bmedia-casserver 1.1.1

data/spec/alt_config.yml

@@ -0,0 +1,50 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+uri_path: /test
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password: 
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+ 
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+#downcase_username: true

data/spec/authenticators/active_resource_spec.rb

@@ -0,0 +1,109 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/../spec_helper'
+
+require 'casserver/authenticators/active_resource'
+
+describe CASServer::Authenticators::Helpers::Identity do
+
+  it { should be_an ActiveResource::Base }
+
+  it "class should respond to :authenticate" do
+    subject.class.should respond_to :authenticate
+  end
+
+  it "class should have a method_name accessor" do
+    CASServer::Authenticators::Helpers::Identity.method_name.should == :authenticate
+  end
+
+  it "class should have a method_name accessor" do
+    CASServer::Authenticators::Helpers::Identity.method_type.should == :post
+  end
+
+  it "class method_type accessor should validate type" do
+    expect {
+      CASServer::Authenticators::Helpers::Identity.method_type = :foo
+    }.to raise_error(ArgumentError)
+  end
+
+end
+
+describe CASServer::Authenticators::ActiveResource do
+
+  describe "#setup" do
+
+    it "should configure the identity object" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:user=).with('httpuser').once
+      CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :user => 'httpuser'
+    end
+
+    it "should configure the method_type" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:method_type=).with('get').once
+      CASServer::Authenticators::ActiveResource.setup :site => 'http://api.example.org', :method_type => 'get'
+    end
+
+    it "should raise if site option is missing" do
+      expect {
+        CASServer::Authenticators::ActiveResource.setup({}).should
+      }.to raise_error(CASServer::AuthenticatorError, /site option/)
+    end
+  end
+
+  describe "#validate" do
+
+    let(:credentials) { {:username => 'validusername',
+                         :password => 'validpassword',
+                         :service => 'test.service'} }
+
+    let(:auth) { CASServer::Authenticators::ActiveResource.new }
+
+    def mock_authenticate identity = nil
+      identity = CASServer::Authenticators::Helpers::Identity.new if identity.nil?
+      CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_return(identity)
+    end
+
+    def sample_identity attrs = {}
+      identity = CASServer::Authenticators::Helpers::Identity.new
+      attrs.each { |k,v| identity.send "#{k}=", v }
+      identity
+    end
+
+    it "should call Identity#autenticate with the given params" do
+      CASServer::Authenticators::Helpers::Identity.should_receive(:authenticate).with(credentials).once
+      auth.validate(credentials)
+    end
+
+    it "should return identity object attributes as extra attributes" do
+      auth.configure({}.with_indifferent_access)
+      identity = sample_identity({:email => 'foo@example.org'})
+      mock_authenticate identity
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == identity.attributes
+    end
+
+    it "should return false when http raises" do
+      CASServer::Authenticators::Helpers::Identity.stub!(:authenticate).and_raise(ActiveResource::ForbiddenAccess.new({}))
+      auth.validate(credentials).should be_false
+    end
+
+    it "should apply extra_attribute filter" do
+      auth.configure({ :extra_attributes => 'age'}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "age" => "28" }
+    end
+
+    it "should only extract not filtered attributes" do
+      auth.configure({ :filter_attributes => 'age'}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :age => 28 })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "email" => 'foo@example.org' }
+    end
+
+    it "should filter password if filter attributes is not given" do
+      auth.configure({}.with_indifferent_access)
+      mock_authenticate sample_identity({ :email => 'foo@example.org', :password => 'secret' })
+      auth.validate(credentials).should be_true
+      auth.extra_attributes.should == { "email" => 'foo@example.org' }
+    end
+  end
+end

data/spec/authenticators/ldap_spec.rb

@@ -0,0 +1,53 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/../spec_helper'
+
+require 'casserver/authenticators/ldap'
+
+describe CASServer::Authenticators::LDAP do
+  before do
+    @ldap_entry = mock(Net::LDAP::Entry.new)
+    @ldap_entry.stub!(:[]).and_return("Test")
+    
+    @ldap = mock(Net::LDAP)
+    @ldap.stub!(:host=)
+    @ldap.stub!(:port=)
+    @ldap.stub!(:encryption)
+    @ldap.stub!(:bind_as).and_return(true)
+    @ldap.stub!(:authenticate).and_return(true)
+    @ldap.stub!(:search).and_return([@ldap_entry])
+    
+    Net::LDAP.stub!(:new).and_return(@ldap)
+  end
+  
+  describe '#validate' do
+
+    it 'validate with preauthentication and with extra attributes' do
+      auth = CASServer::Authenticators::LDAP.new
+
+      auth_config = HashWithIndifferentAccess.new(
+        :ldap => {
+          :host => "ad.example.net",
+          :port => 389,
+          :base => "dc=example,dc=net",
+          :filter => "(objectClass=person)",
+          :auth_user => "authenticator",
+          :auth_password => "itsasecret"
+        },
+        :extra_attributes => [:full_name, :address]
+      )
+      
+      auth.configure(auth_config.merge('auth_index' => 0))
+      auth.validate(
+        :username => 'validusername',
+        :password => 'validpassword',
+        :service =>  'test.service',
+        :request => {}
+      ).should == true
+      
+      auth.extra_attributes.should == {:full_name => 'Test', :address => 'Test'}
+    end
+    
+  end
+end
+
+

data/spec/casserver_spec.rb

@@ -0,0 +1,156 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+$LOG = Logger.new(File.basename(__FILE__).gsub('.rb','.log'))
+
+RSpec.configure do |config|
+  config.include Capybara::DSL
+end
+
+VALID_USERNAME = 'spec_user'
+VALID_PASSWORD = 'spec_password'
+
+ATTACK_USERNAME = '%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&password=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&lt=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E&service=%3E%22%27%3E%3Cscript%3Ealert%2826%29%3C%2Fscript%3E'
+INVALID_PASSWORD = 'invalid_password'
+
+describe 'CASServer' do
+
+  before do
+    @target_service = 'http://my.app.test'
+  end
+
+  describe "/login" do
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+    end
+
+    it "logs in successfully with valid username and password without a target service" do
+      visit "/login"
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("You have successfully logged in")
+    end
+
+    it "fails to log in with invalid password" do
+      visit "/login"
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+    end
+
+    it "logs in successfully with valid username and password and redirects to target service" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+    end
+
+    it "preserves target service after invalid login" do
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => INVALID_PASSWORD
+      click_button 'login-submit'
+
+      page.should have_content("Incorrect username or password")
+      page.should have_xpath('//input[@id="service"]', :value => @target_service)
+    end
+
+    it "uses appropriate localization based on Accept-Language header" do
+      
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'pl'}
+      #visit "/login?lang=pl"
+      visit "/login"
+      page.should have_content("Użytkownik")
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'pt_BR'}
+      #visit "/login?lang=pt_BR"
+      visit "/login"
+      page.should have_content("Usuário")
+
+      page.driver.options[:headers] = {'HTTP_ACCEPT_LANGUAGE' => 'en'}
+      #visit "/login?lang=en"
+      visit "/login"
+      page.should have_content("Username")
+    end
+
+    it "is not vunerable to Cross Site Scripting" do
+      visit '/login?service=%22%2F%3E%3cscript%3ealert%2832%29%3c%2fscript%3e'
+      page.should_not have_content("alert(32)")
+      page.should_not have_xpath("//script")
+      #page.should have_xpath("<script>alert(32)</script>")
+    end
+
+  end # describe '/login'
+
+
+  describe '/logout' do
+
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+    end
+
+    it "logs out successfully" do
+      visit "/logout"
+
+      page.should have_content("You have successfully logged out")
+    end
+
+    it "logs out successfully and redirects to target service" do
+      visit "/logout?gateway=true&service="+CGI.escape(@target_service)
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?/
+    end
+
+  end # describe '/logout'
+
+  describe 'Configuration' do
+    it "uri_path value changes prefix of routes" do
+      load_server(File.dirname(__FILE__) + "/alt_config.yml")
+      @target_service = 'http://my.app.test'
+
+      visit "/test/login"
+      page.status_code.should_not == 404
+
+      visit "/test/logout"
+      page.status_code.should_not == 404
+    end
+  end
+
+  describe "proxyValidate" do
+    before do
+      load_server(File.dirname(__FILE__) + "/default_config.yml")
+      reset_spec_database
+
+      visit "/login?service="+CGI.escape(@target_service)
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
+
+      click_button 'login-submit'
+
+      page.current_url.should =~ /^#{Regexp.escape(@target_service)}\/?\?ticket=ST\-[1-9rA-Z]+/
+      @ticket = page.current_url.match(/ticket=(.*)$/)[1]
+    end
+
+    it "should have extra attributes in proper format" do
+      visit "/serviceValidate?service=#{CGI.escape(@target_service)}&ticket=#{@ticket}"
+
+      encoded_utf_string = "&#1070;&#1090;&#1092;" # actual string is "Ютф"
+      page.body.should match("<test_utf_string>#{encoded_utf_string}</test_utf_string>")
+      page.body.should match("<test_numeric>123.45</test_numeric>")
+      page.body.should match("<test_utf_string>&#1070;&#1090;&#1092;</test_utf_string>")
+    end
+  end
+end

data/spec/default_config.yml

@@ -0,0 +1,50 @@
+server: webrick
+port: 6543
+#ssl_cert: test.pem
+#uri_path: /cas
+#bind_address: 0.0.0.0
+
+# database:
+#   adapter: mysql
+#   database: casserver
+#   username: root
+#   password: 
+#   host: localhost
+#   reconnect: true
+database:
+ adapter: sqlite3
+ database: spec/casserver_spec.db
+ 
+disable_auto_migrations: true
+
+quiet: true
+
+authenticator:
+  class: CASServer::Authenticators::Test
+  password: spec_password
+
+theme: simple
+
+organization: "RSPEC-TEST"
+
+infoline: "This is an rspec test."
+
+#custom_views: /path/to/custom/views
+
+default_locale: en
+
+log:
+  file: casserver_spec.log
+  level: DEBUG
+
+#db_log:
+#  file: casserver_spec_db.log
+
+enable_single_sign_out: true
+
+#maximum_unused_login_ticket_lifetime: 300
+#maximum_unused_service_ticket_lifetime: 300
+
+#maximum_session_lifetime: 172800
+
+#downcase_username: true

data/spec/model_spec.rb

@@ -0,0 +1,42 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+module CASServer
+end
+require 'casserver/model'
+
+describe CASServer::Model::LoginTicket, '.cleanup(max_lifetime, max_unconsumed_lifetime)' do
+  let(:max_lifetime) { -1 }
+  let(:max_unconsumed_lifetime) { -2 }
+
+  before do
+    load_server(File.dirname(__FILE__) + "/default_config.yml")
+    reset_spec_database
+    
+    CASServer::Model::LoginTicket.create :ticket => 'test', :client_hostname => 'test.local'
+  end
+
+  it 'should destroy all tickets created before the max lifetime' do
+    expect {
+      CASServer::Model::LoginTicket.cleanup(max_lifetime, max_unconsumed_lifetime)
+    }.to change(CASServer::Model::LoginTicket, :count).by(-1)
+  end
+
+  it 'should destroy all unconsumed tickets not exceeding the max lifetime' do
+    expect {
+      CASServer::Model::LoginTicket.cleanup(max_lifetime, max_unconsumed_lifetime)
+    }.to change(CASServer::Model::LoginTicket, :count).by(-1)
+  end
+end
+
+describe CASServer::Model::LoginTicket, '#to_s' do
+  let(:ticket) { 'test' }
+
+  before do
+    @login_ticket = CASServer::Model::LoginTicket.new :ticket => ticket
+  end
+
+  it 'should delegate #to_s to #ticket' do
+    @login_ticket.to_s.should == ticket
+  end
+end

data/spec/spec.opts

@@ -0,0 +1,4 @@
+--colour
+--format nested
+--loadby mtime
+--reverse

data/spec/spec_helper.rb

@@ -0,0 +1,89 @@
+require 'rubygems'
+require 'sinatra'
+require 'rack/test'
+require 'rspec'
+#require 'spec/autorun'
+#require 'spec/interop/test'
+require 'logger'
+require 'ostruct'
+
+require 'capybara'
+require 'capybara/dsl'
+
+# set test environment
+set :environment, :test
+set :run, false
+set :raise_errors, true
+set :logging, false
+
+
+if Dir.getwd =~ /\/spec$/
+  # Avoid potential weirdness by changing the working directory to the CASServer root
+  FileUtils.cd('..')
+end
+
+def silence_warnings
+  old_verbose, $VERBOSE = $VERBOSE, nil
+  yield
+ensure
+  $VERBOSE = old_verbose
+end
+
+# Ugly monkeypatch to allow us to test for correct redirection to
+# external services.
+#
+# This will likely break in the future when Capybara or RackTest are upgraded.
+class Capybara::RackTest::Browser
+  def current_url
+    if @redirected_to_external_url
+      @redirected_to_external_url
+    else
+      request.url rescue ""
+    end
+  end
+
+  def follow_redirects!
+    if last_response.redirect? && last_response['Location'] =~ /^http[s]?:/
+      puts "FOLLOWING REDIECT: #{last_response['Location']}"
+      @redirected_to_external_url = last_response['Location']
+    else
+      5.times do
+        follow_redirect! if last_response.redirect?
+      end
+      raise Capybara::InfiniteRedirectError, "redirected more than 5 times, check for infinite redirects." if last_response.redirect?
+    end
+  end
+end
+
+# This called in specs' `before` block.
+# Due to the way Sinatra applications are loaded,
+# we're forced to delay loading of the server code
+# until the start of each test so that certain 
+# configuraiton options can be changed (e.g. `uri_path`)
+def load_server(config_file)
+  ENV['CONFIG_FILE'] = config_file
+  
+  silence_warnings do
+    load File.dirname(__FILE__) + '/../lib/casserver/server.rb'
+  end
+  
+  CASServer::Server.enable(:raise_errors)
+  CASServer::Server.disable(:show_exceptions)
+
+  #Capybara.current_driver = :selenium
+  Capybara.app = CASServer::Server
+end
+
+# Deletes the sqlite3 database specified in the app's config
+# and runs the db:migrate rake tasks to rebuild the database schema.
+def reset_spec_database
+  raise "Cannot reset the spec database because config[:database][:database] is not defined." unless
+    CASServer::Server.config[:database] && CASServer::Server.config[:database][:database]
+
+  FileUtils.rm_f(CASServer::Server.config[:database][:database])
+  
+  ActiveRecord::Base.logger = Logger.new(STDOUT)
+  ActiveRecord::Base.logger.level = Logger::ERROR
+  ActiveRecord::Migration.verbose = false
+  ActiveRecord::Migrator.migrate("db/migrate")
+end

data/spec/utils_spec.rb

@@ -0,0 +1,53 @@
+# encoding: UTF-8
+require File.dirname(__FILE__) + '/spec_helper'
+
+module CASServer
+end
+require 'casserver/utils'
+
+describe CASServer::Utils, '#random_string(max_length = 29)' do
+  before do
+    load_server(File.dirname(__FILE__) + "/default_config.yml")
+    reset_spec_database
+  end
+  
+  context 'when max length is not passed in' do
+    it 'should return a random string of length 29' do
+      subject.random_string.length.should == 29
+    end
+  end
+
+  context 'when max length is passed in' do
+    it 'should return a random string of the desired length' do
+      subject.random_string(30).length.should == 30
+    end
+  end
+
+  it 'should include the letter r in the random string' do
+    subject.random_string.should include 'r'
+  end
+
+  it 'should return a random string' do
+    random_string = subject.random_string
+    another_random_string = subject.random_string
+    random_string.should_not == another_random_string
+  end
+end
+
+describe CASServer::Utils, '#log_controller_action(controller, params)' do
+  let(:params) { {} }
+  let(:params_with_password) { { 'password' => 'test' } }
+  let(:params_with_password_filtered) { { 'password' => '******' } }
+
+  it 'should log the controller action' do
+    $LOG.should_receive(:debug).with 'Processing application::instance_eval {}'
+
+    subject.log_controller_action('application', params)
+  end
+
+  it 'should filter password parameters in the log' do
+    $LOG.should_receive(:debug).with "Processing application::instance_eval #{params_with_password_filtered.inspect}"
+
+    subject.log_controller_action('application', params_with_password)
+  end
+end

data/tasks/bundler.rake

@@ -0,0 +1,4 @@
+require 'bundler'
+namespace :bundler do
+  Bundler::GemHelper.install_tasks
+end

data/tasks/db/migrate.rake

@@ -0,0 +1,12 @@
+namespace :db do
+  desc "bring your CAS server database schema up to date (options CONFIG=/path/to/config.yml)"
+  task :migrate do |t|
+    $:.unshift File.dirname(__FILE__) + "/../../lib"
+    
+    require 'casserver/server'
+    
+    CASServer::Model::Base.logger = Logger.new(STDOUT)
+    ActiveRecord::Migration.verbose = true
+    ActiveRecord::Migrator.migrate("db/migrate")
+  end
+end

data/tasks/spec.rake

@@ -0,0 +1,10 @@
+begin
+  require 'rspec/core/rake_task'
+  desc 'Run RSpecs to confirm that all functionality is working as expected'
+  RSpec::Core::RakeTask.new('spec') do |t|
+    t.rspec_opts = ['--colour', '--format nested']
+    t.pattern = 'spec/**/*_spec.rb'
+  end
+rescue LoadError
+  puts "Hiding spec tasks because RSpec is not available"
+end