/usr/include/opkele/basic_rp.h is in libopkele-dev 2.0.4+git20140305.9651b55-3.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 | #ifndef __OPKELE_BASIC_RP_H
#define __OPKELE_BASIC_RP_H
#include <string>
#include <opkele/types.h>
#include <opkele/extension.h>
namespace opkele {
using std::string;
class basic_RP {
public:
/**
* Claimed identifier from a parsed id_res message.
*/
string claimed_id;
/**
* OP-Local identifier from a parsed id_res message.
*/
string identity;
virtual ~basic_RP() { }
void reset_vars();
/**
* @name Assertion information retrieval
* Retrieval of the information passed with openid message
* @{
*/
/**
* Find out if the assertion is about identity
* @return true if so
*/
bool has_identity() const;
/**
* Get claimed identifier supplied with the request
* @return claimed identifier
* @throw non_identity if request is not about identity
*/
const string& get_claimed_id() const;
/**
* Get the identity (OP-Local identifier) confirmed
* @return identity
* @throw non_identity if request is not about identity
*/
const string& get_identity() const;
/**
* @}
*/
/**
* @name Global persistent store API
* These are functions related to the associations with OP storage
* and retrieval and nonce records. They provide an interface to
* the persistent storage which is shared by all sessions. If the
* implementor prefers the dumb mode instead, the function should
* throw dumb_RP exception instead.
* @see opkele::dumb_RP
* @{
*/
/**
* Store association and return allocated association object.
* @param OP OP endpoint
* @param handle association handle
* @param type association type
* @param secret association secret
* @params expires_in the number of seconds association expires in
* @return the association object
* @throw dumb_RP for dumb RP
*/
virtual assoc_t store_assoc(
const string& OP,const string& handle,
const string& type,const secret_t& secret,
int expires_in) = 0;
/**
* Find valid unexpired association with an OP.
* @param OP OP endpoint URL
* @return association found
* @throw failed_lookup if no association found
* @throw dumb_RP for dumb RP
*/
virtual assoc_t find_assoc(
const string& OP) = 0;
/**
* Retrieve valid association handle for an OP by handle.
* @param OP OP endpoint URL
* @param handle association handle
* @return association found
* @throw failed_lookup if no association found
* @throw dumb_RP for dumb RP
*/
virtual assoc_t retrieve_assoc(
const string& OP,const string& handle) = 0;
/**
* Invalidate association with OP
* @param OP OP endpoint URL
* @param handle association handle
* @throw dumb_RP for dumb RP
*/
virtual void invalidate_assoc(const string& OP,const string& handle) = 0;
/**
* Check the nonce validity. That is, check that we haven't
* accepted request with this nonce from this OP, yet. May involve
* cutting off by the timestamp and checking the rest against the
* store of seen nonces.
* @param OP OP endpoint URL
* @param nonce nonce value
* @throw id_res_bad_nonce if the nonce is not to be accepted, i.e.
* either too old or seen.
*/
virtual void check_nonce(const string& OP,const string& nonce) = 0;
/**
* @}
*/
/**
* @name Session persistent store API
* @{
*/
/**
* Retrieve OpenID endpoint being currently used for
* authentication. If there is no endpoint available, throw a
* no_endpoint exception.
* @return reference to the service endpoint object
* @see next_endpoint
* @throw no_endpoint if no endpoint available
*/
virtual const openid_endpoint_t& get_endpoint() const = 0;
/**
* Advance to the next endpoint to try.
* @see get_endpoint()
* @throw no_endpoint if there are no more endpoints
*/
virtual void next_endpoint() = 0;
/**
* @}
*/
/**
* @name Site particulars API
* @{
*/
/**
* Return an absolute URL of the page being processed, includining
* query parameters. It is used to validate return_to URL on
* positive assertions.
* @return fully qualified url of the page being processed.
*/
virtual const string get_this_url() const = 0;
/**
* @}
*/
/**
* @name OpenID actions
* @{
*/
/**
* Initiates authentication session, doing discovery, normalization
* and whatever implementor wants to do at this point.
* @param usi User-supplied identity
*/
virtual void initiate(const string& usi) = 0;
/**
* Prepare checkid_request.
* @param rv reference to the openid message to prepare
* @param mode checkid_setup or checkid_immediate
* @param return_to the URL OP should redirect to after completion
* @param realm authentication realm to pass to OP
* @param ext pointer to extension to use in request preparation
* @return reference to the openid message
*/
basic_openid_message& checkid_(
basic_openid_message& rv,
mode_t mode,
const string& return_to,const string& realm,
extension_t *ext=0);
/**
* Verify assertion at the end of round-trip.
* @param om incoming openid message
* @param ext pointer to extention to use in parsing assertion
* @throw id_res_setup if checkid_immediate request could not be
* completed
* @throw id_res_cancel if authentication request was canceled
* @throw id_res_mismatch in case of signature mismatch
* @throw id_res_bad_return_to if return_to url seems to be
* tampered with
* @throw id_res_unauthorized if OP is not authorized to make
* assertions regarding the identity
*/
void id_res(const basic_openid_message& om,extension_t *ext=0);
/**
* Establish association with OP
* @param OP OP to establish association with
* @throw dumb_RP if for a dumb RP
*/
virtual assoc_t associate(const string& OP);
/**
* Check authentication with OP and invalidate handle if requested
* and confirmed
* @param OP OP to check with
* @param om message to check
* @throw failed_check_authentication if OP fails to confirm
* authenticity of the assertion
*/
void check_authentication(const string& OP,const basic_openid_message& om);
/**
* @}
*/
/**
* @name Miscellanea
* @{
*/
/**
* Verify OP authority. Return normally if OP is authorized to make
* an assertion, throw an exception otherwise.
* @param OP OP endpoint
* @param claimed_id claimed identity
* @param identity OP-Local identifier
* @throw id_res_unauthorized if OP is not authorized to make
* assertion regarding this identity.
*/
virtual void verify_OP(const string& OP,
const string& claimed_id,const string& identity) const = 0;
/**
* @}
*/
};
}
#endif /* __OPKELE_BASIC_RP_H */
|