://openid.net/signon/1.0', + u'openid.return_to': return_to, + u'openid.trust_root': u''}) + + result = server.CheckIDRequest.fromMessage(msg, self.server.op_endpoint) + + self.failUnlessEqual(result.trust_root, return_to) + + def test_fromMessageWithoutTrustRootOrReturnTo(self): + msg = Message(OPENID2_NS) + msg.setArg(OPENID_NS, 'mode', 'checkid_setup') + msg.setArg(OPENID_NS, 'assoc_handle', 'bogus') + msg.setArg(OPENID_NS, 'identity', 'george') + msg.setArg(OPENID_NS, 'claimed_id', 'george') + + self.failUnlessRaises(server.ProtocolError, + server.CheckIDRequest.fromMessage, + msg, self.server.op_endpoint) + + def test_answerAllowNoEndpointOpenID1(self): + """Test .allow() with an OpenID 1.x Message on a CheckIDRequest + built without an op_endpoint parameter. + """ + identity = 'http://bambam.unittest/' + reqmessage = Message.fromOpenIDArgs({ + 'identity': identity, + 'trust_root': 'http://bar.unittest/', + 'return_to': 'http://bar.unittest/999', + }) + self.request = server.CheckIDRequest.fromMessage(reqmessage, None) + answer = self.request.answer(True) + + expected_list = [ + ('mode', 'id_res'), + ('return_to', self.request.return_to), + ('identity', identity), + ] + + for k, expected in expected_list: + actual = answer.fields.getArg(OPENID_NS, k) + self.failUnlessEqual( + expected, actual, + "%s: expected %s, got %s" % (k, expected, actual)) + + self.failUnless(answer.fields.hasKey(OPENID_NS, 'response_nonce')) + self.failUnlessEqual(answer.fields.getOpenIDNamespace(), OPENID1_NS) + self.failUnless(answer.fields.namespaces.isImplicit(OPENID1_NS)) + + # One for nonce (OpenID v1 namespace is implicit) + self.failUnlessEqual(len(answer.fields.toPostArgs()), + len(expected_list) + 1, + answer.fields.toPostArgs()) + + def test_answerImmediateDenyOpenID2(self): + """Look for mode=setup_needed in checkid_immediate negative + response in OpenID 2 case. + + See specification Responding to Authentication Requests / + Negative Assertions / In Response to Immediate Requests. + """ + self.request.mode = 'checkid_immediate' + self.request.immediate = True + self.request.claimed_id = 'http://claimed-id.test/' + server_url = "http://setup-url.unittest/" + # crappiting setup_url, you dirty my interface with your presence! + answer = self.request.answer(False, server_url=server_url) + self.failUnlessEqual(answer.request, self.request) + self.failUnlessEqual(len(answer.fields.toPostArgs()), 3, answer.fields) + self.failUnlessEqual(answer.fields.getOpenIDNamespace(), OPENID2_NS) + self.failUnlessEqual(answer.fields.getArg(OPENID_NS, 'mode'), + 'setup_needed') + + usu = answer.fields.getArg(OPENID_NS, 'user_setup_url') + expected_substr = 'openid.claimed_id=http%3A%2F%2Fclaimed-id.test%2F' + self.failUnless(expected_substr in usu, usu) + + def test_answerImmediateDenyOpenID1(self): + """Look for user_setup_url in checkid_immediate negative + response in OpenID 1 case.""" + self.request.message = Message(OPENID1_NS) + self.request.mode = 'checkid_immediate' + self.request.immediate = True + server_url = "http://setup-url.unittest/" + # crappiting setup_url, you dirty my interface with your presence! + answer = self.request.answer(False, server_url=server_url) + self.failUnlessEqual(answer.request, self.request) + self.failUnlessEqual(len(answer.fields.toPostArgs()), 2, answer.fields) + self.failUnlessEqual(answer.fields.getOpenIDNamespace(), OPENID1_NS) + self.failUnless(answer.fields.namespaces.isImplicit(OPENID1_NS)) + self.failUnlessEqual(answer.fields.getArg(OPENID_NS, 'mode'), 'id_res') + self.failUnless(answer.fields.getArg( + OPENID_NS, 'user_setup_url', '').startswith(server_url)) + + def test_answerSetupDeny(self): + answer = self.request.answer(False) + self.failUnlessEqual(answer.fields.getArgs(OPENID_NS), { + 'mode': 'cancel', + }) + + def test_encodeToURL(self): + server_url = 'http://openid-server.unittest/' + result = self.request.encodeToURL(server_url) + + # How to check? How about a round-trip test. + base, result_args = result.split('?', 1) + result_args = dict(cgi.parse_qsl(result_args)) + message = Message.fromPostArgs(result_args) + rebuilt_request = server.CheckIDRequest.fromMessage(message, + self.server.op_endpoint) + # argh, lousy hack + self.request.message = message + self.failUnlessEqual(rebuilt_request.__dict__, self.request.__dict__) + + def test_getCancelURL(self): + url = self.request.getCancelURL() + rt, query_string = url.split('?') + self.failUnlessEqual(self.request.return_to, rt) + query = dict(cgi.parse_qsl(query_string)) + self.failUnlessEqual(query, {'openid.mode':'cancel', + 'openid.ns':OPENID2_NS}) + + def test_getCancelURLimmed(self): + self.request.mode = 'checkid_immediate' + self.request.immediate = True + self.failUnlessRaises(ValueError, self.request.getCancelURL) + + + +class TestCheckIDExtension(unittest.TestCase): + + def setUp(self): + self.op_endpoint = 'http://endpoint.unittest/ext' + self.store = memstore.MemoryStore() + self.server = server.Server(self.store, self.op_endpoint) + self.request = server.CheckIDRequest( + identity = 'http://bambam.unittest/', + trust_root = 'http://bar.unittest/', + return_to = 'http://bar.unittest/999', + immediate = False, + op_endpoint = self.server.op_endpoint, + ) + self.request.message = Message(OPENID2_NS) + self.response = server.OpenIDResponse(self.request) + self.response.fields.setArg(OPENID_NS, 'mode', 'id_res') + self.response.fields.setArg(OPENID_NS, 'blue', 'star') + + + def test_addField(self): + namespace = 'something:' + self.response.fields.setArg(namespace, 'bright', 'potato') + self.failUnlessEqual(self.response.fields.getArgs(OPENID_NS), + {'blue': 'star', + 'mode': 'id_res', + }) + + self.failUnlessEqual(self.response.fields.getArgs(namespace), + {'bright':'potato'}) + + + def test_addFields(self): + namespace = 'mi5:' + args = {'tangy': 'suspenders', + 'bravo': 'inclusion'} + self.response.fields.updateArgs(namespace, args) + self.failUnlessEqual(self.response.fields.getArgs(OPENID_NS), + {'blue': 'star', + 'mode': 'id_res', + }) + self.failUnlessEqual(self.response.fields.getArgs(namespace), args) + + + +class MockSignatory(object): + isValid = True + + def __init__(self, assoc): + self.assocs = [assoc] + + def verify(self, assoc_handle, message): + assert message.hasKey(OPENID_NS, "sig") + if (True, assoc_handle) in self.assocs: + return self.isValid + else: + return False + + def getAssociation(self, assoc_handle, dumb): + if (dumb, assoc_handle) in self.assocs: + # This isn't a valid implementation for many uses of this + # function, mind you. + return True + else: + return None + + def invalidate(self, assoc_handle, dumb): + if (dumb, assoc_handle) in self.assocs: + self.assocs.remove((dumb, assoc_handle)) + + +class TestCheckAuth(unittest.TestCase): + def setUp(self): + self.assoc_handle = 'mooooooooo' + self.message = Message.fromPostArgs({ + 'openid.sig': 'signarture', + 'one': 'alpha', + 'two': 'beta', + }) + self.request = server.CheckAuthRequest( + self.assoc_handle, self.message) + + self.signatory = MockSignatory((True, self.assoc_handle)) + + def test_valid(self): + r = self.request.answer(self.signatory) + self.failUnlessEqual(r.fields.getArgs(OPENID_NS), {'is_valid': 'true'}) + self.failUnlessEqual(r.request, self.request) + + def test_invalid(self): + self.signatory.isValid = False + r = self.request.answer(self.signatory) + self.failUnlessEqual(r.fields.getArgs(OPENID_NS), + {'is_valid': 'false'}) + + def test_replay(self): + """Don't validate the same response twice. + + From "Checking the Nonce":: + + When using "check_authentication", the OP MUST ensure that an + assertion has not yet been accepted with the same value for + "openid.response_nonce". + + In this implementation, the assoc_handle is only valid once. And + nonces are a signed component of the message, so they can't be used + with another handle without breaking the sig. + """ + r = self.request.answer(self.signatory) + r = self.request.answer(self.signatory) + self.failUnlessEqual(r.fields.getArgs(OPENID_NS), + {'is_valid': 'false'}) + + def test_invalidatehandle(self): + self.request.invalidate_handle = "bogusHandle" + r = self.request.answer(self.signatory) + self.failUnlessEqual(r.fields.getArgs(OPENID_NS), + {'is_valid': 'true', + 'invalidate_handle': "bogusHandle"}) + self.failUnlessEqual(r.request, self.request) + + def test_invalidatehandleNo(self): + assoc_handle = 'goodhandle' + self.signatory.assocs.append((False, 'goodhandle')) + self.request.invalidate_handle = assoc_handle + r = self.request.answer(self.signatory) + self.failUnlessEqual(r.fields.getArgs(OPENID_NS), {'is_valid': 'true'}) + + +class TestAssociate(unittest.TestCase): + # TODO: test DH with non-default values for modulus and gen. + # (important to do because we actually had it broken for a while.) + + def setUp(self): + self.request = server.AssociateRequest.fromMessage( + Message.fromPostArgs({})) + self.store = memstore.MemoryStore() + self.signatory = server.Signatory(self.store) + + def test_dhSHA1(self): + self.assoc = self.signatory.createAssociation(dumb=False, assoc_type='HMAC-SHA1') + from openid.dh import DiffieHellman + from openid.server.server import DiffieHellmanSHA1ServerSession + consumer_dh = DiffieHellman.fromDefaults() + cpub = consumer_dh.public + server_dh = DiffieHellman.fromDefaults() + session = DiffieHellmanSHA1ServerSession(server_dh, cpub) + self.request = server.AssociateRequest(session, 'HMAC-SHA1') + response = self.request.answer(self.assoc) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA1") + self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle) + self.failIf(rfg("mac_key")) + self.failUnlessEqual(rfg("session_type"), "DH-SHA1") + self.failUnless(rfg("enc_mac_key")) + self.failUnless(rfg("dh_server_public")) + + enc_key = rfg("enc_mac_key").decode('base64') + spub = cryptutil.base64ToLong(rfg("dh_server_public")) + secret = consumer_dh.xorSecret(spub, enc_key, cryptutil.sha1) + self.failUnlessEqual(secret, self.assoc.secret) + + + if not cryptutil.SHA256_AVAILABLE: + warnings.warn("Not running SHA256 tests.") + else: + def test_dhSHA256(self): + self.assoc = self.signatory.createAssociation( + dumb=False, assoc_type='HMAC-SHA256') + from openid.dh import DiffieHellman + from openid.server.server import DiffieHellmanSHA256ServerSession + consumer_dh = DiffieHellman.fromDefaults() + cpub = consumer_dh.public + server_dh = DiffieHellman.fromDefaults() + session = DiffieHellmanSHA256ServerSession(server_dh, cpub) + self.request = server.AssociateRequest(session, 'HMAC-SHA256') + response = self.request.answer(self.assoc) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA256") + self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle) + self.failIf(rfg("mac_key")) + self.failUnlessEqual(rfg("session_type"), "DH-SHA256") + self.failUnless(rfg("enc_mac_key")) + self.failUnless(rfg("dh_server_public")) + + enc_key = rfg("enc_mac_key").decode('base64') + spub = cryptutil.base64ToLong(rfg("dh_server_public")) + secret = consumer_dh.xorSecret(spub, enc_key, cryptutil.sha256) + self.failUnlessEqual(secret, self.assoc.secret) + + def test_protoError256(self): + from openid.consumer.consumer import \ + DiffieHellmanSHA256ConsumerSession + + s256_session = DiffieHellmanSHA256ConsumerSession() + + invalid_s256 = {'openid.assoc_type':'HMAC-SHA1', + 'openid.session_type':'DH-SHA256',} + invalid_s256.update(s256_session.getRequest()) + + invalid_s256_2 = {'openid.assoc_type':'MONKEY-PIRATE', + 'openid.session_type':'DH-SHA256',} + invalid_s256_2.update(s256_session.getRequest()) + + bad_request_argss = [ + invalid_s256, + invalid_s256_2, + ] + + for request_args in bad_request_argss: + message = Message.fromPostArgs(request_args) + self.failUnlessRaises(server.ProtocolError, + server.AssociateRequest.fromMessage, + message) + + def test_protoError(self): + from openid.consumer.consumer import DiffieHellmanSHA1ConsumerSession + + s1_session = DiffieHellmanSHA1ConsumerSession() + + invalid_s1 = {'openid.assoc_type':'HMAC-SHA256', + 'openid.session_type':'DH-SHA1',} + invalid_s1.update(s1_session.getRequest()) + + invalid_s1_2 = {'openid.assoc_type':'ROBOT-NINJA', + 'openid.session_type':'DH-SHA1',} + invalid_s1_2.update(s1_session.getRequest()) + + bad_request_argss = [ + {'openid.assoc_type':'Wha?'}, + invalid_s1, + invalid_s1_2, + ] + + for request_args in bad_request_argss: + message = Message.fromPostArgs(request_args) + self.failUnlessRaises(server.ProtocolError, + server.AssociateRequest.fromMessage, + message) + + def test_protoErrorFields(self): + + contact = 'user@example.invalid' + reference = 'Trac ticket number MAX_INT' + error = 'poltergeist' + + openid1_args = { + 'openid.identitiy': 'invalid', + 'openid.mode': 'checkid_setup', + } + + openid2_args = dict(openid1_args) + openid2_args.update({'openid.ns': OPENID2_NS}) + + # Check presence of optional fields in both protocol versions + + openid1_msg = Message.fromPostArgs(openid1_args) + p = server.ProtocolError(openid1_msg, error, + contact=contact, reference=reference) + reply = p.toMessage() + + self.failUnlessEqual(reply.getArg(OPENID_NS, 'reference'), reference) + self.failUnlessEqual(reply.getArg(OPENID_NS, 'contact'), contact) + + openid2_msg = Message.fromPostArgs(openid2_args) + p = server.ProtocolError(openid2_msg, error, + contact=contact, reference=reference) + reply = p.toMessage() + + self.failUnlessEqual(reply.getArg(OPENID_NS, 'reference'), reference) + self.failUnlessEqual(reply.getArg(OPENID_NS, 'contact'), contact) + + def failUnlessExpiresInMatches(self, msg, expected_expires_in): + expires_in_str = msg.getArg(OPENID_NS, 'expires_in', no_default) + expires_in = int(expires_in_str) + + # Slop is necessary because the tests can sometimes get run + # right on a second boundary + slop = 1 # second + difference = expected_expires_in - expires_in + + error_message = ('"expires_in" value not within %s of expected: ' + 'expected=%s, actual=%s' % + (slop, expected_expires_in, expires_in)) + self.failUnless(0 <= difference <= slop, error_message) + + def test_plaintext(self): + self.assoc = self.signatory.createAssociation(dumb=False, assoc_type='HMAC-SHA1') + response = self.request.answer(self.assoc) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + + self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA1") + self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle) + + self.failUnlessExpiresInMatches( + response.fields, self.signatory.SECRET_LIFETIME) + + self.failUnlessEqual( + rfg("mac_key"), oidutil.toBase64(self.assoc.secret)) + self.failIf(rfg("session_type")) + self.failIf(rfg("enc_mac_key")) + self.failIf(rfg("dh_server_public")) + + def test_plaintext_v2(self): + # The main difference between this and the v1 test is that + # session_type is always returned in v2. + args = { + 'openid.ns': OPENID2_NS, + 'openid.mode': 'associate', + 'openid.assoc_type': 'HMAC-SHA1', + 'openid.session_type': 'no-encryption', + } + self.request = server.AssociateRequest.fromMessage( + Message.fromPostArgs(args)) + + self.failIf(self.request.message.isOpenID1()) + + self.assoc = self.signatory.createAssociation( + dumb=False, assoc_type='HMAC-SHA1') + response = self.request.answer(self.assoc) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + + self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA1") + self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle) + + self.failUnlessExpiresInMatches( + response.fields, self.signatory.SECRET_LIFETIME) + + self.failUnlessEqual( + rfg("mac_key"), oidutil.toBase64(self.assoc.secret)) + + self.failUnlessEqual(rfg("session_type"), "no-encryption") + self.failIf(rfg("enc_mac_key")) + self.failIf(rfg("dh_server_public")) + + def test_plaintext256(self): + self.assoc = self.signatory.createAssociation(dumb=False, assoc_type='HMAC-SHA256') + response = self.request.answer(self.assoc) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + + self.failUnlessEqual(rfg("assoc_type"), "HMAC-SHA1") + self.failUnlessEqual(rfg("assoc_handle"), self.assoc.handle) + + self.failUnlessExpiresInMatches( + response.fields, self.signatory.SECRET_LIFETIME) + + self.failUnlessEqual( + rfg("mac_key"), oidutil.toBase64(self.assoc.secret)) + self.failIf(rfg("session_type")) + self.failIf(rfg("enc_mac_key")) + self.failIf(rfg("dh_server_public")) + + def test_unsupportedPrefer(self): + allowed_assoc = 'COLD-PET-RAT' + allowed_sess = 'FROG-BONES' + message = 'This is a unit test' + + # Set an OpenID 2 message so answerUnsupported doesn't raise + # ProtocolError. + self.request.message = Message(OPENID2_NS) + + response = self.request.answerUnsupported( + message=message, + preferred_session_type=allowed_sess, + preferred_association_type=allowed_assoc, + ) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + self.failUnlessEqual(rfg('error_code'), 'unsupported-type') + self.failUnlessEqual(rfg('assoc_type'), allowed_assoc) + self.failUnlessEqual(rfg('error'), message) + self.failUnlessEqual(rfg('session_type'), allowed_sess) + + def test_unsupported(self): + message = 'This is a unit test' + + # Set an OpenID 2 message so answerUnsupported doesn't raise + # ProtocolError. + self.request.message = Message(OPENID2_NS) + + response = self.request.answerUnsupported(message) + rfg = lambda f: response.fields.getArg(OPENID_NS, f) + self.failUnlessEqual(rfg('error_code'), 'unsupported-type') + self.failUnlessEqual(rfg('assoc_type'), None) + self.failUnlessEqual(rfg('error'), message) + self.failUnlessEqual(rfg('session_type'), None) + +class Counter(object): + def __init__(self): + self.count = 0 + + def inc(self): + self.count += 1 + +class TestServer(unittest.TestCase, CatchLogs): + def setUp(self): + self.store = memstore.MemoryStore() + self.server = server.Server(self.store, "http://server.unittest/endpt") + CatchLogs.setUp(self) + + def test_dispatch(self): + monkeycalled = Counter() + def monkeyDo(request): + monkeycalled.inc() + r = server.OpenIDResponse(request) + return r + self.server.openid_monkeymode = monkeyDo + request = server.OpenIDRequest() + request.mode = "monkeymode" + request.namespace = OPENID1_NS + webresult = self.server.handleRequest(request) + self.failUnlessEqual(monkeycalled.count, 1) + + def test_associate(self): + request = server.AssociateRequest.fromMessage(Message.fromPostArgs({})) + response = self.server.openid_associate(request) + self.failUnless(response.fields.hasKey(OPENID_NS, "assoc_handle"), + "No assoc_handle here: %s" % (response.fields,)) + + def test_associate2(self): + """Associate when the server has no allowed association types + + Gives back an error with error_code and no fallback session or + assoc types.""" + self.server.negotiator.setAllowedTypes([]) + + # Set an OpenID 2 message so answerUnsupported doesn't raise + # ProtocolError. + msg = Message.fromPostArgs({ + 'openid.ns': OPENID2_NS, + 'openid.session_type': 'no-encryption', + }) + + request = server.AssociateRequest.fromMessage(msg) + + response = self.server.openid_associate(request) + self.failUnless(response.fields.hasKey(OPENID_NS, "error")) + self.failUnless(response.fields.hasKey(OPENID_NS, "error_code")) + self.failIf(response.fields.hasKey(OPENID_NS, "assoc_handle")) + self.failIf(response.fields.hasKey(OPENID_NS, "assoc_type")) + self.failIf(response.fields.hasKey(OPENID_NS, "session_type")) + + def test_associate3(self): + """Request an assoc type that is not supported when there are + supported types. + + Should give back an error message with a fallback type. + """ + self.server.negotiator.setAllowedTypes([('HMAC-SHA256', 'DH-SHA256')]) + + msg = Message.fromPostArgs({ + 'openid.ns': OPENID2_NS, + 'openid.session_type': 'no-encryption', + }) + + request = server.AssociateRequest.fromMessage(msg) + response = self.server.openid_associate(request) + + self.failUnless(response.fields.hasKey(OPENID_NS, "error")) + self.failUnless(response.fields.hasKey(OPENID_NS, "error_code")) + self.failIf(response.fields.hasKey(OPENID_NS, "assoc_handle")) + self.failUnlessEqual(response.fields.getArg(OPENID_NS, "assoc_type"), + 'HMAC-SHA256') + self.failUnlessEqual(response.fields.getArg(OPENID_NS, "session_type"), + 'DH-SHA256') + + if not cryptutil.SHA256_AVAILABLE: + warnings.warn("Not running SHA256 tests.") + else: + def test_associate4(self): + """DH-SHA256 association session""" + self.server.negotiator.setAllowedTypes( + [('HMAC-SHA256', 'DH-SHA256')]) + query = { + 'openid.dh_consumer_public': + 'ALZgnx8N5Lgd7pCj8K86T/DDMFjJXSss1SKoLmxE72kJTzOtG6I2PaYrHX' + 'xku4jMQWSsGfLJxwCZ6280uYjUST/9NWmuAfcrBfmDHIBc3H8xh6RBnlXJ' + '1WxJY3jHd5k1/ZReyRZOxZTKdF/dnIqwF8ZXUwI6peV0TyS/K1fOfF/s', + 'openid.assoc_type': 'HMAC-SHA256', + 'openid.session_type': 'DH-SHA256', + } + message = Message.fromPostArgs(query) + request = server.AssociateRequest.fromMessage(message) + response = self.server.openid_associate(request) + self.failUnless(response.fields.hasKey(OPENID_NS, "assoc_handle")) + + def test_missingSessionTypeOpenID2(self): + """Make sure session_type is required in OpenID 2""" + msg = Message.fromPostArgs({ + 'openid.ns': OPENID2_NS, + }) + + self.assertRaises(server.ProtocolError, + server.AssociateRequest.fromMessage, msg) + + def test_checkAuth(self): + request = server.CheckAuthRequest('arrrrrf', '0x3999', []) + response = self.server.openid_check_authentication(request) + self.failUnless(response.fields.hasKey(OPENID_NS, "is_valid")) + +class TestSignatory(unittest.TestCase, CatchLogs): + def setUp(self): + self.store = memstore.MemoryStore() + self.signatory = server.Signatory(self.store) + self._dumb_key = self.signatory._dumb_key + self._normal_key = self.signatory._normal_key + CatchLogs.setUp(self) + + def test_sign(self): + request = server.OpenIDRequest() + assoc_handle = '{assoc}{lookatme}' + self.store.storeAssociation( + self._normal_key, + association.Association.fromExpiresIn(60, assoc_handle, + 'sekrit', 'HMAC-SHA1')) + request.assoc_handle = assoc_handle + request.namespace = OPENID1_NS + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'foo': 'amsigned', + 'bar': 'notsigned', + 'azu': 'alsosigned', + }) + sresponse = self.signatory.sign(response) + self.failUnlessEqual( + sresponse.fields.getArg(OPENID_NS, 'assoc_handle'), + assoc_handle) + self.failUnlessEqual(sresponse.fields.getArg(OPENID_NS, 'signed'), + 'assoc_handle,azu,bar,foo,signed') + self.failUnless(sresponse.fields.getArg(OPENID_NS, 'sig')) + self.failIf(self.messages, self.messages) + + def test_signDumb(self): + request = server.OpenIDRequest() + request.assoc_handle = None + request.namespace = OPENID2_NS + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'foo': 'amsigned', + 'bar': 'notsigned', + 'azu': 'alsosigned', + 'ns':OPENID2_NS, + }) + sresponse = self.signatory.sign(response) + assoc_handle = sresponse.fields.getArg(OPENID_NS, 'assoc_handle') + self.failUnless(assoc_handle) + assoc = self.signatory.getAssociation(assoc_handle, dumb=True) + self.failUnless(assoc) + self.failUnlessEqual(sresponse.fields.getArg(OPENID_NS, 'signed'), + 'assoc_handle,azu,bar,foo,ns,signed') + self.failUnless(sresponse.fields.getArg(OPENID_NS, 'sig')) + self.failIf(self.messages, self.messages) + + def test_signExpired(self): + """Sign a response to a message with an expired handle (using invalidate_handle). + + From "Verifying with an Association":: + + If an authentication request included an association handle for an + association between the OP and the Relying party, and the OP no + longer wishes to use that handle (because it has expired or the + secret has been compromised, for instance), the OP will send a + response that must be verified directly with the OP, as specified + in Section 11.3.2. In that instance, the OP will include the field + "openid.invalidate_handle" set to the association handle that the + Relying Party included with the original request. + """ + request = server.OpenIDRequest() + request.namespace = OPENID2_NS + assoc_handle = '{assoc}{lookatme}' + self.store.storeAssociation( + self._normal_key, + association.Association.fromExpiresIn(-10, assoc_handle, + 'sekrit', 'HMAC-SHA1')) + self.failUnless(self.store.getAssociation(self._normal_key, assoc_handle)) + + request.assoc_handle = assoc_handle + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'foo': 'amsigned', + 'bar': 'notsigned', + 'azu': 'alsosigned', + }) + sresponse = self.signatory.sign(response) + + new_assoc_handle = sresponse.fields.getArg(OPENID_NS, 'assoc_handle') + self.failUnless(new_assoc_handle) + self.failIfEqual(new_assoc_handle, assoc_handle) + + self.failUnlessEqual( + sresponse.fields.getArg(OPENID_NS, 'invalidate_handle'), + assoc_handle) + + self.failUnlessEqual(sresponse.fields.getArg(OPENID_NS, 'signed'), + 'assoc_handle,azu,bar,foo,invalidate_handle,signed') + self.failUnless(sresponse.fields.getArg(OPENID_NS, 'sig')) + + # make sure the expired association is gone + self.failIf(self.store.getAssociation(self._normal_key, assoc_handle), + "expired association is still retrievable.") + + # make sure the new key is a dumb mode association + self.failUnless(self.store.getAssociation(self._dumb_key, new_assoc_handle)) + self.failIf(self.store.getAssociation(self._normal_key, new_assoc_handle)) + self.failUnless(self.messages) + + + def test_signInvalidHandle(self): + request = server.OpenIDRequest() + request.namespace = OPENID2_NS + assoc_handle = '{bogus-assoc}{notvalid}' + + request.assoc_handle = assoc_handle + response = server.OpenIDResponse(request) + response.fields = Message.fromOpenIDArgs({ + 'foo': 'amsigned', + 'bar': 'notsigned', + 'azu': 'alsosigned', + }) + sresponse = self.signatory.sign(response) + + new_assoc_handle = sresponse.fields.getArg(OPENID_NS, 'assoc_handle') + self.failUnless(new_assoc_handle) + self.failIfEqual(new_assoc_handle, assoc_handle) + + self.failUnlessEqual( + sresponse.fields.getArg(OPENID_NS, 'invalidate_handle'), + assoc_handle) + + self.failUnlessEqual( + sresponse.fields.getArg(OPENID_NS, 'signed'), 'assoc_handle,azu,bar,foo,invalidate_handle,signed') + self.failUnless(sresponse.fields.getArg(OPENID_NS, 'sig')) + + # make sure the new key is a dumb mode association + self.failUnless(self.store.getAssociation(self._dumb_key, new_assoc_handle)) + self.failIf(self.store.getAssociation(self._normal_key, new_assoc_handle)) + self.failIf(self.messages, self.messages) + + + def test_verify(self): + assoc_handle = '{vroom}{zoom}' + assoc = association.Association.fromExpiresIn( + 60, assoc_handle, 'sekrit', 'HMAC-SHA1') + + self.store.storeAssociation(self._dumb_key, assoc) + + signed = Message.fromPostArgs({ + 'openid.foo': 'bar', + 'openid.apple': 'orange', + 'openid.assoc_handle': assoc_handle, + 'openid.signed': 'apple,assoc_handle,foo,signed', + 'openid.sig': 'uXoT1qm62/BB09Xbj98TQ8mlBco=', + }) + + verified = self.signatory.verify(assoc_handle, signed) + self.failIf(self.messages, self.messages) + self.failUnless(verified) + + + def test_verifyBadSig(self): + assoc_handle = '{vroom}{zoom}' + assoc = association.Association.fromExpiresIn( + 60, assoc_handle, 'sekrit', 'HMAC-SHA1') + + self.store.storeAssociation(self._dumb_key, assoc) + + signed = Message.fromPostArgs({ + 'openid.foo': 'bar', + 'openid.apple': 'orange', + 'openid.assoc_handle': assoc_handle, + 'openid.signed': 'apple,assoc_handle,foo,signed', + 'openid.sig': 'uXoT1qm62/BB09Xbj98TQ8mlBco='.encode('rot13'), + }) + + verified = self.signatory.verify(assoc_handle, signed) + self.failIf(self.messages, self.messages) + self.failIf(verified) + + def test_verifyBadHandle(self): + assoc_handle = '{vroom}{zoom}' + signed = Message.fromPostArgs({ + 'foo': 'bar', + 'apple': 'orange', + 'openid.sig': "Ylu0KcIR7PvNegB/K41KpnRgJl0=", + }) + + verified = self.signatory.verify(assoc_handle, signed) + self.failIf(verified) + self.failUnless(self.messages) + + + def test_verifyAssocMismatch(self): + """Attempt to validate sign-all message with a signed-list assoc.""" + assoc_handle = '{vroom}{zoom}' + assoc = association.Association.fromExpiresIn( + 60, assoc_handle, 'sekrit', 'HMAC-SHA1') + + self.store.storeAssociation(self._dumb_key, assoc) + + signed = Message.fromPostArgs({ + 'foo': 'bar', + 'apple': 'orange', + 'openid.sig': "d71xlHtqnq98DonoSgoK/nD+QRM=", + }) + + verified = self.signatory.verify(assoc_handle, signed) + self.failIf(verified) + self.failUnless(self.messages) + + def test_getAssoc(self): + assoc_handle = self.makeAssoc(dumb=True) + assoc = self.signatory.getAssociation(assoc_handle, True) + self.failUnless(assoc) + self.failUnlessEqual(assoc.handle, assoc_handle) + self.failIf(self.messages, self.messages) + + def test_getAssocExpired(self): + assoc_handle = self.makeAssoc(dumb=True, lifetime=-10) + assoc = self.signatory.getAssociation(assoc_handle, True) + self.failIf(assoc, assoc) + self.failUnless(self.messages) + + def test_getAssocInvalid(self): + ah = 'no-such-handle' + self.failUnlessEqual( + self.signatory.getAssociation(ah, dumb=False), None) + self.failIf(self.messages, self.messages) + + def test_getAssocDumbVsNormal(self): + """getAssociation(dumb=False) cannot get a dumb assoc""" + assoc_handle = self.makeAssoc(dumb=True) + self.failUnlessEqual( + self.signatory.getAssociation(assoc_handle, dumb=False), None) + self.failIf(self.messages, self.messages) + + def test_getAssocNormalVsDumb(self): + """getAssociation(dumb=True) cannot get a shared assoc + + From "Verifying Directly with the OpenID Provider":: + + An OP MUST NOT verify signatures for associations that have shared + MAC keys. + """ + assoc_handle = self.makeAssoc(dumb=False) + self.failUnlessEqual( + self.signatory.getAssociation(assoc_handle, dumb=True), None) + self.failIf(self.messages, self.messages) + + def test_createAssociation(self): + assoc = self.signatory.createAssociation(dumb=False) + self.failUnless(self.signatory.getAssociation(assoc.handle, dumb=False)) + self.failIf(self.messages, self.messages) + + def makeAssoc(self, dumb, lifetime=60): + assoc_handle = '{bling}' + assoc = association.Association.fromExpiresIn(lifetime, assoc_handle, + 'sekrit', 'HMAC-SHA1') + + self.store.storeAssociation((dumb and self._dumb_key) or self._normal_key, assoc) + return assoc_handle + + def test_invalidate(self): + assoc_handle = '-squash-' + assoc = association.Association.fromExpiresIn(60, assoc_handle, + 'sekrit', 'HMAC-SHA1') + + self.store.storeAssociation(self._dumb_key, assoc) + assoc = self.signatory.getAssociation(assoc_handle, dumb=True) + self.failUnless(assoc) + assoc = self.signatory.getAssociation(assoc_handle, dumb=True) + self.failUnless(assoc) + self.signatory.invalidate(assoc_handle, dumb=True) + assoc = self.signatory.getAssociation(assoc_handle, dumb=True) + self.failIf(assoc) + self.failIf(self.messages, self.messages) + + + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_services.py b/askbot/deps/openid/test/test_services.py new file mode 100644 index 00000000..8708a3c5 --- /dev/null +++ b/askbot/deps/openid/test/test_services.py @@ -0,0 +1,23 @@ +import unittest + +from openid.yadis import services +from openid.yadis.discover import DiscoveryFailure, DiscoveryResult + + +class TestGetServiceEndpoints(unittest.TestCase): + def setUp(self): + self.orig_discover = services.discover + services.discover = self.discover + + def tearDown(self): + services.discover = self.orig_discover + + def discover(self, input_url): + result = DiscoveryResult(input_url) + result.response_text = "This is not XRDS text." + return result + + def test_catchXRDSError(self): + self.failUnlessRaises(DiscoveryFailure, + services.getServiceEndpoints, + "http://example.invalid/sometest") diff --git a/askbot/deps/openid/test/test_sreg.py b/askbot/deps/openid/test/test_sreg.py new file mode 100644 index 00000000..49f9ea91 --- /dev/null +++ b/askbot/deps/openid/test/test_sreg.py @@ -0,0 +1,484 @@ +from openid.extensions import sreg +from openid.message import NamespaceMap, Message, registerNamespaceAlias +from openid.server.server import OpenIDRequest, OpenIDResponse + +import unittest + +class SRegURITest(unittest.TestCase): + def test_is11(self): + self.failUnlessEqual(sreg.ns_uri_1_1, sreg.ns_uri) + +class CheckFieldNameTest(unittest.TestCase): + def test_goodNamePasses(self): + for field_name in sreg.data_fields: + sreg.checkFieldName(field_name) + + def test_badNameFails(self): + self.failUnlessRaises(ValueError, sreg.checkFieldName, 'INVALID') + + def test_badTypeFails(self): + self.failUnlessRaises(ValueError, sreg.checkFieldName, None) + +# For supportsSReg test +class FakeEndpoint(object): + def __init__(self, supported): + self.supported = supported + self.checked_uris = [] + + def usesExtension(self, namespace_uri): + self.checked_uris.append(namespace_uri) + return namespace_uri in self.supported + +class SupportsSRegTest(unittest.TestCase): + def test_unsupported(self): + endpoint = FakeEndpoint([]) + self.failIf(sreg.supportsSReg(endpoint)) + self.failUnlessEqual([sreg.ns_uri_1_1, sreg.ns_uri_1_0], + endpoint.checked_uris) + + def test_supported_1_1(self): + endpoint = FakeEndpoint([sreg.ns_uri_1_1]) + self.failUnless(sreg.supportsSReg(endpoint)) + self.failUnlessEqual([sreg.ns_uri_1_1], endpoint.checked_uris) + + def test_supported_1_0(self): + endpoint = FakeEndpoint([sreg.ns_uri_1_0]) + self.failUnless(sreg.supportsSReg(endpoint)) + self.failUnlessEqual([sreg.ns_uri_1_1, sreg.ns_uri_1_0], + endpoint.checked_uris) + +class FakeMessage(object): + def __init__(self): + self.openid1 = False + self.namespaces = NamespaceMap() + + def isOpenID1(self): + return self.openid1 + +class GetNSTest(unittest.TestCase): + def setUp(self): + self.msg = FakeMessage() + + def test_openID2Empty(self): + ns_uri = sreg.getSRegNS(self.msg) + self.failUnlessEqual(self.msg.namespaces.getAlias(ns_uri), 'sreg') + self.failUnlessEqual(sreg.ns_uri, ns_uri) + + def test_openID1Empty(self): + self.msg.openid1 = True + ns_uri = sreg.getSRegNS(self.msg) + self.failUnlessEqual(self.msg.namespaces.getAlias(ns_uri), 'sreg') + self.failUnlessEqual(sreg.ns_uri, ns_uri) + + def test_openID1Defined_1_0(self): + self.msg.openid1 = True + self.msg.namespaces.add(sreg.ns_uri_1_0) + ns_uri = sreg.getSRegNS(self.msg) + self.failUnlessEqual(sreg.ns_uri_1_0, ns_uri) + + def test_openID1Defined_1_0_overrideAlias(self): + for openid_version in [True, False]: + for sreg_version in [sreg.ns_uri_1_0, sreg.ns_uri_1_1]: + for alias in ['sreg', 'bogus']: + self.setUp() + + self.msg.openid1 = openid_version + self.msg.namespaces.addAlias(sreg_version, alias) + ns_uri = sreg.getSRegNS(self.msg) + self.failUnlessEqual(self.msg.namespaces.getAlias(ns_uri), alias) + self.failUnlessEqual(sreg_version, ns_uri) + + def test_openID1DefinedBadly(self): + self.msg.openid1 = True + self.msg.namespaces.addAlias('http://invalid/', 'sreg') + self.failUnlessRaises(sreg.SRegNamespaceError, + sreg.getSRegNS, self.msg) + + def test_openID2DefinedBadly(self): + self.msg.openid1 = False + self.msg.namespaces.addAlias('http://invalid/', 'sreg') + self.failUnlessRaises(sreg.SRegNamespaceError, + sreg.getSRegNS, self.msg) + + def test_openID2Defined_1_0(self): + self.msg.namespaces.add(sreg.ns_uri_1_0) + ns_uri = sreg.getSRegNS(self.msg) + self.failUnlessEqual(sreg.ns_uri_1_0, ns_uri) + + def test_openID1_sregNSfromArgs(self): + args = { + 'sreg.optional': 'nickname', + 'sreg.required': 'dob', + } + + m = Message.fromOpenIDArgs(args) + + self.failUnless(m.getArg(sreg.ns_uri_1_1, 'optional') == 'nickname') + self.failUnless(m.getArg(sreg.ns_uri_1_1, 'required') == 'dob') + +class SRegRequestTest(unittest.TestCase): + def test_constructEmpty(self): + req = sreg.SRegRequest() + self.failUnlessEqual([], req.optional) + self.failUnlessEqual([], req.required) + self.failUnlessEqual(None, req.policy_url) + self.failUnlessEqual(sreg.ns_uri, req.ns_uri) + + def test_constructFields(self): + req = sreg.SRegRequest( + ['nickname'], + ['gender'], + 'http://policy', + 'http://sreg.ns_uri') + self.failUnlessEqual(['gender'], req.optional) + self.failUnlessEqual(['nickname'], req.required) + self.failUnlessEqual('http://policy', req.policy_url) + self.failUnlessEqual('http://sreg.ns_uri', req.ns_uri) + + def test_constructBadFields(self): + self.failUnlessRaises( + ValueError, + sreg.SRegRequest, ['elvis']) + + def test_fromOpenIDRequest(self): + args = {} + ns_sentinel = object() + args_sentinel = object() + + class FakeMessage(object): + copied = False + + def __init__(self): + self.message = Message() + + def getArgs(msg_self, ns_uri): + self.failUnlessEqual(ns_sentinel, ns_uri) + return args_sentinel + + def copy(msg_self): + msg_self.copied = True + return msg_self + + class TestingReq(sreg.SRegRequest): + def _getSRegNS(req_self, unused): + return ns_sentinel + + def parseExtensionArgs(req_self, args): + self.failUnlessEqual(args_sentinel, args) + + openid_req = OpenIDRequest() + + msg = FakeMessage() + openid_req.message = msg + + req = TestingReq.fromOpenIDRequest(openid_req) + self.failUnless(type(req) is TestingReq) + self.failUnless(msg.copied) + + def test_parseExtensionArgs_empty(self): + req = sreg.SRegRequest() + results = req.parseExtensionArgs({}) + self.failUnlessEqual(None, results) + + def test_parseExtensionArgs_extraIgnored(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'janrain':'inc'}) + + def test_parseExtensionArgs_nonStrict(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'required':'beans'}) + self.failUnlessEqual([], req.required) + + def test_parseExtensionArgs_strict(self): + req = sreg.SRegRequest() + self.failUnlessRaises( + ValueError, + req.parseExtensionArgs, {'required':'beans'}, strict=True) + + def test_parseExtensionArgs_policy(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'policy_url':'http://policy'}, strict=True) + self.failUnlessEqual('http://policy', req.policy_url) + + def test_parseExtensionArgs_requiredEmpty(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'required':''}, strict=True) + self.failUnlessEqual([], req.required) + + def test_parseExtensionArgs_optionalEmpty(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'optional':''}, strict=True) + self.failUnlessEqual([], req.optional) + + def test_parseExtensionArgs_optionalSingle(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'optional':'nickname'}, strict=True) + self.failUnlessEqual(['nickname'], req.optional) + + def test_parseExtensionArgs_optionalList(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'optional':'nickname,email'}, strict=True) + self.failUnlessEqual(['nickname','email'], req.optional) + + def test_parseExtensionArgs_optionalListBadNonStrict(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'optional':'nickname,email,beer'}) + self.failUnlessEqual(['nickname','email'], req.optional) + + def test_parseExtensionArgs_optionalListBadStrict(self): + req = sreg.SRegRequest() + self.failUnlessRaises( + ValueError, + req.parseExtensionArgs, {'optional':'nickname,email,beer'}, + strict=True) + + def test_parseExtensionArgs_bothNonStrict(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'optional':'nickname', + 'required':'nickname'}) + self.failUnlessEqual([], req.optional) + self.failUnlessEqual(['nickname'], req.required) + + def test_parseExtensionArgs_bothStrict(self): + req = sreg.SRegRequest() + self.failUnlessRaises( + ValueError, + req.parseExtensionArgs, + {'optional':'nickname', + 'required':'nickname'}, + strict=True) + + def test_parseExtensionArgs_bothList(self): + req = sreg.SRegRequest() + req.parseExtensionArgs({'optional':'nickname,email', + 'required':'country,postcode'}, strict=True) + self.failUnlessEqual(['nickname','email'], req.optional) + self.failUnlessEqual(['country','postcode'], req.required) + + def test_allRequestedFields(self): + req = sreg.SRegRequest() + self.failUnlessEqual([], req.allRequestedFields()) + req.requestField('nickname') + self.failUnlessEqual(['nickname'], req.allRequestedFields()) + req.requestField('gender', required=True) + requested = req.allRequestedFields() + requested.sort() + self.failUnlessEqual(['gender', 'nickname'], requested) + + def test_wereFieldsRequested(self): + req = sreg.SRegRequest() + self.failIf(req.wereFieldsRequested()) + req.requestField('gender') + self.failUnless(req.wereFieldsRequested()) + + def test_contains(self): + req = sreg.SRegRequest() + for field_name in sreg.data_fields: + self.failIf(field_name in req) + + self.failIf('something else' in req) + + req.requestField('nickname') + for field_name in sreg.data_fields: + if field_name == 'nickname': + self.failUnless(field_name in req) + else: + self.failIf(field_name in req) + + def test_requestField_bogus(self): + req = sreg.SRegRequest() + self.failUnlessRaises( + ValueError, + req.requestField, 'something else') + + self.failUnlessRaises( + ValueError, + req.requestField, 'something else', strict=True) + + def test_requestField(self): + # Add all of the fields, one at a time + req = sreg.SRegRequest() + fields = list(sreg.data_fields) + for field_name in fields: + req.requestField(field_name) + + self.failUnlessEqual(fields, req.optional) + self.failUnlessEqual([], req.required) + + # By default, adding the same fields over again has no effect + for field_name in fields: + req.requestField(field_name) + + self.failUnlessEqual(fields, req.optional) + self.failUnlessEqual([], req.required) + + # Requesting a field as required overrides requesting it as optional + expected = list(fields) + overridden = expected.pop(0) + req.requestField(overridden, required=True) + self.failUnlessEqual(expected, req.optional) + self.failUnlessEqual([overridden], req.required) + + # Requesting a field as required overrides requesting it as optional + for field_name in fields: + req.requestField(field_name, required=True) + + self.failUnlessEqual([], req.optional) + self.failUnlessEqual(fields, req.required) + + # Requesting it as optional does not downgrade it to optional + for field_name in fields: + req.requestField(field_name) + + self.failUnlessEqual([], req.optional) + self.failUnlessEqual(fields, req.required) + + def test_requestFields_type(self): + req = sreg.SRegRequest() + self.failUnlessRaises(TypeError, req.requestFields, 'nickname') + + def test_requestFields(self): + # Add all of the fields + req = sreg.SRegRequest() + + fields = list(sreg.data_fields) + req.requestFields(fields) + + self.failUnlessEqual(fields, req.optional) + self.failUnlessEqual([], req.required) + + # By default, adding the same fields over again has no effect + req.requestFields(fields) + + self.failUnlessEqual(fields, req.optional) + self.failUnlessEqual([], req.required) + + # Requesting a field as required overrides requesting it as optional + expected = list(fields) + overridden = expected.pop(0) + req.requestFields([overridden], required=True) + self.failUnlessEqual(expected, req.optional) + self.failUnlessEqual([overridden], req.required) + + # Requesting a field as required overrides requesting it as optional + req.requestFields(fields, required=True) + + self.failUnlessEqual([], req.optional) + self.failUnlessEqual(fields, req.required) + + # Requesting it as optional does not downgrade it to optional + req.requestFields(fields) + + self.failUnlessEqual([], req.optional) + self.failUnlessEqual(fields, req.required) + + def test_getExtensionArgs(self): + req = sreg.SRegRequest() + self.failUnlessEqual({}, req.getExtensionArgs()) + + req.requestField('nickname') + self.failUnlessEqual({'optional':'nickname'}, req.getExtensionArgs()) + + req.requestField('email') + self.failUnlessEqual({'optional':'nickname,email'}, + req.getExtensionArgs()) + + req.requestField('gender', required=True) + self.failUnlessEqual({'optional':'nickname,email', + 'required':'gender'}, + req.getExtensionArgs()) + + req.requestField('postcode', required=True) + self.failUnlessEqual({'optional':'nickname,email', + 'required':'gender,postcode'}, + req.getExtensionArgs()) + + req.policy_url = 'http://policy.invalid/' + self.failUnlessEqual({'optional':'nickname,email', + 'required':'gender,postcode', + 'policy_url':'http://policy.invalid/'}, + req.getExtensionArgs()) + +data = { + 'nickname':'linusaur', + 'postcode':'12345', + 'country':'US', + 'gender':'M', + 'fullname':'Leonhard Euler', + 'email':'president@whitehouse.gov', + 'dob':'0000-00-00', + 'language':'en-us', + } + +class DummySuccessResponse(object): + def __init__(self, message, signed_stuff): + self.message = message + self.signed_stuff = signed_stuff + + def getSignedNS(self, ns_uri): + return self.signed_stuff + +class SRegResponseTest(unittest.TestCase): + def test_construct(self): + resp = sreg.SRegResponse(data) + + self.failUnless(resp) + + empty_resp = sreg.SRegResponse({}) + self.failIf(empty_resp) + + # XXX: finish this test + + def test_fromSuccessResponse_signed(self): + message = Message.fromOpenIDArgs({ + 'sreg.nickname':'The Mad Stork', + }) + success_resp = DummySuccessResponse(message, {}) + sreg_resp = sreg.SRegResponse.fromSuccessResponse(success_resp) + self.failIf(sreg_resp) + + def test_fromSuccessResponse_unsigned(self): + message = Message.fromOpenIDArgs({ + 'sreg.nickname':'The Mad Stork', + }) + success_resp = DummySuccessResponse(message, {}) + sreg_resp = sreg.SRegResponse.fromSuccessResponse(success_resp, + signed_only=False) + self.failUnlessEqual([('nickname', 'The Mad Stork')], + sreg_resp.items()) + +class SendFieldsTest(unittest.TestCase): + def test(self): + # Create a request message with simple registration fields + sreg_req = sreg.SRegRequest(required=['nickname', 'email'], + optional=['fullname']) + req_msg = Message() + req_msg.updateArgs(sreg.ns_uri, sreg_req.getExtensionArgs()) + + req = OpenIDRequest() + req.message = req_msg + req.namespace = req_msg.getOpenIDNamespace() + + # -> send checkid_* request + + # Create an empty response message + resp_msg = Message() + resp = OpenIDResponse(req) + resp.fields = resp_msg + + # Put the requested data fields in the response message + sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, data) + resp.addExtension(sreg_resp) + + # <- send id_res response + + # Extract the fields that were sent + sreg_data_resp = resp_msg.getArgs(sreg.ns_uri) + self.failUnlessEqual( + {'nickname':'linusaur', + 'email':'president@whitehouse.gov', + 'fullname':'Leonhard Euler', + }, sreg_data_resp) + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_symbol.py b/askbot/deps/openid/test/test_symbol.py new file mode 100644 index 00000000..42ca2123 --- /dev/null +++ b/askbot/deps/openid/test/test_symbol.py @@ -0,0 +1,35 @@ +import unittest + +from openid import oidutil + +class SymbolTest(unittest.TestCase): + def test_selfEquality(self): + s = oidutil.Symbol('xxx') + self.failUnlessEqual(s, s) + + def test_otherEquality(self): + x = oidutil.Symbol('xxx') + y = oidutil.Symbol('xxx') + self.failUnlessEqual(x, y) + + def test_inequality(self): + x = oidutil.Symbol('xxx') + y = oidutil.Symbol('yyy') + self.failIfEqual(x, y) + + def test_selfInequality(self): + x = oidutil.Symbol('xxx') + self.failIf(x != x) + + def test_otherInequality(self): + x = oidutil.Symbol('xxx') + y = oidutil.Symbol('xxx') + self.failIf(x != y) + + def test_ne_inequality(self): + x = oidutil.Symbol('xxx') + y = oidutil.Symbol('yyy') + self.failUnless(x != y) + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_urinorm.py b/askbot/deps/openid/test/test_urinorm.py new file mode 100644 index 00000000..7f5ecaa1 --- /dev/null +++ b/askbot/deps/openid/test/test_urinorm.py @@ -0,0 +1,52 @@ +import os +import unittest +import openid.urinorm + +class UrinormTest(unittest.TestCase): + def __init__(self, desc, case, expected): + unittest.TestCase.__init__(self) + self.desc = desc + self.case = case + self.expected = expected + + def shortDescription(self): + return self.desc + + def runTest(self): + try: + actual = openid.urinorm.urinorm(self.case) + except ValueError, why: + self.assertEqual(self.expected, 'fail', why) + else: + self.assertEqual(actual, self.expected) + + def parse(cls, full_case): + desc, case, expected = full_case.split('\n') + case = unicode(case, 'utf-8') + + return cls(desc, case, expected) + + parse = classmethod(parse) + + +def parseTests(test_data): + result = [] + + cases = test_data.split('\n\n') + for case in cases: + case = case.strip() + + if case: + result.append(UrinormTest.parse(case)) + + return result + +def pyUnitTests(): + here = os.path.dirname(os.path.abspath(__file__)) + test_data_file_name = os.path.join(here, 'urinorm.txt') + test_data_file = file(test_data_file_name) + test_data = test_data_file.read() + test_data_file.close() + + tests = parseTests(test_data) + return unittest.TestSuite(tests) diff --git a/askbot/deps/openid/test/test_verifydisco.py b/askbot/deps/openid/test/test_verifydisco.py new file mode 100644 index 00000000..e64a48a5 --- /dev/null +++ b/askbot/deps/openid/test/test_verifydisco.py @@ -0,0 +1,270 @@ +import unittest +from openid import message +from openid.test.support import OpenIDTestMixin +from openid.consumer import consumer +from openid.test.test_consumer import TestIdRes +from openid.consumer import discover + +def const(result): + """Return a function that ignores any arguments and just returns + the specified result""" + def constResult(*args, **kwargs): + return result + + return constResult + +class DiscoveryVerificationTest(OpenIDTestMixin, TestIdRes): + def failUnlessProtocolError(self, prefix, callable, *args, **kwargs): + try: + result = callable(*args, **kwargs) + except consumer.ProtocolError, e: + self.failUnless( + e[0].startswith(prefix), + 'Expected message prefix %r, got message %r' % (prefix, e[0])) + else: + self.fail('Expected ProtocolError with prefix %r, ' + 'got successful return %r' % (prefix, result)) + + def test_openID1NoLocalID(self): + endpoint = discover.OpenIDServiceEndpoint() + endpoint.claimed_id = 'bogus' + + msg = message.Message.fromOpenIDArgs({}) + self.failUnlessProtocolError( + 'Missing required field openid.identity', + self.consumer._verifyDiscoveryResults, msg, endpoint) + self.failUnlessLogEmpty() + + def test_openID1NoEndpoint(self): + msg = message.Message.fromOpenIDArgs({'identity':'snakes on a plane'}) + self.failUnlessRaises(RuntimeError, + self.consumer._verifyDiscoveryResults, msg) + self.failUnlessLogEmpty() + + def test_openID2NoOPEndpointArg(self): + msg = message.Message.fromOpenIDArgs({'ns':message.OPENID2_NS}) + self.failUnlessRaises(KeyError, + self.consumer._verifyDiscoveryResults, msg) + self.failUnlessLogEmpty() + + def test_openID2LocalIDNoClaimed(self): + msg = message.Message.fromOpenIDArgs({'ns':message.OPENID2_NS, + 'op_endpoint':'Phone Home', + 'identity':'Jose Lius Borges'}) + self.failUnlessProtocolError( + 'openid.identity is present without', + self.consumer._verifyDiscoveryResults, msg) + self.failUnlessLogEmpty() + + def test_openID2NoLocalIDClaimed(self): + msg = message.Message.fromOpenIDArgs({'ns':message.OPENID2_NS, + 'op_endpoint':'Phone Home', + 'claimed_id':'Manuel Noriega'}) + self.failUnlessProtocolError( + 'openid.claimed_id is present without', + self.consumer._verifyDiscoveryResults, msg) + self.failUnlessLogEmpty() + + def test_openID2NoIdentifiers(self): + op_endpoint = 'Phone Home' + msg = message.Message.fromOpenIDArgs({'ns':message.OPENID2_NS, + 'op_endpoint':op_endpoint}) + result_endpoint = self.consumer._verifyDiscoveryResults(msg) + self.failUnless(result_endpoint.isOPIdentifier()) + self.failUnlessEqual(op_endpoint, result_endpoint.server_url) + self.failUnlessEqual(None, result_endpoint.claimed_id) + self.failUnlessLogEmpty() + + def test_openID2NoEndpointDoesDisco(self): + op_endpoint = 'Phone Home' + sentinel = discover.OpenIDServiceEndpoint() + sentinel.claimed_id = 'monkeysoft' + self.consumer._discoverAndVerify = const(sentinel) + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID2_NS, + 'identity':'sour grapes', + 'claimed_id':'monkeysoft', + 'op_endpoint':op_endpoint}) + result = self.consumer._verifyDiscoveryResults(msg) + self.failUnlessEqual(sentinel, result) + self.failUnlessLogMatches('No pre-discovered') + + def test_openID2MismatchedDoesDisco(self): + mismatched = discover.OpenIDServiceEndpoint() + mismatched.identity = 'nothing special, but different' + mismatched.local_id = 'green cheese' + + op_endpoint = 'Phone Home' + sentinel = discover.OpenIDServiceEndpoint() + sentinel.claimed_id = 'monkeysoft' + self.consumer._discoverAndVerify = const(sentinel) + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID2_NS, + 'identity':'sour grapes', + 'claimed_id':'monkeysoft', + 'op_endpoint':op_endpoint}) + result = self.consumer._verifyDiscoveryResults(msg, mismatched) + self.failUnlessEqual(sentinel, result) + self.failUnlessLogMatches('Error attempting to use stored', + 'Attempting discovery') + + def test_openid2UsePreDiscovered(self): + endpoint = discover.OpenIDServiceEndpoint() + endpoint.local_id = 'my identity' + endpoint.claimed_id = 'i am sam' + endpoint.server_url = 'Phone Home' + endpoint.type_uris = [discover.OPENID_2_0_TYPE] + + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID2_NS, + 'identity':endpoint.local_id, + 'claimed_id':endpoint.claimed_id, + 'op_endpoint':endpoint.server_url}) + result = self.consumer._verifyDiscoveryResults(msg, endpoint) + self.failUnless(result is endpoint) + self.failUnlessLogEmpty() + + def test_openid2UsePreDiscoveredWrongType(self): + text = "verify failed" + + endpoint = discover.OpenIDServiceEndpoint() + endpoint.local_id = 'my identity' + endpoint.claimed_id = 'i am sam' + endpoint.server_url = 'Phone Home' + endpoint.type_uris = [discover.OPENID_1_1_TYPE] + + def discoverAndVerify(claimed_id, to_match_endpoints): + self.failUnlessEqual(claimed_id, endpoint.claimed_id) + for to_match in to_match_endpoints: + self.failUnlessEqual(claimed_id, to_match.claimed_id) + raise consumer.ProtocolError(text) + + self.consumer._discoverAndVerify = discoverAndVerify + + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID2_NS, + 'identity':endpoint.local_id, + 'claimed_id':endpoint.claimed_id, + 'op_endpoint':endpoint.server_url}) + + try: + r = self.consumer._verifyDiscoveryResults(msg, endpoint) + except consumer.ProtocolError, e: + # Should we make more ProtocolError subclasses? + self.failUnless(str(e), text) + else: + self.fail("expected ProtocolError, %r returned." % (r,)) + + self.failUnlessLogMatches('Error attempting to use stored', + 'Attempting discovery') + + def test_openid1UsePreDiscovered(self): + endpoint = discover.OpenIDServiceEndpoint() + endpoint.local_id = 'my identity' + endpoint.claimed_id = 'i am sam' + endpoint.server_url = 'Phone Home' + endpoint.type_uris = [discover.OPENID_1_1_TYPE] + + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID1_NS, + 'identity':endpoint.local_id}) + result = self.consumer._verifyDiscoveryResults(msg, endpoint) + self.failUnless(result is endpoint) + self.failUnlessLogEmpty() + + def test_openid1UsePreDiscoveredWrongType(self): + class VerifiedError(Exception): pass + + def discoverAndVerify(claimed_id, _to_match): + raise VerifiedError + + self.consumer._discoverAndVerify = discoverAndVerify + + endpoint = discover.OpenIDServiceEndpoint() + endpoint.local_id = 'my identity' + endpoint.claimed_id = 'i am sam' + endpoint.server_url = 'Phone Home' + endpoint.type_uris = [discover.OPENID_2_0_TYPE] + + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID1_NS, + 'identity':endpoint.local_id}) + + self.failUnlessRaises( + VerifiedError, + self.consumer._verifyDiscoveryResults, msg, endpoint) + + self.failUnlessLogMatches('Error attempting to use stored', + 'Attempting discovery') + + def test_openid2Fragment(self): + claimed_id = "http://unittest.invalid/" + claimed_id_frag = claimed_id + "#fragment" + endpoint = discover.OpenIDServiceEndpoint() + endpoint.local_id = 'my identity' + endpoint.claimed_id = claimed_id + endpoint.server_url = 'Phone Home' + endpoint.type_uris = [discover.OPENID_2_0_TYPE] + + msg = message.Message.fromOpenIDArgs( + {'ns':message.OPENID2_NS, + 'identity':endpoint.local_id, + 'claimed_id': claimed_id_frag, + 'op_endpoint': endpoint.server_url}) + result = self.consumer._verifyDiscoveryResults(msg, endpoint) + + self.failUnlessEqual(result.local_id, endpoint.local_id) + self.failUnlessEqual(result.server_url, endpoint.server_url) + self.failUnlessEqual(result.type_uris, endpoint.type_uris) + + self.failUnlessEqual(result.claimed_id, claimed_id_frag) + + self.failUnlessLogEmpty() + + def test_openid1Fallback1_0(self): + claimed_id = 'http://claimed.id/' + endpoint = None + resp_mesg = message.Message.fromOpenIDArgs({ + 'ns': message.OPENID1_NS, + 'identity': claimed_id}) + # Pass the OpenID 1 claimed_id this way since we're passing + # None for the endpoint. + resp_mesg.setArg(message.BARE_NS, 'openid1_claimed_id', claimed_id) + + # We expect the OpenID 1 discovery verification to try + # matching the discovered endpoint against the 1.1 type and + # fall back to 1.0. + expected_endpoint = discover.OpenIDServiceEndpoint() + expected_endpoint.type_uris = [discover.OPENID_1_0_TYPE] + expected_endpoint.local_id = None + expected_endpoint.claimed_id = claimed_id + + discovered_services = [expected_endpoint] + self.consumer._discover = lambda *args: ('unused', discovered_services) + + actual_endpoint = self.consumer._verifyDiscoveryResults( + resp_mesg, endpoint) + self.failUnless(actual_endpoint is expected_endpoint) + +# XXX: test the implementation of _discoverAndVerify + + +class TestVerifyDiscoverySingle(TestIdRes): + # XXX: more test the implementation of _verifyDiscoverySingle + def test_endpointWithoutLocalID(self): + # An endpoint like this with no local_id is generated as a result of + # e.g. Yadis discovery with no LocalID tag. + endpoint = discover.OpenIDServiceEndpoint() + endpoint.server_url = "http://localhost:8000/openidserver" + endpoint.claimed_id = "http://localhost:8000/id/id-jo" + to_match = discover.OpenIDServiceEndpoint() + to_match.server_url = "http://localhost:8000/openidserver" + to_match.claimed_id = "http://localhost:8000/id/id-jo" + to_match.local_id = "http://localhost:8000/id/id-jo" + result = self.consumer._verifyDiscoverySingle(endpoint, to_match) + # result should always be None, raises exception on failure. + self.failUnlessEqual(result, None) + self.failUnlessLogEmpty() + +if __name__ == '__main__': + unittest.main() diff --git a/askbot/deps/openid/test/test_xri.py b/askbot/deps/openid/test/test_xri.py new file mode 100644 index 00000000..dc5921ae --- /dev/null +++ b/askbot/deps/openid/test/test_xri.py @@ -0,0 +1,102 @@ +from unittest import TestCase +from openid.yadis import xri + +class XriDiscoveryTestCase(TestCase): + def test_isXRI(self): + i = xri.identifierScheme + self.failUnlessEqual(i('=john.smith'), 'XRI') + self.failUnlessEqual(i('@smiths/john'), 'XRI') + self.failUnlessEqual(i('smoker.myopenid.com'), 'URI') + self.failUnlessEqual(i('xri://=john'), 'XRI') + self.failUnlessEqual(i(''), 'URI') + + +class XriEscapingTestCase(TestCase): + def test_escaping_percents(self): + self.failUnlessEqual(xri.escapeForIRI('@example/abc%2Fd/ef'), + '@example/abc%252Fd/ef') + + + def test_escaping_xref(self): + # no escapes + esc = xri.escapeForIRI + self.failUnlessEqual('@example/foo/(@bar)', esc('@example/foo/(@bar)')) + # escape slashes + self.failUnlessEqual('@example/foo/(@bar%2Fbaz)', + esc('@example/foo/(@bar/baz)')) + self.failUnlessEqual('@example/foo/(@bar%2Fbaz)/(+a%2Fb)', + esc('@example/foo/(@bar/baz)/(+a/b)')) + # escape query ? and fragment # + self.failUnlessEqual('@example/foo/(@baz%3Fp=q%23r)?i=j#k', + esc('@example/foo/(@baz?p=q#r)?i=j#k')) + + + +class XriTransformationTestCase(TestCase): + def test_to_iri_normal(self): + self.failUnlessEqual(xri.toIRINormal('@example'), 'xri://@example') + + try: + unichr(0x10000) + except ValueError: + # bleh narrow python build + def test_iri_to_url(self): + s = u'l\xa1m' + expected = 'l%C2%A1m' + self.failUnlessEqual(xri.iriToURI(s), expected) + else: + def test_iri_to_url(self): + s = u'l\xa1m\U00101010n' + expected = 'l%C2%A1m%F4%81%80%90n' + self.failUnlessEqual(xri.iriToURI(s), expected) + + + +class CanonicalIDTest(TestCase): + def mkTest(providerID, canonicalID, isAuthoritative): + def test(self): + result = xri.providerIsAuthoritative(providerID, canonicalID) + format = "%s providing %s, expected %s" + message = format % (providerID, canonicalID, isAuthoritative) + self.failUnlessEqual(isAuthoritative, result, message) + + return test + + test_equals = mkTest('=', '=!698.74D1.A1F2.86C7', True) + test_atOne = mkTest('@!1234', '@!1234!ABCD', True) + test_atTwo = mkTest('@!1234!5678', '@!1234!5678!ABCD', True) + + test_atEqualsFails = mkTest('@!1234', '=!1234!ABCD', False) + test_tooDeepFails = mkTest('@!1234', '@!1234!ABCD!9765', False) + test_atEqualsAndTooDeepFails = mkTest('@!1234!ABCD', '=!1234', False) + test_differentBeginningFails = mkTest('=!BABE', '=!D00D', False) + +class TestGetRootAuthority(TestCase): + def mkTest(the_xri, expected_root): + def test(self): + actual_root = xri.rootAuthority(the_xri) + self.failUnlessEqual(actual_root, xri.XRI(expected_root)) + return test + + test_at = mkTest("@foo", "@") + test_atStar = mkTest("@foo*bar", "@") + test_atStarStar = mkTest("@*foo*bar", "@") + test_atWithPath = mkTest("@foo/bar", "@") + test_bangBang = mkTest("!!990!991", "!") + test_bang = mkTest("!1001!02", "!") + test_equalsStar = mkTest("=foo*bar", "=") + test_xrefPath = mkTest("(example.com)/foo", "(example.com)") + test_xrefStar = mkTest("(example.com)*bar/foo", "(example.com)") + test_uriAuth = mkTest("baz.example.com/foo", "baz.example.com") + test_uriAuthPort = mkTest("baz.example.com:8080/foo", + "baz.example.com:8080") + + # Looking at the ABNF in XRI Syntax 2.0, I don't think you can + # have example.com*bar. You can do (example.com)*bar, but that + # would mean something else. + ##("example.com*bar/(=baz)", "example.com*bar"), + ##("baz.example.com!01/foo", "baz.example.com!01"), + +if __name__ == '__main__': + import unittest + unittest.main() diff --git a/askbot/deps/openid/test/test_xrires.py b/askbot/deps/openid/test/test_xrires.py new file mode 100644 index 00000000..4e17e3b4 --- /dev/null +++ b/askbot/deps/openid/test/test_xrires.py @@ -0,0 +1,40 @@ + +from unittest import TestCase +from openid.yadis import xrires + +class ProxyQueryTestCase(TestCase): + def setUp(self): + self.proxy_url = 'http://xri.example.com/' + self.proxy = xrires.ProxyResolver(self.proxy_url) + self.servicetype = 'xri://+i-service*(+forwarding)*($v*1.0)' + self.servicetype_enc = 'xri%3A%2F%2F%2Bi-service%2A%28%2Bforwarding%29%2A%28%24v%2A1.0%29' + + + def test_proxy_url(self): + st = self.servicetype + ste = self.servicetype_enc + args_esc = "_xrd_r=application%2Fxrds%2Bxml&_xrd_t=" + ste + pqu = self.proxy.queryURL + h = self.proxy_url + self.failUnlessEqual(h + '=foo?' + args_esc, pqu('=foo', st)) + self.failUnlessEqual(h + '=foo/bar?baz&' + args_esc, + pqu('=foo/bar?baz', st)) + self.failUnlessEqual(h + '=foo/bar?baz=quux&' + args_esc, + pqu('=foo/bar?baz=quux', st)) + self.failUnlessEqual(h + '=foo/bar?mi=fa&so=la&' + args_esc, + pqu('=foo/bar?mi=fa&so=la', st)) + + # With no service endpoint selection. + args_esc = "_xrd_r=application%2Fxrds%2Bxml%3Bsep%3Dfalse" + self.failUnlessEqual(h + '=foo?' + args_esc, pqu('=foo', None)) + + + def test_proxy_url_qmarks(self): + st = self.servicetype + ste = self.servicetype_enc + args_esc = "_xrd_r=application%2Fxrds%2Bxml&_xrd_t=" + ste + pqu = self.proxy.queryURL + h = self.proxy_url + self.failUnlessEqual(h + '=foo/bar??' + args_esc, pqu('=foo/bar?', st)) + self.failUnlessEqual(h + '=foo/bar????' + args_esc, + pqu('=foo/bar???', st)) diff --git a/askbot/deps/openid/test/test_yadis_discover.py b/askbot/deps/openid/test/test_yadis_discover.py new file mode 100644 index 00000000..8a7677f3 --- /dev/null +++ b/askbot/deps/openid/test/test_yadis_discover.py @@ -0,0 +1,179 @@ +#!/usr/bin/env python + +"""Tests for yadis.discover. + +@todo: Now that yadis.discover uses urljr.fetchers, we should be able to do + tests with a mock fetcher instead of spawning threads with BaseHTTPServer. +""" + +import unittest +import urlparse +import re +import types + +from openid.yadis.discover import discover, DiscoveryFailure + +from openid import fetchers + +import discoverdata + +status_header_re = re.compile(r'Status: (\d+) .*?$', re.MULTILINE) + +four04_pat = """\ +Content-Type: text/plain + +No such file %s +""" + +class QuitServer(Exception): pass + +def mkResponse(data): + status_mo = status_header_re.match(data) + headers_str, body = data.split('\n\n', 1) + headers = {} + for line in headers_str.split('\n'): + k, v = line.split(':', 1) + k = k.strip().lower() + v = v.strip() + headers[k] = v + status = int(status_mo.group(1)) + return fetchers.HTTPResponse(status=status, + headers=headers, + body=body) + +class TestFetcher(object): + def __init__(self, base_url): + self.base_url = base_url + + def fetch(self, url, headers, body): + current_url = url + while True: + parsed = urlparse.urlparse(current_url) + path = parsed[2][1:] + try: + data = discoverdata.generateSample(path, self.base_url) + except KeyError: + return fetchers.HTTPResponse(status=404, + final_url=current_url, + headers={}, + body='') + + response = mkResponse(data) + if response.status in [301, 302, 303, 307]: + current_url = response.headers['location'] + else: + response.final_url = current_url + return response + +class TestSecondGet(unittest.TestCase): + class MockFetcher(object): + def __init__(self): + self.count = 0 + def fetch(self, uri, headers=None, body=None): + self.count += 1 + if self.count == 1: + headers = { + 'X-XRDS-Location'.lower(): 'http://unittest/404', + } + return fetchers.HTTPResponse(uri, 200, headers, '') + else: + return fetchers.HTTPResponse(uri, 404) + + def setUp(self): + self.oldfetcher = fetchers.getDefaultFetcher() + fetchers.setDefaultFetcher(self.MockFetcher()) + + def tearDown(self): + fetchers.setDefaultFetcher(self.oldfetcher) + + def test_404(self): + uri = "http://something.unittest/" + self.failUnlessRaises(DiscoveryFailure, discover, uri) + + +class _TestCase(unittest.TestCase): + base_url = 'http://invalid.unittest/' + + def __init__(self, input_name, id_name, result_name, success): + self.input_name = input_name + self.id_name = id_name + self.result_name = result_name + self.success = success + # Still not quite sure how to best construct these custom tests. + # Between python2.3 and python2.4, a patch attached to pyunit.sf.net + # bug #469444 got applied which breaks loadTestsFromModule on this + # class if it has test_ or runTest methods. So, kludge to change + # the method name. + unittest.TestCase.__init__(self, methodName='runCustomTest') + + def setUp(self): + fetchers.setDefaultFetcher(TestFetcher(self.base_url), + wrap_exceptions=False) + + self.input_url, self.expected = discoverdata.generateResult( + self.base_url, + self.input_name, + self.id_name, + self.result_name, + self.success) + + def tearDown(self): + fetchers.setDefaultFetcher(None) + + def runCustomTest(self): + if self.expected is DiscoveryFailure: + self.failUnlessRaises(DiscoveryFailure, + discover, self.input_url) + else: + result = discover(self.input_url) + self.failUnlessEqual(self.input_url, result.request_uri) + + msg = 'Identity URL mismatch: actual = %r, expected = %r' % ( + result.normalized_uri, self.expected.normalized_uri) + self.failUnlessEqual( + self.expected.normalized_uri, result.normalized_uri, msg) + + msg = 'Content mismatch: actual = %r, expected = %r' % ( + result.response_text, self.expected.response_text) + self.failUnlessEqual( + self.expected.response_text, result.response_text, msg) + + expected_keys = dir(self.expected) + expected_keys.sort() + actual_keys = dir(result) + actual_keys.sort() + self.failUnlessEqual(actual_keys, expected_keys) + + for k in dir(self.expected): + if k.startswith('__') and k.endswith('__'): + continue + exp_v = getattr(self.expected, k) + if isinstance(exp_v, types.MethodType): + continue + act_v = getattr(result, k) + assert act_v == exp_v, (k, exp_v, act_v) + + def shortDescription(self): + try: + n = self.input_url + except AttributeError: + # run before setUp, or if setUp did not complete successfully. + n = self.input_name + return "%s (%s)" % ( + n, + self.__class__.__module__) + +def pyUnitTests(): + s = unittest.TestSuite() + for success, input_name, id_name, result_name in discoverdata.testlist: + test = _TestCase(input_name, id_name, result_name, success) + s.addTest(test) + + return s + +def test(): + runner = unittest.TextTestRunner() + return runner.run(loadTests()) + +if __name__ == '__main__': + test() diff --git a/askbot/deps/openid/test/trustroot.py b/askbot/deps/openid/test/trustroot.py new file mode 100644 index 00000000..236649ba --- /dev/null +++ b/askbot/deps/openid/test/trustroot.py @@ -0,0 +1,85 @@ +import os +import unittest +from openid.server.trustroot import TrustRoot + +class _ParseTest(unittest.TestCase): + def __init__(self, sanity, desc, case): + unittest.TestCase.__init__(self) + self.desc = desc + ': ' + repr(case) + self.case = case + self.sanity = sanity + + def shortDescription(self): + return self.desc + + def runTest(self): + tr = TrustRoot.parse(self.case) + if self.sanity == 'sane': + assert tr.isSane(), self.case + elif self.sanity == 'insane': + assert not tr.isSane(), self.case + else: + assert tr is None, tr + +class _MatchTest(unittest.TestCase): + def __init__(self, match, desc, line): + unittest.TestCase.__init__(self) + tr, rt = line.split() + self.desc = desc + ': ' + repr(tr) + ' ' + repr(rt) + self.tr = tr + self.rt = rt + self.match = match + + def shortDescription(self): + return self.desc + + def runTest(self): + tr = TrustRoot.parse(self.tr) + self.failIf(tr is None, self.tr) + + match = tr.validateURL(self.rt) + if self.match: + assert match + else: + assert not match + +def getTests(t, grps, head, dat): + tests = [] + top = head.strip() + gdat = map(str.strip, dat.split('-' * 40 + '\n')) + assert not gdat[0] + assert len(gdat) == (len(grps) * 2 + 1), (gdat, grps) + i = 1 + for x in grps: + n, desc = gdat[i].split(': ') + cases = gdat[i + 1].split('\n') + assert len(cases) == int(n) + for case in cases: + tests.append(t(x, top + ' - ' + desc, case)) + i += 2 + return tests + +def parseTests(data): + parts = map(str.strip, data.split('=' * 40 + '\n')) + assert not parts[0] + _, ph, pdat, mh, mdat = parts + + tests = [] + tests.extend(getTests(_ParseTest, ['bad', 'insane', 'sane'], ph, pdat)) + tests.extend(getTests(_MatchTest, [1, 0], mh, mdat)) + return tests + +def pyUnitTests(): + here = os.path.dirname(os.path.abspath(__file__)) + test_data_file_name = os.path.join(here, 'data', 'trustroot.txt') + test_data_file = file(test_data_file_name) + test_data = test_data_file.read() + test_data_file.close() + + tests = parseTests(test_data) + return unittest.TestSuite(tests) + +if __name__ == '__main__': + suite = pyUnitTests() + runner = unittest.TextTestRunner() + runner.run(suite) diff --git a/askbot/deps/openid/test/urinorm.txt b/askbot/deps/openid/test/urinorm.txt new file mode 100644 index 00000000..a5db39e9 --- /dev/null +++ b/askbot/deps/openid/test/urinorm.txt @@ -0,0 +1,87 @@ +Already normal form +http://example.com/ +http://example.com/ + +Add a trailing slash +http://example.com +http://example.com/ + +Remove an empty port segment +http://example.com:/ +http://example.com/ + +Remove a default port segment +http://example.com:80/ +http://example.com/ + +Capitalization in host names +http://wWw.exaMPLE.COm/ +http://www.example.com/ + +Capitalization in scheme names +htTP://example.com/ +http://example.com/ + +Capitalization in percent-escaped reserved characters +http://example.com/foo%2cbar +http://example.com/foo%2Cbar + +Unescape percent-encoded unreserved characters +http://example.com/foo%2Dbar%2dbaz +http://example.com/foo-bar-baz + +remove_dot_segments example 1 +http://example.com/a/b/c/./../../g +http://example.com/a/g + +remove_dot_segments example 2 +http://example.com/mid/content=5/../6 +http://example.com/mid/6 + +remove_dot_segments: single-dot +http://example.com/a/./b +http://example.com/a/b + +remove_dot_segments: double-dot +http://example.com/a/../b +http://example.com/b + +remove_dot_segments: leading double-dot +http://example.com/../b +http://example.com/b + +remove_dot_segments: trailing single-dot +http://example.com/a/. +http://example.com/a/ + +remove_dot_segments: trailing double-dot +http://example.com/a/.. +http://example.com/ + +remove_dot_segments: trailing single-dot-slash +http://example.com/a/./ +http://example.com/a/ + +remove_dot_segments: trailing double-dot-slash +http://example.com/a/../ +http://example.com/ + +Test of all kinds of syntax-based normalization +hTTPS://a/./b/../b/%63/%7bfoo%7d +https://a/b/c/%7Bfoo%7D + +Unsupported scheme +ftp://example.com/ +fail + +Non-absolute URI +http:/foo +fail + +Illegal character in URI +http://<illegal>.com/ +fail + +Non-ascii character in URI +http://foo.com/ +fail diff --git a/askbot/deps/openid/urinorm.py b/askbot/deps/openid/urinorm.py new file mode 100644 index 00000000..5bdbaeff --- /dev/null +++ b/askbot/deps/openid/urinorm.py @@ -0,0 +1,202 @@ +import re + +# from appendix B of rfc 3986 (http://www.ietf.org/rfc/rfc3986.txt) +uri_pattern = r'^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?' +uri_re = re.compile(uri_pattern) + +# gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@" +# +# sub-delims = "!" / "$" / "&" / "'" / "(" / ")" +# / "*" / "+" / "," / ";" / "=" +# +# unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" + +uri_illegal_char_re = re.compile( + "[^-A-Za-z0-9:/?#[\]@!$&'()*+,;=._~%]", re.UNICODE) + +authority_pattern = r'^([^@]*@)?([^:]*)(:.*)?' +authority_re = re.compile(authority_pattern) + + +pct_encoded_pattern = r'%([0-9A-Fa-f]{2})' +pct_encoded_re = re.compile(pct_encoded_pattern) + +try: + unichr(0x10000) +except ValueError: + # narrow python build + UCSCHAR = [ + (0xA0, 0xD7FF), + (0xF900, 0xFDCF), + (0xFDF0, 0xFFEF), + ] + + IPRIVATE = [ + (0xE000, 0xF8FF), + ] +else: + UCSCHAR = [ + (0xA0, 0xD7FF), + (0xF900, 0xFDCF), + (0xFDF0, 0xFFEF), + (0x10000, 0x1FFFD), + (0x20000, 0x2FFFD), + (0x30000, 0x3FFFD), + (0x40000, 0x4FFFD), + (0x50000, 0x5FFFD), + (0x60000, 0x6FFFD), + (0x70000, 0x7FFFD), + (0x80000, 0x8FFFD), + (0x90000, 0x9FFFD), + (0xA0000, 0xAFFFD), + (0xB0000, 0xBFFFD), + (0xC0000, 0xCFFFD), + (0xD0000, 0xDFFFD), + (0xE1000, 0xEFFFD), + ] + + IPRIVATE = [ + (0xE000, 0xF8FF), + (0xF0000, 0xFFFFD), + (0x100000, 0x10FFFD), + ] + + +_unreserved = [False] * 256 +for _ in range(ord('A'), ord('Z') + 1): _unreserved[_] = True +for _ in range(ord('0'), ord('9') + 1): _unreserved[_] = True +for _ in range(ord('a'), ord('z') + 1): _unreserved[_] = True +_unreserved[ord('-')] = True +_unreserved[ord('.')] = True +_unreserved[ord('_')] = True +_unreserved[ord('~')] = True + + +_escapeme_re = re.compile('[%s]' % (''.join( + map(lambda (m, n): u'%s-%s' % (unichr(m), unichr(n)), + UCSCHAR + IPRIVATE)),)) + + +def _pct_escape_unicode(char_match): + c = char_match.group() + return ''.join(['%%%X' % (ord(octet),) for octet in c.encode('utf-8')]) + + +def _pct_encoded_replace_unreserved(mo): + try: + i = int(mo.group(1), 16) + if _unreserved[i]: + return chr(i) + else: + return mo.group().upper() + + except ValueError: + return mo.group() + + +def _pct_encoded_replace(mo): + try: + return chr(int(mo.group(1), 16)) + except ValueError: + return mo.group() + + +def remove_dot_segments(path): + result_segments = [] + + while path: + if path.startswith('../'): + path = path[3:] + elif path.startswith('./'): + path = path[2:] + elif path.startswith('/./'): + path = path[2:] + elif path == '/.': + path = '/' + elif path.startswith('/../'): + path = path[3:] + if result_segments: + result_segments.pop() + elif path == '/..': + path = '/' + if result_segments: + result_segments.pop() + elif path == '..' or path == '.': + path = '' + else: + i = 0 + if path[0] == '/': + i = 1 + i = path.find('/', i) + if i == -1: + i = len(path) + result_segments.append(path[:i]) + path = path[i:] + + return ''.join(result_segments) + + +def urinorm(uri): + if isinstance(uri, unicode): + uri = _escapeme_re.sub(_pct_escape_unicode, uri).encode('ascii') + + illegal_mo = uri_illegal_char_re.search(uri) + if illegal_mo: + raise ValueError('Illegal characters in URI: %r at position %s' % + (illegal_mo.group(), illegal_mo.start())) + + uri_mo = uri_re.match(uri) + + scheme = uri_mo.group(2) + if scheme is None: + raise ValueError('No scheme specified') + + scheme = scheme.lower() + if scheme not in ('http', 'https'): + raise ValueError('Not an absolute HTTP or HTTPS URI: %r' % (uri,)) + + authority = uri_mo.group(4) + if authority is None: + raise ValueError('Not an absolute URI: %r' % (uri,)) + + authority_mo = authority_re.match(authority) + if authority_mo is None: + raise ValueError('URI does not have a valid authority: %r' % (uri,)) + + userinfo, host, port = authority_mo.groups() + + if userinfo is None: + userinfo = '' + + if '%' in host: + host = host.lower() + host = pct_encoded_re.sub(_pct_encoded_replace, host) + host = unicode(host, 'utf-8').encode('idna') + else: + host = host.lower() + + if port: + if (port == ':' or + (scheme == 'http' and port == ':80') or + (scheme == 'https' and port == ':443')): + port = '' + else: + port = '' + + authority = userinfo + host + port + + path = uri_mo.group(5) + path = pct_encoded_re.sub(_pct_encoded_replace_unreserved, path) + path = remove_dot_segments(path) + if not path: + path = '/' + + query = uri_mo.group(6) + if query is None: + query = '' + + fragment = uri_mo.group(8) + if fragment is None: + fragment = '' + + return scheme + '://' + authority + path + query + fragment diff --git a/askbot/deps/openid/yadis/__init__.py b/askbot/deps/openid/yadis/__init__.py new file mode 100644 index 00000000..cfa5f1e7 --- /dev/null +++ b/askbot/deps/openid/yadis/__init__.py @@ -0,0 +1,26 @@ + + +__all__ = [ + 'constants', + 'discover', + 'etxrd', + 'filters', + 'manager', + 'parsehtml', + 'services', + 'xri', + 'xrires', + ] + +__version__ = '[library version:1.1.0-rc1]'[17:-1] + +# Parse the version info +try: + version_info = map(int, __version__.split('.')) +except ValueError: + version_info = (None, None, None) +else: + if len(version_info) != 3: + version_info = (None, None, None) + else: + version_info = tuple(version_info) diff --git a/askbot/deps/openid/yadis/accept.py b/askbot/deps/openid/yadis/accept.py new file mode 100644 index 00000000..d7508131 --- /dev/null +++ b/askbot/deps/openid/yadis/accept.py @@ -0,0 +1,133 @@ +"""Functions for generating and parsing HTTP Accept: headers for +supporting server-directed content negotiation. +""" + +def generateAcceptHeader(*elements): + """Generate an accept header value + + [str or (str, float)] -> str + """ + parts = [] + for element in elements: + if type(element) is str: + qs = "1.0" + mtype = element + else: + mtype, q = element + q = float(q) + if q > 1 or q <= 0: + raise ValueError('Invalid preference factor: %r' % q) + + qs = '%0.1f' % (q,) + + parts.append((qs, mtype)) + + parts.sort() + chunks = [] + for q, mtype in parts: + if q == '1.0': + chunks.append(mtype) + else: + chunks.append('%s; q=%s' % (mtype, q)) + + return ', '.join(chunks) + +def parseAcceptHeader(value): + """Parse an accept header, ignoring any accept-extensions + + returns a list of tuples containing main MIME type, MIME subtype, + and quality markdown. + + str -> [(str, str, float)] + """ + chunks = [chunk.strip() for chunk in value.split(',')] + accept = [] + for chunk in chunks: + parts = [s.strip() for s in chunk.split(';')] + + mtype = parts.pop(0) + if '/' not in mtype: + # This is not a MIME type, so ignore the bad data + continue + + main, sub = mtype.split('/', 1) + + for ext in parts: + if '=' in ext: + k, v = ext.split('=', 1) + if k == 'q': + try: + q = float(v) + break + except ValueError: + # Ignore poorly formed q-values + pass + else: + q = 1.0 + + accept.append((q, main, sub)) + + accept.sort() + accept.reverse() + return [(main, sub, q) for (q, main, sub) in accept] + +def matchTypes(accept_types, have_types): + """Given the result of parsing an Accept: header, and the + available MIME types, return the acceptable types with their + quality markdowns. + + For example: + + >>> acceptable = parseAcceptHeader('text/html, text/plain; q=0.5') + >>> matchTypes(acceptable, ['text/plain', 'text/html', 'image/jpeg']) + [('text/html', 1.0), ('text/plain', 0.5)] + + + Type signature: ([(str, str, float)], [str]) -> [(str, float)] + """ + if not accept_types: + # Accept all of them + default = 1 + else: + default = 0 + + match_main = {} + match_sub = {} + for (main, sub, q) in accept_types: + if main == '*': + default = max(default, q) + continue + elif sub == '*': + match_main[main] = max(match_main.get(main, 0), q) + else: + match_sub[(main, sub)] = max(match_sub.get((main, sub), 0), q) + + accepted_list = [] + order_maintainer = 0 + for mtype in have_types: + main, sub = mtype.split('/') + if (main, sub) in match_sub: + q = match_sub[(main, sub)] + else: + q = match_main.get(main, default) + + if q: + accepted_list.append((1 - q, order_maintainer, q, mtype)) + order_maintainer += 1 + + accepted_list.sort() + return [(mtype, q) for (_, _, q, mtype) in accepted_list] + +def getAcceptable(accept_header, have_types): + """Parse the accept header and return a list of available types in + preferred order. If a type is unacceptable, it will not be in the + resulting list. + + This is a convenience wrapper around matchTypes and + parseAcceptHeader. + + (str, [str]) -> [str] + """ + accepted = parseAcceptHeader(accept_header) + preferred = matchTypes(accepted, have_types) + return [mtype for (mtype, _) in preferred] diff --git a/askbot/deps/openid/yadis/constants.py b/askbot/deps/openid/yadis/constants.py new file mode 100644 index 00000000..75ff96ef --- /dev/null +++ b/askbot/deps/openid/yadis/constants.py @@ -0,0 +1,13 @@ +__all__ = ['YADIS_HEADER_NAME', 'YADIS_CONTENT_TYPE', 'YADIS_ACCEPT_HEADER'] +from openid.yadis.accept import generateAcceptHeader + +YADIS_HEADER_NAME = 'X-XRDS-Location' +YADIS_CONTENT_TYPE = 'application/xrds+xml' + +# A value suitable for using as an accept header when performing YADIS +# discovery, unless the application has special requirements +YADIS_ACCEPT_HEADER = generateAcceptHeader( + ('text/html', 0.3), + ('application/xhtml+xml', 0.5), + (YADIS_CONTENT_TYPE, 1.0), + ) diff --git a/askbot/deps/openid/yadis/discover.py b/askbot/deps/openid/yadis/discover.py new file mode 100644 index 00000000..ed2adfde --- /dev/null +++ b/askbot/deps/openid/yadis/discover.py @@ -0,0 +1,135 @@ +# -*- test-case-name: openid.test.test_yadis_discover -*- +__all__ = ['discover', 'DiscoveryResult', 'DiscoveryFailure'] + +from cStringIO import StringIO + +from openid import fetchers + +from openid.yadis.constants import \ + YADIS_HEADER_NAME, YADIS_CONTENT_TYPE, YADIS_ACCEPT_HEADER +from openid.yadis.parsehtml import MetaNotFound, findHTMLMeta + +class DiscoveryFailure(Exception): + """Raised when a YADIS protocol error occurs in the discovery process""" + identity_url = None + + def __init__(self, message, http_response): + Exception.__init__(self, message) + self.http_response = http_response + +class DiscoveryResult(object): + """Contains the result of performing Yadis discovery on a URI""" + + # The URI that was passed to the fetcher + request_uri = None + + # The result of following redirects from the request_uri + normalized_uri = None + + # The URI from which the response text was returned (set to + # None if there was no XRDS document found) + xrds_uri = None + + # The content-type returned with the response_text + content_type = None + + # The document returned from the xrds_uri + response_text = None + + def __init__(self, request_uri): + """Initialize the state of the object + + sets all attributes to None except the request_uri + """ + self.request_uri = request_uri + + def usedYadisLocation(self): + """Was the Yadis protocol's indirection used?""" + return self.normalized_uri != self.xrds_uri + + def isXRDS(self): + """Is the response text supposed to be an XRDS document?""" + return (self.usedYadisLocation() or + self.content_type == YADIS_CONTENT_TYPE) + +def discover(uri): + """Discover services for a given URI. + + @param uri: The identity URI as a well-formed http or https + URI. The well-formedness and the protocol are not checked, but + the results of this function are undefined if those properties + do not hold. + + @return: DiscoveryResult object + + @raises Exception: Any exception that can be raised by fetching a URL with + the given fetcher. + @raises DiscoveryFailure: When the HTTP response does not have a 200 code. + """ + result = DiscoveryResult(uri) + resp = fetchers.fetch(uri, headers={'Accept': YADIS_ACCEPT_HEADER}) + if resp.status not in (200, 206): + raise DiscoveryFailure( + 'HTTP Response status from identity URL host is not 200. ' + 'Got status %r' % (resp.status,), resp) + + # Note the URL after following redirects + result.normalized_uri = resp.final_url + + # Attempt to find out where to go to discover the document + # or if we already have it + result.content_type = resp.headers.get('content-type') + + result.xrds_uri = whereIsYadis(resp) + + if result.xrds_uri and result.usedYadisLocation(): + resp = fetchers.fetch(result.xrds_uri) + if resp.status not in (200, 206): + exc = DiscoveryFailure( + 'HTTP Response status from Yadis host is not 200. ' + 'Got status %r' % (resp.status,), resp) + exc.identity_url = result.normalized_uri + raise exc + result.content_type = resp.headers.get('content-type') + + result.response_text = resp.body + return result + + + +def whereIsYadis(resp): + """Given a HTTPResponse, return the location of the Yadis document. + + May be the URL just retrieved, another URL, or None, if I can't + find any. + + [non-blocking] + + @returns: str or None + """ + # Attempt to find out where to go to discover the document + # or if we already have it + content_type = resp.headers.get('content-type') + + # According to the spec, the content-type header must be an exact + # match, or else we have to look for an indirection. + if (content_type and + content_type.split(';', 1)[0].lower() == YADIS_CONTENT_TYPE): + return resp.final_url + else: + # Try the header + yadis_loc = resp.headers.get(YADIS_HEADER_NAME.lower()) + + if not yadis_loc: + # Parse as HTML if the header is missing. + # + # XXX: do we want to do something with content-type, like + # have a whitelist or a blacklist (for detecting that it's + # HTML)? + try: + yadis_loc = findHTMLMeta(StringIO(resp.body)) + except MetaNotFound: + pass + + return yadis_loc + diff --git a/askbot/deps/openid/yadis/etxrd.py b/askbot/deps/openid/yadis/etxrd.py new file mode 100644 index 00000000..ef5cadfe --- /dev/null +++ b/askbot/deps/openid/yadis/etxrd.py @@ -0,0 +1,300 @@ +# -*- test-case-name: yadis.test.test_etxrd -*- +""" +ElementTree interface to an XRD document. +""" + +__all__ = [ + 'nsTag', + 'mkXRDTag', + 'isXRDS', + 'parseXRDS', + 'getCanonicalID', + 'getYadisXRD', + 'getPriorityStrict', + 'getPriority', + 'prioSort', + 'iterServices', + 'expandService', + 'expandServices', + ] + +import sys +import random + +from datetime import datetime +from time import strptime + +from openid.oidutil import importElementTree +ElementTree = importElementTree() + +# the different elementtree modules don't have a common exception +# model. We just want to be able to catch the exceptions that signify +# malformed XML data and wrap them, so that the other library code +# doesn't have to know which XML library we're using. +try: + # Make the parser raise an exception so we can sniff out the type + # of exceptions + ElementTree.XML('> purposely malformed XML <') +except (SystemExit, MemoryError, AssertionError, ImportError): + raise +except: + XMLError = sys.exc_info()[0] + +from openid.yadis import xri + +class XRDSError(Exception): + """An error with the XRDS document.""" + + # The exception that triggered this exception + reason = None + + + +class XRDSFraud(XRDSError): + """Raised when there's an assertion in the XRDS that it does not have + the authority to make. + """ + + + +def parseXRDS(text): + """Parse the given text as an XRDS document. + + @return: ElementTree containing an XRDS document + + @raises XRDSError: When there is a parse error or the document does + not contain an XRDS. + """ + try: + element = ElementTree.XML(text) + except XMLError, why: + exc = XRDSError('Error parsing document as XML') + exc.reason = why + raise exc + else: + tree = ElementTree.ElementTree(element) + if not isXRDS(tree): + raise XRDSError('Not an XRDS document') + + return tree + +XRD_NS_2_0 = 'xri://$xrd*($v*2.0)' +XRDS_NS = 'xri://$xrds' + +def nsTag(ns, t): + return '{%s}%s' % (ns, t) + +def mkXRDTag(t): + """basestring -> basestring + + Create a tag name in the XRD 2.0 XML namespace suitable for using + with ElementTree + """ + return nsTag(XRD_NS_2_0, t) + +def mkXRDSTag(t): + """basestring -> basestring + + Create a tag name in the XRDS XML namespace suitable for using + with ElementTree + """ + return nsTag(XRDS_NS, t) + +# Tags that are used in Yadis documents +root_tag = mkXRDSTag('XRDS') +service_tag = mkXRDTag('Service') +xrd_tag = mkXRDTag('XRD') +type_tag = mkXRDTag('Type') +uri_tag = mkXRDTag('URI') +expires_tag = mkXRDTag('Expires') + +# Other XRD tags +canonicalID_tag = mkXRDTag('CanonicalID') + +def isXRDS(xrd_tree): + """Is this document an XRDS document?""" + root = xrd_tree.getroot() + return root.tag == root_tag + +def getYadisXRD(xrd_tree): + """Return the XRD element that should contain the Yadis services""" + xrd = None + + # for the side-effect of assigning the last one in the list to the + # xrd variable + for xrd in xrd_tree.findall(xrd_tag): + pass + + # There were no elements found, or else xrd would be set to the + # last one + if xrd is None: + raise XRDSError('No XRD present in tree') + + return xrd + +def getXRDExpiration(xrd_element, default=None): + """Return the expiration date of this XRD element, or None if no + expiration was specified. + + @type xrd_element: ElementTree node + + @param default: The value to use as the expiration if no + expiration was specified in the XRD. + + @rtype: datetime.datetime + + @raises ValueError: If the xrd:Expires element is present, but its + contents are not formatted according to the specification. + """ + expires_element = xrd_element.find(expires_tag) + if expires_element is None: + return default + else: + expires_string = expires_element.text + + # Will raise ValueError if the string is not the expected format + expires_time = strptime(expires_string, "%Y-%m-%dT%H:%M:%SZ") + return datetime(*expires_time[0:6]) + +def getCanonicalID(iname, xrd_tree): + """Return the CanonicalID from this XRDS document. + + @param iname: the XRI being resolved. + @type iname: unicode + + @param xrd_tree: The XRDS output from the resolver. + @type xrd_tree: ElementTree + + @returns: The XRI CanonicalID or None. + @returntype: unicode or None + """ + xrd_list = xrd_tree.findall(xrd_tag) + xrd_list.reverse() + + try: + canonicalID = xri.XRI(xrd_list[0].findall(canonicalID_tag)[0].text) + except IndexError: + return None + + childID = canonicalID.lower() + + for xrd in xrd_list[1:]: + # XXX: can't use rsplit until we require python >= 2.4. + parent_sought = childID[:childID.rindex('!')] + parent = xri.XRI(xrd.findtext(canonicalID_tag)) + if parent_sought != parent.lower(): + raise XRDSFraud("%r can not come from %s" % (childID, parent)) + + childID = parent_sought + + root = xri.rootAuthority(iname) + if not xri.providerIsAuthoritative(root, childID): + raise XRDSFraud("%r can not come from root %r" % (childID, root)) + + return canonicalID + + + +class _Max(object): + """Value that compares greater than any other value. + + Should only be used as a singleton. Implemented for use as a + priority value for when a priority is not specified.""" + def __cmp__(self, other): + if other is self: + return 0 + + return 1 + +Max = _Max() + +def getPriorityStrict(element): + """Get the priority of this element. + + Raises ValueError if the value of the priority is invalid. If no + priority is specified, it returns a value that compares greater + than any other value. + """ + prio_str = element.get('priority') + if prio_str is not None: + prio_val = int(prio_str) + if prio_val >= 0: + return prio_val + else: + raise ValueError('Priority values must be non-negative integers') + + # Any errors in parsing the priority fall through to here + return Max + +def getPriority(element): + """Get the priority of this element + + Returns Max if no priority is specified or the priority value is invalid. + """ + try: + return getPriorityStrict(element) + except ValueError: + return Max + +def prioSort(elements): + """Sort a list of elements that have priority attributes""" + # Randomize the services before sorting so that equal priority + # elements are load-balanced. + random.shuffle(elements) + + prio_elems = [(getPriority(e), e) for e in elements] + prio_elems.sort() + sorted_elems = [s for (_, s) in prio_elems] + return sorted_elems + +def iterServices(xrd_tree): + """Return an iterable over the Service elements in the Yadis XRD + + sorted by priority""" + xrd = getYadisXRD(xrd_tree) + return prioSort(xrd.findall(service_tag)) + +def sortedURIs(service_element): + """Given a Service element, return a list of the contents of all + URI tags in priority order.""" + return [uri_element.text for uri_element + in prioSort(service_element.findall(uri_tag))] + +def getTypeURIs(service_element): + """Given a Service element, return a list of the contents of all + Type tags""" + return [type_element.text for type_element + in service_element.findall(type_tag)] + +def expandService(service_element): + """Take a service element and expand it into an iterator of: + ([type_uri], uri, service_element) + """ + uris = sortedURIs(service_element) + if not uris: + uris = [None] + + expanded = [] + for uri in uris: + type_uris = getTypeURIs(service_element) + expanded.append((type_uris, uri, service_element)) + + return expanded + +def expandServices(service_elements): + """Take a sorted iterator of service elements and expand it into a + sorted iterator of: + ([type_uri], uri, service_element) + + There may be more than one item in the resulting list for each + service element if there is more than one URI or type for a + service, but each triple will be unique. + + If there is no URI or Type for a Service element, it will not + appear in the result. + """ + expanded = [] + for service_element in service_elements: + expanded.extend(expandService(service_element)) + + return expanded diff --git a/askbot/deps/openid/yadis/filters.py b/askbot/deps/openid/yadis/filters.py new file mode 100644 index 00000000..d01c221b --- /dev/null +++ b/askbot/deps/openid/yadis/filters.py @@ -0,0 +1,200 @@ +"""This module contains functions and classes used for extracting +endpoint information out of a Yadis XRD file using the ElementTree XML +parser. +""" + +__all__ = [ + 'BasicServiceEndpoint', + 'mkFilter', + 'IFilter', + 'TransformFilterMaker', + 'CompoundFilter', + ] + +from openid.yadis.etxrd import expandService + +class BasicServiceEndpoint(object): + """Generic endpoint object that contains parsed service + information, as well as a reference to the service element from + which it was generated. If there is more than one xrd:Type or + xrd:URI in the xrd:Service, this object represents just one of + those pairs. + + This object can be used as a filter, because it implements + fromBasicServiceEndpoint. + + The simplest kind of filter you can write implements + fromBasicServiceEndpoint, which takes one of these objects. + """ + def __init__(self, yadis_url, type_uris, uri, service_element): + self.type_uris = type_uris + self.yadis_url = yadis_url + self.uri = uri + self.service_element = service_element + + def matchTypes(self, type_uris): + """Query this endpoint to see if it has any of the given type + URIs. This is useful for implementing other endpoint classes + that e.g. need to check for the presence of multiple versions + of a single protocol. + + @param type_uris: The URIs that you wish to check + @type type_uris: iterable of str + + @return: all types that are in both in type_uris and + self.type_uris + """ + return [uri for uri in type_uris if uri in self.type_uris] + + def fromBasicServiceEndpoint(endpoint): + """Trivial transform from a basic endpoint to itself. This + method exists to allow BasicServiceEndpoint to be used as a + filter. + + If you are subclassing this object, re-implement this function. + + @param endpoint: An instance of BasicServiceEndpoint + @return: The object that was passed in, with no processing. + """ + return endpoint + + fromBasicServiceEndpoint = staticmethod(fromBasicServiceEndpoint) + +class IFilter(object): + """Interface for Yadis filter objects. Other filter-like things + are convertable to this class.""" + + def getServiceEndpoints(self, yadis_url, service_element): + """Returns an iterator of endpoint objects""" + raise NotImplementedError + +class TransformFilterMaker(object): + """Take a list of basic filters and makes a filter that transforms + the basic filter into a top-level filter. This is mostly useful + for the implementation of mkFilter, which should only be needed + for special cases or internal use by this library. + + This object is useful for creating simple filters for services + that use one URI and are specified by one Type (we expect most + Types will fit this paradigm). + + Creates a BasicServiceEndpoint object and apply the filter + functions to it until one of them returns a value. + """ + + def __init__(self, filter_functions): + """Initialize the filter maker's state + + @param filter_functions: The endpoint transformer functions to + apply to the basic endpoint. These are called in turn + until one of them does not return None, and the result of + that transformer is returned. + """ + self.filter_functions = filter_functions + + def getServiceEndpoints(self, yadis_url, service_element): + """Returns an iterator of endpoint objects produced by the + filter functions.""" + endpoints = [] + + # Do an expansion of the service element by xrd:Type and xrd:URI + for type_uris, uri, _ in expandService(service_element): + + # Create a basic endpoint object to represent this + # yadis_url, Service, Type, URI combination + endpoint = BasicServiceEndpoint( + yadis_url, type_uris, uri, service_element) + + e = self.applyFilters(endpoint) + if e is not None: + endpoints.append(e) + + return endpoints + + def applyFilters(self, endpoint): + """Apply filter functions to an endpoint until one of them + returns non-None.""" + for filter_function in self.filter_functions: + e = filter_function(endpoint) + if e is not None: + # Once one of the filters has returned an + # endpoint, do not apply any more. + return e + + return None + +class CompoundFilter(object): + """Create a new filter that applies a set of filters to an endpoint + and collects their results. + """ + def __init__(self, subfilters): + self.subfilters = subfilters + + def getServiceEndpoints(self, yadis_url, service_element): + """Generate all endpoint objects for all of the subfilters of + this filter and return their concatenation.""" + endpoints = [] + for subfilter in self.subfilters: + endpoints.extend( + subfilter.getServiceEndpoints(yadis_url, service_element)) + return endpoints + +# Exception raised when something is not able to be turned into a filter +filter_type_error = TypeError( + 'Expected a filter, an endpoint, a callable or a list of any of these.') + +def mkFilter(parts): + """Convert a filter-convertable thing into a filter + + @param parts: a filter, an endpoint, a callable, or a list of any of these. + """ + # Convert the parts into a list, and pass to mkCompoundFilter + if parts is None: + parts = [BasicServiceEndpoint] + + try: + parts = list(parts) + except TypeError: + return mkCompoundFilter([parts]) + else: + return mkCompoundFilter(parts) + +def mkCompoundFilter(parts): + """Create a filter out of a list of filter-like things + + Used by mkFilter + + @param parts: list of filter, endpoint, callable or list of any of these + """ + # Separate into a list of callables and a list of filter objects + transformers = [] + filters = [] + for subfilter in parts: + try: + subfilter = list(subfilter) + except TypeError: + # If it's not an iterable + if hasattr(subfilter, 'getServiceEndpoints'): + # It's a full filter + filters.append(subfilter) + elif hasattr(subfilter, 'fromBasicServiceEndpoint'): + # It's an endpoint object, so put its endpoint + # conversion attribute into the list of endpoint + # transformers + transformers.append(subfilter.fromBasicServiceEndpoint) + elif callable(subfilter): + # It's a simple callable, so add it to the list of + # endpoint transformers + transformers.append(subfilter) + else: + raise filter_type_error + else: + filters.append(mkCompoundFilter(subfilter)) + + if transformers: + filters.append(TransformFilterMaker(transformers)) + + if len(filters) == 1: + return filters[0] + else: + return CompoundFilter(filters) diff --git a/askbot/deps/openid/yadis/manager.py b/askbot/deps/openid/yadis/manager.py new file mode 100644 index 00000000..709adb7d --- /dev/null +++ b/askbot/deps/openid/yadis/manager.py @@ -0,0 +1,194 @@ +class YadisServiceManager(object): + """Holds the state of a list of selected Yadis services, managing + storing it in a session and iterating over the services in order.""" + + def __init__(self, starting_url, yadis_url, services, session_key): + # The URL that was used to initiate the Yadis protocol + self.starting_url = starting_url + + # The URL after following redirects (the identifier) + self.yadis_url = yadis_url + + # List of service elements + self.services = list(services) + + self.session_key = session_key + + # Reference to the current service object + self._current = None + + def __len__(self): + """How many untried services remain?""" + return len(self.services) + + def __iter__(self): + return self + + def next(self): + """Return the next service + + self.current() will continue to return that service until the + next call to this method.""" + try: + self._current = self.services.pop(0) + except IndexError: + raise StopIteration + else: + return self._current + + def current(self): + """Return the current service. + + Returns None if there are no services left. + """ + return self._current + + def forURL(self, url): + return url in [self.starting_url, self.yadis_url] + + def started(self): + """Has the first service been returned?""" + return self._current is not None + + def store(self, session): + """Store this object in the session, by its session key.""" + session[self.session_key] = self + +class Discovery(object): + """State management for discovery. + + High-level usage pattern is to call .getNextService(discover) in + order to find the next available service for this user for this + session. Once a request completes, call .finish() to clean up the + session state. + + @ivar session: a dict-like object that stores state unique to the + requesting user-agent. This object must be able to store + serializable objects. + + @ivar url: the URL that is used to make the discovery request + + @ivar session_key_suffix: The suffix that will be used to identify + this object in the session object. + """ + + DEFAULT_SUFFIX = 'auth' + PREFIX = '_yadis_services_' + + def __init__(self, session, url, session_key_suffix=None): + """Initialize a discovery object""" + self.session = session + self.url = url + if session_key_suffix is None: + session_key_suffix = self.DEFAULT_SUFFIX + + self.session_key_suffix = session_key_suffix + + def getNextService(self, discover): + """Return the next authentication service for the pair of + user_input and session. This function handles fallback. + + + @param discover: a callable that takes a URL and returns a + list of services + + @type discover: str -> [service] + + + @return: the next available service + """ + manager = self.getManager() + if manager is not None and not manager: + self.destroyManager() + + if not manager: + yadis_url, services = discover(self.url) + manager = self.createManager(services, yadis_url) + + if manager: + service = manager.next() + manager.store(self.session) + else: + service = None + + return service + + def cleanup(self, force=False): + """Clean up Yadis-related services in the session and return + the most-recently-attempted service from the manager, if one + exists. + + @param force: True if the manager should be deleted regardless + of whether it's a manager for self.url. + + @return: current service endpoint object or None if there is + no current service + """ + manager = self.getManager(force=force) + if manager is not None: + service = manager.current() + self.destroyManager(force=force) + else: + service = None + + return service + + ### Lower-level methods + + def getSessionKey(self): + """Get the session key for this starting URL and suffix + + @return: The session key + @rtype: str + """ + return self.PREFIX + self.session_key_suffix + + def getManager(self, force=False): + """Extract the YadisServiceManager for this object's URL and + suffix from the session. + + @param force: True if the manager should be returned + regardless of whether it's a manager for self.url. + + @return: The current YadisServiceManager, if it's for this + URL, or else None + """ + manager = self.session.get(self.getSessionKey()) + if (manager is not None and (manager.forURL(self.url) or force)): + return manager + else: + return None + + def createManager(self, services, yadis_url=None): + """Create a new YadisService Manager for this starting URL and + suffix, and store it in the session. + + @raises KeyError: When I already have a manager. + + @return: A new YadisServiceManager or None + """ + key = self.getSessionKey() + if self.getManager(): + raise KeyError('There is already a %r manager for %r' % + (key, self.url)) + + if not services: + return None + + manager = YadisServiceManager(self.url, yadis_url, services, key) + manager.store(self.session) + return manager + + def destroyManager(self, force=False): + """Delete any YadisServiceManager with this starting URL and + suffix from the session. + + If there is no service manager or the service manager is for a + different URL, it silently does nothing. + + @param force: True if the manager should be deleted regardless + of whether it's a manager for self.url. + """ + if self.getManager(force=force) is not None: + key = self.getSessionKey() + del self.session[key] diff --git a/askbot/deps/openid/yadis/parsehtml.py b/askbot/deps/openid/yadis/parsehtml.py new file mode 100644 index 00000000..875a089c --- /dev/null +++ b/askbot/deps/openid/yadis/parsehtml.py @@ -0,0 +1,197 @@ +__all__ = ['findHTMLMeta', 'MetaNotFound'] + +from HTMLParser import HTMLParser, HTMLParseError +import htmlentitydefs +import re + +from openid.yadis.constants import YADIS_HEADER_NAME + +# Size of the chunks to search at a time (also the amount that gets +# read at a time) +CHUNK_SIZE = 1024 * 16 # 16 KB + +class ParseDone(Exception): + """Exception to hold the URI that was located when the parse is + finished. If the parse finishes without finding the URI, set it to + None.""" + +class MetaNotFound(Exception): + """Exception to hold the content of the page if we did not find + the appropriate <meta> tag""" + +re_flags = re.IGNORECASE | re.UNICODE | re.VERBOSE +ent_pat = r''' +& + +(?: \#x (?P<hex> [a-f0-9]+ ) +| \# (?P<dec> \d+ ) +| (?P<word> \w+ ) +) + +;''' + +ent_re = re.compile(ent_pat, re_flags) + +def substituteMO(mo): + if mo.lastgroup == 'hex': + codepoint = int(mo.group('hex'), 16) + elif mo.lastgroup == 'dec': + codepoint = int(mo.group('dec')) + else: + assert mo.lastgroup == 'word' + codepoint = htmlentitydefs.name2codepoint.get(mo.group('word')) + + if codepoint is None: + return mo.group() + else: + return unichr(codepoint) + +def substituteEntities(s): + return ent_re.sub(substituteMO, s) + +class YadisHTMLParser(HTMLParser): + """Parser that finds a meta http-equiv tag in the head of a html + document. + + When feeding in data, if the tag is matched or it will never be + found, the parser will raise ParseDone with the uri as the first + attribute. + + Parsing state diagram + ===================== + + Any unlisted input does not affect the state:: + + 1, 2, 5 8 + +--------------------------+ +-+ + | | | | + 4 | 3 1, 2, 5, 7 v | v + TOP -> HTML -> HEAD ----------> TERMINATED + | | ^ | ^ ^ + | | 3 | | | | + | +------------+ +-> FOUND ------+ | + | 6 8 | + | 1, 2 | + +------------------------------------+ + + 1. any of </body>, </html>, </head> -> TERMINATE + 2. <body> -> TERMINATE + 3. <head> -> HEAD + 4. <html> -> HTML + 5. <html> -> TERMINATE + 6. <meta http-equiv='X-XRDS-Location'> -> FOUND + 7. <head> -> TERMINATE + 8. Any input -> TERMINATE + """ + TOP = 0 + HTML = 1 + HEAD = 2 + FOUND = 3 + TERMINATED = 4 + + def __init__(self): + HTMLParser.__init__(self) + self.phase = self.TOP + + def _terminate(self): + self.phase = self.TERMINATED + raise ParseDone(None) + + def handle_endtag(self, tag): + # If we ever see an end of head, body, or html, bail out right away. + # [1] + if tag in ['head', 'body', 'html']: + self._terminate() + + def handle_starttag(self, tag, attrs): + # if we ever see a start body tag, bail out right away, since + # we want to prevent the meta tag from appearing in the body + # [2] + if tag=='body': + self._terminate() + + if self.phase == self.TOP: + # At the top level, allow a html tag or a head tag to move + # to the head or html phase + if tag == 'head': + # [3] + self.phase = self.HEAD + elif tag == 'html': + # [4] + self.phase = self.HTML + + elif self.phase == self.HTML: + # if we are in the html tag, allow a head tag to move to + # the HEAD phase. If we get another html tag, then bail + # out + if tag == 'head': + # [3] + self.phase = self.HEAD + elif tag == 'html': + # [5] + self._terminate() + + elif self.phase == self.HEAD: + # If we are in the head phase, look for the appropriate + # meta tag. If we get a head or body tag, bail out. + if tag == 'meta': + attrs_d = dict(attrs) + http_equiv = attrs_d.get('http-equiv', '').lower() + if http_equiv == YADIS_HEADER_NAME.lower(): + raw_attr = attrs_d.get('content') + yadis_loc = substituteEntities(raw_attr) + # [6] + self.phase = self.FOUND + raise ParseDone(yadis_loc) + + elif tag in ['head', 'html']: + # [5], [7] + self._terminate() + + def feed(self, chars): + # [8] + if self.phase in [self.TERMINATED, self.FOUND]: + self._terminate() + + return HTMLParser.feed(self, chars) + +def findHTMLMeta(stream): + """Look for a meta http-equiv tag with the YADIS header name. + + @param stream: Source of the html text + @type stream: Object that implements a read() method that works + like file.read + + @return: The URI from which to fetch the XRDS document + @rtype: str + + @raises MetaNotFound: raised with the content that was + searched as the first parameter. + """ + parser = YadisHTMLParser() + chunks = [] + + while 1: + chunk = stream.read(CHUNK_SIZE) + if not chunk: + # End of file + break + + chunks.append(chunk) + try: + parser.feed(chunk) + except HTMLParseError, why: + # HTML parse error, so bail + chunks.append(stream.read()) + break + except ParseDone, why: + uri = why[0] + if uri is None: + # Parse finished, but we may need the rest of the file + chunks.append(stream.read()) + break + else: + return uri + + content = ''.join(chunks) + raise MetaNotFound(content) diff --git a/askbot/deps/openid/yadis/services.py b/askbot/deps/openid/yadis/services.py new file mode 100644 index 00000000..4753c194 --- /dev/null +++ b/askbot/deps/openid/yadis/services.py @@ -0,0 +1,54 @@ +# -*- test-case-name: openid.test.test_services -*- + +from openid.yadis.filters import mkFilter +from openid.yadis.discover import discover, DiscoveryFailure +from openid.yadis.etxrd import parseXRDS, iterServices, XRDSError + +def getServiceEndpoints(input_url, flt=None): + """Perform the Yadis protocol on the input URL and return an + iterable of resulting endpoint objects. + + @param flt: A filter object or something that is convertable to + a filter object (using mkFilter) that will be used to generate + endpoint objects. This defaults to generating BasicEndpoint + objects. + + @param input_url: The URL on which to perform the Yadis protocol + + @return: The normalized identity URL and an iterable of endpoint + objects generated by the filter function. + + @rtype: (str, [endpoint]) + + @raises DiscoveryFailure: when Yadis fails to obtain an XRDS document. + """ + result = discover(input_url) + try: + endpoints = applyFilter(result.normalized_uri, + result.response_text, flt) + except XRDSError, err: + raise DiscoveryFailure(str(err), None) + return (result.normalized_uri, endpoints) + +def applyFilter(normalized_uri, xrd_data, flt=None): + """Generate an iterable of endpoint objects given this input data, + presumably from the result of performing the Yadis protocol. + + @param normalized_uri: The input URL, after following redirects, + as in the Yadis protocol. + + + @param xrd_data: The XML text the XRDS file fetched from the + normalized URI. + @type xrd_data: str + + """ + flt = mkFilter(flt) + et = parseXRDS(xrd_data) + + endpoints = [] + for service_element in iterServices(et): + endpoints.extend( + flt.getServiceEndpoints(normalized_uri, service_element)) + + return endpoints diff --git a/askbot/deps/openid/yadis/xri.py b/askbot/deps/openid/yadis/xri.py new file mode 100644 index 00000000..3a39a6b8 --- /dev/null +++ b/askbot/deps/openid/yadis/xri.py @@ -0,0 +1,168 @@ +# -*- test-case-name: openid.test.test_xri -*- +"""Utility functions for handling XRIs. + +@see: XRI Syntax v2.0 at the U{OASIS XRI Technical Committee<http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xri>} +""" + +import re + +XRI_AUTHORITIES = ['!', '=', '@', '+', '$', '('] + +try: + unichr(0x10000) +except ValueError: + # narrow python build + UCSCHAR = [ + (0xA0, 0xD7FF), + (0xF900, 0xFDCF), + (0xFDF0, 0xFFEF), + ] + + IPRIVATE = [ + (0xE000, 0xF8FF), + ] +else: + UCSCHAR = [ + (0xA0, 0xD7FF), + (0xF900, 0xFDCF), + (0xFDF0, 0xFFEF), + (0x10000, 0x1FFFD), + (0x20000, 0x2FFFD), + (0x30000, 0x3FFFD), + (0x40000, 0x4FFFD), + (0x50000, 0x5FFFD), + (0x60000, 0x6FFFD), + (0x70000, 0x7FFFD), + (0x80000, 0x8FFFD), + (0x90000, 0x9FFFD), + (0xA0000, 0xAFFFD), + (0xB0000, 0xBFFFD), + (0xC0000, 0xCFFFD), + (0xD0000, 0xDFFFD), + (0xE1000, 0xEFFFD), + ] + + IPRIVATE = [ + (0xE000, 0xF8FF), + (0xF0000, 0xFFFFD), + (0x100000, 0x10FFFD), + ] + + +_escapeme_re = re.compile('[%s]' % (''.join( + map(lambda (m, n): u'%s-%s' % (unichr(m), unichr(n)), + UCSCHAR + IPRIVATE)),)) + + +def identifierScheme(identifier): + """Determine if this identifier is an XRI or URI. + + @returns: C{"XRI"} or C{"URI"} + """ + if identifier.startswith('xri://') or ( + identifier and identifier[0] in XRI_AUTHORITIES): + return "XRI" + else: + return "URI" + + +def toIRINormal(xri): + """Transform an XRI to IRI-normal form.""" + if not xri.startswith('xri://'): + xri = 'xri://' + xri + return escapeForIRI(xri) + + +_xref_re = re.compile('\((.*?)\)') + + +def _escape_xref(xref_match): + """Escape things that need to be escaped if they're in a cross-reference. + """ + xref = xref_match.group() + xref = xref.replace('/', '%2F') + xref = xref.replace('?', '%3F') + xref = xref.replace('#', '%23') + return xref + + +def escapeForIRI(xri): + """Escape things that need to be escaped when transforming to an IRI.""" + xri = xri.replace('%', '%25') + xri = _xref_re.sub(_escape_xref, xri) + return xri + + +def toURINormal(xri): + """Transform an XRI to URI normal form.""" + return iriToURI(toIRINormal(xri)) + + +def _percentEscapeUnicode(char_match): + c = char_match.group() + return ''.join(['%%%X' % (ord(octet),) for octet in c.encode('utf-8')]) + + +def iriToURI(iri): + """Transform an IRI to a URI by escaping unicode.""" + # According to RFC 3987, section 3.1, "Mapping of IRIs to URIs" + return _escapeme_re.sub(_percentEscapeUnicode, iri) + + +def providerIsAuthoritative(providerID, canonicalID): + """Is this provider ID authoritative for this XRI? + + @returntype: bool + """ + # XXX: can't use rsplit until we require python >= 2.4. + lastbang = canonicalID.rindex('!') + parent = canonicalID[:lastbang] + return parent == providerID + + +def rootAuthority(xri): + """Return the root authority for an XRI. + + Example:: + + rootAuthority("xri://@example") == "xri://@" + + @type xri: unicode + @returntype: unicode + """ + if xri.startswith('xri://'): + xri = xri[6:] + authority = xri.split('/', 1)[0] + if authority[0] == '(': + # Cross-reference. + # XXX: This is incorrect if someone nests cross-references so there + # is another close-paren in there. Hopefully nobody does that + # before we have a real xriparse function. Hopefully nobody does + # that *ever*. + root = authority[:authority.index(')') + 1] + elif authority[0] in XRI_AUTHORITIES: + # Other XRI reference. + root = authority[0] + else: + # IRI reference. XXX: Can IRI authorities have segments? + segments = authority.split('!') + segments = reduce(list.__add__, + map(lambda s: s.split('*'), segments)) + root = segments[0] + + return XRI(root) + + +def XRI(xri): + """An XRI object allowing comparison of XRI. + + Ideally, this would do full normalization and provide comparsion + operators as per XRI Syntax. Right now, it just does a bit of + canonicalization by ensuring the xri scheme is present. + + @param xri: an xri string + @type xri: unicode + """ + if not xri.startswith('xri://'): + xri = 'xri://' + xri + return xri diff --git a/askbot/deps/openid/yadis/xrires.py b/askbot/deps/openid/yadis/xrires.py new file mode 100644 index 00000000..be663c66 --- /dev/null +++ b/askbot/deps/openid/yadis/xrires.py @@ -0,0 +1,123 @@ +# -*- test-case-name: openid.test.test_xrires -*- +"""XRI resolution. +""" + +from urllib import urlencode +from openid import fetchers +from openid.yadis import etxrd +from openid.yadis.xri import toURINormal +from openid.yadis.services import iterServices + +DEFAULT_PROXY = 'http://proxy.xri.net/' + +class ProxyResolver(object): + """Python interface to a remote XRI proxy resolver. + """ + def __init__(self, proxy_url=DEFAULT_PROXY): + self.proxy_url = proxy_url + + + def queryURL(self, xri, service_type=None): + """Build a URL to query the proxy resolver. + + @param xri: An XRI to resolve. + @type xri: unicode + + @param service_type: The service type to resolve, if you desire + service endpoint selection. A service type is a URI. + @type service_type: str + + @returns: a URL + @returntype: str + """ + # Trim off the xri:// prefix. The proxy resolver didn't accept it + # when this code was written, but that may (or may not) change for + # XRI Resolution 2.0 Working Draft 11. + qxri = toURINormal(xri)[6:] + hxri = self.proxy_url + qxri + args = { + # XXX: If the proxy resolver will ensure that it doesn't return + # bogus CanonicalIDs (as per Steve's message of 15 Aug 2006 + # 11:13:42), then we could ask for application/xrd+xml instead, + # which would give us a bit less to process. + '_xrd_r': 'application/xrds+xml', + } + if service_type: + args['_xrd_t'] = service_type + else: + # Don't perform service endpoint selection. + args['_xrd_r'] += ';sep=false' + query = _appendArgs(hxri, args) + return query + + + def query(self, xri, service_types): + """Resolve some services for an XRI. + + Note: I don't implement any service endpoint selection beyond what + the resolver I'm querying does, so the Services I return may well + include Services that were not of the types you asked for. + + May raise fetchers.HTTPFetchingError or L{etxrd.XRDSError} if + the fetching or parsing don't go so well. + + @param xri: An XRI to resolve. + @type xri: unicode + + @param service_types: A list of services types to query for. Service + types are URIs. + @type service_types: list of str + + @returns: tuple of (CanonicalID, Service elements) + @returntype: (unicode, list of C{ElementTree.Element}s) + """ + # FIXME: No test coverage! + services = [] + # Make a seperate request to the proxy resolver for each service + # type, as, if it is following Refs, it could return a different + # XRDS for each. + + canonicalID = None + + for service_type in service_types: + url = self.queryURL(xri, service_type) + response = fetchers.fetch(url) + if response.status not in (200, 206): + # XXX: sucks to fail silently. + # print "response not OK:", response + continue + et = etxrd.parseXRDS(response.body) + canonicalID = etxrd.getCanonicalID(xri, et) + some_services = list(iterServices(et)) + services.extend(some_services) + # TODO: + # * If we do get hits for multiple service_types, we're almost + # certainly going to have duplicated service entries and + # broken priority ordering. + return canonicalID, services + + +def _appendArgs(url, args): + """Append some arguments to an HTTP query. + """ + # to be merged with oidutil.appendArgs when we combine the projects. + if hasattr(args, 'items'): + args = args.items() + args.sort() + + if len(args) == 0: + return url + + # According to XRI Resolution section "QXRI query parameters": + # + # """If the original QXRI had a null query component (only a leading + # question mark), or a query component consisting of only question + # marks, one additional leading question mark MUST be added when + # adding any XRI resolution parameters.""" + + if '?' in url.rstrip('?'): + sep = '&' + else: + sep = '?' + + return '%s%s%s' % (url, sep, urlencode(args)) diff --git a/askbot/setup_templates/settings.py b/askbot/setup_templates/settings.py index bef8370e..6dd443c4 100644 --- a/askbot/setup_templates/settings.py +++ b/askbot/setup_templates/settings.py @@ -1,6 +1,11 @@ # Django settings for ASKBOT enabled project. import os.path import logging +import sys +import askbot + +#this line is added so that we can import pre-packaged askbot dependencies +sys.path.append(os.path.join(os.path.dirname(askbot.__file__), 'deps')) DEBUG = True TEMPLATE_DEBUG = DEBUG @@ -10,7 +10,6 @@ install_requires = [ 'recaptcha-client', 'markdown2', 'html5lib', - 'python-openid', 'django-keyedcache', 'django-threaded-multihost', 'django-robots', |