arpitjain11-rubycas-server 0.8.0.20090612

Sign up to get free protection for your applications and to get access to all the features.
Files changed (78) hide show
  1. data/CHANGELOG.txt +1 -0
  2. data/History.txt +272 -0
  3. data/LICENSE.txt +504 -0
  4. data/Manifest.txt +85 -0
  5. data/PostInstall.txt +3 -0
  6. data/README.rdoc +26 -0
  7. data/Rakefile +4 -0
  8. data/bin/rubycas-server +13 -0
  9. data/bin/rubycas-server-ctl +9 -0
  10. data/config/hoe.rb +78 -0
  11. data/config/requirements.rb +15 -0
  12. data/config.example.yml +544 -0
  13. data/config.ru +38 -0
  14. data/custom_views.example.rb +11 -0
  15. data/lib/casserver/authenticators/active_directory_ldap.rb +11 -0
  16. data/lib/casserver/authenticators/base.rb +48 -0
  17. data/lib/casserver/authenticators/client_certificate.rb +46 -0
  18. data/lib/casserver/authenticators/google.rb +54 -0
  19. data/lib/casserver/authenticators/ldap.rb +147 -0
  20. data/lib/casserver/authenticators/ntlm.rb +88 -0
  21. data/lib/casserver/authenticators/open_id.rb +22 -0
  22. data/lib/casserver/authenticators/sql.rb +102 -0
  23. data/lib/casserver/authenticators/sql_encrypted.rb +76 -0
  24. data/lib/casserver/authenticators/sql_md5.rb +19 -0
  25. data/lib/casserver/authenticators/sql_rest_auth.rb +77 -0
  26. data/lib/casserver/authenticators/test.rb +19 -0
  27. data/lib/casserver/cas.rb +322 -0
  28. data/lib/casserver/conf.rb +75 -0
  29. data/lib/casserver/controllers.rb +457 -0
  30. data/lib/casserver/load_picnic.rb +19 -0
  31. data/lib/casserver/localization.rb +82 -0
  32. data/lib/casserver/models.rb +265 -0
  33. data/lib/casserver/postambles.rb +174 -0
  34. data/lib/casserver/utils.rb +30 -0
  35. data/lib/casserver/version.rb +9 -0
  36. data/lib/casserver/views.rb +245 -0
  37. data/lib/casserver.rb +58 -0
  38. data/lib/rubycas-server/version.rb +1 -0
  39. data/lib/rubycas-server.rb +1 -0
  40. data/po/de_DE/rubycas-server.po +119 -0
  41. data/po/es_ES/rubycas-server.po +115 -0
  42. data/po/fr_FR/rubycas-server.po +116 -0
  43. data/po/ja_JP/rubycas-server.po +118 -0
  44. data/po/pl_PL/rubycas-server.po +115 -0
  45. data/po/pt_BR/rubycas-server.po +115 -0
  46. data/po/ru_RU/rubycas-server.po +110 -0
  47. data/po/rubycas-server.pot +104 -0
  48. data/public/themes/cas.css +121 -0
  49. data/public/themes/notice.png +0 -0
  50. data/public/themes/ok.png +0 -0
  51. data/public/themes/simple/bg.png +0 -0
  52. data/public/themes/simple/login_box_bg.png +0 -0
  53. data/public/themes/simple/logo.png +0 -0
  54. data/public/themes/simple/theme.css +28 -0
  55. data/public/themes/urbacon/bg.png +0 -0
  56. data/public/themes/urbacon/login_box_bg.png +0 -0
  57. data/public/themes/urbacon/logo.png +0 -0
  58. data/public/themes/urbacon/theme.css +33 -0
  59. data/public/themes/warning.png +0 -0
  60. data/resources/init.d.sh +58 -0
  61. data/script/console +10 -0
  62. data/script/destroy +14 -0
  63. data/script/generate +14 -0
  64. data/script/txt2html +82 -0
  65. data/setup.rb +1585 -0
  66. data/tasks/deployment.rake +34 -0
  67. data/tasks/environment.rake +7 -0
  68. data/tasks/localization.rake +11 -0
  69. data/tasks/website.rake +17 -0
  70. data/vendor/isaac_0.9.1/LICENSE +26 -0
  71. data/vendor/isaac_0.9.1/README +78 -0
  72. data/vendor/isaac_0.9.1/TODO +3 -0
  73. data/vendor/isaac_0.9.1/VERSIONS +3 -0
  74. data/vendor/isaac_0.9.1/crypt/ISAAC.rb +171 -0
  75. data/vendor/isaac_0.9.1/isaac.gemspec +39 -0
  76. data/vendor/isaac_0.9.1/setup.rb +596 -0
  77. data/vendor/isaac_0.9.1/test/TC_ISAAC.rb +76 -0
  78. metadata +193 -0
@@ -0,0 +1,48 @@
1
+ module CASServer
2
+ module Authenticators
3
+ class Base
4
+ attr_accessor :options
5
+ attr_reader :username # make this accessible so that we can pick up any
6
+ # transformations done within the authenticator
7
+
8
+ def validate(credentials)
9
+ raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
10
+ end
11
+
12
+ def configure(options)
13
+ raise ArgumentError, "options must be a HashWithIndifferentAccess" unless options.kind_of? HashWithIndifferentAccess
14
+ @options = options.dup
15
+ @extra_attributes = {}
16
+ end
17
+
18
+ def extra_attributes
19
+ @extra_attributes
20
+ end
21
+
22
+ protected
23
+ def read_standard_credentials(credentials)
24
+ @username = credentials[:username]
25
+ @password = credentials[:password]
26
+ @service = credentials[:service]
27
+ @request = credentials[:request]
28
+ end
29
+
30
+ def extra_attributes_to_extract
31
+ if @options[:extra_attributes].kind_of? Array
32
+ attrs = @options[:extra_attributes]
33
+ elsif @options[:extra_attributes].kind_of? String
34
+ attrs = @options[:extra_attributes].split(',').collect{|col| col.strip}
35
+ else
36
+ $LOG.error("Can't figure out attribute list from #{@options[:extra_attributes].inspect}. This must be an Aarray of column names or a comma-separated list.")
37
+ attrs = []
38
+ end
39
+
40
+ $LOG.debug("#{self.class.name} will try to extract the following extra_attributes: #{attrs.inspect}")
41
+ return attrs
42
+ end
43
+ end
44
+ end
45
+
46
+ class AuthenticatorError < Exception
47
+ end
48
+ end
@@ -0,0 +1,46 @@
1
+ require 'casserver/authenticators/base'
2
+
3
+ # NOT YET IMPLEMENTED
4
+ #
5
+ # This authenticator will authenticate the user based on a client SSL certificate.
6
+ #
7
+ # You will probably want to use this along with another authenticator, chaining
8
+ # it so that if the client does not provide a certificate, the server can
9
+ # fall back to some other authentication mechanism.
10
+ #
11
+ # Here's an example of how to use two chained authenticators in the config.yml
12
+ # file. The server will first use the ClientCertificate authenticator, and
13
+ # only fall back to the SQL authenticator of the first one fails:
14
+ #
15
+ # authenticator:
16
+ # -
17
+ # class: CASServer::Authenticators::ClientCertificate
18
+ # -
19
+ # class: CASServer::Authenticators::SQL
20
+ # database:
21
+ # adapter: mysql
22
+ # database: some_database_with_users_table
23
+ # user: root
24
+ # password:
25
+ # server: localhost
26
+ # user_table: user
27
+ # username_column: username
28
+ # password_column: password
29
+ #
30
+ class CASServer::Authenticators::ClientCertificate < CASServer::Authenticators::Base
31
+ def validate(credentials)
32
+ read_standard_credentials(credentials)
33
+
34
+ @client_cert = credentials[:request]['SSL_CLIENT_CERT']
35
+
36
+ # note that I haven't actually tested to see if SSL_CLIENT_CERT gets
37
+ # filled with data when a client cert is provided, but this should be
38
+ # the case at least in theory :)
39
+
40
+ return false if @client_cert.blank?
41
+
42
+ # IMPLEMENT SSL CERTIFICATE VALIDATION CODE HERE
43
+
44
+ return true # if SSL certificate is valid, false otherwise
45
+ end
46
+ end
@@ -0,0 +1,54 @@
1
+ require 'casserver/authenticators/base'
2
+ require 'uri'
3
+ require 'net/http'
4
+ require 'net/https'
5
+ require 'timeout'
6
+
7
+ # Validates Google accounts against Google's authentication service -- in other
8
+ # words, this authenticator allows users to log in to CAS using their
9
+ # Gmail/Google accounts.
10
+ class CASServer::Authenticators::Google < CASServer::Authenticators::Base
11
+ def validate(credentials)
12
+ read_standard_credentials(credentials)
13
+
14
+ return false if @username.blank? || @password.blank?
15
+
16
+ auth_data = {
17
+ 'Email' => @username,
18
+ 'Passwd' => @password,
19
+ 'service' => 'xapi',
20
+ 'source' => 'RubyCAS-Server',
21
+ 'accountType' => 'HOSTED_OR_GOOGLE'
22
+ }
23
+
24
+ url = URI.parse('https://www.google.com/accounts/ClientLogin')
25
+ http = Net::HTTP.new(url.host, url.port)
26
+ http.use_ssl = true
27
+
28
+ # TODO: make the timeout configurable
29
+ wait_seconds = 10
30
+ begin
31
+ timeout(wait_seconds) do
32
+ res = http.start do |conn|
33
+ req = Net::HTTP::Post.new(url.path)
34
+ req.set_form_data(auth_data,'&')
35
+ conn.request(req)
36
+ end
37
+
38
+ case res
39
+ when Net::HTTPSuccess
40
+ true
41
+ when Net::HTTPForbidden
42
+ false
43
+ else
44
+ $LOG.error("Unexpected response from Google while validating credentials: #{res.inspect} ==> #{res.body}.")
45
+ raise CASServer::AuthenticatorError, "Unexpected response received from Google while validating credentials."
46
+ end
47
+ end
48
+ rescue Timeout::Error
49
+ $LOG.error("Google did not respond to the credential validation request. We waited for #{wait_seconds.inspect} seconds before giving up.")
50
+ raise CASServer::AuthenticatorError, "Timeout while waiting for Google to validate credentials."
51
+ end
52
+
53
+ end
54
+ end
@@ -0,0 +1,147 @@
1
+ require 'casserver/authenticators/base'
2
+
3
+ begin
4
+ require 'net/ldap'
5
+ rescue LoadError
6
+ require 'rubygems'
7
+ begin
8
+ gem 'ruby-net-ldap', '~> 0.0.4'
9
+ rescue Gem::LoadError
10
+ $stderr.puts
11
+ $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
12
+ $stderr.puts
13
+ $stderr.puts "To use the LDAP/AD authenticator, you must first install the 'ruby-net-ldap' gem."
14
+ $stderr.puts
15
+ $stderr.puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
16
+ exit 1
17
+ end
18
+ require 'net/ldap'
19
+ end
20
+
21
+ # Basic LDAP authenticator. Should be compatible with OpenLDAP and other similar LDAP servers,
22
+ # although it hasn't been officially tested. See example config file for details on how
23
+ # to configure it.
24
+ class CASServer::Authenticators::LDAP < CASServer::Authenticators::Base
25
+ def validate(credentials)
26
+ read_standard_credentials(credentials)
27
+
28
+ return false if @password.blank?
29
+
30
+ raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
31
+ raise CASServer::AuthenticatorError, "Invalid LDAP authenticator configuration!" unless @options[:ldap]
32
+ raise CASServer::AuthenticatorError, "You must specify a server host in the LDAP configuration!" unless @options[:ldap][:host] || @options[:ldap][:server]
33
+
34
+ raise CASServer::AuthenticatorError, "The username '#{@username}' contains invalid characters." if (@username =~ /[*\(\)\0\/]/)
35
+
36
+ preprocess_username
37
+
38
+ @ldap = Net::LDAP.new
39
+
40
+
41
+ @options[:ldap][:host] ||= @options[:ldap][:server]
42
+ @ldap.host = @options[:ldap][:host]
43
+ @ldap.port = @options[:ldap][:port] if @options[:ldap][:port]
44
+ @ldap.encryption(@options[:ldap][:encryption].intern) if @options[:ldap][:encryption]
45
+
46
+ begin
47
+ if @options[:ldap][:auth_user]
48
+ bind_success = bind_by_username_with_preauthentication
49
+ else
50
+ bind_success = bind_by_username
51
+ end
52
+
53
+ return false unless bind_success
54
+
55
+ entry = find_user
56
+ extract_extra_attributes(entry)
57
+
58
+ return true
59
+ rescue Net::LDAP::LdapError => e
60
+ raise CASServer::AuthenticatorError,
61
+ "LDAP authentication failed with '#{e}'. Check your authenticator configuration."
62
+ end
63
+ end
64
+
65
+ protected
66
+ def default_username_attribute
67
+ "cn"
68
+ end
69
+
70
+ private
71
+ # Add prefix to username, if :username_prefix was specified in the :ldap config.
72
+ def preprocess_username
73
+ @username = @options[:ldap][:username_prefix] + @username if @options[:ldap][:username_prefix]
74
+ end
75
+
76
+ # Attempt to bind with the LDAP server using the username and password entered by
77
+ # the user. If a :filter was specified in the :ldap config, the filter will be
78
+ # added to the LDAP query for the username.
79
+ def bind_by_username
80
+ username_attribute = options[:ldap][:username_attribute] || default_username_attribute
81
+
82
+ @ldap.bind_as(:base => @options[:ldap][:base], :password => @password, :filter => user_filter)
83
+ end
84
+
85
+ # If an auth_user is specified, we will connect ("pre-authenticate") with the
86
+ # LDAP server using the authenticator account, and then attempt to bind as the
87
+ # user who is actually trying to authenticate. Note that you need to set up
88
+ # the special authenticator account first. Also, auth_user must be the authenticator
89
+ # user's full CN, which is probably not the same as their username.
90
+ #
91
+ # This pre-authentication process is necessary because binding can only be done
92
+ # using the CN, so having just the username is not enough. We connect as auth_user,
93
+ # and then try to find the target user's CN based on the given username. Then we bind
94
+ # as the target user to validate their credentials.
95
+ def bind_by_username_with_preauthentication
96
+ raise CASServer::AuthenticatorError, "A password must be specified in the configuration for the authenticator user!" unless
97
+ @options[:ldap][:auth_password]
98
+
99
+ @ldap.authenticate(@options[:ldap][:auth_user], @options[:ldap][:auth_password])
100
+
101
+ @ldap.bind_as(:base => @options[:ldap][:base], :password => @password, :filter => user_filter)
102
+ end
103
+
104
+ # Combine the filter for finding the user with the optional extra filter specified in the config
105
+ # (if any).
106
+ def user_filter
107
+ username_attribute = options[:ldap][:username_attribute] || default_username_attribute
108
+
109
+ filter = Net::LDAP::Filter.eq(username_attribute, @username)
110
+ unless @options[:ldap][:filter].blank?
111
+ filter &= Net::LDAP::Filter.construct(@options[:ldap][:filter])
112
+ end
113
+
114
+ filter
115
+ end
116
+
117
+ # Finds the user based on the user_filter (this is called after authentication).
118
+ # We do this to make it possible to extract extra_attributes.
119
+ def find_user
120
+ results = @ldap.search( :base => options[:ldap][:base], :filter => user_filter)
121
+ return results.first
122
+ end
123
+
124
+ def extract_extra_attributes(ldap_entry)
125
+ @extra_attributes = {}
126
+ extra_attributes_to_extract.each do |attr|
127
+ v = !ldap_entry[attr].blank? && ldap_entry[attr].first
128
+ if v
129
+ if ldap_entry[attr].kind_of?(Array)
130
+ @extra_attributes[attr] = []
131
+ ldap_entry[attr].each do |a|
132
+ @extra_attributes[attr] << a
133
+ end
134
+ else
135
+ @extra_attributes[attr] = v.to_s
136
+ end
137
+ end
138
+ end
139
+
140
+ if @extra_attributes.empty?
141
+ $LOG.warn("#{self.class}: Did not read any extra_attributes for user #{@username.inspect} even though an :extra_attributes option was provided.")
142
+ else
143
+ $LOG.debug("#{self.class}: Read the following extra_attributes for user #{@username.inspect}: #{@extra_attributes.inspect}")
144
+ end
145
+ ldap_entry
146
+ end
147
+ end
@@ -0,0 +1,88 @@
1
+ # THIS AUTHENTICATOR DOES NOT WORK (not even close!)
2
+ #
3
+ # I started working on this but run into a wall, so I am commiting what I've got
4
+ # done and leaving it here with hopes of one day finishing it.
5
+ #
6
+ # The main problem is that although I've got the Lan Manager/NTLM password hash,
7
+ # I'm not sure what to do with it. i.e. I need to check it against the AD or SMB
8
+ # server or something... maybe faking an SMB share connection and using the LM
9
+ # response for authentication might do the trick?
10
+
11
+ require 'casserver/authenticators/base'
12
+
13
+ # Ruby/NTLM package from RubyForge
14
+ require 'net/ntlm'
15
+
16
+ module CASServer
17
+ module Authenticators
18
+ class NTLM
19
+ # This will have to be somehow called by the top of the 'get' method
20
+ # in the Login controller (maybe via a hook?)... if this code fails
21
+ # then the controller should fall back to some other method of authentication
22
+ # (probably AD/LDAP or something).
23
+ def filter_for_top_of_login_get_controller_method
24
+ $LOG.debug @env.inspect
25
+ if @env['HTTP_AUTHORIZATION'] =~ /NTLM ([^\s]+)/
26
+ # if we're here, then the client has sent back a Type1 or Type3 message
27
+ # in reply to our NTLM challenge or our Type2 message
28
+ data_raw = Base64.decode64($~[1])
29
+ $LOG.debug "T1 RAW: #{t1_raw}"
30
+ t = Net::NTLM::Message::Message.parse(t1_raw)
31
+ if t.kind_of? Net::NTLM::Type1
32
+ t1 = t
33
+ elsif t.kind_of? Net::NTLM::Type3
34
+ t3 = t
35
+ else
36
+ raise "Invalid NTLM reply from client."
37
+ end
38
+
39
+ if t1
40
+ $LOG.debug "T1: #{t1.inspect}"
41
+
42
+ # now put together a Type2 message asking for the client to send
43
+ # back NTLM credentials (LM hash and such)
44
+ t2 = Net::NTLM::Message::Type2.new
45
+ t2.set_flag :UNICODE
46
+ t2.set_flag :NTLM
47
+ t2.context = 0x0000000000000000 # this can probably just be left unassigned
48
+ t2.challenge = 0x0123456789abcdef # this should be a random 8-byte integer
49
+
50
+ $LOG.debug "T2: #{t2.inspect}"
51
+ $LOG.debug "T2: #{t2.serialize}"
52
+ headers["WWW-Authenticate"] = "NTLM #{t2.encode64}"
53
+
54
+ # the client should respond to this with a Type3 message...
55
+ r('401', '', headers)
56
+ return
57
+ else
58
+ # NOTE: for some reason the server never receives the T3 response, even though monitoring
59
+ # the HTTP traffic I can see that the client does send it back... there's probably
60
+ # another bug hiding somewhere here
61
+
62
+ lm_response = t3.lm_response
63
+ ntlm_response = t3.ntlm_response
64
+ username = t3.user
65
+ # this is where we run up against a wall... we need some way to check the lm and/or ntlm
66
+ # reponse against the authentication server (probably Active Directory)... maybe a samba
67
+ # call would do it?
68
+ $LOG.debug "T3 LM: #{lm_response.inspect}"
69
+ $LOG.debug "T3 NTLM: #{ntlm_response.inspect}"
70
+
71
+ # assuming the authentication was successful, we'll now need to do something in the
72
+ # controller acting as if we'd received correct login credentials (i.e. proceed as if
73
+ # CAS authentication was successful).... if authentication failed, then we should
74
+ # just fall back to old-school web-based authentication, asking the user to enter
75
+ # their username and password the normal CAS way
76
+ end
77
+ else
78
+ # this sends the initial NTLM challenge, asking the browser
79
+ # to send back a Type1 message
80
+ headers['WWW-Authenticate'] = "NTLM"
81
+ headers['Connection'] = "Close"
82
+ r('401', '', headers)
83
+ return
84
+ end
85
+ end
86
+ end
87
+ end
88
+ end
@@ -0,0 +1,22 @@
1
+ require 'casserver/authenticators/base'
2
+
3
+ require 'openid'
4
+ require 'openid/extensions/sreg'
5
+ require 'openid/extensions/pape'
6
+ require 'openid/store/memory'
7
+
8
+
9
+ # CURRENTLY UNIMPLEMENTED
10
+ # This is just starter code.
11
+ class CASServer::Authenticators::OpenID < CASServer::Authenticators::Base
12
+
13
+ def validate(credentials)
14
+ raise NotImplementedError, "The OpenID authenticator is not yet implemented. "+
15
+ "See http://code.google.com/p/rubycas-server/issues/detail?id=36 if you are interested in helping this along."
16
+
17
+ read_standard_credentials(credentials)
18
+
19
+ store = OpenID::Store::Memory.new
20
+ consumer = OpenID::Consumer.new({}, store)
21
+ end
22
+ end
@@ -0,0 +1,102 @@
1
+ require 'casserver/authenticators/base'
2
+
3
+ begin
4
+ require 'active_record'
5
+ rescue LoadError
6
+ require 'rubygems'
7
+ require 'active_record'
8
+ end
9
+
10
+ # Authenticates against a plain SQL table.
11
+ #
12
+ # This assumes that all of your users are stored in a table that has a 'username'
13
+ # column and a 'password' column. When the user logs in, CAS conects to the
14
+ # database and looks for a matching username/password in the users table. If a
15
+ # matching username and password is found, authentication is successful.
16
+ #
17
+ # Any database backend supported by ActiveRecord can be used.
18
+ #
19
+ # Config example:
20
+ #
21
+ # authenticator:
22
+ # class: CASServer::Authenticators::SQL
23
+ # database:
24
+ # adapter: mysql
25
+ # database: some_database_with_users_table
26
+ # username: root
27
+ # password:
28
+ # server: localhost
29
+ # user_table: users
30
+ # username_column: username
31
+ # password_column: password
32
+ #
33
+ # When replying to a CAS client's validation request, the server will normally
34
+ # provide the client with the authenticated user's username. However it is now
35
+ # possible for the server to provide the client with additional attributes.
36
+ # You can configure the SQL authenticator to provide data from additional
37
+ # columns in the users table by listing the names of the columns under the
38
+ # 'extra_attributes' option. Note though that this functionality is experimental.
39
+ # It should work with RubyCAS-Client, but may or may not work with other CAS
40
+ # clients.
41
+ #
42
+ # For example, with this configuration, the 'full_name' and 'access_level'
43
+ # columns will be provided to your CAS clients along with the username:
44
+ #
45
+ # authenticator:
46
+ # class: CASServer::Authenticators::SQL
47
+ # database:
48
+ # adapter: mysql
49
+ # database: some_database_with_users_table
50
+ # user_table: users
51
+ # username_column: username
52
+ # password_column: password
53
+ # extra_attributes: full_name, access_level
54
+ #
55
+ class CASServer::Authenticators::SQL < CASServer::Authenticators::Base
56
+
57
+ def validate(credentials)
58
+ read_standard_credentials(credentials)
59
+
60
+ raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
61
+ raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:database]
62
+
63
+ CASUser.establish_connection @options[:database]
64
+ CASUser.set_table_name @options[:user_table] || "users"
65
+
66
+ username_column = @options[:username_column] || 'username'
67
+ password_column = @options[:password_column] || 'password'
68
+
69
+ results = CASUser.find(:all, :conditions => ["#{username_column} = ? AND #{password_column} = ?", @username, @password])
70
+
71
+ if results.size > 0
72
+ $LOG.warn("#{self.class}: Multiple matches found for user #{@username.inspect}") if results.size > 1
73
+
74
+ unless @options[:extra_attributes].blank?
75
+ if results.size > 1
76
+ $LOG.warn("#{self.class}: Unable to extract extra_attributes because multiple matches were found for #{@username.inspect}")
77
+ else
78
+ user = results.first
79
+
80
+ @extra_attributes = {}
81
+ extra_attributes_to_extract.each do |col|
82
+ @extra_attributes[col] = user.send(col)
83
+ end
84
+
85
+ if @extra_attributes.empty?
86
+ $LOG.warn("#{self.class}: Did not read any extra_attributes for user #{@username.inspect} even though an :extra_attributes option was provided.")
87
+ else
88
+ $LOG.debug("#{self.class}: Read the following extra_attributes for user #{@username.inspect}: #{@extra_attributes.inspect}")
89
+ end
90
+ end
91
+ end
92
+
93
+ return true
94
+ else
95
+ return false
96
+ end
97
+ end
98
+
99
+ class CASUser < ActiveRecord::Base
100
+ end
101
+
102
+ end
@@ -0,0 +1,76 @@
1
+ require 'casserver/authenticators/base'
2
+
3
+ require 'digest/sha1'
4
+ require 'digest/sha2'
5
+
6
+ $: << File.dirname(File.expand_path(__FILE__)) + "/../../../vendor/isaac_0.9.1"
7
+ require 'crypt/ISAAC'
8
+
9
+ begin
10
+ require 'active_record'
11
+ rescue LoadError
12
+ require 'rubygems'
13
+ require 'active_record'
14
+ end
15
+
16
+ # This is a more secure version of the SQL authenticator. Passwords are encrypted
17
+ # rather than being stored in plain text.
18
+ #
19
+ # Based on code contributed by Ben Mabey.
20
+ #
21
+ # Using this authenticator requires some configuration on the client side. Please see
22
+ # http://code.google.com/p/rubycas-server/wiki/UsingTheSQLEncryptedAuthenticator
23
+ class CASServer::Authenticators::SQLEncrypted < CASServer::Authenticators::Base
24
+
25
+ def validate(credentials)
26
+ read_standard_credentials(credentials)
27
+
28
+ raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
29
+ raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:database]
30
+
31
+ CASUser.establish_connection @options[:database]
32
+ CASUser.set_table_name @options[:user_table] || "users"
33
+
34
+ username_column = @options[:username_column] || "username"
35
+
36
+ results = CASUser.find(:all, :conditions => ["#{username_column} = ?", @username])
37
+
38
+ if results.size > 0
39
+ $LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
40
+ user = results.first
41
+ return user.encrypted_password == user.encrypt(@password)
42
+ else
43
+ return false
44
+ end
45
+ end
46
+
47
+ # Include this module into your application's user model.
48
+ #
49
+ # Your model must have an 'encrypted_password' column where the password will be stored,
50
+ # and an 'encryption_salt' column that will be populated with a random string before
51
+ # the user record is first created.
52
+ module EncryptedPassword
53
+ def self.included(mod)
54
+ raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
55
+ mod.before_save :generate_encryption_salt
56
+ end
57
+
58
+ def encrypt(str)
59
+ generate_encryption_salt unless encryption_salt
60
+ Digest::SHA256.hexdigest("#{encryption_salt}::#{str}")
61
+ end
62
+
63
+ def password=(password)
64
+ self[:encrypted_password] = encrypt(password)
65
+ end
66
+
67
+ def generate_encryption_salt
68
+ self.encryption_salt = Digest::SHA1.hexdigest(Crypt::ISAAC.new.rand(2**31).to_s) unless
69
+ encryption_salt
70
+ end
71
+ end
72
+
73
+ class CASUser < ActiveRecord::Base
74
+ include EncryptedPassword
75
+ end
76
+ end
@@ -0,0 +1,19 @@
1
+ require 'casserver/authenticators/sql'
2
+
3
+ require 'digest/md5'
4
+
5
+ # Essentially the same as the standard SQL authenticator, but this version
6
+ # assumes that your password is stored as an MD5 hash.
7
+ #
8
+ # This was contributed by malcomm for Drupal authentication. To work with
9
+ # Drupal, you should use 'name' for the :username_column config option, and
10
+ # 'pass' for the :password_column.
11
+ class CASServer::Authenticators::SQLMd5 < CASServer::Authenticators::SQL
12
+
13
+ protected
14
+ def read_standard_credentials(credentials)
15
+ super
16
+ @password = Digest::MD5.hexdigest(@password)
17
+ end
18
+
19
+ end
@@ -0,0 +1,77 @@
1
+ require 'casserver/authenticators/base'
2
+
3
+ require 'digest/sha1'
4
+
5
+ begin
6
+ require 'active_record'
7
+ rescue LoadError
8
+ require 'rubygems'
9
+ require 'active_record'
10
+ end
11
+
12
+ # This is a version of the SQL authenticator that works nicely with RestfulAuthentication.
13
+ # Passwords are encrypted the same way as it done in RestfulAuthentication.
14
+ # Before use you this, you MUST configure rest_auth_digest_streches and rest_auth_site_key in
15
+ # config.
16
+ #
17
+ # Using this authenticator requires restful authentication plugin on rails (client) side.
18
+ #
19
+ # * git://github.com/technoweenie/restful-authentication.git
20
+ #
21
+ class CASServer::Authenticators::SQLRestAuth < CASServer::Authenticators::Base
22
+
23
+ def validate(credentials)
24
+ read_standard_credentials(credentials)
25
+
26
+ raise CASServer::AuthenticatorError, "Cannot validate credentials because the authenticator hasn't yet been configured" unless @options
27
+ raise CASServer::AuthenticatorError, "Invalid authenticator configuration!" unless @options[:database]
28
+
29
+ CASUser.establish_connection @options[:database]
30
+ CASUser.set_table_name @options[:user_table] || "users"
31
+
32
+ username_column = @options[:username_column] || "email"
33
+
34
+ results = CASUser.find(:all, :conditions => ["#{username_column} = ?", @username])
35
+
36
+ if results.size > 0
37
+ $LOG.warn("Multiple matches found for user '#{@username}'") if results.size > 1
38
+ user = results.first
39
+ return (user.crypted_password == user.encrypt(@password))
40
+ else
41
+ return false
42
+ end
43
+ end
44
+
45
+ module EncryptedPassword
46
+
47
+ # XXX: this constants MUST be defined in config.
48
+ # For more details # look at restful-authentication docs.
49
+ #
50
+ REST_AUTH_DIGEST_STRETCHES = $CONF.rest_auth_digest_streches
51
+ REST_AUTH_SITE_KEY = $CONF.rest_auth_site_key
52
+
53
+ def self.included(mod)
54
+ raise "#{self} should be inclued in an ActiveRecord class!" unless mod.respond_to?(:before_save)
55
+ end
56
+
57
+ def encrypt(password)
58
+ password_digest(password, self.salt)
59
+ end
60
+
61
+ def secure_digest(*args)
62
+ Digest::SHA1.hexdigest(args.flatten.join('--'))
63
+ end
64
+
65
+ def password_digest(password, salt)
66
+ digest = REST_AUTH_SITE_KEY
67
+ REST_AUTH_DIGEST_STRETCHES.times do
68
+ digest = secure_digest(digest, salt, password, REST_AUTH_SITE_KEY)
69
+ end
70
+ digest
71
+ end
72
+ end
73
+
74
+ class CASUser < ActiveRecord::Base
75
+ include EncryptedPassword
76
+ end
77
+ end