casino 1.3.2 → 2.0.0

data/spec/processor/logout_other_sessions_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe CASino::OtherSessionsDestroyerProcessor do
+  describe '#process' do
+    let(:listener) { Object.new }
+    let(:processor) { described_class.new(listener) }
+    let(:cookies) { { tgt: tgt } }
+    let(:url) { nil }
+    let(:params) { { :service => url } unless url.nil? }
+
+    before(:each) do
+      listener.stub(:other_sessions_destroyed)
+    end
+
+    context 'with an existing ticket-granting ticket' do
+      let(:user) { FactoryGirl.create :user }
+      let!(:other_users_ticket_granting_tickets) { FactoryGirl.create_list :ticket_granting_ticket, 3 }
+      let!(:other_ticket_granting_tickets) { FactoryGirl.create_list :ticket_granting_ticket, 3, user: user }
+      let!(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket, user: user }
+      let(:tgt) { ticket_granting_ticket.ticket }
+      let(:user_agent) { ticket_granting_ticket.user_agent }
+
+      it 'deletes all other ticket-granting tickets' do
+        lambda do
+          processor.process(params, cookies, user_agent)
+        end.should change(CASino::TicketGrantingTicket, :count).by(-3)
+      end
+
+      it 'calls the #user_logged_out method on the listener' do
+        listener.should_receive(:other_sessions_destroyed).with(nil)
+        processor.process(params, cookies, user_agent)
+      end
+
+      context 'with an URL' do
+        let(:url) { 'http://www.example.com' }
+
+        it 'calls the #user_logged_out method on the listener and passes the URL' do
+          listener.should_receive(:other_sessions_destroyed).with(url)
+          processor.process(params, cookies, user_agent)
+        end
+      end
+    end
+
+    context 'with an invlaid ticket-granting ticket' do
+      let(:tgt) { 'TGT-lalala' }
+
+      it 'calls the #other_sessions_destroyed method on the listener' do
+        listener.should_receive(:other_sessions_destroyed).with(nil)
+        processor.process(params, cookies)
+      end
+    end
+  end
+end

data/spec/processor/logout_spec.rb

@@ -0,0 +1,72 @@
+require 'spec_helper'
+
+describe CASino::LogoutProcessor do
+  describe '#process' do
+    let(:listener) { Object.new }
+    let(:processor) { described_class.new(listener) }
+    let(:cookies) { { tgt: tgt } }
+    let(:url) { nil }
+    let(:params) { { :url => url } unless url.nil? }
+
+    before(:each) do
+      listener.stub(:user_logged_out)
+    end
+
+    context 'with an existing ticket-granting ticket' do
+      let(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+      let(:tgt) { ticket_granting_ticket.ticket }
+      let(:user_agent) { ticket_granting_ticket.user_agent }
+
+      it 'deletes the ticket-granting ticket' do
+        processor.process(params, cookies, user_agent)
+        CASino::TicketGrantingTicket.where(id: ticket_granting_ticket.id).first.should == nil
+      end
+
+      it 'calls the #user_logged_out method on the listener' do
+        listener.should_receive(:user_logged_out).with(nil)
+        processor.process(params, cookies, user_agent)
+      end
+
+      context 'with an URL' do
+        let(:url) { 'http://www.example.com' }
+
+        it 'calls the #user_logged_out method on the listener and passes the URL' do
+          listener.should_receive(:user_logged_out).with(url)
+          processor.process(params, cookies, user_agent)
+        end
+      end
+
+      context 'with a service' do
+        let(:params) { { :service => url } }
+        let(:url) { 'http://www.example.org' }
+
+        context '(whitelisted)' do
+          it 'calls the #user_logged_out method on the listener and passes the URL and the redirect_immediate flag' do
+            listener.should_receive(:user_logged_out).with(url, true)
+            processor.process(params, cookies, user_agent)
+          end
+        end
+
+        context '(not whitelisted)' do
+          before(:each) do
+            FactoryGirl.create :service_rule, :regex, url: '^https://.*'
+          end
+
+          it 'calls the #user_logged_out method on the listener and passes no URL' do
+            listener.should_receive(:user_logged_out).with(nil)
+            processor.process(params, cookies, user_agent)
+          end
+        end
+      end
+    end
+
+    context 'with an invlaid ticket-granting ticket' do
+      let(:tgt) { 'TGT-lalala' }
+
+      it 'calls the #user_logged_out method on the listener' do
+        listener.should_receive(:user_logged_out).with(nil)
+        processor.process(params, cookies)
+      end
+    end
+  end
+end

data/spec/processor/processor_concern/service_tickets_spec.rb

@@ -0,0 +1,49 @@
+require 'spec_helper'
+
+describe CASino::ProcessorConcern::ServiceTickets do
+  let(:class_with_mixin) {
+    Class.new do
+      include CASino::ProcessorConcern::ServiceTickets
+    end
+  }
+  subject {
+    class_with_mixin.new
+  }
+
+  describe '#acquire_service_ticket' do
+    let(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+    let(:service) { 'http://www.example.com/' }
+
+    context 'with a ticket-granting ticket with existing service tickets' do
+      let!(:service_ticket) { FactoryGirl.create :service_ticket, ticket_granting_ticket: ticket_granting_ticket, service: service }
+      let!(:other_service_ticket) { FactoryGirl.create :service_ticket, ticket_granting_ticket: ticket_granting_ticket }
+
+      it 'does not change the service tickets count' do
+        expect do
+          subject.acquire_service_ticket(ticket_granting_ticket, service)
+        end.to_not change(CASino::ServiceTicket, :count)
+      end
+
+      it 'deletes the old service ticket' do
+        subject.acquire_service_ticket(ticket_granting_ticket, service)
+        expect { service_ticket.reload }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+
+    context 'with a service url another ticket-granting ticket has a service ticket for' do
+      let!(:service_ticket) { FactoryGirl.create :service_ticket, ticket_granting_ticket: ticket_granting_ticket, service: service }
+      let!(:other_ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+
+      it 'does change the service tickets count' do
+        expect do
+          subject.acquire_service_ticket(other_ticket_granting_ticket, service)
+        end.to change(CASino::ServiceTicket, :count).by(1)
+      end
+
+      it 'does not delete the other service ticket' do
+        subject.acquire_service_ticket(other_ticket_granting_ticket, service)
+        expect { service_ticket.reload }.not_to raise_error
+      end
+    end
+  end
+end

data/spec/processor/proxy_ticket_provider_spec.rb

@@ -0,0 +1,66 @@
+require 'spec_helper'
+
+describe CASino::ProxyTicketProviderProcessor do
+  describe '#process' do
+    let(:listener) { Object.new }
+    let(:processor) { described_class.new(listener) }
+    let(:params) { { targetService: 'this_does_not_have_to_be_a_url' } }
+
+    before(:each) do
+      listener.stub(:request_failed)
+      listener.stub(:request_succeeded)
+    end
+
+    context 'without proxy-granting ticket' do
+      it 'calls the #request_failed method on the listener' do
+        listener.should_receive(:request_failed)
+        processor.process(params)
+      end
+
+      it 'does not create a proxy ticket' do
+        lambda do
+          processor.process(params)
+        end.should_not change(CASino::ProxyTicket, :count)
+      end
+    end
+
+    context 'with a not-existing proxy-granting ticket' do
+      let(:params_with_deleted_pgt) { params.merge(pgt: 'PGT-123453789') }
+
+      it 'calls the #request_failed method on the listener' do
+        listener.should_receive(:request_failed)
+        processor.process(params_with_deleted_pgt)
+      end
+
+      it 'does not create a proxy ticket' do
+        lambda do
+          processor.process(params_with_deleted_pgt)
+        end.should_not change(CASino::ProxyTicket, :count)
+      end
+    end
+
+    context 'with a proxy-granting ticket' do
+      let(:proxy_granting_ticket) { FactoryGirl.create :proxy_granting_ticket }
+      let(:params_with_valid_pgt) { params.merge(pgt: proxy_granting_ticket.ticket) }
+
+      it 'calls the #request_succeeded method on the listener' do
+        listener.should_receive(:request_succeeded)
+        processor.process(params_with_valid_pgt)
+      end
+
+      it 'does not create a proxy ticket' do
+        lambda do
+          processor.process(params_with_valid_pgt)
+        end.should change(proxy_granting_ticket.proxy_tickets, :count).by(1)
+      end
+
+      it 'includes the proxy ticket in the response' do
+        listener.should_receive(:request_succeeded) do |response|
+          proxy_ticket = CASino::ProxyTicket.last
+          response.should =~ /<cas:proxyTicket>#{proxy_ticket.ticket}<\/cas:proxyTicket>/
+        end
+        processor.process(params_with_valid_pgt)
+      end
+    end
+  end
+end

data/spec/processor/proxy_ticket_validator_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+describe CASino::ProxyTicketValidatorProcessor do
+  let(:listener) { Object.new }
+  let(:processor) { described_class.new(listener) }
+
+  describe '#process' do
+    let(:regex_success) { /\A<cas:serviceResponse.*\n.*authenticationSuccess/ }
+
+    context 'with a login ticket' do
+      let(:login_ticket) { FactoryGirl.create :login_ticket }
+      let(:parameters) { { ticket: login_ticket.ticket, service: 'http://www.example.org/' } }
+
+      it 'calls the #validation_failed method on the listener' do
+        listener.should_receive(:validation_failed)
+        processor.process(parameters)
+      end
+    end
+
+    context 'with an unconsumed proxy ticket' do
+      let(:proxy_ticket) { FactoryGirl.create :proxy_ticket }
+      let(:parameters) { { ticket: proxy_ticket.ticket, service: proxy_ticket.service } }
+      let(:regex_proxy) { /<cas:proxies>\s*<cas:proxy>#{proxy_ticket.proxy_granting_ticket.pgt_url}<\/cas:proxy>\s*<\/cas:proxies>/ }
+
+      it 'calls the #validation_succeeded method on the listener' do
+        listener.should_receive(:validation_succeeded).with(regex_success)
+        processor.process(parameters)
+      end
+
+      it 'includes the proxy in the response' do
+        listener.should_receive(:validation_succeeded).with(regex_proxy)
+        processor.process(parameters)
+      end
+
+      context 'with an expired proxy ticket' do
+        before(:each) do
+          CASino::ProxyTicket.any_instance.stub(:expired?).and_return(true)
+        end
+
+        it 'calls the #validation_failed method on the listener' do
+          listener.should_receive(:validation_failed)
+          processor.process(parameters)
+        end
+      end
+
+      context 'with an other service' do
+        let(:parameters_with_other_service) { parameters.merge(service: 'this_is_another_service') }
+
+        it 'calls the #validation_failed method on the listener' do
+          listener.should_receive(:validation_failed)
+          processor.process(parameters_with_other_service)
+        end
+      end
+
+      context 'without an existing ticket' do
+        let(:parameters_without_existing_ticket) { { ticket: 'PT-1234', service: 'https://www.example.com/' } }
+
+        it 'calls the #validation_failed method on the listener' do
+          listener.should_receive(:validation_failed)
+          processor.process(parameters_without_existing_ticket)
+        end
+      end
+    end
+  end
+end

data/spec/processor/second_factor_authenticaton_acceptor_spec.rb

@@ -0,0 +1,94 @@
+require 'spec_helper'
+
+describe CASino::SecondFactorAuthenticationAcceptorProcessor do
+  describe '#process' do
+    let(:listener) { Object.new }
+    let(:processor) { described_class.new(listener) }
+
+    before(:each) do
+      listener.stub(:user_not_logged_in)
+      listener.stub(:invalid_one_time_password)
+      listener.stub(:user_logged_in)
+    end
+
+    context 'with an existing ticket-granting ticket' do
+      let(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket, :awaiting_two_factor_authentication }
+      let(:user) { ticket_granting_ticket.user }
+      let(:tgt) { ticket_granting_ticket.ticket }
+      let(:user_agent) { ticket_granting_ticket.user_agent }
+      let(:otp) { '123456' }
+      let(:service) { 'http://www.example.com/testing' }
+      let(:params) { { tgt: tgt, otp: otp, service: service }}
+
+      context 'with an active authenticator' do
+        let!(:two_factor_authenticator) { FactoryGirl.create :two_factor_authenticator, user: user }
+
+        context 'with a valid OTP' do
+          before(:each) do
+            ROTP::TOTP.any_instance.should_receive(:verify_with_drift).with(otp, 30).and_return(true)
+          end
+
+          it 'calls the `#user_logged_in` method an the listener' do
+            listener.should_receive(:user_logged_in).with(/^#{service}\?ticket=ST\-/, /^TGC\-/)
+            processor.process(params, user_agent)
+          end
+
+          it 'does activate the ticket-granting ticket' do
+            processor.process(params, user_agent)
+            ticket_granting_ticket.reload
+            ticket_granting_ticket.should_not be_awaiting_two_factor_authentication
+          end
+
+          context 'with a long-term ticket-granting ticket' do
+            before(:each) do
+              ticket_granting_ticket.update_attributes! long_term: true
+            end
+
+            it 'calls the #user_logged_in method on the listener with an expiration date set' do
+              listener.should_receive(:user_logged_in).with(/^#{service}\?ticket=ST\-/, /^TGC\-/, kind_of(Time))
+              processor.process(params, user_agent)
+            end
+          end
+
+          context 'with a not allowed service' do
+            before(:each) do
+              FactoryGirl.create :service_rule, :regex, url: '^https://.*'
+            end
+            let(:service) { 'http://www.example.org/' }
+
+            it 'calls the #service_not_allowed method on the listener' do
+              listener.should_receive(:service_not_allowed).with(service)
+              processor.process(params.merge(service: service), user_agent)
+            end
+          end
+        end
+
+        context 'with an invalid OTP' do
+          before(:each) do
+            ROTP::TOTP.any_instance.should_receive(:verify_with_drift).with(otp, 30).and_return(false)
+          end
+
+          it 'calls the `#invalid_one_time_password` method an the listener' do
+            listener.should_receive(:invalid_one_time_password).with(no_args)
+            processor.process(params, user_agent)
+          end
+
+          it 'does not activate the ticket-granting ticket' do
+            processor.process(params, user_agent)
+            ticket_granting_ticket.reload
+            ticket_granting_ticket.should be_awaiting_two_factor_authentication
+          end
+        end
+      end
+    end
+
+    context 'with an invalid ticket-granting ticket' do
+      let(:tgt) { 'TGT-lalala' }
+      let(:user_agent) { 'TestBrowser 1.0' }
+      it 'calls the #user_not_logged_in method on the listener' do
+        listener.should_receive(:user_not_logged_in).with(no_args)
+        processor.process({tgt: tgt}, user_agent)
+      end
+    end
+  end
+end

data/spec/processor/session_destroyer_spec.rb

@@ -0,0 +1,75 @@
+require 'spec_helper'
+
+describe CASino::SessionDestroyerProcessor do
+  describe '#process' do
+    let(:listener) { Object.new }
+    let(:processor) { described_class.new(listener) }
+    let(:owner_ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+    let(:user) { owner_ticket_granting_ticket.user }
+    let(:user_agent) { owner_ticket_granting_ticket.user_agent }
+    let(:cookies) { { tgt: owner_ticket_granting_ticket.ticket } }
+
+    before(:each) do
+      listener.stub(:ticket_deleted)
+      listener.stub(:ticket_not_found)
+    end
+
+    context 'with an existing ticket-granting ticket' do
+      let(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket, user: user }
+      let(:service_ticket) { FactoryGirl.create :service_ticket, ticket_granting_ticket: ticket_granting_ticket }
+      let(:consumed_service_ticket) { FactoryGirl.create :service_ticket, :consumed, ticket_granting_ticket: ticket_granting_ticket }
+      let(:params) { { id: ticket_granting_ticket.id } }
+
+      it 'deletes exactly one ticket-granting ticket' do
+        ticket_granting_ticket
+        owner_ticket_granting_ticket
+        lambda do
+          processor.process(params, cookies, user_agent)
+        end.should change(CASino::TicketGrantingTicket, :count).by(-1)
+      end
+
+      it 'deletes the ticket-granting ticket' do
+        processor.process(params, cookies, user_agent)
+        CASino::TicketGrantingTicket.where(id: params[:id]).length.should == 0
+      end
+
+      it 'calls the #ticket_deleted method on the listener' do
+        listener.should_receive(:ticket_deleted).with(no_args)
+        processor.process(params, cookies, user_agent)
+      end
+    end
+
+    context 'with an invalid ticket-granting ticket' do
+      let(:params) { { id: 99999 } }
+      it 'does not delete a ticket-granting ticket' do
+        owner_ticket_granting_ticket
+        lambda do
+          processor.process(params, cookies, user_agent)
+        end.should_not change(CASino::TicketGrantingTicket, :count)
+      end
+
+      it 'calls the #ticket_not_found method on the listener' do
+        listener.should_receive(:ticket_not_found).with(no_args)
+        processor.process(params, cookies, user_agent)
+      end
+    end
+
+    context 'when trying to delete ticket-granting ticket of another user' do
+      let(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+      let(:params) { { id: ticket_granting_ticket.id } }
+
+      it 'does not delete a ticket-granting ticket' do
+        owner_ticket_granting_ticket
+        ticket_granting_ticket
+        lambda do
+          processor.process(params, cookies, user_agent)
+        end.should change(CASino::TicketGrantingTicket, :count).by(0)
+      end
+
+      it 'calls the #ticket_not_found method on the listener' do
+        listener.should_receive(:ticket_not_found).with(no_args)
+        processor.process(params, cookies, user_agent)
+      end
+    end
+  end
+end