bcms_cas 1.0.0

data/README.markdown

@@ -0,0 +1,92 @@
+# Central Authentication Server Module
+
+This module allows BrowserCMS to integrate with a Central Authentication Server (CAS) to allow users to log in to a BrowserCMS site,
+using credentials stored in an external system. This module requires an existing CAS server to be running (See http://code.google.com/p/rubycas-server/)
+as an example of a server.
+
+This module will allow user to login to the public area of the CMS, using the Login Form Portlet. It does not handle users that need to
+log into the CMS administrative area. It also handles single logout by redirecting the user to cas /logout service.
+
+## A. Instructions
+Here are the necessary steps to install this module.
+
+1. Configure your CAS server and test that you can login directly via their /login page.
+2. Install the rubycas-client gem (See B below)
+3. Install the bcms_cas module, and configure it to point to your CAS server (see C below).
+4. Migrate the database to add the CAS Group (See D below)
+5. Alter the Login Form Portlet to submit to the CAS server. (See E below)
+
+## B. Installing RubyCAS-Client
+This project depends on RubyCAS-client (http://code.google.com/p/rubycas-client/). RubyCAS-Client is a standard Rails PluginGem, and the instructions
+for installing in into a Rails project can be found on their website. The following command will probably work though:
+
+    gem install rubycas-client
+
+This will add the latest version of a gem. The bcms_cas module will require the necessary files, so you do not need to
+make any configuration changes in your rails project.
+
+## C. Installing/Configuring the Module
+To install a BrowserCMS module follow the instructions here http://www.browsercms.org/doc/guides/html/installing_modules.html .
+After that you will need to configure the rubycas-client to point to the correct CAS server, along with any other
+configuration options you need. Add the following to your config/initializers/browsercms.rb:
+
+
+    CASClient::Frameworks::Rails::Filter.configure(
+      :cas_base_url => "https://cas.yourdomainname.org",
+      :extra_attributes_session_key => :cas_extra_attributes
+    )
+
+Make sure your SITE_DOMAIN variable in production/development is correctly set to the right top level domain. This will be needed
+to allow redirects between the servers to happen correctly (it requires Absolute URLs). For example, in config/environments/production.rb:
+
+    SITE_DOMAIN="www.yourdomainname.com"
+
+### Extra Attributes (Optional)
+The :extra_attributes_session_key may not be needed, depending on what type of Authenticator your CAS server is using. You can
+safely leave it out if you are just using the normal CMS logic. A CAS server can send additional information back, and these will be stored as
+session variables that can be accessed in other methods.
+
+## D. Add/Configure the 'CAS Authenticated User' Group
+When you run rake db:migrate, this module will add a new group to the CMS called 'CAS Authenticated Users'. All users that
+log in successfully will be assigned to members of this group. You will potentially want to rename this group to something
+that more accurately reflects who these users are (i.e. Members, Staff, etc) and then set which sections of the website this
+group can visit.
+
+## E. Configure Login Form Portlet
+Alter the Login Form portlet to look something like this:
+
+    <% form_tag "https://cas.yourdomainname.org" do %>
+        <%= login_ticket_tag %>
+        <%= service_url_tag %>
+        <p>
+            <%= label_tag :login %>
+            <%= text_field_tag :username, @login %>
+        </p>
+        <p>
+            <%= label_tag :password %>
+            <%= password_field_tag :password %>
+            </p>
+        <p>
+            <%= label_tag :remember_me %>
+            <%= check_box_tag :remember_me, '1', @remember_me %>
+        </p>
+        <p><%= submit_tag "Login" %></p>
+    <% end %>
+
+The key changes are:
+
+1. The form needs to submit directly to the CAS server
+2. You need to add helpers for login_ticket_tag and service_url_tag. These generate hidden parameters CAS services need.
+3. Change the username parameter from :login to :username
+
+F. Known Issues
+
+* Every page is secured by the CASClient Gateway Filter, which means a lot of redirects. This is potentially a big performance hit, and would require modifying the filter so it only handles checking login_tickets, rather than redirects. 
+* A user logged in using CAS will be assigned to a single group. There is no way to map a user to different groups (i.e. Platnium or Gold Members). Could potentially be done via cas extra info.
+* The internal CMS User database is bypassed/not used for login for front end pages. This means it would fail the cmsadmin user tried to login via the Login Form.
+* [Low] LoginPortlet Form tag should pull from CAS automatically (requires changes to CMS core)
+* [Low] username/login field is different between CMS and CAS (requires core changes)
+* The CAS Login page has to be styled to match the look and feel of the site.
+* If the user types in wrong username/pw on CMS login form, they will be left on the CAS Login page, with message.
+* Every hit to a page with the login form portlet is fetching a LT from CAS. This is potentially slow. [Performance]
+

data/app/models/cas_user.rb

@@ -0,0 +1,20 @@
+#
+# This represents a user was autheniticated using a CAS service. Their user data is not saved in the database (in the users table_,
+# but is retrieved from an external service and stored purely as session data.
+#
+#
+class CasUser < GuestUser
+
+  GROUP_NAME = "cas_group"
+
+  def initialize(attributes={})
+    super({ :first_name => "CAS", :last_name => "User"}.merge(attributes))
+    @guest = false
+  end
+
+  # Using a single group for now. (This will need to be mapped to more groups later).
+  def group
+    @group ||= Group.find_by_code(GROUP_NAME)
+  end
+
+end

data/app/portlets/helpers/login_portlet_helper.rb

@@ -0,0 +1,15 @@
+# This assumes there is no existing LoginPortletHelper defined in the Core CMS project, and provides one
+# to simplify what users need to do in the form.
+module LoginPortletHelper
+
+  # Generates the hidden field for the service_url that the CAS server expects, which tells it where to redirect to. Must create
+  # an absolute URL.
+  def service_url_tag
+    hidden_field_tag :service, Cas::Utils.service_url(@portlet, @page, session[:return_to])
+  end
+
+  # Generates the hidden field for the login ticket that CAS server expects.
+  def login_ticket_tag
+    hidden_field_tag :lt, Cas::Utils.fetch_lt_from_cas
+  end
+end

data/db/migrate/20091002162550_add_cas_user_group.rb

@@ -0,0 +1,9 @@
+class AddCasUserGroup < ActiveRecord::Migration
+  def self.up
+    group = Group.create!(:name=>"CAS Authenticated Users", :code=>"cas_group", :group_type=>GroupType.find_by_name("Registered Public User"))
+    group.sections = Section.all
+  end
+
+  def self.down
+  end
+end

data/lib/bcms_cas/routes.rb

@@ -0,0 +1,7 @@
+module Cms::Routes
+  def routes_for_bcms_cas
+    namespace(:cms) do |cms|
+      #cms.content_blocks :cas
+    end  
+  end
+end

data/lib/bcms_cas.rb

@@ -0,0 +1,2 @@
+require 'bcms_cas/routes'
+require 'cas/authentication'

data/lib/cas/authentication.rb

@@ -0,0 +1,67 @@
+require 'cas/utils'
+require 'casclient'
+require 'casclient/frameworks/rails/filter'
+
+#
+# Augments the core Cms::Controllers to add Cas Authentication behavior.
+#
+module Cas
+  module Authentication
+
+    # Called when this module is included on the given class.
+    def self.included(controller_class)
+      controller_class.send(:include, InstanceMethods)
+
+      controller_class.skip_filter :check_access_to_page
+      controller_class.before_filter CASClient::Frameworks::Rails::GatewayFilter
+      controller_class.before_filter :login_from_cas_ticket
+      controller_class.before_filter :check_access_to_page_normally
+    end
+
+    # Each instance of the controller will gain these methods.
+    module InstanceMethods
+      def check_access_to_page_normally
+        logger.warn "Checking auth using normal Cms filter."
+        check_access_to_page
+      end
+
+      # Attempts to set the current user based on the session attribute set by CAS.
+      def login_from_cas_ticket
+        logger.debug "Attempting to login using CAS session variable."
+        if session[:cas_user]
+          logger.warn "Who is @current_user '#{@current_user.login}'?" if @current_user
+          logger.warn "Who is User.current '#{User.current.login}'?" if User.current
+
+          user = CasUser.new(:login=>session[:cas_user])
+
+          # Having to set both of these feels very duplicative. Ideally I would like a way
+          #   to set only once, but calling current_user= has sideeffects.
+          @current_user = User.current = user
+
+          logger.info "Found session[:cas_user]. Created CasUser with login '#{user.login}' and set as current_user." if @current_user
+        end
+        @current_user
+      end
+    end
+  end
+  Cms::ContentController.send(:include, Cas::Authentication)
+
+
+  # Extends the core SessionController to properly destroy the local session on logout, and redirect to CAS for Single Log out.
+  module SingleLogOut
+    def self.included(controller_class)
+      controller_class.send(:include, InstanceMethods)
+      controller_class.alias_method_chain :destroy, :cas
+    end
+
+    module InstanceMethods
+
+      def destroy_with_cas
+        logger.info "Handle single logout."
+        logout_user
+        Cas::Utils.logout(self, "http://#{SITE_DOMAIN}/")
+      end
+    end
+  end
+  Cms::SessionsController.send(:include, Cas::SingleLogOut)
+end

data/lib/cas/utils.rb

@@ -0,0 +1,72 @@
+#
+# Customizes behavior of CASFilter.
+#
+module Cas
+  class Utils
+    # This is a wrapper around the default behavior of the CASClient Rails filter.
+    #
+    # The only difference is that it generates a return URL that the user can click on to get back to the homepage.
+    def self.logout(controller, service = nil)
+      # Copy/Paste from Filter
+      referer = reset_session_and_get_referrer(controller, service)
+
+      # New lines
+      client = CASClient::Frameworks::Rails::Filter.client
+
+      # Adding gateway=true param to this logout URL will cause immediate redirect, which is preferable
+      #   since it means users aren't left stranded on the CAS server logout page.
+      url = client.logout_url(referer, referer)
+      controller.send(:redirect_to, "#{url}&gateway=true")
+    end
+
+    # Copy/Paste from CAS Filter
+    def self.reset_session_and_get_referrer(controller, service)
+      referer = service || controller.request.referer
+      st = controller.session[:cas_last_valid_ticket]
+      delete_service_session_lookup(st) if st
+      controller.send(:reset_session)
+      referer
+    end
+    #
+    # Gets a valid login_ticket from the CAS Server, which will allow us to submit directly from our CMS login forms.
+    #
+    def self.fetch_lt_from_cas
+      url = URI.parse("#{self.cas_server_url}/loginTicket")
+      post = Net::HTTP::Post.new(url.path)
+      post.set_form_data({'dummy'=>'data'})
+
+      https = Net::HTTP.new(url.host, url.port)
+      https.use_ssl = true
+
+      res = https.start {|http| http.request(post) }
+      lt = res.body
+      lt
+    end
+
+    def self.check(portlet)
+      portlet.current_page.path
+    end
+
+    # Calculates which URL the user should be redirect to, after completing registration on the CAS server.
+    def self.service_url(portlet, page, redirect_to = nil)
+      path = page.path if page
+      path = "" unless page
+      goto = redirect_to || portlet.success_url || path
+      unless goto.starts_with?("http://")
+        goto = to_absolute_url(goto)
+      end
+      goto
+    end
+
+    # Looks up the URL of the CAS server from the environment
+    def self.cas_server_url
+      CASClient::Frameworks::Rails::Filter.config[:cas_base_url]
+    end
+
+    private
+
+    def self.to_absolute_url(path)
+      "http://#{SITE_DOMAIN}#{path}"
+    end
+  end
+end

data/rails/init.rb

@@ -0,0 +1,3 @@
+gem_root = File.expand_path(File.join(File.dirname(__FILE__), ".."))
+Cms.add_to_rails_paths gem_root
+Cms.add_generator_paths gem_root, "db/migrate/[0-9]*_*.rb"

data/test/performance/browsing_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+require 'performance_test_help'
+
+# Profiling results for each test method are written to tmp/performance.
+class BrowsingTest < ActionController::PerformanceTest
+  def test_homepage
+    get '/'
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,38 @@
+ENV["RAILS_ENV"] = "test"
+require File.expand_path(File.dirname(__FILE__) + "/../config/environment")
+require 'test_help'
+
+class ActiveSupport::TestCase
+  # Transactional fixtures accelerate your tests by wrapping each test method
+  # in a transaction that's rolled back on completion.  This ensures that the
+  # test database remains unchanged so your fixtures don't have to be reloaded
+  # between every test method.  Fewer database queries means faster tests.
+  #
+  # Read Mike Clark's excellent walkthrough at
+  #   http://clarkware.com/cgi/blosxom/2005/10/24#Rails10FastTesting
+  #
+  # Every Active Record database supports transactions except MyISAM tables
+  # in MySQL.  Turn off transactional fixtures in this case; however, if you
+  # don't care one way or the other, switching from MyISAM to InnoDB tables
+  # is recommended.
+  #
+  # The only drawback to using transactional fixtures is when you actually 
+  # need to test transactions.  Since your test is bracketed by a transaction,
+  # any transactions started in your code will be automatically rolled back.
+  self.use_transactional_fixtures = true
+
+  # Instantiated fixtures are slow, but give you @david where otherwise you
+  # would need people(:david).  If you don't want to migrate your existing
+  # test cases which use the @david style and don't mind the speed hit (each
+  # instantiated fixtures translates to a database query per test method),
+  # then set this back to true.
+  self.use_instantiated_fixtures  = false
+
+  # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
+  #
+  # Note: You'll currently still have to declare fixtures explicitly in integration tests
+  # -- they do not yet inherit this setting
+  fixtures :all
+
+  # Add more helper methods to be used by all tests here...
+end

data/test/unit/cas/cas_authentication_test.rb

@@ -0,0 +1,108 @@
+require 'test_helper'
+require 'mocha'
+
+class MyController < ActionController::Base
+  include Cms::Authentication::Controller
+
+  def get_at_current_user
+    @current_user
+  end
+
+  def flash
+    {}
+  end
+
+  def destroy
+    "Exists only to be alias_method_chained"
+  end
+end
+
+class CasAuthTest < ActiveSupport::TestCase
+
+  def setup
+    MyController.expects(:skip_filter).with(:check_access_to_page)
+    MyController.expects(:before_filter).with(CASClient::Frameworks::Rails::GatewayFilter)
+    MyController.expects(:before_filter).with(:login_from_cas_ticket)
+    MyController.expects(:before_filter).with(:check_access_to_page_normally)
+
+    MyController.send(:include, Cas::Authentication)
+
+  end
+
+  def teardown
+    User.current = nil
+  end
+
+
+  test "Alias's the existing filter to a different name." do
+    c = MyController.new
+    c.expects(:check_access_to_page)
+
+    c.check_access_to_page_normally
+  end
+
+  test "adds current_user and login from session to class" do
+    c = MyController.new
+
+    assert c.respond_to?(:current_user)
+    assert c.respond_to?(:login_from_cas_ticket)
+
+  end
+
+
+  test "login_from_cas_ticket will create and set the current user and User.current if a session attribute was found." do
+    c = MyController.new
+    c.session = {}
+    c.session[:cas_user] = "1234"
+
+    User.current = Group.find_by_code("guest")
+
+    c.login_from_cas_ticket
+
+    current_user = c.get_at_current_user
+    assert_equal CasUser, current_user.class
+    assert_equal "1234", current_user.login
+    assert_equal current_user, User.current
+  end
+
+  test "Cms::ContentController gets augmented" do
+    assert (Cms::ContentController.new.respond_to? :check_access_to_page_normally)
+  end
+
+end
+
+class CasSessionControllerTest < ActiveSupport::TestCase
+
+
+  test "alias_method_chain the normal methods" do
+    MyController.send(:include, Cas::SingleLogOut)
+
+    c = MyController.new
+    
+    assert( c.respond_to? :destroy)
+    assert( c.respond_to? :destroy_with_cas)
+    assert( c.respond_to? :destroy_without_cas)
+
+  end
+
+  test "destroy_with_cas redirects to server and calls logout_user" do
+    MyController.send(:include, Cas::SingleLogOut)
+    c = MyController.new
+
+    c.expects(:logout_user)
+
+    Cas::Utils.expects(:logout).with(c, "http://#{SITE_DOMAIN}/")
+
+    c.destroy_with_cas
+
+
+  end
+
+  test "that BrowserCMS 3.0.3 installed." do
+    assert Cms::SessionsController.new.respond_to?(:logout_user), "Need to have BrowserCMS 3.0.3 installed for Cas module to work."
+  end
+  
+  test "Cms::SessionController gets augmented" do
+    assert (Cms::SessionsController.new.respond_to? :destroy_with_cas)    
+  end
+end

data/test/unit/cas_user_test.rb

@@ -0,0 +1,35 @@
+require 'test_helper'
+
+class CasUserTest < ActiveSupport::TestCase
+
+  def setup
+    @s = Section.create!(:name=>"root", :root=>true, :path=>"/")
+    @p = Page.create!(:name=>"Home", :section=>@s, :path=>"/p")
+    @g = Group.create!(:name=>"G", :code=>"cas_group")
+    @g.sections = Section.all
+  end
+
+  test "group returns the cas_group" do
+    user = CasUser.new
+
+    assert_equal @g, user.group
+  end
+
+  test "cas_user should be able to view all sections (based on group)" do
+    user = CasUser.new
+
+    assert user.able_to_view?(@p)
+  end
+
+  test "setting login" do
+    user = CasUser.new(:login=>"bob")
+    assert_equal "bob", user.login
+  end
+
+  test "that CasUsers are not considered guests" do
+    user = CasUser.new
+    assert !user.guest?
+  end
+
+
+end

data/test/unit/cas_utils_test.rb

@@ -0,0 +1,83 @@
+require 'test_helper'
+require 'mocha'
+
+class CasUtilsTest < ActiveSupport::TestCase
+
+  def setup
+    @current_page = Page.new(:path=>"/expected")
+    @portlet = LoginPortlet.new
+  end
+
+  test "service_url returns absolute success_url if specified" do
+    @portlet.success_url = "/stuff"
+    assert_equal "http://localhost:3000/stuff", Cas::Utils.service_url(@portlet, @current_page), "This really need to be an absolute path for it work w/ CAS."
+  end
+
+  test "service_url returns current page if specified" do
+    p = LoginPortlet.new
+    p.current_page = Page.new(:path=>"/expected")
+
+    s = Cas::Utils.service_url(p, @current_page)
+    assert_equal "http://localhost:3000/expected", s
+  end
+
+  test "service_url returns redirect_to if available" do
+    s = Cas::Utils.service_url(@portlet, @current_page, "/redirected")
+    assert_equal "http://localhost:3000/redirected", s
+  end
+
+  test "Nil page doesn't cause Nil exception" do
+    s = Cas::Utils.service_url(@portlet, nil, nil)
+    assert_equal "http://localhost:3000", s
+  end
+
+  test "Portlets work as expected (CMS Core check)" do
+    p = LoginPortlet.new
+
+    assert_equal nil, p.success_url, "Validate that LoginPortlet returns nil if no success_url is set (rather than an empty string."
+  end
+
+  test "cas_server_url looks up CAS server from config in environment" do
+    expected = "https://127.0.0.1"
+    CASClient::Frameworks::Rails::Filter.expects(:config).returns({:cas_base_url=>expected})
+
+    assert_equal expected, Cas::Utils.cas_server_url
+  end
+
+  test "get login ticket" do
+    expected_host = "https://random.com"
+    Cas::Utils.expects(:cas_server_url).with.returns(expected_host)
+
+    Net::HTTP.any_instance.stubs(:start).returns(mock(:body=>"Ticket 100"))
+    uri = stub(:path=>"#{expected_host}/loginTicket", :host=>"", :port=>80)
+    URI.expects(:parse).with("#{expected_host}/loginTicket").returns(uri)
+
+    ticket = Cas::Utils.fetch_lt_from_cas
+    assert_equal "Ticket 100", ticket
+  end
+
+  # Verification test of CasClient API behavior.
+  test "[CASClient] Verify expected behavior of CASClient#logout_url" do
+    destination_url = "localhost"
+
+    client = CASClient::Client.new({:cas_base_url=>"/", :logout_url=>"/"})
+
+    logout_url = client.logout_url(destination_url, destination_url)
+    assert_equal "/?destination=localhost&url=localhost", logout_url, "Verifies that logout_url generates a correct URL."
+    assert_equal String, logout_url.class
+  end
+
+  test "Cas::Utils#logout redirects and attaches gateway=true to logout_url" do
+    destination_url = "localhost"
+    logout_url = "/?destination=localhost&url=localhost"
+
+    CASClient::Frameworks::Rails::Filter.expects(:client).returns(CASClient::Client.new({:cas_base_url=>""}))
+    CASClient::Client.any_instance.expects(:logout_url).with(destination_url, destination_url).returns(logout_url)
+
+    controller = stub()
+    controller.expects(:redirect_to).with("#{logout_url}&gateway=true")
+    Cas::Utils.expects(:reset_session_and_get_referrer).returns(destination_url)
+    
+    Cas::Utils.logout(controller, "/")
+  end
+end

data/test/unit/helpers/login_portlet_helper_test.rb

@@ -0,0 +1,10 @@
+require 'test_helper'
+require 'mocha'
+
+class LoginPortletHelperTest < ActionView::TestCase
+
+  test "Fetching login ticket" do
+    ticket = Cas::Utils.expects(:fetch_lt_from_cas).with().returns("ABC")
+    assert_equal hidden_field_tag( :lt, "ABC"), login_ticket_tag
+  end
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification 
+name: bcms_cas
+version: !ruby/object:Gem::Version 
+  version: 1.0.0
+platform: ruby
+authors: 
+- BrowserMedia
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-11-05 00:00:00 -05:00
+default_executable: 
+dependencies: []
+
+description: 
+email: github@browsermedia.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.markdown
+files: 
+- app/models/cas_user.rb
+- app/portlets/helpers/login_portlet_helper.rb
+- db/migrate/20091002162550_add_cas_user_group.rb
+- lib/bcms_cas.rb
+- lib/bcms_cas/routes.rb
+- lib/cas/authentication.rb
+- lib/cas/utils.rb
+- rails/init.rb
+- README.markdown
+has_rdoc: true
+homepage: http://browsercms.org
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: browsercms
+rubygems_version: 1.3.4
+signing_key: 
+specification_version: 3
+summary: A CAS Module for BrowserCMS
+test_files: 
+- test/performance/browsing_test.rb
+- test/test_helper.rb
+- test/unit/cas/cas_authentication_test.rb
+- test/unit/cas_user_test.rb
+- test/unit/cas_utils_test.rb
+- test/unit/helpers/login_portlet_helper_test.rb