authorAndrew Arnott <andrewarnott@gmail.com>2008-08-19 08:08:14 -0600
committerAndrew Arnott <andrewarnott@gmail.com>2008-08-19 08:08:14 -0600
commitfb369aaadb673357ee0105116c994e6ace2eca15 (patch)
treed1e9e91b434f30ff152a38d6e536669c5736c092
parentaa75148d329267e1525a9568d25a0f95e411f3bb (diff)
Added a check to prevent the RP from communicating with OPs that do not implement the required minimum OpenID version.
-rw-r--r--src/DotNetOpenId.Test/RelyingParty/OpenIdRelyingPartyTest.cs32
-rw-r--r--src/DotNetOpenId/RelyingParty/DirectResponse.cs12
-rw-r--r--src/DotNetOpenId/Strings.Designer.cs11
-rw-r--r--src/DotNetOpenId/Strings.resx3
4 files changed, 56 insertions, 2 deletions
diff --git a/src/DotNetOpenId.Test/RelyingParty/OpenIdRelyingPartyTest.cs b/src/DotNetOpenId.Test/RelyingParty/OpenIdRelyingPartyTest.cs
index 37e9ab3..9da4360 100644
--- a/src/DotNetOpenId.Test/RelyingParty/OpenIdRelyingPartyTest.cs
+++ b/src/DotNetOpenId.Test/RelyingParty/OpenIdRelyingPartyTest.cs
@@ -391,5 +391,37 @@ namespace DotNetOpenId.Test.RelyingParty {
rp.Settings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
rp.CreateRequest(id, TestSupport.Realm, TestSupport.ReturnTo);
}
+
+ /// <summary>
+ /// Verifies that an RP configured to require 2.0 OPs will fail on communicating with 1.x OPs
+ /// that merely advertise 2.0 support but don't really have it.
+ /// </summary>
+ [Test]
+ public void MinimumOPVersion20WithDeceptiveEndpointRealizedAtAuthentication() {
+ // Create an identifier that claims to have a 2.0 OP endpoint.
+ MockIdentifier id = TestSupport.GetMockIdentifier(TestSupport.Scenarios.AutoApproval, ProtocolVersion.V20);
+
+ var rp = TestSupport.CreateRelyingParty(null, null);
+
+ IAuthenticationRequest req = rp.CreateRequest(id, TestSupport.Realm, TestSupport.ReturnTo);
+ IResponse providerResponse = TestSupport.CreateProviderResponseToRequest(req, opReq => {
+ opReq.IsAuthenticated = true;
+ });
+
+ var opAuthWebResponse = (Response)providerResponse;
+ var opAuthResponse = (DotNetOpenId.Provider.EncodableResponse)opAuthWebResponse.EncodableMessage;
+ var rp2 =TestSupport. CreateRelyingParty(null, opAuthResponse.RedirectUrl,
+ opAuthResponse.EncodedFields.ToNameValueCollection());
+ rp2.Settings.MinimumRequiredOpenIdVersion = ProtocolVersion.V20;
+ // Rig an intercept between the provider and RP to make our own Provider LOOK like a 1.x provider.
+ var sniffer = new DirectMessageSniffWrapper(rp2.DirectMessageChannel);
+ rp2.DirectMessageChannel = sniffer;
+ sniffer.Receiving += (endpoint, fields) => {
+ fields.Remove(Protocol.v20.openidnp.ns);
+ };
+ var resp = rp2.Response;
+
+ Assert.AreEqual(AuthenticationStatus.Failed, resp.Status, "Authentication should have failed since OP is really a 1.x OP masquerading as a 2.0 OP.");
+ }
}
}
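Review bot: The final assertion checks only that `resp.Status` is `AuthenticationStatus.Failed`, so the test also passes if authentication fails for an unrelated reason, for example if stripping the `ns` key in the sniffer breaks some other part of response processing rather than the new version check. If the response exposes the failure exception, add a second assertion that it is the version-requirement failure (e.g. an `OpenIdException` whose message is the `MinimumOPVersionRequirementNotMet` text), so the test actually pins the behavior the commit introduces. As a point of style, `var rp2 =TestSupport. CreateRelyingParty(` has the spaces on the wrong side of the dot; `var rp2 = TestSupport.CreateRelyingParty(` matches the surrounding code.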
diff --git a/src/DotNetOpenId/RelyingParty/DirectResponse.cs b/src/DotNetOpenId/RelyingParty/DirectResponse.cs
index c6b9ff2..39458fe 100644
--- a/src/DotNetOpenId/RelyingParty/DirectResponse.cs
+++ b/src/DotNetOpenId/RelyingParty/DirectResponse.cs
@@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.Text;
using System.Diagnostics;
+using System.Globalization;
namespace DotNetOpenId.RelyingParty {
[DebuggerDisplay("OpenId: {Protocol.Version}")]
@@ -14,6 +15,16 @@ namespace DotNetOpenId.RelyingParty {
Provider = provider;
Args = args;
+ // Make sure that the OP fulfills the required OpenID version.
+ // We don't use Provider.Protocol here because that's just a cache of
+ // what we _thought_ the OP would support, and our purpose is to double-check this.
+ if (Protocol.Detect(args).ProtocolVersion < relyingParty.Settings.MinimumRequiredOpenIdVersion) {
+ throw new OpenIdException(string.Format(CultureInfo.CurrentCulture,
+ Strings.MinimumOPVersionRequirementNotMet,
+ Protocol.Lookup(relyingParty.Settings.MinimumRequiredOpenIdVersion).Version,
+ provider.Protocol.Version));
+ }
+
if (Logger.IsErrorEnabled) {
if (!Args.ContainsKey(Protocol.openidnp.ns)) {
Logger.ErrorFormat("Direct response from provider lacked the {0} key.", Protocol.openid.ns);
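Review bot: The exception message formats `provider.Protocol.Version` as the "detected" version, but the comment two lines above states that `Provider.Protocol` is only a cache of what the OP was thought to support, and the comparison itself is made against `Protocol.Detect(args)`. When the check fires, the message will therefore report the advertised version (e.g. "requires at least 2.0, but Provider is detected to only support 2.0") instead of the version actually found in the response, which makes the failure hard to diagnose. Detect once and reuse the result: `Protocol detected = Protocol.Detect(args);`, `if (detected.ProtocolVersion < relyingParty.Settings.MinimumRequiredOpenIdVersion) {`, and `detected.Version));` as the last format argument. The enclosing constructor begins before this hunk, so whether `args` can be null at this point is not visible here; if it can, `Protocol.Detect(args)` now runs before the existing `Args.ContainsKey` logging and may need the same guard.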
@@ -22,7 +33,6 @@ namespace DotNetOpenId.RelyingParty {
Protocol.openid.ns, Args[Protocol.openidnp.ns], Protocol.QueryDeclaredNamespaceVersion);
}
}
-
}
protected OpenIdRelyingParty RelyingParty { get; private set; }
protected ServiceEndpoint Provider { get; private set; }
diff --git a/src/DotNetOpenId/Strings.Designer.cs b/src/DotNetOpenId/Strings.Designer.cs
index 28c186f..e12428e 100644
--- a/src/DotNetOpenId/Strings.Designer.cs
+++ b/src/DotNetOpenId/Strings.Designer.cs
@@ -1,7 +1,7 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
-// Runtime Version:2.0.50727.1434
+// Runtime Version:2.0.50727.3053
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
@@ -380,6 +380,15 @@ namespace DotNetOpenId {
}
/// <summary>
+ /// Looks up a localized string similar to This Relying Party requires a Provider that supports at least OpenID version {0}, but Provider is detected to only support OpenID version {1}..
+ /// </summary>
+ internal static string MinimumOPVersionRequirementNotMet {
+ get {
+ return ResourceManager.GetString("MinimumOPVersionRequirementNotMet", resourceCulture);
+ }
+ }
+
+ /// <summary>
/// Looks up a localized string similar to The XRDS document for XRI {0} is missing the required CanonicalID element..
/// </summary>
internal static string MissingCanonicalIDElement {
diff --git a/src/DotNetOpenId/Strings.resx b/src/DotNetOpenId/Strings.resx
index cdaec49..38afc13 100644
--- a/src/DotNetOpenId/Strings.resx
+++ b/src/DotNetOpenId/Strings.resx
@@ -226,6 +226,9 @@ Discovered endpoint info:
<data name="MatchingArgumentsExpected" xml:space="preserve">
<value>The '{0}' and '{1}' parameters must both be or not be '{2}'.</value>
</data>
+ <data name="MinimumOPVersionRequirementNotMet" xml:space="preserve">
+ <value>This Relying Party requires a Provider that supports at least OpenID version {0}, but Provider is detected to only support OpenID version {1}.</value>
+ </data>
<data name="MissingCanonicalIDElement" xml:space="preserve">
<value>The XRDS document for XRI {0} is missing the required CanonicalID element.</value>
</data>