[libnet-openid-common-perl] 01/09: add IndirectMessage->all_parameters

gregor herrmann gregoa at debian.org
Sun Feb 7 21:50:28 UTC 2016


This is an automated email from the git hooks/post-receive script.

gregoa pushed a commit to annotated tag v1.12
in repository libnet-openid-common-perl.

commit 7af7ace77e3c8b1946cd281a09a690a7f3a04a8a
Author: Roger Crew <crew at cs.stanford.edu>
Date:   Mon Oct 24 01:27:16 2011 -0700

    add IndirectMessage->all_parameters
    
    removed
       # NOTE: There is intentionally no way to get all of the keys in the core
       # namespace because that means we don't need to be able to enumerate
       # to support the core protocol, and there is no requirement to enumerate
       # anyway.
    
    because, as of OpenID 2.0, this is now actively wrong.
    
    A 2.0 check_authentication message needs to include ALL parameters that
    were received in the positive assertion response, and the only
    way to do that is to be able to enumerate all of the keys.
    
    Fortunately, in the one case where we couldn't do this before
    (passing in a coderef as the URL parameter object), it's easy to
    modify the contract (i.e., the new requirement that a coderef call
    with no arguments returns the full list of URL parameters) -- and also
    easy to recognize when there's legacy code not following it (parameter
    names are never going to be undef, nor will there *ever* be zero
    parameters since we always have .mode).
---
 lib/Net/OpenID/IndirectMessage.pm | 60 +++++++++++++++++++++++++++++++--------
 1 file changed, 48 insertions(+), 12 deletions(-)

diff --git a/lib/Net/OpenID/IndirectMessage.pm b/lib/Net/OpenID/IndirectMessage.pm
index 16e4b8e..37cff29 100644
--- a/lib/Net/OpenID/IndirectMessage.pm
+++ b/lib/Net/OpenID/IndirectMessage.pm
@@ -53,11 +53,31 @@ sub new {
         $enumer = sub { keys %{$p}; };
     }
     elsif (ref $what eq "CODE") {
+        my @keys = ();
+        my $enumerated;
         $getter = $what;
-        # We can't enumerate with just a coderef.
-        # OpenID 2 spec only requires enumeration to support
-        # extension namespaces, so we don't care too much.
-        $enumer = sub { return (); };
+        $enumer = sub {
+            unless ($enumerated) {
+                $enumerated = 1;
+                # In Consumer/Common 1.03 and predecessors, coderefs
+                # did not have to be able to enumerate all keys.
+                # Therefore, we must cope with legacy coderefs being
+                # passed in which don't expect to be called with no
+                # arguments, and then, most likely, fail in one of
+                # three ways:
+                #   (1) return empty list
+                #   (2) retrieve undef/'' value for undef/'' key.
+                #   (3) raise an error
+                # We normalize these all to empty list, which our
+                # caller can then recognize as obviously wrong
+                # and do something about it.
+                eval { @keys = $what->() };
+                @keys = ()
+                  if (@keys == 1 &&
+                      !(defined($keys[0]) && length($keys[0])));
+            }
+            return @keys;
+        }
     }
     else {
         $what = 'undef' if !defined $what;
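Review bot: The legacy-coderef filter after the `eval` only empties `@keys` when it holds exactly one undef or empty element, so a coderef that returns several values with an undef or '' among them passes those through to `all_parameters` callers, where `substr($key, ...)` and the `openid.ns.` match would then run on undef. Filtering every element also covers the single-element legacy case: `@keys = grep { defined($_) && length($_) } @keys;`. The `eval` also discards `$@`, so an enumerator that dies from a genuine bug looks the same as a legacy getter. Since the commit message says this list feeds check_authentication, consider keeping the error for a `Carp::carp` diagnostic. `sub new` begins and ends outside this hunk.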
@@ -120,11 +140,6 @@ sub get {
     my $self = shift;
     my $key = shift or Carp::croak("No argument name supplied to get method");
 
-    # NOTE: There is intentionally no way to get all of the keys in the core
-    # namespace because that means we don't need to be able to enumerate
-    # to support the core protocol, and there is no requirement to enumerate
-    # anyway.
-
     # Arguments can only contain letters, numbers, underscores and dashes
     Carp::croak("Invalid argument key $key") unless $key =~ /^[\w\-]+$/;
     Carp::croak("Too many arguments") if scalar(@_);
@@ -145,6 +160,27 @@ sub getter {
     return $self->{getter};
 }
 
+# NOTE RE all_parameters():
+#
+# It was originally thought that enumeration of URL parameters was
+# unnecessary except to support extensions, i.e., that support of the
+# core protocol did not need it.  While this is true in OpenID 1.1, it
+# is not the case in OpenID 2.0 where check_authentication requires
+# sending back a complete copy of the positive assertion message
+# that was received indirectly.
+#
+# In cases where legacy client code is not supplying a real enumerator,
+# this routine will return an empty list and callers will need to
+# check for this.  Recall that actual messages in all versions of the
+# Openid protocol (thus far) are guaranteed to have at least an
+# 'openid.mode' parameter.
+
+sub all_parameters {
+    my $self = shift;
+
+    return $self->{enumer}->();
+}
+
 sub get_ext {
     my $self = shift;
     my $namespace = shift or Carp::croak("No namespace URI supplied to get_ext method");
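Review bot: The empty-list contract for `all_parameters` is stated only in a free-standing `#` block above the sub, so it will not appear in the module's POD (if the file documents its public methods there) and is easy to miss at call sites. Because the commit message says the result is used to build the check_authentication request, a caller that does not test for the empty list would forward a message with none of the assertion's fields. I would state the contract on the sub itself, e.g. `# Returns () when the supplied getter cannot enumerate; callers must treat that as an error, not as a message with no parameters.`, and mirror it in the POD entry.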
@@ -164,7 +200,7 @@ sub get_ext {
         my $prefix = "openid.$alias.";
         my $prefixlen = length($prefix);
         my $ret = {};
-        foreach my $key ($self->{enumer}->()) {
+        foreach my $key ($self->all_parameters) {
             next unless substr($key, 0, $prefixlen) eq $prefix;
             $ret->{substr($key, $prefixlen)} = $self->{getter}->($key);
         }
@@ -186,11 +222,11 @@ sub has_ext {
 sub _compute_extension_prefixes {
     my ($self) = @_;
 
-    return unless $self->{enumer};
+    # return unless $self->{enumer};
 
     $self->{extension_prefixes} = {};
     if ($self->protocol_version != 1) {
-        foreach my $key ($self->{enumer}->()) {
+        foreach my $key ($self->all_parameters) {
             next unless $key =~ /^openid\.ns\.(\w+)$/;
             my $alias = $1;
             my $uri = $self->{getter}->($key);
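Review bot: The guard at the top of `_compute_extension_prefixes` is left behind as commented-out code (`# return unless $self->{enumer};`) with no explanation of why it is no longer needed. If `new` now always installs an enumerator, which the visible branches suggest but the diff does not show in full, delete the line or replace it with a statement of that invariant, e.g. `# new() always sets $self->{enumer}, so no guard is needed`. If some path can still leave it unset, `$self->all_parameters` will die on the undefined coderef and the guard should stay. The sub's body continues past the end of this hunk.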

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-perl/packages/libnet-openid-common-perl.git


