author | Andrew Arnott <andrewarnott@gmail.com> | 2009-05-30 09:40:27 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-05-30 22:53:38 -0700 |
commit | 6462425c9e95c6814080b452c29ea69e4ea9995b (patch) | |
tree | 82fd0b3007010c66766dc476237e39aef29c56d3 /src | |
parent | 6930063b48757eb6ff29115871e5829697d291e0 (diff) | |
Added RP security option to only discover OP Identifiers.
Diffstat (limited to 'src')
4 files changed, 48 insertions, 3 deletions
diff --git a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/RelyingPartySecuritySettingsTests.cs b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/RelyingPartySecuritySettingsTests.cs
index 3f1cea0..7e342e1 100644
--- a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/RelyingPartySecuritySettingsTests.cs
+++ b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/RelyingPartySecuritySettingsTests.cs
@@ -40,5 +40,17 @@ namespace DotNetOpenAuth.Test.OpenId.RelyingParty {
 this.settings.RequireSsl = false;
 Assert.IsFalse(this.settings.RequireSsl);
 }
+
+ /// <summary>
+ /// Verifies that the <see cref="RelyingPartySecuritySettings.RequireDirectedIdentity"/>
+ /// property getter/setter are implemented correctly.
+ /// </summary>
+ [TestMethod]
+ public void RequireDirectedIdentity() {
+ this.settings.RequireDirectedIdentity = true;
+ Assert.IsTrue(this.settings.RequireDirectedIdentity);
+ this.settings.RequireDirectedIdentity = false;
+ Assert.IsFalse(this.settings.RequireDirectedIdentity);
+ }
 }
 }
diff --git a/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs b/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs
index 7f7dd98..01821e9 100644
--- a/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs
+++ b/src/DotNetOpenAuth/Configuration/OpenIdRelyingPartySecuritySettingsElement.cs
@@ -36,6 +36,11 @@ namespace DotNetOpenAuth.Configuration {
 private const string RequireSslConfigName = "requireSsl";
 
 /// <summary>
+ /// Gets the name of the @requireDirectedIdentity attribute.
+ /// </summary>
+ private const string RequireDirectedIdentityConfigName = "requireDirectedIdentity";
+
+ /// <summary>
 /// Gets the name of the @rejectUnsolicitedAssertions attribute.
 /// </summary>
 private const string RejectUnsolicitedAssertionsConfigName = "rejectUnsolicitedAssertions";
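Review bot: The new test only round-trips an auto-property, which cannot fail in a meaningful way; the behaviour the setting exists for, `FilterEndpoints` in RelyingPartySecuritySettings.cs, and the copy into `CreateSecuritySettings` in the configuration element are both left untested by this commit. A test that builds two service endpoints — one whose `ClaimedIdentifier` equals `Protocol.ClaimedIdentifierForOPIdentifier` and one with an ordinary claimed identifier — sets `RequireDirectedIdentity = true` and asserts that only the first survives the filter would pin the security property, and a companion test with the setting off should assert that both survive so the default is not tightened by accident. `FilterEndpoints` is `internal`, so the test assembly needs visibility of internals, which I cannot confirm from this diff.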
@@ -66,6 +71,16 @@ namespace DotNetOpenAuth.Configuration {
 }
 
 /// <summary>
+ /// Gets or sets a value indicating whether only OP Identifiers will be discoverable
+ /// when creating authentication requests.
+ /// </summary>
+ [ConfigurationProperty(RequireDirectedIdentityConfigName, DefaultValue = false)]
+ public bool RequireDirectedIdentity {
+ get { return (bool)this[RequireDirectedIdentityConfigName]; }
+ set { this[RequireDirectedIdentityConfigName] = value; }
+ }
+
+ /// <summary>
 /// Gets or sets the minimum OpenID version a Provider is required to support in order for this library to interoperate with it.
 /// </summary>
 /// <remarks>
@@ -142,6 +157,7 @@ namespace DotNetOpenAuth.Configuration {
 RelyingPartySecuritySettings settings = new RelyingPartySecuritySettings();
 
 settings.RequireSsl = this.RequireSsl;
+ settings.RequireDirectedIdentity = this.RequireDirectedIdentity;
 settings.MinimumRequiredOpenIdVersion = this.MinimumRequiredOpenIdVersion;
 settings.MinimumHashBitLength = this.MinimumHashBitLength;
 settings.MaximumHashBitLength = this.MaximumHashBitLength;
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs
index b3a9020..50db4cf 100644
--- a/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs
+++ b/src/DotNetOpenAuth/OpenId/RelyingParty/AuthenticationRequest.cs
@@ -298,9 +298,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty {
 }
 
 // Filter disallowed endpoints.
- if (relyingParty.SecuritySettings.RejectDelegatingIdentifiers) {
- serviceEndpoints = serviceEndpoints.Where(se => se.ClaimedIdentifier == se.ProviderLocalIdentifier);
- }
+ serviceEndpoints = relyingParty.SecuritySettings.FilterEndpoints(serviceEndpoints);
 
 // Call another method that defers request generation.
 return CreateInternal(userSuppliedIdentifier, relyingParty, realm, returnToUrl, serviceEndpoints, createNewAssociationsAsNeeded);
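Review bot: The summary on the new `RequireDirectedIdentity` property ("only OP Identifiers will be discoverable") describes the setting in terms of discovery, but what the commit actually implements in `FilterEndpoints` is post-discovery filtering: endpoints found on a user-supplied Claimed Identifier are discarded, so such a request ends with no usable endpoints rather than a discovery error, and an operator reading the configuration doc would not expect that. The same wording is used on the matching property in RelyingPartySecuritySettings.cs; suggested summary for both: `/// Gets or sets a value indicating whether the Relying Party accepts only endpoints reached through an OP Identifier (directed identity), discarding any endpoint discovered on a user-supplied Claimed Identifier.` A `<remarks>` sentence noting that, because directed identity is an OpenID 2.0 feature, enabling this effectively limits logins to 2.0 Providers would also help whoever flips it on in web.config.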
diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs index 2019d16..4e2374c 100644 --- a/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs +++ b/src/DotNetOpenAuth/OpenId/RelyingParty/RelyingPartySecuritySettings.cs @@ -6,6 +6,8 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { using System; + using System.Collections.Generic; + using System.Linq; using DotNetOpenAuth.Messaging; /// <summary> @@ -51,6 +53,12 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { public bool RequireSsl { get; set; } /// <summary> + /// Gets or sets a value indicating whether only OP Identifiers will be discoverable + /// when creating authentication requests. + /// </summary> + public bool RequireDirectedIdentity { get; set; } + + /// <summary> /// Gets or sets the oldest version of OpenID the remote party is allowed to implement. /// </summary> /// <value>Defaults to <see cref="ProtocolVersion.V10"/></value> @@ -80,5 +88,16 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { /// directly issued by the Provider that is sending the assertion. /// </remarks> public bool RejectDelegatingIdentifiers { get; set; } + + /// <summary> + /// Filters out any disallowed endpoints. + /// </summary> + /// <param name="endpoints">The endpoints discovered on an Identifier.</param> + /// <returns>A sequence of endpoints that satisfy all security requirements.</returns> + internal IEnumerable<ServiceEndpoint> FilterEndpoints(IEnumerable<ServiceEndpoint> endpoints) { + return endpoints + .Where(se => !this.RejectDelegatingIdentifiers || se.ClaimedIdentifier == se.ProviderLocalIdentifier) + .Where(se => !this.RequireDirectedIdentity || se.ClaimedIdentifier == se.Protocol.ClaimedIdentifierForOPIdentifier); + } } } |
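Review bot: In `FilterEndpoints`, the directed-identity test `se.ClaimedIdentifier == se.Protocol.ClaimedIdentifierForOPIdentifier` compares two identifier objects with `==`; that is a value comparison only if the identifier type overloads the operator, otherwise it is reference equality and every endpoint is dropped, and nothing in this hunk shows which applies, so a short comment stating the intended semantics (or an explicit `.Equals`) would make it reviewable. For an OpenID 1.x endpoint `ClaimedIdentifierForOPIdentifier` presumably has no value, since directed identity exists only in 2.0, so enabling the option silently excludes all 1.x Providers; that consequence is worth a comment here and in the property's `<remarks>`. This method is now the single enforcement point for both `RejectDelegatingIdentifiers` and `RequireDirectedIdentity`, yet the only caller visible is the request-creation path in AuthenticationRequest.cs; if assertion verification elsewhere re-discovers the claimed identifier (not visible here), it should pass the result through the same filter, otherwise an assertion for a user-typed identifier can still be accepted on that path when the request did not originate from this code.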