authlogic_cloudfuji 0.9.3

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

data/Gemfile

@@ -0,0 +1,4 @@
+source 'http://rubygems.org'
+
+# Specify your gem's dependencies in authlogic_cloudfuji.gemspec
+gemspec

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/app/controllers/authlogic/cas/cas_authentication_controller.rb

@@ -0,0 +1,7 @@
+module Authlogic
+  module Cas
+    class CasAuthenticationController < ::ApplicationController
+      include ::Authlogic::Cas::ControllerActions::Session
+    end
+  end
+end

data/app/controllers/authlogic/cas/cas_client_controller.rb

@@ -0,0 +1,7 @@
+module Authlogic
+  module Cas
+    class CasClientController < ::ApplicationController
+      include ::Authlogic::Cas::ControllerActions::Service
+    end
+  end
+end

data/authlogic_bushido.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["Akash Manohar J"]
+  gem.email         = ["akash@akash.im"]
+  gem.description   = %q{Cloudfuji support for Authlogic}
+  gem.summary       = %q{Cloudfuji support for Authlogic}
+  gem.homepage      = "http://github.com/Cloudfuji/authlogic_cloudfuji"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "authlogic_cloudfuji"
+  gem.require_paths = ["lib"]
+  gem.version       = "0.9.3"
+
+  gem.add_development_dependency 'rspec-rails'
+  gem.add_development_dependency 'sqlite3'
+  gem.add_development_dependency 'rails', '>= 3.2.1'
+  gem.add_dependency 'rubycas-client', '2.2.1'
+  gem.add_dependency 'authlogic'
+end

data/config/routes.rb

@@ -0,0 +1,3 @@
+Rails.application.routes.draw do
+  authlogic_cas_routes
+end

data/lib/authlogic_bushido.rb

@@ -0,0 +1 @@
+require File.expand_path(File.dirname(__FILE__)) + '/authlogic_cas'

data/lib/authlogic_cas.rb

@@ -0,0 +1,104 @@
+require 'rails'
+require 'rubycas-client'
+require 'authlogic/random'
+require 'authlogic_cas/engine'
+require 'authlogic_cas/rails_routes'
+require 'authlogic_cas/single_sign_out/cache'
+require 'authlogic_cas/controller_actions/service'
+require 'authlogic_cas/controller_actions/session'
+
+
+module Authlogic
+  module Cas
+
+    @@cas_base_url = "https://cloudfuji.com/cas"
+
+    # The login URL of the CAS server.  If undefined, will default based on cas_base_url.
+    @@cas_login_url = nil
+
+    # The login URL of the CAS server.  If undefined, will default based on cas_base_url.
+    @@cas_logout_url = nil
+
+    # The login URL of the CAS server.  If undefined, will default based on cas_base_url.
+    @@cas_validate_url = nil
+
+    # Should devise_cas_authenticatable enable single-sign-out? Requires use of a supported
+    # session_store. Currently supports active_record or redis.
+    # False by default.
+    @@cas_enable_single_sign_out = true
+
+    # Should devise_cas_authenticatable attempt to create new user records for
+    # unknown usernames?  True by default.
+    @@cas_create_user = true
+
+    # The model attribute used for query conditions. Should be the same as
+    # the rubycas-server username_column. :username by default
+    @@cas_username_column = :ido_id
+
+    # Name of the parameter passed in the logout query
+    @@cas_destination_logout_param_name = nil
+    
+    mattr_accessor(
+      :cas_base_url,
+      :authentication_model,
+      :actor_model,
+      :cas_login_url,
+      :cas_logout_url,
+      :cas_validate_url,
+      :cas_create_user,
+      :cas_destination_logout_param_name,
+      :cas_username_column,
+      :cas_enable_single_sign_out)
+
+
+    class << self
+    
+      def cas_client
+        @@cas_client ||= ::CASClient::Client.new(
+          :cas_destination_logout_param_name => @@cas_destination_logout_param_name,
+          :cas_base_url => @@cas_base_url,
+          :login_url => @@cas_login_url,
+          :logout_url => @@cas_logout_url,
+          :validate_url => @@cas_validate_url,
+          :enable_single_sign_out => @@cas_enable_single_sign_out
+          )
+      end
+      
+
+      def setup_authentication
+        define_authentication_method_for Authlogic::Cas.actor_model
+      end
+
+
+      def define_authentication_method_for(model)
+        model.instance_eval do
+          define_singleton_method :authenticate_with_cas_ticket do |ticket|
+            ::Authlogic::Cas.cas_client.validate_service_ticket(ticket) unless ticket.has_been_validated?
+            return nil if not ticket.is_valid?
+
+            conditions = {::Authlogic::Cas.cas_username_column => ticket.respond_to?(:user) ? ticket.user : ticket.response.user}
+            resource   = find(:first, :conditions => conditions)
+
+            resource = new(conditions.merge({:persistence_token => ::Authlogic::Random.hex_token})) if (resource.nil? and ::Authlogic::Cas.cas_create_user?)
+
+            return nil if not resource
+
+            if resource.respond_to? :cloudfuji_extra_attributes
+              extra_attributes = ticket.respond_to?(:extra_attributes) ? ticket.extra_attributes : ticket.response.extra_attributes
+              resource.cloudfuji_extra_attributes(extra_attributes)
+            end
+
+            resource.save
+            resource
+          end
+
+        end
+      end
+
+      def cas_create_user?
+        cas_create_user
+      end
+
+    end
+  end
+end

data/lib/authlogic_cas/controller_actions/service.rb

@@ -0,0 +1,72 @@
+module Authlogic
+  module Cas
+    module ControllerActions
+      module Service
+        def service
+          cas_scope    = ::Authlogic::Cas.actor_model
+          ticket       = ticket_from params
+          auth_result  = cas_scope.authenticate_with_cas_ticket(ticket)
+          
+          (redirect_to(root_path, :notice => "Could not authenticate user") && return) if not auth_result
+
+          if ::Authlogic::Cas.cas_enable_single_sign_out
+            unique_cas_id = ticket.respond_to?(:user) ? ticket.user : ticket.response.user
+            ::Authlogic::Cas::SingleSignOut::Cache.store_unique_cas_id_for_service_ticket(ticket.ticket, unique_cas_id)
+          end
+
+          if Authlogic::Cas.authentication_model.create(auth_result)
+            redirect_to(root_path)
+          else
+            redirect_to(root_path, :notice => "Could not login. Try again please.")
+          end
+        end
+
+        def single_signout
+          if ::Authlogic::Cas.cas_enable_single_sign_out
+            service_ticket = read_service_ticket_name
+
+            if service_ticket
+              logger.info "Intercepted single-sign-out request for CAS session #{service_ticket}."
+              unique_cas_id = ::Authlogic::Cas::SingleSignOut::Cache.find_unique_cas_id_by_service_ticket(service_ticket)
+              update_persistence_token_for(unique_cas_id)
+            end
+          else
+            logger.warn "Ignoring CAS single-sign-out request as feature is not currently enabled."
+          end
+
+          render :nothing => true
+        end
+
+        protected
+
+        def update_persistence_token_for(unique_cas_id)
+          user = User.send("find_by_#{::Authlogic::Cas.cas_username_column.to_s}", unique_cas_id)
+          user.update_attribute(:persistence_token, ::Authlogic::Random.hex_token) if user
+        end
+        
+        def ticket_from(controller_params)
+          ticket_name = controller_params[:ticket]
+          return nil unless ticket_name
+
+          if ticket_name =~ /^PT-/
+            ::CASClient::ProxyTicket.new(ticket_name, cas_service_url, controller_params[:renew])
+          else
+            ::CASClient::ServiceTicket.new(ticket_name, cas_service_url, controller_params[:renew])
+          end
+        end
+        
+        def read_service_ticket_name
+          if request.headers['CONTENT_TYPE'] =~ %r{^multipart/}
+            false
+          elsif request.post? && params['logoutRequest'] =~
+              %r{^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)</samlp:SessionIndex>}m
+            $~[1]
+          else
+            false
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/authlogic_cas/controller_actions/session.rb

@@ -0,0 +1,32 @@
+module Authlogic
+  module Cas
+    module ControllerActions
+      module Session
+
+        def new_cas_session
+          redirect_to(cas_login_url) unless returning_from_cas?
+        end
+
+        def destroy_cas_session
+          @user_session = ::Authlogic::Cas.authentication_model.find
+          @user_session.destroy if @user_session
+          redirect_to ::Authlogic::Cas.cas_client.logout_url
+        end
+
+        protected
+
+        def returning_from_cas?
+          params[:ticket] || request.referer =~ /^#{::Authlogic::Cas.cas_client.cas_base_url}/
+        end
+
+
+        def cas_login_url
+          login_url_from_cas_client = ::Authlogic::Cas.cas_client.add_service_to_login_url(cas_service_url)
+          redirect_url = ""# "&redirect=#{cas_return_to_url}"
+          return "#{login_url_from_cas_client}#{redirect_url}"
+        end
+
+      end
+    end
+  end
+end

data/lib/authlogic_cas/engine.rb

@@ -0,0 +1,6 @@
+module Authlogic
+  module Cas
+    class Engine < Rails::Engine
+    end
+  end
+end

data/lib/authlogic_cas/rails_routes.rb

@@ -0,0 +1,16 @@
+module ActionDispatch::Routing
+   class RouteSet #:nodoc:
+     Mapper.class_eval do
+       def authlogic_cas_routes
+         Rails.application.routes.draw do
+           scope :module => :authlogic do
+             scope :module => :cas do
+               match "cas_client/service" => "cas_client#service",        :via => :get,  :as => "cas_service"
+               match "cas_client/service" => "cas_client#single_signout", :via => :post, :as => "cas_single_signout" 
+             end
+           end
+         end
+       end
+     end
+   end
+ end

data/lib/authlogic_cas/single_sign_out/cache.rb

@@ -0,0 +1,38 @@
+module Authlogic
+  module Cas
+    module SingleSignOut
+      class Cache
+
+        class << self
+        
+          def logger
+            @logger ||= Rails.logger
+          end
+          
+          def delete_service_ticket(service_ticket_name)
+            logger.info("Deleting index #{service_ticket_name}")
+            Rails.cache.delete(cache_key(service_ticket_name))
+          end
+          
+          def find_unique_cas_id_by_service_ticket(service_ticket_name)
+            unique_cas_id = Rails.cache.read(cache_key(service_ticket_name))
+            logger.debug("Found session id #{unique_cas_id.inspect} for index #{service_ticket_name.inspect}")
+            unique_cas_id
+          end
+          
+          def store_unique_cas_id_for_service_ticket(service_ticket_name, unique_cas_id)
+            Rails.cache.write(cache_key(service_ticket_name), unique_cas_id)
+          end
+          
+          protected
+          
+          def cache_key(service_ticket_name)
+            "authlogic_cas:#{service_ticket_name}"
+          end
+
+        end
+      end
+    end
+  end
+end
+

data/spec/authlogic_cas_spec.rb

@@ -0,0 +1,150 @@
+require 'spec_helper'
+
+describe "Authlogic::Cas" do
+
+  subject { ::Authlogic::Cas }
+
+  before :all do
+    ActorExample = Class.new
+    subject.actor_model = ActorExample
+  end
+  
+  it "should have methods to set actor_model and the authentication_model" do
+    subject.respond_to?(:actor_model).should be_true
+    subject.respond_to?(:actor_model=).should be_true
+    subject.respond_to?(:authentication_model).should be_true
+    subject.respond_to?(:authentication_model=).should be_true
+  end
+  
+  describe "defaults" do
+    it "should have the Cloudfuji CAS server as the default" do
+      subject.cas_base_url.should == "https://cloudfuji.com/cas"
+    end
+
+    it "should have cas_create_user set to true" do
+      subject.cas_create_user.should be_true
+    end
+
+    it "should have single signout enabled" do
+      subject.cas_enable_single_sign_out.should be_true
+    end
+
+    it "should have cas_username_column set to ido_id" do
+      subject.cas_username_column.should == :ido_id
+    end
+  end
+
+  
+  describe "cas_client" do
+    it "should return an instance of CASClient" do
+      subject.cas_client.should be_kind_of(::CASClient::Client)
+    end
+  end
+
+  
+  describe "setup_authentication" do
+    it "should define authentication method for the actor model" do
+      subject.should_receive(:define_authentication_method_for).with(subject.actor_model)
+      subject.setup_authentication
+    end
+  end
+
+  
+  describe "define_authentication_method_for" do
+    it "should define the authentication_with_cas_ticket method on the specified model" do
+      ActorExample.respond_to?(:authenticate_with_cas_ticket).should be_false
+      
+      subject.define_authentication_method_for(ActorExample)
+      ActorExample.respond_to?(:authenticate_with_cas_ticket).should be_true
+    end
+  end
+
+  describe "authenticate_with_cas_ticket" do
+    before :all do
+      subject.define_authentication_method_for(ActorExample)
+    end
+
+    before :each do
+      @example_ticket = double ::CASClient::ServiceTicket
+    end
+    
+    it "should check if a ticket has been validated" do
+      @example_ticket.stub!(:has_been_validated?).and_return(true)
+      @example_ticket.stub!(:is_valid?).and_return(false)
+      
+      ActorExample.authenticate_with_cas_ticket(@example_ticket)
+    end
+
+    it "should validate ticket if it has not been validated" do
+      @example_ticket.stub!(:has_been_validated?).and_return(false)
+      @example_ticket.stub!(:is_valid?).and_return(false)
+
+      subject.cas_client.should_receive(:validate_service_ticket).with(@example_ticket)
+      ActorExample.authenticate_with_cas_ticket(@example_ticket)
+    end
+
+    it "should return nil if the ticket is not valid" do
+      @example_ticket.stub!(:has_been_validated?).and_return(true)
+      @example_ticket.stub!(:is_valid?).and_return(false)
+
+      ActorExample.authenticate_with_cas_ticket(@example_ticket).should be_nil
+    end
+
+    it "should try to find the user and create a session for the user" do
+      @example_user = ActorExample.new
+      @example_user.stub!(:save)
+
+      @example_ticket.stub!(:has_been_validated?).and_return(true)
+      @example_ticket.stub!(:is_valid?).and_return(true)
+      @example_ticket.stub!(:user).and_return("example_unique_user_id")
+      
+      
+      ActorExample.stub!(:find).and_return(@example_user)
+
+      ActorExample.authenticate_with_cas_ticket(@example_ticket).should == @example_user
+    end
+
+    it "should create a new user incase the user with the unique CAS ID isn't found" do
+      @example_user = ActorExample.new
+      @example_user.stub!(:save)
+
+      @example_ticket.stub!(:has_been_validated?).and_return(true)
+      @example_ticket.stub!(:is_valid?).and_return(true)
+      @example_ticket.stub!(:user).and_return("example_unique_user_id")
+      
+      ActorExample.should_receive(:find).and_return(nil)
+      ActorExample.should_receive(:new).and_return(@example_user)      
+
+      ActorExample.authenticate_with_cas_ticket(@example_ticket).should == @example_user
+    end
+
+    it "should call the cloudfuji_extra_attributes method on the actor model if defined" do
+      @example_user = ActorExample.new
+      @example_user.stub!(:save)
+      @example_user.stub!(:cloudfuji_extra_attributes)
+      
+      @example_ticket.stub!(:has_been_validated?).and_return(true)
+      @example_ticket.stub!(:is_valid?).and_return(true)
+      @example_ticket.stub!(:user).and_return("example_unique_user_id")
+      @example_ticket.stub!(:extra_attributes).and_return({})
+      ActorExample.stub!(:find).and_return(@example_user)
+
+      @example_user.should_receive(:cloudfuji_extra_attributes)
+
+      ActorExample.authenticate_with_cas_ticket(@example_ticket).should == @example_user
+    end
+  end
+
+  describe "cas_create_user?" do
+    it "should return true if @@cas_create_user is true" do
+      subject.cas_create_user = true
+      subject.cas_create_user?.should be_true
+    end
+
+    it "should return true if @@cas_create_user is false" do
+      subject.cas_create_user = false
+      subject.cas_create_user?.should be_false
+    end
+  end
+  
+end