Splitting up the OpenID profile into OpenID RP and OP. The core OpenID DLL compiles, but the RP and OP ones do not.

6 files changed, 293 insertions, 0 deletions

diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateDiffieHellmanProviderResponse.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateDiffieHellmanProviderResponse.cs
new file mode 100644
index 0000000..80743f7
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateDiffieHellmanProviderResponse.cs
@@ -0,0 +1,82 @@
+//-----------------------------------------------------------------------
+// <copyright file="AssociateDiffieHellmanResponse.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OpenId.Messages {
+	using System;
+	using System.Diagnostics.Contracts;
+	using System.Security.Cryptography;
+	using DotNetOpenAuth.Messaging;
+	using DotNetOpenAuth.Messaging.Reflection;
+	using DotNetOpenAuth.OpenId.Provider;
+	using Org.Mentalis.Security.Cryptography;
+
+	/// <summary>
+	/// The successful Diffie-Hellman association response message.
+	/// </summary>
+	/// <remarks>
+	/// Association response messages are described in OpenID 2.0 section 8.2.  This type covers section 8.2.3.
+	/// </remarks>
+	internal class AssociateDiffieHellmanProviderResponse : AssociateDiffieHellmanResponse {
+		/// <summary>
+		/// Initializes a new instance of the <see cref="AssociateDiffieHellmanProviderResponse"/> class.
+		/// </summary>
+		/// <param name="responseVersion">The OpenID version of the response message.</param>
+		/// <param name="originatingRequest">The originating request.</param>
+		internal AssociateDiffieHellmanProviderResponse(Version responseVersion, AssociateDiffieHellmanRequest originatingRequest)
+			: base(responseVersion, originatingRequest) {
+		}
+
+		/// <summary>
+		/// Creates the association at relying party side after the association response has been received.
+		/// </summary>
+		/// <param name="request">The original association request that was already sent and responded to.</param>
+		/// <returns>The newly created association.</returns>
+		/// <remarks>
+		/// The resulting association is <i>not</i> added to the association store and must be done by the caller.
+		/// </remarks>
+		protected override Association CreateAssociationAtRelyingParty(AssociateRequest request) {
+			throw new NotImplementedException();
+		}
+
+		/// <summary>
+		/// Creates the association at the provider side after the association request has been received.
+		/// </summary>
+		/// <param name="request">The association request.</param>
+		/// <param name="associationStore">The OpenID Provider's association store or handle encoder.</param>
+		/// <param name="securitySettings">The security settings of the Provider.</param>
+		/// <returns>
+		/// The newly created association.
+		/// </returns>
+		/// <remarks>
+		/// The response message is updated to include the details of the created association by this method,
+		/// but the resulting association is <i>not</i> added to the association store and must be done by the caller.
+		/// </remarks>
+		protected override Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+			var diffieHellmanRequest = request as AssociateDiffieHellmanRequest;
+			ErrorUtilities.VerifyInternal(diffieHellmanRequest != null, "Expected a DH request type.");
+
+			this.SessionType = this.SessionType ?? request.SessionType;
+
+			// Go ahead and create the association first, complete with its secret that we're about to share.
+			Association association = HmacShaAssociation.Create(this.Protocol, this.AssociationType, AssociationRelyingPartyType.Smart, associationStore, securitySettings);
+
+			// We now need to securely communicate the secret to the relying party using Diffie-Hellman.
+			// We do this by performing a DH algorithm on the secret and setting a couple of properties
+			// that will be transmitted to the Relying Party.  The RP will perform an inverse operation
+			// using its part of a DH secret in order to decrypt the shared secret we just invented 
+			// above when we created the association.
+			using (DiffieHellman dh = new DiffieHellmanManaged(
+				diffieHellmanRequest.DiffieHellmanModulus ?? AssociateDiffieHellmanRequest.DefaultMod,
+				diffieHellmanRequest.DiffieHellmanGen ?? AssociateDiffieHellmanRequest.DefaultGen,
+				AssociateDiffieHellmanRequest.DefaultX)) {
+				HashAlgorithm hasher = DiffieHellmanUtilities.Lookup(this.Protocol, this.SessionType);
+				this.DiffieHellmanServerPublic = DiffieHellmanUtilities.EnsurePositive(dh.CreateKeyExchange());
+				this.EncodedMacKey = DiffieHellmanUtilities.SHAHashXorSecret(hasher, dh, diffieHellmanRequest.DiffieHellmanConsumerPublic, association.SecretKey);
+			}
+			return association;
+		}
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateRequestProvider.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateRequestProvider.cs
new file mode 100644
index 0000000..5da8307
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateRequestProvider.cs
@@ -0,0 +1,94 @@
+namespace DotNetOpenAuth.OpenId.Messages {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Text;
+
+	internal abstract class AssociateRequestProvider : AssociateRequest {
+		/// <summary>
+		/// Creates a Provider's response to an incoming association request.
+		/// </summary>
+		/// <param name="associationStore">The association store.</param>
+		/// <param name="securitySettings">The security settings on the Provider.</param>
+		/// <returns>
+		/// The appropriate association response that is ready to be sent back to the Relying Party.
+		/// </returns>
+		/// <remarks>
+		///   <para>If an association is created, it will be automatically be added to the provided
+		/// association store.</para>
+		///   <para>Successful association response messages will derive from <see cref="AssociateSuccessfulResponse"/>.
+		/// Failed association response messages will derive from <see cref="AssociateUnsuccessfulResponse"/>.</para>
+		/// </remarks>
+		internal IProtocolMessage CreateResponse(IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+			Contract.Requires<ArgumentNullException>(associationStore != null);
+			Contract.Requires<ArgumentNullException>(securitySettings != null);
+
+			IProtocolMessage response;
+			if (securitySettings.IsAssociationInPermittedRange(Protocol, this.AssociationType) &&
+				HmacShaAssociation.IsDHSessionCompatible(Protocol, this.AssociationType, this.SessionType)) {
+				response = this.CreateResponseCore();
+
+				// Create and store the association if this is a successful response.
+				var successResponse = response as AssociateSuccessfulResponse;
+				if (successResponse != null) {
+					successResponse.CreateAssociation(this, associationStore, securitySettings);
+				}
+			} else {
+				response = this.CreateUnsuccessfulResponse(securitySettings);
+			}
+
+			return response;
+		}
+
+		/// <summary>
+		/// Creates a Provider's response to an incoming association request.
+		/// </summary>
+		/// <returns>
+		/// The appropriate association response message.
+		/// </returns>
+		/// <remarks>
+		/// <para>If an association can be successfully created, the 
+		/// <see cref="AssociateSuccessfulResponse.CreateAssociation"/> method must not be
+		/// called by this method.</para>
+		/// <para>Successful association response messages will derive from <see cref="AssociateSuccessfulResponse"/>.
+		/// Failed association response messages will derive from <see cref="AssociateUnsuccessfulResponse"/>.</para>
+		/// </remarks>
+		protected abstract IProtocolMessage CreateResponseCore();
+
+		/// <summary>
+		/// Creates a response that notifies the Relying Party that the requested
+		/// association type is not supported by this Provider, and offers
+		/// an alternative association type, if possible.
+		/// </summary>
+		/// <param name="securitySettings">The security settings that apply to this Provider.</param>
+		/// <returns>The response to send to the Relying Party.</returns>
+		private AssociateUnsuccessfulResponse CreateUnsuccessfulResponse(ProviderSecuritySettings securitySettings) {
+			Contract.Requires<ArgumentNullException>(securitySettings != null);
+
+			var unsuccessfulResponse = new AssociateUnsuccessfulResponse(this.Version, this);
+
+			// The strategy here is to suggest that the RP try again with the lowest
+			// permissible security settings, giving the RP the best chance of being
+			// able to match with a compatible request.
+			bool unencryptedAllowed = this.Recipient.IsTransportSecure();
+			bool useDiffieHellman = !unencryptedAllowed;
+			string associationType, sessionType;
+			if (HmacShaAssociation.TryFindBestAssociation(Protocol, false, securitySettings, useDiffieHellman, out associationType, out sessionType)) {
+				ErrorUtilities.VerifyInternal(this.AssociationType != associationType, "The RP asked for an association that should have been allowed, but the OP is trying to suggest the same one as an alternative!");
+				unsuccessfulResponse.AssociationType = associationType;
+				unsuccessfulResponse.SessionType = sessionType;
+				Logger.OpenId.InfoFormat(
+					"Association requested of type '{0}' and session '{1}', which the Provider does not support.  Sending back suggested alternative of '{0}' with session '{1}'.",
+					this.AssociationType,
+					this.SessionType,
+					unsuccessfulResponse.AssociationType,
+					unsuccessfulResponse.SessionType);
+			} else {
+				Logger.OpenId.InfoFormat("Association requested of type '{0}' and session '{1}', which the Provider does not support.  No alternative association type qualified for suggesting back to the Relying Party.", this.AssociationType, this.SessionType);
+			}
+
+			return unsuccessfulResponse;
+		}
+
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateSuccessfulResponseProvider.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateSuccessfulResponseProvider.cs
new file mode 100644
index 0000000..3a71bba
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateSuccessfulResponseProvider.cs
@@ -0,0 +1,27 @@
+namespace DotNetOpenAuth.OpenId.Messages {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Text;
+	using DotNetOpenAuth.OpenId.Provider;
+
+	internal abstract class AssociateSuccessfulResponseProvider : AssociateSuccessfulResponse {
+		/// <summary>
+		/// Called to create the Association based on a request previously given by the Relying Party.
+		/// </summary>
+		/// <param name="request">The prior request for an association.</param>
+		/// <param name="associationStore">The Provider's association store.</param>
+		/// <param name="securitySettings">The security settings of the Provider.</param>
+		/// <returns>
+		/// The created association.
+		/// </returns>
+		/// <remarks>
+		///   <para>The caller will update this message's <see cref="ExpiresIn"/> and <see cref="AssociationHandle"/>
+		/// properties based on the <see cref="Association"/> returned by this method, but any other
+		/// association type specific properties must be set by this method.</para>
+		///   <para>The response message is updated to include the details of the created association by this method,
+		/// but the resulting association is <i>not</i> added to the association store and must be done by the caller.</para>
+		/// </remarks>
+		protected abstract Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings);
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateSuccessfulResponseProviderContract.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateSuccessfulResponseProviderContract.cs
new file mode 100644
index 0000000..9824316
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateSuccessfulResponseProviderContract.cs
@@ -0,0 +1,18 @@
+namespace DotNetOpenAuth.OpenId.Messages {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Text;
+	using System.Diagnostics.Contracts;
+	using DotNetOpenAuth.OpenId.Provider;
+
+	[ContractClassFor(typeof(AssociateSuccessfulResponseProvider))]
+	internal abstract class AssociateSuccessfulResponseProviderContract : AssociateSuccessfulResponseProvider {
+		protected override Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+			Contract.Requires<ArgumentNullException>(request != null);
+			Contract.Requires<ArgumentNullException>(associationStore != null);
+			Contract.Requires<ArgumentNullException>(securitySettings != null);
+			throw new NotImplementedException();
+		}
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateUnencryptedResponseProvider.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateUnencryptedResponseProvider.cs
new file mode 100644
index 0000000..c390a5e
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/AssociateUnencryptedResponseProvider.cs
@@ -0,0 +1,40 @@
+//-----------------------------------------------------------------------
+// <copyright file="AssociateUnencryptedResponseProvider.cs" company="Andrew Arnott">
+//     Copyright (c) Andrew Arnott. All rights reserved.
+// </copyright>
+//-----------------------------------------------------------------------
+
+namespace DotNetOpenAuth.OpenId.Messages {
+	using System;
+	using System.Collections.Generic;
+	using System.Linq;
+	using System.Text;
+	using DotNetOpenAuth.OpenId.Provider;
+
+	internal class AssociateUnencryptedResponseProvider : AssociateUnencryptedResponse {
+		/// <summary>
+		/// Called to create the Association based on a request previously given by the Relying Party.
+		/// </summary>
+		/// <param name="request">The prior request for an association.</param>
+		/// <param name="associationStore">The Provider's association store.</param>
+		/// <param name="securitySettings">The security settings of the Provider.</param>
+		/// <returns>
+		/// The created association.
+		/// </returns>
+		/// <remarks>
+		///   <para>The caller will update this message's
+		///   <see cref="AssociateSuccessfulResponse.ExpiresIn"/> and
+		///   <see cref="AssociateSuccessfulResponse.AssociationHandle"/>
+		/// properties based on the <see cref="Association"/> returned by this method, but any other
+		/// association type specific properties must be set by this method.</para>
+		///   <para>The response message is updated to include the details of the created association by this method,
+		/// but the resulting association is <i>not</i> added to the association store and must be done by the caller.</para>
+		/// </remarks>
+		protected override Association CreateAssociationAtProvider(AssociateRequest request, IProviderAssociationStore associationStore, ProviderSecuritySettings securitySettings) {
+			Association association = HmacShaAssociation.Create(Protocol, this.AssociationType, AssociationRelyingPartyType.Smart, associationStore, securitySettings);
+			this.MacKey = association.SecretKey;
+			return association;
+		}
+
+	}
+}
diff --git a/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/CheckAuthenticationResponseProvider.cs b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/CheckAuthenticationResponseProvider.cs
new file mode 100644
index 0000000..3853693
--- /dev/null
+++ b/src/DotNetOpenAuth.OpenId.Provider/OpenId/Messages/CheckAuthenticationResponseProvider.cs
@@ -0,0 +1,32 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+
+namespace DotNetOpenAuth.OpenId.Messages {
+	class CheckAuthenticationResponseProvider : CheckAuthenticationResponse {
+
+		/// <summary>
+		/// Initializes a new instance of the <see cref="CheckAuthenticationResponse"/> class
+		/// for use by the Provider.
+		/// </summary>
+		/// <param name="request">The request that this message is responding to.</param>
+		/// <param name="provider">The OpenID Provider that is preparing to send this response.</param>
+		internal CheckAuthenticationResponseProvider(CheckAuthenticationRequest request, OpenIdProvider provider)
+			: base(request.Version, request) {
+			Contract.Requires<ArgumentNullException>(provider != null);
+
+			// The channel's binding elements have already set the request's IsValid property
+			// appropriately.  We just copy it into the response message.
+			this.IsValid = request.IsValid;
+
+			// Confirm the RP should invalidate the association handle only if the association
+			// is not valid (any longer).  OpenID 2.0 section 11.4.2.2.
+			IndirectSignedResponse signedResponse = new IndirectSignedResponse(request, provider.Channel);
+			string invalidateHandle = ((ITamperResistantOpenIdMessage)signedResponse).InvalidateHandle;
+			if (!string.IsNullOrEmpty(invalidateHandle) && !provider.AssociationStore.IsValid(signedResponse, false, invalidateHandle)) {
+				this.InvalidateHandle = invalidateHandle;
+			}
+		}
+	}
+}