aker 3.0.0.pre
- data/CHANGELOG.md +210 -0
- data/README.md +282 -0
- data/assets/aker/form/login.css +73 -0
- data/assets/aker/form/login.html.erb +44 -0
- data/lib/aker/authorities/automatic_access.rb +36 -0
- data/lib/aker/authorities/composite.rb +301 -0
- data/lib/aker/authorities/static.rb +283 -0
- data/lib/aker/authorities/support/find_sole_user.rb +24 -0
- data/lib/aker/authorities/support.rb +9 -0
- data/lib/aker/authorities.rb +46 -0
- data/lib/aker/cas/authority.rb +79 -0
- data/lib/aker/cas/configuration_helper.rb +85 -0
- data/lib/aker/cas/middleware/logout_responder.rb +49 -0
- data/lib/aker/cas/middleware/ticket_remover.rb +35 -0
- data/lib/aker/cas/middleware.rb +6 -0
- data/lib/aker/cas/proxy_mode.rb +108 -0
- data/lib/aker/cas/rack_proxy_callback.rb +188 -0
- data/lib/aker/cas/service_mode.rb +88 -0
- data/lib/aker/cas/service_url.rb +62 -0
- data/lib/aker/cas/user_ext.rb +64 -0
- data/lib/aker/cas.rb +31 -0
- data/lib/aker/central_parameters.rb +101 -0
- data/lib/aker/configuration.rb +534 -0
- data/lib/aker/deprecation.rb +105 -0
- data/lib/aker/form/custom_views_mode.rb +80 -0
- data/lib/aker/form/login_form_asset_provider.rb +56 -0
- data/lib/aker/form/middleware/custom_view_login_responder.rb +19 -0
- data/lib/aker/form/middleware/login_renderer.rb +72 -0
- data/lib/aker/form/middleware/login_responder.rb +71 -0
- data/lib/aker/form/middleware/logout_responder.rb +26 -0
- data/lib/aker/form/middleware.rb +10 -0
- data/lib/aker/form/mode.rb +118 -0
- data/lib/aker/form.rb +26 -0
- data/lib/aker/group.rb +67 -0
- data/lib/aker/group_membership.rb +162 -0
- data/lib/aker/ldap/authority.rb +392 -0
- data/lib/aker/ldap/user_ext.rb +19 -0
- data/lib/aker/ldap.rb +22 -0
- data/lib/aker/modes/base.rb +85 -0
- data/lib/aker/modes/http_basic.rb +100 -0
- data/lib/aker/modes/support/attempted_path.rb +22 -0
- data/lib/aker/modes/support/rfc_2617.rb +32 -0
- data/lib/aker/modes/support.rb +12 -0
- data/lib/aker/modes.rb +48 -0
- data/lib/aker/rack/authenticate.rb +37 -0
- data/lib/aker/rack/configuration_helper.rb +18 -0
- data/lib/aker/rack/default_logout_responder.rb +36 -0
- data/lib/aker/rack/environment_helper.rb +34 -0
- data/lib/aker/rack/facade.rb +102 -0
- data/lib/aker/rack/failure.rb +69 -0
- data/lib/aker/rack/logout.rb +63 -0
- data/lib/aker/rack/request_ext.rb +19 -0
- data/lib/aker/rack/session_timer.rb +95 -0
- data/lib/aker/rack/setup.rb +77 -0
- data/lib/aker/rack.rb +107 -0
- data/lib/aker/test/helpers.rb +22 -0
- data/lib/aker/test.rb +8 -0
- data/lib/aker/user.rb +231 -0
- data/lib/aker/version.rb +3 -0
- data/lib/aker.rb +51 -0
- data/spec/aker/aker-sample.yml +11 -0
- data/spec/aker/authorities/automatic_access_spec.rb +52 -0
- data/spec/aker/authorities/composite_spec.rb +488 -0
- data/spec/aker/authorities/nu-schema.jar +0 -0
- data/spec/aker/authorities/static_spec.rb +455 -0
- data/spec/aker/authorities/support/find_sole_user_spec.rb +33 -0
- data/spec/aker/authorities_spec.rb +16 -0
- data/spec/aker/cas/authority_spec.rb +106 -0
- data/spec/aker/cas/configuration_helper_spec.rb +92 -0
- data/spec/aker/cas/middleware/logout_responder_spec.rb +47 -0
- data/spec/aker/cas/middleware/ticket_remover_spec.rb +49 -0
- data/spec/aker/cas/proxy_mode_spec.rb +185 -0
- data/spec/aker/cas/rack_proxy_callback_spec.rb +190 -0
- data/spec/aker/cas/service_mode_spec.rb +122 -0
- data/spec/aker/cas/service_url_spec.rb +114 -0
- data/spec/aker/cas/user_ext_spec.rb +27 -0
- data/spec/aker/cas_spec.rb +19 -0
- data/spec/aker/central_parameters_spec.rb +44 -0
- data/spec/aker/configuration_spec.rb +465 -0
- data/spec/aker/deprecation_spec.rb +115 -0
- data/spec/aker/form/a_form_mode.rb +129 -0
- data/spec/aker/form/custom_views_mode_spec.rb +34 -0
- data/spec/aker/form/login_form_asset_provider_spec.rb +80 -0
- data/spec/aker/form/middleware/a_form_login_responder.rb +89 -0
- data/spec/aker/form/middleware/custom_view_login_responder_spec.rb +47 -0
- data/spec/aker/form/middleware/login_renderer_spec.rb +56 -0
- data/spec/aker/form/middleware/login_responder_spec.rb +34 -0
- data/spec/aker/form/middleware/logout_responder_spec.rb +55 -0
- data/spec/aker/form/mode_spec.rb +15 -0
- data/spec/aker/form_spec.rb +11 -0
- data/spec/aker/group_membership_spec.rb +208 -0
- data/spec/aker/group_spec.rb +66 -0
- data/spec/aker/ldap/authority_spec.rb +414 -0
- data/spec/aker/ldap/ldap-users.ldif +197 -0
- data/spec/aker/ldap_spec.rb +11 -0
- data/spec/aker/modes/a_aker_mode.rb +41 -0
- data/spec/aker/modes/http_basic_spec.rb +127 -0
- data/spec/aker/modes/support/attempted_path_spec.rb +32 -0
- data/spec/aker/modes_spec.rb +11 -0
- data/spec/aker/rack/authenticate_spec.rb +78 -0
- data/spec/aker/rack/default_logout_responder_spec.rb +67 -0
- data/spec/aker/rack/facade_spec.rb +154 -0
- data/spec/aker/rack/failure_spec.rb +151 -0
- data/spec/aker/rack/logout_spec.rb +63 -0
- data/spec/aker/rack/request_ext_spec.rb +29 -0
- data/spec/aker/rack/session_timer_spec.rb +134 -0
- data/spec/aker/rack/setup_spec.rb +87 -0
- data/spec/aker/rack_spec.rb +216 -0
- data/spec/aker/test/helpers_spec.rb +44 -0
- data/spec/aker/user_spec.rb +362 -0
- data/spec/aker_spec.rb +80 -0
- data/spec/deprecation_helper.rb +58 -0
- data/spec/java_helper.rb +5 -0
- data/spec/logger_helper.rb +17 -0
- data/spec/matchers.rb +31 -0
- data/spec/mock_builder.rb +25 -0
- data/spec/spec_helper.rb +52 -0
- metadata +265 -0
@@ -0,0 +1,64 @@
|
|
1
|
+
require 'aker/cas'
|
2
|
+
|
3
|
+
require 'castanet'
|
4
|
+
|
5
|
+
module Aker::Cas
|
6
|
+
##
|
7
|
+
# Extensions for {Aker::User} instances that come from CAS
|
8
|
+
# credentials.
|
9
|
+
module UserExt
|
10
|
+
include Castanet::Client
|
11
|
+
|
12
|
+
##
|
13
|
+
# The base URL of the CAS server.
|
14
|
+
#
|
15
|
+
# This is typically set by {Authority#valid_credentials?}.
|
16
|
+
#
|
17
|
+
# @see Aker::Cas::ConfigurationHelper#cas_url
|
18
|
+
# @return [String]
|
19
|
+
attr_accessor :cas_url
|
20
|
+
|
21
|
+
##
|
22
|
+
# The proxy callback URL used by the CAS server.
|
23
|
+
#
|
24
|
+
# This is typically set by {Authority#valid_credentials?}.
|
25
|
+
#
|
26
|
+
# @see Aker::Cas::ConfigurationHelper#proxy_callback_url
|
27
|
+
# @return [String, nil]
|
28
|
+
attr_accessor :proxy_callback_url
|
29
|
+
|
30
|
+
##
|
31
|
+
# The proxy retrieval URL from which Aker will retrieve PGTs.
|
32
|
+
#
|
33
|
+
# This is typically set by {Authority#valid_credentials?}.
|
34
|
+
#
|
35
|
+
# @see Aker::Cas::ConfigurationHelper#proxy_retrieval_url
|
36
|
+
# @return [String, nil]
|
37
|
+
attr_accessor :proxy_retrieval_url
|
38
|
+
|
39
|
+
##
|
40
|
+
# The proxy granting ticket associated with the {Aker::User}, or nil if no
|
41
|
+
# PGT exists.
|
42
|
+
#
|
43
|
+
# @return [String, nil]
|
44
|
+
attr_accessor :pgt
|
45
|
+
|
46
|
+
##
|
47
|
+
# Returns a proxy ticket so that an application may authenticate
|
48
|
+
# to another CAS-using service on behalf of this user. Each
|
49
|
+
# invocation will request and return a fresh ticket.
|
50
|
+
#
|
51
|
+
# @param [String] service_base_url the URL by which CAS knows the
|
52
|
+
# service that this proxy will be used for. For aker-protected
|
53
|
+
# applications, this will always be the base URL for the whole
|
54
|
+
# application — i.e., the URL for the server plus the mount
|
55
|
+
# point for the application, if any.
|
56
|
+
#
|
57
|
+
# @see ProxyMode#service_url
|
58
|
+
#
|
59
|
+
# @return [String] a new ticket
|
60
|
+
def cas_proxy_ticket(service_base_url)
|
61
|
+
issue_proxy_ticket(pgt, service_base_url).ticket
|
62
|
+
end
|
63
|
+
end
|
64
|
+
end
|
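--- a/data/lib/aker/cas.rb
+++ b/data/lib/aker/cas.rb
@@ -0,0 +1,31 @@
+require 'aker'
+
+module Aker
+##
+# Common code for dealing with CAS servers.
+module Cas
+autoload :Authority, 'aker/cas/authority'
+autoload :ConfigurationHelper, 'aker/cas/configuration_helper'
+autoload :Middleware, 'aker/cas/middleware'
+autoload :ProxyMode, 'aker/cas/proxy_mode'
+autoload :RackProxyCallback, 'aker/cas/rack_proxy_callback'
+autoload :ServiceMode, 'aker/cas/service_mode'
+autoload :ServiceUrl, 'aker/cas/service_url'
+autoload :UserExt, 'aker/cas/user_ext'
+
+##
+# @private
+class Slice < Aker::Configuration::Slice
+def initialize
+super do
+alias_authority :cas, Authority
+
+register_mode ProxyMode
+register_mode ServiceMode
+end
+end
+end
+end
+end
+
+Aker::Configuration.add_default_slice(Aker::Cas::Slice.new)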
@@ -0,0 +1,101 @@
|
|
1
|
+
require 'aker'
|
2
|
+
require 'yaml'
|
3
|
+
|
4
|
+
module Aker
|
5
|
+
##
|
6
|
+
# Provides consistent access to server-based defaults for
|
7
|
+
# configuration parameters. These defaults are stored in a YAML file
|
8
|
+
# on the server and updated separately from application
|
9
|
+
# deployments. E.g., you might have the following in
|
10
|
+
# /etc/nubic/aker-prod.yml:
|
11
|
+
#
|
12
|
+
# ldap:
|
13
|
+
# server: ldap.example.org
|
14
|
+
# user: cn=foo
|
15
|
+
# password: 13635;nefvqerg35245gk
|
16
|
+
# policy:
|
17
|
+
# session_timeout_seconds: 1500
|
18
|
+
#
|
19
|
+
# The top level keys in this file correspond to parameter groups in
|
20
|
+
# a {Aker::Configuration}. If this file were loaded like so,
|
21
|
+
#
|
22
|
+
# Aker.configure {
|
23
|
+
# central '/etc/nubic/aker-prod.yml'
|
24
|
+
# }
|
25
|
+
#
|
26
|
+
# it would be equivalent to the following:
|
27
|
+
#
|
28
|
+
# Aker.configure {
|
29
|
+
# ldap_parameters :server => 'ldap.example.org',
|
30
|
+
# :user => 'cn=foo',
|
31
|
+
# :password => '13635;nefvqerg35245gk'
|
32
|
+
# policy_parameters :session_timeout_seconds => 1500
|
33
|
+
# }
|
34
|
+
#
|
35
|
+
# The `central` approach has several benefits:
|
36
|
+
#
|
37
|
+
# * It is simultaneously updateable for all applications on a
|
38
|
+
# server.
|
39
|
+
# * It separates system administration tasks from application
|
40
|
+
# developer concerns.
|
41
|
+
# * It provides an easy alternative to checking sensitive
|
42
|
+
# information (in this example, the LDAP password) into the VCS.
|
43
|
+
# * No flexibility is lost — individual applications may still
|
44
|
+
# override parameter values if necessary.
|
45
|
+
#
|
46
|
+
# @see https://github.com/NUBIC/bcdatabase
|
47
|
+
# Bcdatabase: a tool which provides similar capabilities for
|
48
|
+
# database and service configurations.
|
49
|
+
class CentralParameters < Hash
|
50
|
+
##
|
51
|
+
# Creates a new instance with the given overrides.
|
52
|
+
#
|
53
|
+
# @param [String, Hash] values if a hash, it is used as a set of
|
54
|
+
# overrides directly. Otherwise it is interpreted as the filename
|
55
|
+
# for the system central parameters YAML file.
|
56
|
+
def initialize(values = {})
|
57
|
+
super
|
58
|
+
|
59
|
+
unless values.is_a? Hash
|
60
|
+
values = YAML::load( File.open(values) )
|
61
|
+
end
|
62
|
+
|
63
|
+
values = nested_symbolize_keys!(deep_clone(values))
|
64
|
+
update(values)
|
65
|
+
end
|
66
|
+
|
67
|
+
##
|
68
|
+
# Returns the value or (more likely) hash of values corresponding
|
69
|
+
# to the given top-level configuration section.
|
70
|
+
#
|
71
|
+
# Note that, no matter the structure of the values hash provided
|
72
|
+
# on construction, all keys in any hashes returned by this method
|
73
|
+
# will be symbols.
|
74
|
+
#
|
75
|
+
# @param [Symbol] key the configuration section to access
|
76
|
+
def [](key)
|
77
|
+
super
|
78
|
+
end
|
79
|
+
|
80
|
+
#######
|
81
|
+
private
|
82
|
+
|
83
|
+
def deep_clone(src)
|
84
|
+
clone = { }
|
85
|
+
src.each_pair do |k, v|
|
86
|
+
clone[k] = v.is_a?(Hash) ? deep_clone(v) : v
|
87
|
+
end
|
88
|
+
clone
|
89
|
+
end
|
90
|
+
|
91
|
+
def nested_symbolize_keys!(target)
|
92
|
+
target.keys.each do |k|
|
93
|
+
v = target[k]
|
94
|
+
nested_symbolize_keys!(v) if v.respond_to?(:keys)
|
95
|
+
target.delete(k)
|
96
|
+
target[k.to_sym] = v
|
97
|
+
end
|
98
|
+
target
|
99
|
+
end
|
100
|
+
end
|
101
|
+
end
|
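Review bot: `YAML::load( File.open(values) )` at hunk line 60 opens the central parameters file without ever closing it and, on Psych versions that predate the safe loader, will instantiate arbitrary Ruby objects named by YAML tags in that file; the file is administrator-controlled, but a configuration loader has no need for that capability and the handle leak is unconditional. Where the Rubies this gem supports provide it, `File.open(values) { |f| YAML.safe_load(f) }` closes the handle and restricts the document to plain data, and the `@param` comment should then state that only plain YAML mappings are accepted. Separately, an empty file makes the load return a non-Hash (nil or false), which `deep_clone` then fails on with a `NoMethodError` for `each_pair`; appending `|| {}` to the load expression keeps an empty file meaning "no central parameters" instead of a crash during configuration.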