author | Andrew Arnott <andrewarnott@gmail.com> | 2009-07-01 22:20:18 -0700 |
---|---|---|
committer | Andrew Arnott <andrewarnott@gmail.com> | 2009-07-01 22:20:18 -0700 |
commit | 3ef1abf31e4917d39d8ae48729d880e499030237 (patch) | |
tree | 832034b4cbb0a5c5413bcbe914f3c7cc13f45082 /src | |
parent | 2a16c5d98d8010d4ffd40756a92e45e721a9c03c (diff) | |
Fixed bug where RP was willing to perform discovery on an asserted HTTP Identifier even with RequireSsl turned on.
Diffstat (limited to 'src')
4 files changed, 35 insertions, 2 deletions
diff --git a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs index 7a18c8e..c5257a6 100644 --- a/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs +++ b/src/DotNetOpenAuth.Test/OpenId/RelyingParty/PositiveAuthenticationResponseTests.cs @@ -59,6 +59,18 @@ namespace DotNetOpenAuth.Test.OpenId.RelyingParty { Assert.AreEqual(AuthenticationStatus.Failed, authResponse.Status); } + /// <summary> + /// Verifies that the RP rejects positive assertions with HTTP Claimed + /// Cdentifiers when RequireSsl is set to true. + /// </summary> + [TestMethod, ExpectedException(typeof(ProtocolException))] + public void InsecureIdentifiersRejectedWithRequireSsl() { + PositiveAssertionResponse assertion = this.GetPositiveAssertion(); + var rp = CreateRelyingParty(); + rp.SecuritySettings.RequireSsl = true; + var authResponse = new PositiveAuthenticationResponse(assertion, rp); + } + [TestMethod] public void GetCallbackArguments() { PositiveAssertionResponse assertion = this.GetPositiveAssertion(); diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs index 3c4116a..4533f4d 100644 --- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs +++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.Designer.cs 
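Review bot: `InsecureIdentifiersRejectedWithRequireSsl` passes on any `ProtocolException` thrown from the `PositiveAuthenticationResponse` constructor, so it cannot tell the new RequireSsl rejection apart from an unrelated discovery or verification failure. It also depends on `GetPositiveAssertion()`, defined outside this hunk, returning an HTTP claimed identifier, which the test never asserts. I would catch the exception and compare its message with the text formatted from `OpenIdStrings.RequireSslNotSatisfiedByAssertedClaimedId` (if the test assembly can see that internal member), and assert the identifier's scheme up front. The summary comment also has a typo: `Cdentifiers` should read `Identifiers`.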
@@ -470,6 +470,15 @@ namespace DotNetOpenAuth.OpenId { } /// <summary> + /// Looks up a localized string similar to Sorry. This site only accepts OpenIDs that are HTTPS-secured, but {0} is not a secure Identifier.. + /// </summary> + internal static string RequireSslNotSatisfiedByAssertedClaimedId { + get { + return ResourceManager.GetString("RequireSslNotSatisfiedByAssertedClaimedId", resourceCulture); + } + } + + /// <summary> /// Looks up a localized string similar to The response is not ready. Use IsResponseReady to check whether a response is ready first.. /// </summary> internal static string ResponseNotReady { diff --git a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx index 7356c10..5a84f32 100644 --- a/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx +++ b/src/DotNetOpenAuth/OpenId/OpenIdStrings.resx @@ -301,4 +301,7 @@ Discovered endpoint info: <data name="UnsupportedChannelConfiguration" xml:space="preserve"> <value>This feature is unavailable due to an unrecognized channel configuration.</value> </data> -</root>
\ No newline at end of file + <data name="RequireSslNotSatisfiedByAssertedClaimedId" xml:space="preserve"> + <value>Sorry. This site only accepts OpenIDs that are HTTPS-secured, but {0} is not a secure Identifier.</value> + </data> +</root> diff --git a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs index b62a7c8..a065bcd 100644 --- a/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs +++ b/src/DotNetOpenAuth/OpenId/RelyingParty/PositiveAuthenticationResponse.cs @@ -240,6 +240,15 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { private void VerifyDiscoveryMatchesAssertion() { Logger.OpenId.Debug("Verifying assertion matches identifier discovery results..."); + // Ensure that we abide by the RP's rules regarding RequireSsl for this discovery step. + Identifier claimedId = this.Response.ClaimedIdentifier; + if (this.relyingParty.SecuritySettings.RequireSsl) { + if (!claimedId.TryRequireSsl(out claimedId)) { + Logger.OpenId.ErrorFormat("This site is configured to accept only SSL-protected OpenIDs, but {0} was asserted and must be rejected.", this.Response.ClaimedIdentifier); + ErrorUtilities.ThrowProtocol(OpenIdStrings.RequireSslNotSatisfiedByAssertedClaimedId, this.Response.ClaimedIdentifier); + } + } + // While it LOOKS like we're performing discovery over HTTP again // Yadis.IdentifierDiscoveryCachePolicy is set to HttpRequestCacheLevel.CacheIfAvailable // which means that the .NET runtime is caching our discoveries for us. This turns out 
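Review bot: The rejected identifier in `VerifyDiscoveryMatchesAssertion` is taken straight from the assertion and passed unmodified to both `Logger.OpenId.ErrorFormat` and `ErrorUtilities.ThrowProtocol`, so a remotely supplied value lands in the error log and in the exception text built from `RequireSslNotSatisfiedByAssertedClaimedId`. Whether either sink encodes it is not visible here. I would add a comment at the throw such as `// ClaimedIdentifier comes from the incoming assertion; hosts must encode the exception message before displaying it.` The check also lives inside this method, whose callers are outside the hunk, so RequireSsl is enforced only on paths that reach discovery verification; that is worth confirming. Finally, a short comment that `TryRequireSsl` replaces `claimedId` with the value later handed to `Discover` would make the `out claimedId` reuse easier to follow.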
@@ -249,7 +258,7 @@ namespace DotNetOpenAuth.OpenId.RelyingParty { // is signed by the RP before it's considered reliable. In 1.x stateless mode, this RP // doesn't (and can't) sign its own return_to URL, so its cached discovery information // is merely a hint that must be verified by performing discovery again here. - var discoveryResults = this.response.ClaimedIdentifier.Discover(this.relyingParty.WebRequestHandler); + var discoveryResults = claimedId.Discover(this.relyingParty.WebRequestHandler); ErrorUtilities.VerifyProtocol(discoveryResults.Contains(this.endpoint), OpenIdStrings.IssuedAssertionFailsIdentifierDiscovery, this.endpoint, discoveryResults.ToStringDeferred(true)); } } |
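Review bot: The `Discover` call now depends on a local declared in the previous hunk, which reads the `this.Response` property, while the replaced line read the `this.response` field. When `RequireSsl` is off, discovery therefore goes through the property instead of the field. If `Response` is a plain accessor this is only a style inconsistency with the neighbouring `this.endpoint` and `this.relyingParty` field accesses, but it would be cleaner to initialise with `Identifier claimedId = this.response.ClaimedIdentifier;` to match the surrounding code. The method body starts outside this hunk.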