aker-cas_cli 1.0.0

data/.gitignore

@@ -0,0 +1,16 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+spec/tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format nested

data/.rvmrc

@@ -0,0 +1 @@
+rvm_gemset_create_on_use_flag=1; rvm gemset use aker-cas_cli

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Aker CAS CLI history
+
+## 1.0.0
+
+- Initial version.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in aker-cas_cli.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2012 Rhett Sutphin
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,78 @@
+Aker CAS CLI
+============
+
+Aker CAS CLI is a library that addresses a very specific problem: you
+have a ruby application which uses a service that authenticates only
+with CAS proxy tickets. You need to perform offline (non-interactive)
+tasks that hit this PT-protected service.
+
+Aker CAS CLI takes a username and password, screen-scrapes its way
+through an interactive CAS login, and gives you an `Aker::User` just
+as if a user of your application had done an interactive CAS login.
+
+## Sample use
+
+    # E.g., in a rake task in an Aker-protected Rails app
+    task :some_job => :environment do |t|
+      cas_cli = Aker::CasCli.new(Aker.configuration)
+      username, password = get_username_and_password_from_somewhere
+      user = cas_cli.authenticate(username, password)
+      if user
+        run_some_job_as(user)
+      else
+        fail "Could not authenticate #{user} for #{t.name}"
+      end
+    end
+
+## Assumptions
+
+* Your CAS server only requires a username and password. It doesn't
+  use X509 certificates, two-factor authentication, or any additional
+  custom fields on the login form.
+
+## Use
+
+Aker CAS CLI relies on the Aker CAS authority. The CAS authority must
+be configured in the Aker::Configuration you pass to Aker CAS CLI. If
+you're using Aker CAS CLI for a job implemented within your
+Aker-protected application, the application's Aker configuration is
+probably fine. This is what's used under "sample use," above.
+
+Otherwise, you'll first need to create an appropriate Aker
+configuration. Example:
+
+    Aker.configure do
+      authority :cas
+
+      cas_parameters :cas_base_url => https://cas.myinst.edu/cas,
+                     :proxy_retrieval_url => https://cas.myinst.edu/cas-callback/retrieve_pgt,
+                     :proxy_callback_url => https://cas.myinst.edu/cas-callback/receive_pgt
+    end
+
+See [Aker's documentation][aker-doc] for more information about
+configuring Aker, Aker authorities, etc.
+
+[aker-doc]: http://rubydoc.info/gems/aker/file/README.md
+
+## Why isn't Aker CAS CLI an Aker authority?
+
+An Aker authority also has the form of a module/class providing a
+method which takes a username and password, validates the pair, and
+returns an Aker::User. However, Aker CAS CLI is _not_ intended to be
+used as part of the security configuration for Aker-protected
+applications. Aker provides features (multiple API modes, e.g.) which
+should obviate the need to ever scrape a CAS server's interactive
+login page as part of the regular operation of an Aker-protected
+application. This library is for interacting with non-Aker-protected
+services which have no alternatives to CAS PTs.
+
+## Credits
+
+Aker CAS CLI was developed at and for the [Northwestern University
+Biomedical Informatics Center][NUBIC].
+
+[NUBIC]: http://www.nucats.northwestern.edu/centers/nubic/index.html
+
+### Copyright
+
+Copyright (c) 2012 Rhett Sutphin. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new do |t|
+  t.pattern = "spec/**/*_spec.rb"
+end

data/aker-cas_cli.gemspec

@@ -0,0 +1,27 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/aker/cas_cli/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Rhett Sutphin"]
+  gem.email         = ["rhett@detailedbalance.net"]
+  gem.summary       = %q{Provides an Aker-compatible way to acquire CAS proxy tickets in a non-interactive context.}
+  gem.description   = gem.summary + " See README.md for more information."
+  gem.homepage      = "https://github.com/NUBIC/aker-cas_cli"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "aker-cas_cli"
+  gem.require_paths = ["lib"]
+  gem.version       = Aker::CasCli::VERSION
+
+  gem.add_dependency 'aker', '~> 3.0'
+  gem.add_dependency 'mechanize', '~> 2.1.0'
+
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec', '~> 2.6'
+  gem.add_development_dependency 'rubycas-server', '~> 1.0'
+  gem.add_development_dependency 'childprocess', '~> 0.2.9'
+  gem.add_development_dependency 'sqlite3'
+  gem.add_development_dependency 'thin'
+end

data/lib/aker/cas_cli.rb

@@ -0,0 +1,82 @@
+require 'aker'
+require 'mechanize'
+require 'uri'
+require 'cgi'
+
+module Aker
+  class CasCli
+    autoload :VERSION, 'aker/cas_cli/version'
+
+    include Aker::Cas::ConfigurationHelper
+
+    CLI_SERVICE = 'https://cas-cli.example.edu'
+
+    ##
+    # @return [Aker::Configuration] the Aker parameters governing this
+    #   instance.
+    attr_reader :configuration
+
+    ##
+    # Creates a new instance.
+    #
+    # @param [Aker::Configuration] configuration the Aker
+    #   configuration to use. This configuration should have the :cas
+    #   authority (or an appropriate substitute) configured into its
+    #   authority chain.
+    # @param [Hash] mechanize_options attribute values for the
+    #   mechanize agent used to do the scraping. Use this, e.g., to
+    #   specify the SSL CA to use.
+    def initialize(configuration, mechanize_options={})
+      @configuration = configuration
+      @agent = Mechanize.new do |a|
+        mechanize_options.each do |attr, value|
+          a.send("#{attr}=", value)
+        end
+        a.redirect_ok = false
+      end
+    end
+
+    ##
+    # Attempts to verify the provided credentials. Verification is
+    # attempted through screen-scraping the login form provided by the
+    # CAS server configured in {#configuration}.
+    #
+    # @return [Aker::User,nil] the authenticated user, or nil if the
+    #   credentials are invalid.
+    def authenticate(username, password)
+      login_result = do_login(username, password)
+      return unless login_result
+
+      if st = extract_service_ticket_if_successful(login_result)
+        configuration.composite_authority.valid_credentials?(:cas, st, CLI_SERVICE)
+      end
+    end
+
+    private
+
+    # @return [Mechanize::Page]
+    def do_login(username, password)
+      login_page = @agent.get cas_login_url, :service => CLI_SERVICE
+      login_form = login_page.forms.find { |f| f.field_with(:name => 'username') }
+      login_form['username'] = username
+      login_form['password'] = password
+      begin
+        login_form.submit
+      rescue Mechanize::UnauthorizedError
+        nil
+      end
+    end
+
+    def extract_service_ticket_if_successful(result_page)
+      if result_page.code =~ /^3\d\d$/
+        location = result_page.header['Location']
+        return unless location && location =~ %r{^#{Regexp.escape CLI_SERVICE}}
+
+        target = URI.parse(location)
+        return unless target.query
+
+        CGI.parse(target.query)['ticket'].first
+      end
+    end
+  end
+end

data/lib/aker/cas_cli/version.rb

@@ -0,0 +1,5 @@
+module Aker
+  class CasCli
+    VERSION = "1.0.0"
+  end
+end

data/spec/aker/cas_cli/version_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+module Aker
+  describe CasCli, "::VERSION" do
+    it "exists" do
+      lambda { CasCli::VERSION }.should_not raise_error
+    end
+
+    it "has 3 or 4 dot separated parts" do
+      CasCli::VERSION.split('.').size.should be_between(3, 4)
+    end
+  end
+end

data/spec/aker/cas_cli_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'aker'
+
+module Aker
+  describe CasCli, :integrated do
+    let(:cas_cli) { CasCli.new(aker_config, mechanize_options) }
+
+    let(:username) { 'mr261' }
+    let(:correct_password) { 's3r3nity' }
+
+    let(:aker_config) {
+      ex = self
+      callback_server = spawned_rack_servers['proxy_callback']
+      logfile = File.join(tmpdir, 'aker.log')
+      Aker::Configuration.new do
+        authority :cas
+        cas_parameters :base_url => ex.cas_server.base_url,
+                       :proxy_retrieval_url => File.join(callback_server.base_url, 'retrieve_pgt'),
+                       :proxy_callback_url => File.join(callback_server.base_url, 'receive_pgt')
+        logger Logger.new(File.open(logfile, 'w'))
+      end
+    }
+
+    let(:mechanize_options) {
+      { :verify_mode => OpenSSL::SSL::VERIFY_NONE }
+    }
+
+    before do
+      cas_server.add_user(username, correct_password)
+    end
+
+    context 'when authenticating' do
+      it 'returns an Aker::User for valid credentials' do
+        cas_cli.authenticate(username, correct_password).should be_an Aker::User
+      end
+
+      it 'returns nil for invalid credentials' do
+        cas_cli.authenticate(username, 'bilbo').should be_nil
+      end
+    end
+
+    context 'an authenticated user' do
+      let(:user) { cas_cli.authenticate(username, correct_password) }
+      let(:service_url) { 'https://srvc.example.net/mail' }
+
+      it 'has the correct username' do
+        user.username.should == username
+      end
+
+      it 'can request PTs' do
+        lambda { user.cas_proxy_ticket(service_url) }.should_not raise_error
+      end
+
+      it 'receives valid PTs' do
+        pt = user.cas_proxy_ticket(service_url)
+        proxied = aker_config.composite_authority.valid_credentials?(:cas_proxy, pt, service_url)
+        proxied.username.should == user.username
+      end
+    end
+  end
+end

data/spec/disable_ssl_verify.rb

@@ -0,0 +1,5 @@
+require 'openssl'
+# This is necessary because there doesn't seem to be a consistent way
+# to specify a CA to trust across all the various uses of Net::HTTP in
+# all the libraries everywhere.
+OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_mode] = OpenSSL::SSL::VERIFY_NONE

data/spec/patch_castanet_7.rb

@@ -0,0 +1,19 @@
+# A monkeypatch for Castanet issue #7.
+
+require 'castanet/service_ticket'
+
+module Castanet
+  class ServiceTicket
+    def retrieve_pgt!
+      uri = URI.parse(proxy_retrieval_url).tap do |u|
+        u.query = query(['pgtIou', pgt_iou])
+      end
+
+      net_http(uri).start do |h|
+        u = uri.dup
+        u.scheme = u.host = u.port = nil
+        self.pgt = h.get(u.to_s).body
+      end
+    end
+  end
+end

data/spec/servers/integrated-test-ssl.crt

@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICZzCCAdACCQCQNK6TkFeYcjANBgkqhkiG9w0BAQUFADB4MQswCQYDVQQGEwJV
+UzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNVBAcTB0NoaWNhZ28xIDAeBgNVBAoT
+F05vcnRod2VzdGVybiBVbml2ZXJzaXR5MQ4wDAYDVQQLEwVOVUJJQzESMBAGA1UE
+AxMJbG9jYWxob3N0MB4XDTEwMDUwNDAwMjQyMVoXDTIwMDUwMzAwMjQyMVoweDEL
+MAkGA1UEBhMCVVMxETAPBgNVBAgTCElsbGlub2lzMRAwDgYDVQQHEwdDaGljYWdv
+MSAwHgYDVQQKExdOb3J0aHdlc3Rlcm4gVW5pdmVyc2l0eTEOMAwGA1UECxMFTlVC
+SUMxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAwaBsmiJw9zsK79bzFXUkFUqMVVQrQ0DOFY8bGDsO2S52RdrLGT4185xVyYlY
+YrPDMtRPvByd+jtxK9JsR8wUgU5PXSMgiww19abliZPlnhw2ZJTemnAaxxFmTSxC
+9q1WD7QUdeyjlPHIpiy6gfNUGHx1Bwegt7b8txX+V2GSOzkCAwEAATANBgkqhkiG
+9w0BAQUFAAOBgQBDWYtAHTZLCFS/CA0TE3ioQpMQDqv6UsirnE+oKFucPBbaxorF
+eZ3O2UK0crd2SA33Ko7ZS3F0u6sq13BquYMaZ9cZ0lkdh/b0oLxjSWQNUVy5pFlx
+dG4jRfMer6xYfm9398bmI5xtWGrng3wO2nvwdVrO0eFHwWBXmvEBlbt8ug==
+-----END CERTIFICATE-----

data/spec/servers/integrated-test-ssl.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXgIBAAKBgQDBoGyaInD3Owrv1vMVdSQVSoxVVCtDQM4VjxsYOw7ZLnZF2ssZ
+PjXznFXJiVhis8My1E+8HJ36O3Er0mxHzBSBTk9dIyCLDDX1puWJk+WeHDZklN6a
+cBrHEWZNLEL2rVYPtBR17KOU8cimLLqB81QYfHUHB6C3tvy3Ff5XYZI7OQIDAQAB
+AoGAbzM469R32CTahR+Hf31E+c1UhvTN29PuB0emoeXZAzXByyB6n8awqXXRdusg
+DZ97rUdte3Vb7QgSWL6CXUGBTDm2GZ+4dmrCldxFp+2lFkHMQt8AfhTCJA273Kqa
+u7zE/AvXzIGfBPQaoofp8G2uVqZippFhj5GpErNFlQEWGrkCQQDo6Oy+a5L93y4X
+fhJ8dp1PmtG1iUYyFVkHO3dMDZAqE1Qhsk/p9I2yKJ+uN7SD2sQQV/yRoP+aojha
+Kdkw7oV/AkEA1NKFhT7PXDz0z/tws+e4H+IoE/70W57UFCcXgijel5sz7Y23pqyk
+0jr51uNiJiWnXsKBLS4BMV2+aIWNHzFLRwJBALUwvzxEI84sWYcdJPR+slLDdnFr
+oZhE00W1FVGtG4IgF0s/lLvE7Ja008SMwXnyLqUoTexc+3woxv4doEFYzbECQQCF
+d3Ec2wMYCXJObJWFfbBO7nnL8Hw2aSj/anSnwBG4ajDqrZGbCXJkFXBRf1AyNDL+
+jmSMfOlqmCutSPPzt+pJAkEA5xUkO2t7G38LCeY8HkxlJvKoendV5tJVgTu2qD3L
+JESaQtvBesARboJqx1eFw1h3VWjbIuv/GqDuroqUfDbe6g==
+-----END RSA PRIVATE KEY-----

data/spec/servers/proxy_callback.ru.erb

@@ -0,0 +1,4 @@
+require 'aker'
+
+run Aker::Cas::RackProxyCallback.application(
+  :store => '<%= File.join(tmpdir, "proxy_callback.pstore") %>')

data/spec/servers/rubycas_server.rb

@@ -0,0 +1,114 @@
+require 'sqlite3'
+require 'pathname'
+
+require 'servers/spawned_http_server'
+
+module Aker
+  module Spec
+    class RubycasServer < SpawnedHttpServer
+      module Setup
+        attr_accessor :cas_server
+      end
+
+      class << self
+        def run_with_rspec_tag(tag, rspec_config)
+          rspec_config.include Setup
+
+          rspec_config.before(:each, tag) do
+            self.cas_server = Aker::Spec::RubycasServer.new(
+              :port => 6003,
+              :tmpdir => tmpdir
+            )
+            self.cas_server.start
+          end
+
+          rspec_config.after(:each, tag) do
+            if self.cas_server
+              self.cas_server.stop
+              self.cas_server.clear_users
+            end
+          end
+        end
+      end
+
+      def initialize(options={})
+        super({ :name => 'rubycas-server', :ssl => true }.merge(options))
+
+        init_user_db
+      end
+
+      def add_user(username, password)
+        with_user_db do |db|
+          db.execute("INSERT INTO users (username, password) VALUES ('#{username}', '#{password}')")
+        end
+      end
+
+      def clear_users
+        with_user_db do |db|
+          db.execute("DELETE FROM users")
+        end
+      end
+
+      def server_command
+        [
+          'ruby',
+          '-r',
+          File.expand_path('../../disable_ssl_verify.rb', __FILE__),
+          '-S',
+          'rubycas-server',
+          '-c',
+          config_file
+        ]
+      end
+
+      def config_file
+        @config_file ||= write_config_file
+      end
+
+      private
+
+      def users_db_file
+        Pathname.new File.join(tmpdir, 'rubycas_users.sqlite')
+      end
+
+      def cas_db_file
+        Pathname.new File.join(tmpdir, 'rubycas_db.sqlite')
+      end
+
+      def cas_log_file
+        Pathname.new File.join(tmpdir, 'rubycas.log')
+      end
+
+      def with_user_db(&block)
+        SQLite3::Database.new(users_db_file.to_s) do |db|
+          yield db
+        end
+      end
+
+      def init_user_db
+        with_user_db do |db|
+          db.execute(%q{
+            CREATE TABLE IF NOT EXISTS users (
+              username VARCHAR(50) NOT NULL, password VARCHAR(32) NOT NULL)
+          })
+        end
+      end
+
+      def write_config_file
+        File.open(config_file_name, 'w') do |f|
+          f.write config_file_template.result(binding)
+        end
+        config_file_name
+      end
+
+      def config_file_name
+        File.join(tmpdir, 'rubycas_server_config.yml')
+      end
+
+      def config_file_template
+        @config_file_template ||= ERB.new(
+          File.read(File.expand_path('../rubycas_server_config.yml.erb', __FILE__)))
+      end
+    end
+  end
+end

data/spec/servers/rubycas_server_config.yml.erb

@@ -0,0 +1,23 @@
+server: webrick
+port: <%= port %>
+ssl_cert: <%= ssl_cert %>
+ssl_key: <%= ssl_key %>
+
+database:
+  adapter: sqlite3
+  database: <%= cas_db_file %>
+
+authenticator:
+  class: CASServer::Authenticators::SQL
+  database:
+    adapter: sqlite3
+    database: <%= users_db_file %>
+  user_table: users
+  username_column: username
+  password_column: password
+
+default_locale: en
+
+log:
+  file: <%= cas_log_file %>
+  level: INFO

data/spec/servers/spawned_http_server.rb

@@ -0,0 +1,101 @@
+require 'net/http'
+require 'fileutils'
+require 'childprocess'
+
+require 'disable_ssl_verify'
+
+module Aker
+  module Spec
+    class SpawnedHttpServer
+      include FileUtils
+
+      attr_reader :host, :port, :tmpdir, :name
+
+      def initialize(options={})
+        @port = options.delete(:port) or raise 'Please specify a port'
+        @host = options.delete(:host) || 'localhost'
+        @timeout = options.delete(:timeout) || 30
+        @tmpdir = options.delete(:tmpdir) or raise 'Please specify tmpdir'
+        @ssl = options.delete(:ssl) || false
+        @name = options.delete(:name) || "http-#{@port}"
+      end
+
+      # @return [Array]
+      def server_command
+        raise NoMethodError.new 'Need to implement server_command'
+      end
+
+      def process
+        @process ||= ChildProcess.build(*server_command).tap do |p|
+          p.io.stdout = File.open(File.join(tmpdir, "#{name}.out"), 'w')
+          p.io.stderr = File.open(File.join(tmpdir, "#{name}.err"), 'w')
+        end
+      end
+
+      def start
+        wait_for(
+          "port #{port} to be available",
+          lambda { !http_available?(base_url) },
+          5)
+
+        process.start
+
+        wait_for(
+          "#{name} to start responding",
+          lambda { http_available?(base_url) },
+          5)
+      end
+
+      def stop
+        process.stop
+        wait_for(
+          "the process #{name} (#{process.pid}) to stop",
+          lambda { !http_available?(base_url) },
+          @timeout)
+      end
+
+      def base_url
+        "http#{ssl? ? 's' : ''}://#{host}:#{port}/"
+      end
+
+      def ssl?
+        @ssl
+      end
+
+      protected
+
+      def ssl_cert
+        Pathname.new File.expand_path('../integrated-test-ssl.crt', __FILE__)
+      end
+
+      def ssl_key
+        Pathname.new File.expand_path('../integrated-test-ssl.key', __FILE__)
+      end
+
+      def http_available?(url)
+        url = URI.parse(url)
+        begin
+          session = Net::HTTP.new(url.host, url.port)
+          session.use_ssl = ssl?
+          session.start do |http|
+            status = http.get(url.request_uri).code
+            # anything indicating a functioning server
+            return status =~ /[1234]\d\d/
+          end
+        rescue => e
+          false
+        end
+      end
+
+      def wait_for(what, proc, timeout)
+        start = Time.now
+        until proc.call || (Time.now - start > timeout)
+          sleep 1
+        end
+        unless proc.call
+          raise "Wait for #{what} expired (took more than #{timeout} seconds)"
+        end
+      end
+    end
+  end
+end

data/spec/servers/spawned_rack_server.rb

@@ -0,0 +1,93 @@
+module Aker
+  module Spec
+    class SpawnedRackServer < SpawnedHttpServer
+      attr_reader :rackup_file_template
+
+      module Setup
+        def spawned_rack_servers
+          @spawned_rack_servers ||= {}
+        end
+      end
+
+      class << self
+        def run_with_rspec_tag(tag, rspec_config, options={})
+          name = options[:name] || fail('Please specify a name')
+
+          rspec_config.include Setup
+
+          rspec_config.before(:each, tag) do
+            server = SpawnedRackServer.new(options.dup)
+            spawned_rack_servers[name] = server
+
+            server.start
+          end
+
+          rspec_config.after(:each, tag) do
+            spawned_rack_servers[name].stop
+          end
+        end
+      end
+
+      def initialize(options={})
+        super(options)
+        @rackup_file_template = options.delete(:rackup_file) or fail('Please specify a rackup file')
+      end
+
+      def server_command
+        [
+          'bundle',
+          'exec',
+          'thin',
+          '--rackup', rackup_file,
+          '--pid', pid_file,
+          '--log', log_file,
+          '--address', host,
+          '--port', port,
+          '--require', File.expand_path('../../disable_ssl_verify.rb', __FILE__),
+          '--trace'
+        ].tap do |cmd|
+          if ssl?
+            cmd.concat([
+                '--ssl',
+                '--ssl-key-file', ssl_key.to_s,
+                '--ssl-cert-file', ssl_cert.to_s,
+                '--ssl-verify'
+              ])
+          end
+          cmd.concat(%w(start))
+        end
+      end
+
+      protected
+
+      def rackup_file
+        @rackup_file ||= create_rackup_file
+      end
+
+      def create_rackup_file
+        File.open(rackup_file_name, 'w') do |f|
+          f.write ERB.new(File.read(rackup_file_template)).result
+        end
+
+        rackup_file_name
+      end
+
+      def rackup_file_name
+        @rackup_file_name ||= tmpfile('ru')
+      end
+
+      def pid_file
+        @pid_file ||= tmpfile('pid')
+      end
+
+      def log_file
+        @log_file ||= tmpfile('log')
+      end
+
+      def tmpfile(ext)
+        File.join(tmpdir, [name, ext].join('.'))
+      end
+    end
+  end
+end
+

data/spec/spec_helper.rb

@@ -0,0 +1,40 @@
+require 'pathname'
+
+require 'servers/rubycas_server'
+require 'servers/spawned_rack_server'
+require 'patch_castanet_7'
+
+require 'aker/cas_cli'
+
+# This file was generated by the `rspec --init` command. Conventionally, all
+# specs live under a `spec` directory, which RSpec adds to the `$LOAD_PATH`.
+# Require this file using `require "spec_helper.rb"` to ensure that it is only
+# loaded once.
+#
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  def tmpdir
+    @tmpdir ||= create_tmpdir
+  end
+
+  def create_tmpdir
+    Pathname.new(File.expand_path('../tmp', __FILE__)).tap { |p| p.mkpath }
+  end
+
+  config.after(:each) do
+    @tmpdir.rmtree if (@tmpdir && !ENV['KEEP_TMPDIR'])
+  end
+
+  Aker::Spec::RubycasServer.run_with_rspec_tag(:integrated, config)
+  Aker::Spec::SpawnedRackServer.run_with_rspec_tag(:integrated, config,
+    :name => 'proxy_callback',
+    :rackup_file => File.expand_path('../servers/proxy_callback.ru.erb', __FILE__),
+    :ssl => true,
+    :port => '6012',
+    :tmpdir => tmpdir
+  );
+end

metadata

@@ -0,0 +1,176 @@
+--- !ruby/object:Gem::Specification
+name: aker-cas_cli
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+  prerelease: 
+platform: ruby
+authors:
+- Rhett Sutphin
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-04-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: aker
+  requirement: &70174410929520 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70174410929520
+- !ruby/object:Gem::Dependency
+  name: mechanize
+  requirement: &70174410928960 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: *70174410928960
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &70174410926280 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70174410926280
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &70174410902700 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.6'
+  type: :development
+  prerelease: false
+  version_requirements: *70174410902700
+- !ruby/object:Gem::Dependency
+  name: rubycas-server
+  requirement: &70174410901580 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: *70174410901580
+- !ruby/object:Gem::Dependency
+  name: childprocess
+  requirement: &70174410900540 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.2.9
+  type: :development
+  prerelease: false
+  version_requirements: *70174410900540
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: &70174410899720 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70174410899720
+- !ruby/object:Gem::Dependency
+  name: thin
+  requirement: &70174410898640 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *70174410898640
+description: Provides an Aker-compatible way to acquire CAS proxy tickets in a non-interactive
+  context. See README.md for more information.
+email:
+- rhett@detailedbalance.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .rvmrc
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- aker-cas_cli.gemspec
+- lib/aker/cas_cli.rb
+- lib/aker/cas_cli/version.rb
+- spec/aker/cas_cli/version_spec.rb
+- spec/aker/cas_cli_spec.rb
+- spec/disable_ssl_verify.rb
+- spec/patch_castanet_7.rb
+- spec/servers/integrated-test-ssl.crt
+- spec/servers/integrated-test-ssl.key
+- spec/servers/proxy_callback.ru.erb
+- spec/servers/rubycas_server.rb
+- spec/servers/rubycas_server_config.yml.erb
+- spec/servers/spawned_http_server.rb
+- spec/servers/spawned_rack_server.rb
+- spec/spec_helper.rb
+homepage: https://github.com/NUBIC/aker-cas_cli
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 302306881262572391
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 302306881262572391
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.15
+signing_key: 
+specification_version: 3
+summary: Provides an Aker-compatible way to acquire CAS proxy tickets in a non-interactive
+  context.
+test_files:
+- spec/aker/cas_cli/version_spec.rb
+- spec/aker/cas_cli_spec.rb
+- spec/disable_ssl_verify.rb
+- spec/patch_castanet_7.rb
+- spec/servers/integrated-test-ssl.crt
+- spec/servers/integrated-test-ssl.key
+- spec/servers/proxy_callback.ru.erb
+- spec/servers/rubycas_server.rb
+- spec/servers/rubycas_server_config.yml.erb
+- spec/servers/spawned_http_server.rb
+- spec/servers/spawned_rack_server.rb
+- spec/spec_helper.rb