aker 3.0.0.pre

data/spec/aker/cas/middleware/logout_responder_spec.rb

@@ -0,0 +1,47 @@
+require File.expand_path("../../../../spec_helper", __FILE__)
+require "rack/test"
+
+module Aker::Cas::Middleware
+  describe LogoutResponder do
+    include Rack::Test::Methods
+
+    let(:app) do
+      Rack::Builder.new do
+        use Aker::Cas::Middleware::LogoutResponder
+        run lambda { |env| [404, { "Content-Type" => "text/plain" }, []] }
+      end
+    end
+
+    let(:configuration) do
+      Aker::Configuration.new do
+        cas_parameters :logout_url => 'https://cas.example.edu/logout'
+        rack_parameters :logout_path => '/some/logout'
+      end
+    end
+
+    let(:env) do
+      { 'aker.configuration' => configuration }
+    end
+
+    describe '#call' do
+      it 'redirects to the CAS logout URL on GET {configured logout path}' do
+        get "/some/logout", {}, env
+
+        last_response.should be_redirect
+        last_response.location.should == 'https://cas.example.edu/logout'
+      end
+
+      it "does not respond to other paths" do
+        get "/", {}, env
+
+        last_response.status.should == 404
+      end
+
+      it "does not respond to other methods" do
+        post "/some/logout", {}, env
+
+        last_response.status.should == 404
+      end
+    end
+  end
+end

data/spec/aker/cas/middleware/ticket_remover_spec.rb

@@ -0,0 +1,49 @@
+require File.expand_path("../../../../spec_helper", __FILE__)
+require "rack/test"
+
+module Aker::Cas::Middleware
+  describe TicketRemover do
+    include Rack::Test::Methods
+
+    let(:app) do
+      Rack::Builder.new do
+        use Aker::Cas::Middleware::TicketRemover
+        run lambda { |env| [404, { "Content-Type" => "text/plain" }, ['Requested content']] }
+      end
+    end
+
+    let(:env) do
+      { }
+    end
+
+    describe '#call' do
+      it 'does nothing if not authenticated' do
+        get '/foo?ticket=ST-45&q=bar', {}, env
+
+        last_response.body.should == 'Requested content'
+      end
+
+      it 'does nothing if no ticket is present' do
+        get '/foo?q=bar', {}, env
+
+        last_response.body.should == 'Requested content'
+      end
+
+      context 'ticket is present and the user is authenticated' do
+        before do
+          env['aker.check'] = Aker::Rack::Facade.new(Aker.configuration, Aker::User.new('jo'))
+
+          get '/foo?ticket=ST-45&q=bar', {}, env
+        end
+
+        it 'sends a permanent redirect' do
+          last_response.status.should == 301
+        end
+
+        it 'redirects to the same URI without the ticket' do
+          last_response.headers['Location'].should == 'http://example.org/foo?q=bar'
+        end
+      end
+    end
+  end
+end

data/spec/aker/cas/proxy_mode_spec.rb

@@ -0,0 +1,185 @@
+require File.expand_path("../../../spec_helper", __FILE__)
+require File.expand_path("../../modes/a_aker_mode", __FILE__)
+require 'rack'
+
+module Aker::Cas
+  describe ProxyMode do
+    before do
+      @env = Rack::MockRequest.env_for('/')
+      @scope = mock
+      @mode = ProxyMode.new(@env, @scope)
+      @env['aker.configuration'] = Aker::Configuration.new
+    end
+
+    it_should_behave_like "a aker mode"
+
+    describe "#key" do
+      it "is :cas_proxy" do
+        ProxyMode.key.should == :cas_proxy
+      end
+    end
+
+    describe "#kind" do
+      it "is :cas_proxy" do
+        @mode.kind.should == :cas_proxy
+      end
+    end
+
+    describe "#credentials" do
+      it "finds two credentials" do
+        @env["HTTP_AUTHORIZATION"] = "CasProxy PT-1foo"
+
+        @mode.credentials.size.should == 2
+      end
+
+      describe "[0]" do
+        it "finds a proxy ticket that starts with PT" do
+          @env["HTTP_AUTHORIZATION"] = "CasProxy PT-1foo"
+
+          @mode.credentials.first.should == "PT-1foo"
+        end
+
+        it "finds a proxy ticket that starts with ST" do
+          @env["HTTP_AUTHORIZATION"] = "CasProxy ST-9936-bam"
+
+          @mode.credentials.first.should == "ST-9936-bam"
+        end
+
+        it "ignores an out-of-spec proxy ticket" do
+          @env["HTTP_AUTHORIZATION"] = "CasProxy MyAttackVector"
+
+          @mode.credentials.should == []
+        end
+
+        it "ignores tickets that contain characters not in [^0-9A-Za-z-]" do
+          @env["HTTP_AUTHORIZATION"] = "CasProxy ST-@@&%#"
+
+          @mode.credentials.should == []
+        end
+
+        it "returns an empty array if no proxy ticket is present" do
+          @mode.credentials.should == []
+        end
+      end
+
+      describe "[1]" do
+        it "is the service_url" do
+          @env["HTTP_AUTHORIZATION"] = "CasProxy ST-1701"
+
+          @env["SERVER_PORT"] = 80
+          @env["SERVER_HOST"] = "example.org"
+          @env["rack.url_scheme"] = "http"
+
+          @mode.credentials[1].should == "http://example.org"
+        end
+      end
+    end
+
+    describe "#valid?" do
+      it "returns false if there is no authorization header" do
+        @mode.should_not be_valid
+      end
+
+      it "returns false if the authorization header is for a different scheme" do
+        @env["HTTP_AUTHORIZATION"] = "Basic " + Base64.encode64("bas:baz")
+
+        @mode.should_not be_valid
+      end
+
+      it "returns true if the authorization header is for CasProxy" do
+        @env["HTTP_AUTHORIZATION"] = "CasProxy PT-5-256a"
+
+        @mode.should be_valid
+      end
+    end
+
+    describe "#scheme" do
+      it "returns CasProxy" do
+        @mode.scheme.should == "CasProxy"
+      end
+    end
+
+    describe "#challenge" do
+      it "includes the scheme and the realm" do
+        @mode.challenge.should == "CasProxy realm=\"Aker\""
+      end
+    end
+
+    describe "#service_url" do
+      before do
+        @env["rack.url_scheme"] = "http"
+        @env["SERVER_NAME"] = "local.example.net"
+        @env["SERVER_PORT"] = "80"
+        @env["SCRIPT_NAME"] = "/api"
+        @env["PATH_INFO"] = "/people/josephine"
+        @env["QUERY_STRING"] = "all=true"
+      end
+
+      it "includes the host and script name but not the path info or query string" do
+        @mode.service_url.should == "http://local.example.net/api"
+      end
+
+      it "prefers the HTTP Host header over the server name and port if present" do
+        @env["HTTP_HOST"] = "virtual.example.com:3400"
+        @env["SERVER_PORT"] = "8080"
+        @mode.service_url.should == "http://virtual.example.com:3400/api"
+      end
+
+      it "does not end with a slash if the script name is blank" do
+        @env["SCRIPT_NAME"] = ""
+        @mode.service_url.should == "http://local.example.net"
+      end
+
+      describe "for http" do
+        it "does not include the port if it is 80" do
+          @mode.service_url.should == "http://local.example.net/api"
+        end
+
+        it "includes the port if it isn't 80" do
+          @env["SERVER_PORT"] = "3000"
+          @mode.service_url.should == "http://local.example.net:3000/api"
+        end
+      end
+
+      describe "for https" do
+        before do
+          @env['rack.url_scheme'] = "https"
+        end
+
+        it "does not include the port if it is 443" do
+          @env["SERVER_PORT"] = "443"
+          @mode.service_url.should == "https://local.example.net/api"
+        end
+
+        it "includes the port if it isn't 443" do
+          @env["SERVER_PORT"] = "3003"
+          @mode.service_url.should == "https://local.example.net:3003/api"
+        end
+      end
+    end
+
+    describe "#authenticate!" do
+      before do
+        @authority = mock
+        @mode.stub!(:authority => @authority)
+        @env["HTTP_AUTHORIZATION"] = "CasProxy PT-1foo"
+      end
+
+      it "signals success if the proxy ticket is good" do
+        user = stub
+        @authority.should_receive(:valid_credentials?).
+          with(:cas_proxy, "PT-1foo", "http://example.org").and_return(user)
+        @mode.should_receive(:success!).with(user)
+
+        @mode.authenticate!
+      end
+
+      it "does not signal success if the proxy ticket is bad" do
+        @authority.stub!(:valid_credentials? => nil)
+        @mode.should_not_receive(:success!)
+
+        @mode.authenticate!
+      end
+    end
+  end
+end

data/spec/aker/cas/rack_proxy_callback_spec.rb

@@ -0,0 +1,190 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+require 'rack'
+require 'fileutils'
+
+module Aker::Cas
+  shared_examples_for "rack proxy callback handler" do
+    describe "/receive_pgt" do
+      describe "with both a pgtId and pgtIou" do
+        before do
+          @response = Rack::MockRequest.new(@app).
+            get("/receive_pgt?pgtId=PGT-baz&pgtIou=PGTIOU-foo")
+        end
+
+        it "stores the pair" do
+          pstore = PStore.new(@store_filename)
+          pstore.transaction do
+            pstore["PGTIOU-foo"].should == "PGT-baz"
+          end
+        end
+
+        it "returns success" do
+          @response.status.should == 200
+        end
+
+        it "gives a worthwhile message" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should =~ /PGT and PGTIOU received./
+        end
+      end
+
+      describe "without a pgtId" do
+        before do
+          @response = Rack::MockRequest.new(@app).
+            get("/receive_pgt?pgtIou=PGTIOU-foo")
+        end
+
+        it "is a bad request" do
+          @response.status.should == 400
+        end
+
+        it "gives a worthwile error message" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should ==
+            "pgtId is a required query parameter." <<
+            "\nSee section 2.5.4 of the CAS protocol specification."
+        end
+      end
+
+      describe "without a pgtIou" do
+        before do
+          @response = Rack::MockRequest.new(@app).
+            get("/receive_pgt?pgtId=PGT-foo")
+        end
+
+        it "is a bad request" do
+          @response.status.should == 400
+        end
+
+        it "gives a worthwile error message" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should ==
+            "pgtIou is a required query parameter." <<
+            "\nSee section 2.5.4 of the CAS protocol specification."
+        end
+      end
+
+      describe "without either" do
+        before do
+          @response = Rack::MockRequest.new(@app).
+            get("/receive_pgt")
+        end
+
+        it "is OK, because the JA-SIG CAS server expects it to be" do
+          @response.status.should == 200
+        end
+
+        it "gives a worthwile error message" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should ==
+            "Both pgtId and pgtIou are required query parameters." <<
+            "\nSee section 2.5.4 of the CAS protocol specification."
+        end
+      end
+    end
+
+    describe "/retrieve_pgt" do
+      describe "with a known pgtIou" do
+        before do
+          pstore = PStore.new(@store_filename)
+          pstore.transaction do
+            pstore["PGTIOU-678"] = "PGT-876"
+          end
+
+          @response = Rack::MockRequest.new(@app).
+            get("/retrieve_pgt?pgtIou=PGTIOU-678")
+        end
+
+        it "is successful" do
+          @response.status.should == 200
+        end
+
+        it "returns the PGT" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should == "PGT-876"
+        end
+
+        it "deletes the PGT from the store once it has been retrieved" do
+          pstore = PStore.new(@store_filename)
+          pstore.transaction do
+            pstore["PGTIOU-678"].should be_nil
+          end
+        end
+      end
+
+      describe "with an unknown pgtIou" do
+        before do
+          @response = Rack::MockRequest.new(@app).
+            get("/retrieve_pgt?pgtIou=PGTIOU-1234")
+        end
+
+        it "returns 404" do
+          @response.status.should == 404
+        end
+
+        it "provides a helpful message" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should ==
+            "pgtIou=PGTIOU-1234 does not exist.  Perhaps it has already been retrieved."
+        end
+      end
+
+      describe "without a pgtIou" do
+        before do
+          @response = Rack::MockRequest.new(@app).
+            get("/retrieve_pgt")
+        end
+
+        it "is a bad request" do
+          @response.status.should == 400
+        end
+
+        it "provides a worthwhile error message" do
+          @response.headers["Content-Type"].should == "text/plain"
+          @response.body.should ==
+            "pgtIou is a required query parameter."
+        end
+      end
+    end
+  end
+
+  describe RackProxyCallback do
+    before do
+      @store_filename = "#{tmpdir}/#{File.basename(__FILE__)}.pstore"
+    end
+
+    after do
+      FileUtils.rm @store_filename if File.exist?(@store_filename)
+    end
+
+    describe "as middleware" do
+      before do
+        endpoint = lambda { |env| [200, {}, ["App invoked"]] }
+        @app = RackProxyCallback.new(endpoint, :store => @store_filename)
+      end
+
+      it_should_behave_like "rack proxy callback handler"
+
+      it "invokes the app for other paths" do
+        Rack::MockRequest.new(@app).get("/foo").should =~ /App invoked/
+      end
+
+      it "requires a filename for the store" do
+        lambda { RackProxyCallback.new(Object.new) }.
+          should raise_error(/Please specify a filename for the PGT store/)
+      end
+    end
+
+    describe "as an application" do
+      before do
+        @app = RackProxyCallback.application :store => @store_filename
+      end
+
+      it_should_behave_like "rack proxy callback handler"
+
+      it "404s for non-pgt requests" do
+        Rack::MockRequest.new(@app).get("/foo").status.should == 404
+      end
+    end
+  end
+end

data/spec/aker/cas/service_mode_spec.rb

@@ -0,0 +1,122 @@
+require File.expand_path("../../../spec_helper", __FILE__)
+require File.expand_path("../../modes/a_aker_mode", __FILE__)
+require 'rack'
+require 'uri'
+
+module Aker::Cas
+  describe ServiceMode do
+    before do
+      @env = ::Rack::MockRequest.env_for('/')
+      @scope = mock
+      @mode = ServiceMode.new(@env, @scope)
+    end
+
+    it_should_behave_like "a aker mode"
+
+    describe "#key" do
+      it "is :cas" do
+        ServiceMode.key.should == :cas
+      end
+    end
+
+    describe "#valid?" do
+      it "returns false if the ST parameter is not in the query string" do
+        @mode.should_not be_valid
+      end
+
+      it "returns true if the ticket parameter is in the query string" do
+        @env['QUERY_STRING'] = 'ticket=ST-1foo'
+
+        @mode.should be_valid
+      end
+    end
+
+    describe "#kind" do
+      it "is :cas" do
+        @mode.kind.should == :cas
+      end
+    end
+
+    describe "#credentials" do
+      before do
+        @env["PATH_INFO"] = "/qu/ux"
+        @env["QUERY_STRING"] = "foo=baz"
+      end
+
+      describe "when there's a service ticket" do
+        before do
+          @env["QUERY_STRING"] << "&ticket=ST-1foo"
+        end
+
+        it "returns two elements" do
+          @mode.credentials.size.should == 2
+        end
+
+        it "returns the service ticket first" do
+          @mode.credentials[0].should == "ST-1foo"
+        end
+
+        it "returns the service URL second" do
+          @mode.credentials[1].should == "http://example.org/qu/ux?foo=baz"
+        end
+      end
+
+      it "returns nil if no service ticket was supplied" do
+        @mode.credentials.should be_nil
+      end
+    end
+
+    describe "#authenticate!" do
+      before do
+        @authority = mock
+        @env['aker.authority'] = @authority
+        @env['QUERY_STRING'] = 'ticket=ST-1foo'
+      end
+
+      it "signals success if the service ticket is good" do
+        user = stub
+        @authority.should_receive(:valid_credentials?).
+          with(:cas, 'ST-1foo', "http://example.org/").and_return(user)
+        @mode.should_receive(:success!).with(user)
+
+        @mode.authenticate!
+      end
+
+      it "does not signal success if the service ticket is bad" do
+        @authority.stub!(:valid_credentials? => nil)
+        @mode.should_not_receive(:success!)
+
+        @mode.authenticate!
+      end
+    end
+
+    describe "#on_ui_failure" do
+      before do
+        @env['aker.configuration'] = Aker::Configuration.new do
+          cas_parameters :login_url => 'https://cas.example.edu/login'
+        end
+      end
+
+      it "redirects to the CAS server's login page" do
+        response = @mode.on_ui_failure
+        location = URI.parse(response.location)
+        response.should be_redirect
+
+        location.scheme.should == "https"
+        location.host.should == "cas.example.edu"
+        location.path.should == "/login"
+      end
+
+      it "includes the service URL" do
+        @env["PATH_INFO"] = "/foo?a=b&c=d"
+
+        actual_uri.query.should == "service=http%3A%2F%2Fexample.org%2Ffoo%3Fa%3Db%26c%3Dd"
+      end
+
+      def actual_uri
+        response = @mode.on_ui_failure
+        URI.parse(response.location)
+      end
+    end
+  end
+end

data/spec/aker/cas/service_url_spec.rb

@@ -0,0 +1,114 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+require 'rack/request'
+require 'rack/mock'
+
+module Aker::Cas
+  describe ServiceUrl do
+    let(:env) { ::Rack::MockRequest.env_for('/') }
+
+    shared_examples_for '#service_url' do
+      it 'is the URL the user was trying to reach' do
+        env['PATH_INFO'] = '/qu/ux'
+        env['QUERY_STRING'] = 'a=b'
+        actual_url.should == 'http://example.org/qu/ux?a=b'
+      end
+
+      describe 'with warden\'s "attempted path" in the environment' do
+        before do
+          set_attempted_path
+        end
+
+        it 'uses it if present' do
+          env['PATH_INFO'] = '/unauthenticated'
+
+          actual_url.should == 'http://example.org/foo/quux'
+        end
+
+        it 'includes the port if not the default for http' do
+          env['rack.url_scheme'] = 'http'
+          env['SERVER_PORT'] = 81
+
+          actual_url.should == 'http://example.org:81/foo/quux'
+        end
+
+        it 'includes the port if not the default for https' do
+          env['rack.url_scheme'] = 'https'
+          env['SERVER_PORT'] = 80
+
+          actual_url.should == 'https://example.org:80/foo/quux'
+        end
+      end
+
+      it "filters out a service ticket that's the sole parameter" do
+        env['QUERY_STRING'] = 'ticket=ST-foo'
+        actual_url.should == 'http://example.org/'
+      end
+
+      it "filters out a service ticket that's the first parameter of several" do
+        env['QUERY_STRING'] = 'ticket=ST-bar&foo=baz'
+        actual_url.should == 'http://example.org/?foo=baz'
+      end
+
+      it "filters out a service ticket that's the last parameter of several" do
+        env['QUERY_STRING'] = 'foo=baz&ticket=ST-bar'
+        actual_url.should == 'http://example.org/?foo=baz'
+      end
+
+      it "filters out a service ticket that's in the middle of several" do
+        env['QUERY_STRING'] = 'foo=baz&ticket=ST-bar&zazz=quux'
+        actual_url.should == 'http://example.org/?foo=baz&zazz=quux'
+      end
+    end
+
+    context 'when mixed in' do
+      it_behaves_like '#service_url'
+
+      class WithRequest
+        include ServiceUrl
+
+        attr_reader :request, :env
+
+        def initialize(env)
+          @env = env
+          @request = Rack::Request.new(env)
+        end
+      end
+
+      class WithAttemptedPath < WithRequest
+        include Aker::Modes::Support::AttemptedPath
+      end
+
+      let(:with_request_only) { WithRequest.new(env).service_url }
+      let(:with_attempted_path) { WithAttemptedPath.new(env).service_url }
+      let(:actual_url) { with_attempted_path }
+
+      def set_attempted_path
+        env['warden.options'] = { :attempted_path => '/foo/quux' }
+      end
+
+      describe 'when the host class does not have an #attempted_path method' do
+        it 'does nothing with the attempted path' do
+          env['PATH_INFO'] = '/foo/bar'
+          set_attempted_path
+          with_request_only.should == 'http://example.org/foo/bar'
+        end
+      end
+    end
+
+    context 'when called directly' do
+      it_behaves_like '#service_url'
+
+      let(:request) { ::Rack::Request.new(env) }
+      let(:actual_url) { ServiceUrl.service_url(request, attempted_path) }
+
+      def attempted_path
+        @attempted_path
+      end
+
+      def set_attempted_path
+        @attempted_path = '/foo/quux'
+      end
+    end
+  end
+end