casino 1.3.2 → 2.0.0
Sign up to get free protection for your applications and to get access to all the features.
- data.tar.gz.sig +0 -0
- data/.gitignore +3 -0
- data/.travis.yml +1 -1
- data/README.md +1 -8
- data/Rakefile +0 -2
- data/app/assets/javascripts/casino/application.js +1 -0
- data/app/assets/javascripts/casino/index.js +0 -2
- data/app/assets/javascripts/casino/sessions.js +32 -0
- data/app/authenticators/casino/static_authenticator.rb +23 -0
- data/app/builders/casino/ticket_validation_response_builder.rb +84 -0
- data/app/controllers/casino/api/v1/tickets_controller.rb +7 -4
- data/app/controllers/casino/application_controller.rb +2 -3
- data/{lib/casino/listener/legacy_validator.rb → app/listeners/casino/legacy_validator_listener.rb} +2 -2
- data/app/listeners/casino/listener.rb +16 -0
- data/{lib/casino/listener/login_credential_acceptor.rb → app/listeners/casino/login_credential_acceptor_listener.rb} +2 -2
- data/{lib/casino/listener/login_credential_requestor.rb → app/listeners/casino/login_credential_requestor_listener.rb} +2 -2
- data/{lib/casino/listener/logout.rb → app/listeners/casino/logout_listener.rb} +2 -2
- data/{lib/casino/listener/other_sessions_destroyer.rb → app/listeners/casino/other_sessions_destroyer_listener.rb} +2 -2
- data/{lib/casino/listener/proxy_ticket_provider.rb → app/listeners/casino/proxy_ticket_provider_listener.rb} +2 -2
- data/{lib/casino/listener/second_factor_authentication_acceptor.rb → app/listeners/casino/second_factor_authentication_acceptor_listener.rb} +2 -2
- data/{lib/casino/listener/session_destroyer.rb → app/listeners/casino/session_destroyer_listener.rb} +2 -2
- data/{lib/casino/listener/session_overview.rb → app/listeners/casino/session_overview_listener.rb} +2 -2
- data/{lib/casino/listener/ticket_validator.rb → app/listeners/casino/ticket_validator_listener.rb} +2 -2
- data/{lib/casino/listener/two_factor_authenticator_activator.rb → app/listeners/casino/two_factor_authenticator_activator_listener.rb} +2 -2
- data/{lib/casino/listener/two_factor_authenticator_destroyer.rb → app/listeners/casino/two_factor_authenticator_destroyer_listener.rb} +2 -2
- data/{lib/casino/listener/two_factor_authenticator_overview.rb → app/listeners/casino/two_factor_authenticator_overview_listener.rb} +2 -2
- data/{lib/casino/listener/two_factor_authenticator_registrator.rb → app/listeners/casino/two_factor_authenticator_registrator_listener.rb} +2 -2
- data/app/models/casino/login_ticket.rb +12 -0
- data/app/models/casino/proxy_granting_ticket.rb +8 -0
- data/app/models/casino/proxy_ticket.rb +25 -0
- data/app/models/casino/service_rule.rb +27 -0
- data/app/models/casino/service_ticket.rb +43 -0
- data/app/models/casino/service_ticket/single_sign_out_notifier.rb +44 -0
- data/app/models/casino/ticket_granting_ticket.rb +57 -0
- data/app/models/casino/two_factor_authenticator.rb +18 -0
- data/app/models/casino/user.rb +12 -0
- data/app/models/casino/validation_result.rb +5 -0
- data/app/processors/casino/api/login_credential_acceptor_processor.rb +46 -0
- data/app/processors/casino/api/logout_processor.rb +17 -0
- data/app/processors/casino/api/service_ticket_provider_processor.rb +69 -0
- data/app/processors/casino/legacy_validator_processor.rb +19 -0
- data/app/processors/casino/login_credential_acceptor_processor.rb +63 -0
- data/app/processors/casino/login_credential_requestor_processor.rb +66 -0
- data/app/processors/casino/logout_processor.rb +23 -0
- data/app/processors/casino/other_sessions_destroyer_processor.rb +26 -0
- data/app/processors/casino/processor.rb +5 -0
- data/app/processors/casino/processor_concern/authentication.rb +87 -0
- data/app/processors/casino/processor_concern/browser.rb +14 -0
- data/app/processors/casino/processor_concern/login_tickets.rb +28 -0
- data/app/processors/casino/processor_concern/proxy_granting_tickets.rb +43 -0
- data/app/processors/casino/processor_concern/proxy_tickets.rb +56 -0
- data/app/processors/casino/processor_concern/service_tickets.rb +50 -0
- data/app/processors/casino/processor_concern/ticket_granting_tickets.rb +65 -0
- data/app/processors/casino/processor_concern/tickets.rb +17 -0
- data/app/processors/casino/processor_concern/two_factor_authenticators.rb +22 -0
- data/app/processors/casino/proxy_ticket_provider_processor.rb +41 -0
- data/app/processors/casino/proxy_ticket_validator_processor.rb +22 -0
- data/app/processors/casino/second_factor_authentication_acceptor_processor.rb +45 -0
- data/app/processors/casino/service_ticket_validator_processor.rb +46 -0
- data/app/processors/casino/session_destroyer_processor.rb +25 -0
- data/app/processors/casino/session_overview_processor.rb +21 -0
- data/app/processors/casino/two_factor_authenticator_activator_processor.rb +41 -0
- data/app/processors/casino/two_factor_authenticator_destroyer_processor.rb +33 -0
- data/app/processors/casino/two_factor_authenticator_overview_processor.rb +20 -0
- data/app/processors/casino/two_factor_authenticator_registrator_processor.rb +24 -0
- data/app/views/casino/application/_footer.html.erb +1 -1
- data/app/views/casino/sessions/new.html.erb +2 -1
- data/app/views/casino/sessions/validate_otp.html.erb +1 -1
- data/app/views/casino/two_factor_authenticators/new.html.erb +2 -2
- data/app/views/layouts/application.html.erb +1 -1
- data/casino.gemspec +9 -4
- data/db/migrate/20130809135400_create_core_schema.rb +117 -0
- data/db/migrate/20130809135401_rename_base_models.rb +101 -0
- data/db/migrate/20131022110146_cleanup_indexes.rb +27 -0
- data/db/migrate/20131022110246_fix_long_index_names.rb +12 -0
- data/db/migrate/20131022110346_change_service_to_text.rb +6 -0
- data/lib/casino.rb +47 -3
- data/lib/casino/authenticator.rb +9 -0
- data/lib/casino/engine.rb +26 -0
- data/lib/casino/inflections.rb +7 -0
- data/lib/casino/tasks.rb +1 -0
- data/lib/casino/tasks/cleanup.rake +59 -0
- data/lib/casino/tasks/service_rule.rake +49 -0
- data/lib/casino/version.rb +1 -1
- data/lib/generators/casino/install/USAGE +13 -0
- data/lib/generators/casino/install/install_generator.rb +47 -0
- data/lib/generators/casino/{templates → install/templates}/README +3 -4
- data/lib/generators/casino/{templates → install/templates}/cas.yml +2 -2
- data/lib/generators/casino/{templates → install/templates}/casino_and_overrides.scss +0 -0
- data/lib/generators/casino/templates/casino_core.rb +1 -1
- data/spec/authenticator/base_spec.rb +13 -0
- data/spec/authenticator/static_spec.rb +42 -0
- data/spec/controllers/api/v1/tickets_controller_spec.rb +15 -15
- data/spec/controllers/listener/legacy_validator_spec.rb +1 -1
- data/spec/controllers/listener/login_credential_acceptor_spec.rb +1 -1
- data/spec/controllers/listener/login_credential_requestor_spec.rb +1 -1
- data/spec/controllers/listener/logout_spec.rb +1 -1
- data/spec/controllers/listener/other_sessions_destroyer_spec.rb +1 -1
- data/spec/controllers/listener/proxy_ticket_provider_spec.rb +1 -1
- data/spec/controllers/listener/second_factor_authentication_acceptor_spec.rb +1 -1
- data/spec/controllers/listener/session_destroyer_spec.rb +1 -1
- data/spec/controllers/listener/session_overview_spec.rb +1 -1
- data/spec/controllers/listener/ticket_validator_spec.rb +1 -1
- data/spec/controllers/listener/two_factor_authenticator_activator_spec.rb +1 -1
- data/spec/controllers/listener/two_factor_authenticator_destroyer_spec.rb +1 -1
- data/spec/controllers/listener/two_factor_authenticator_overview_spec.rb +1 -1
- data/spec/controllers/listener/two_factor_authenticator_registrator_spec.rb +1 -1
- data/spec/controllers/proxy_tickets_controller_spec.rb +4 -4
- data/spec/controllers/service_tickets_controller_spec.rb +4 -4
- data/spec/controllers/sessions_controller_spec.rb +15 -15
- data/spec/controllers/two_factor_authenticators_controller_spec.rb +6 -6
- data/spec/dummy/app/assets/stylesheets/casino_and_overrides.scss +13 -0
- data/spec/dummy/config/cas.yml +11 -11
- data/spec/dummy/config/routes.rb +1 -2
- data/spec/dummy/db/migrate/20130910094259_create_base_models.casino.rb +95 -0
- data/spec/dummy/db/schema.rb +107 -0
- data/spec/model/login_ticket_spec.rb +23 -0
- data/spec/model/proxy_ticket_spec.rb +63 -0
- data/spec/model/service_rule_spec.rb +65 -0
- data/spec/model/service_ticket/single_sign_out_notifier_spec.rb +61 -0
- data/spec/model/service_ticket_spec.rb +124 -0
- data/spec/model/ticket_granting_ticket_spec.rb +204 -0
- data/spec/model/two_factor_authenticator_spec.rb +31 -0
- data/spec/processor/api/login_credential_acceptor_spec.rb +52 -0
- data/spec/processor/api/logout_spec.rb +34 -0
- data/spec/processor/api/service_ticket_provider_spec.rb +61 -0
- data/spec/processor/legacy_validator_spec.rb +78 -0
- data/spec/processor/login_credential_acceptor_spec.rb +164 -0
- data/spec/processor/login_credential_requestor_spec.rb +135 -0
- data/spec/processor/logout_other_sessions_spec.rb +53 -0
- data/spec/processor/logout_spec.rb +72 -0
- data/spec/processor/processor_concern/service_tickets_spec.rb +49 -0
- data/spec/processor/proxy_ticket_provider_spec.rb +66 -0
- data/spec/processor/proxy_ticket_validator_spec.rb +65 -0
- data/spec/processor/second_factor_authenticaton_acceptor_spec.rb +94 -0
- data/spec/processor/session_destroyer_spec.rb +75 -0
- data/spec/processor/session_overview_spec.rb +49 -0
- data/spec/processor/ticket_validator_spec.rb +199 -0
- data/spec/processor/two_factor_authenticator_activator_spec.rb +122 -0
- data/spec/processor/two_factor_authenticator_destroyer_spec.rb +71 -0
- data/spec/processor/two_factor_authenticator_overview_spec.rb +56 -0
- data/spec/processor/two_factor_authenticator_registrator_spec.rb +48 -0
- data/spec/spec_helper.rb +8 -19
- data/spec/support/casino.rb +12 -0
- data/spec/support/factories/login_ticket_factory.rb +16 -0
- data/spec/support/factories/proxy_granting_ticket_factory.rb +16 -0
- data/spec/support/factories/proxy_ticket_factory.rb +17 -0
- data/spec/support/factories/service_rule_factory.rb +16 -0
- data/spec/support/factories/service_ticket_factory.rb +17 -0
- data/spec/support/factories/ticket_granting_ticket_factory.rb +15 -0
- data/spec/support/factories/two_factor_authenticator_factory.rb +16 -0
- data/spec/support/factories/user_factory.rb +11 -0
- data/spec/support/rspec.rb +8 -0
- data/spec/support/sqlite3.rb +4 -0
- metadata +284 -48
- metadata.gz.sig +2 -0
- data/.powrc +0 -4
- data/Gemfile.lock +0 -149
- data/app/assets/javascripts/casino/application.js.coffee +0 -5
- data/app/assets/javascripts/casino/sessions.js.coffee +0 -15
- data/config/initializers/frontend_config.rb +0 -9
- data/config/initializers/inflections.rb +0 -19
- data/config/initializers/yaml.rb +0 -1
- data/lib/casino/listener.rb +0 -31
- data/lib/generators/casino/install_generator.rb +0 -35
- data/spec/dummy/config/initializers/casino_core.rb +0 -1
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
# The Logout processor should be used to process GET requests to /logout.
|
|
2
|
+
class CASino::LogoutProcessor < CASino::Processor
|
|
3
|
+
include CASino::ProcessorConcern::TicketGrantingTickets
|
|
4
|
+
|
|
5
|
+
# This method will call `#user_logged_out` and may supply an URL that should be presented to the user.
|
|
6
|
+
# As per specification, the URL specified by "url" SHOULD be on the logout page with descriptive text.
|
|
7
|
+
# For example, "The application you just logged out of has provided a link it would like you to follow.
|
|
8
|
+
# Please click here to access http://www.go-back.edu/."
|
|
9
|
+
#
|
|
10
|
+
# @param [Hash] params parameters supplied by user
|
|
11
|
+
# @param [Hash] cookies cookies supplied by user
|
|
12
|
+
# @param [String] user_agent user-agent delivered by the client
|
|
13
|
+
def process(params = nil, cookies = nil, user_agent = nil)
|
|
14
|
+
params ||= {}
|
|
15
|
+
cookies ||= {}
|
|
16
|
+
remove_ticket_granting_ticket(cookies[:tgt], user_agent)
|
|
17
|
+
if params[:service] && CASino::ServiceRule.allowed?(params[:service])
|
|
18
|
+
@listener.user_logged_out(params[:service], true)
|
|
19
|
+
else
|
|
20
|
+
@listener.user_logged_out(params[:url])
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# The OtherSessionsDestroyer processor should be used to process GET requests to /destroy-other-sessions.
|
|
2
|
+
#
|
|
3
|
+
# It is usefule to redirect users to this action after a password change.
|
|
4
|
+
#
|
|
5
|
+
# This feature is not described in the CAS specification so it's completly optional
|
|
6
|
+
# to implement this on the web application side.
|
|
7
|
+
class CASino::OtherSessionsDestroyerProcessor < CASino::Processor
|
|
8
|
+
include CASino::ProcessorConcern::TicketGrantingTickets
|
|
9
|
+
|
|
10
|
+
# This method will call `#other_sessions_destroyed` and may supply an URL that should be presented to the user.
|
|
11
|
+
# The user should be redirected to this URL immediately.
|
|
12
|
+
#
|
|
13
|
+
# @param [Hash] params parameters supplied by user
|
|
14
|
+
# @param [Hash] cookies cookies supplied by user
|
|
15
|
+
# @param [String] user_agent user-agent delivered by the client
|
|
16
|
+
def process(params = nil, cookies = nil, user_agent = nil)
|
|
17
|
+
params ||= {}
|
|
18
|
+
cookies ||= {}
|
|
19
|
+
tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
|
|
20
|
+
unless tgt.nil?
|
|
21
|
+
other_ticket_granting_tickets = tgt.user.ticket_granting_tickets.where('id != ?', tgt.id)
|
|
22
|
+
other_ticket_granting_tickets.destroy_all
|
|
23
|
+
end
|
|
24
|
+
@listener.other_sessions_destroyed(params[:service])
|
|
25
|
+
end
|
|
26
|
+
end
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
module CASino
|
|
2
|
+
module ProcessorConcern
|
|
3
|
+
module Authentication
|
|
4
|
+
|
|
5
|
+
def validate_login_credentials(username, password)
|
|
6
|
+
authentication_result = nil
|
|
7
|
+
authenticators.each do |authenticator_name, authenticator|
|
|
8
|
+
begin
|
|
9
|
+
data = authenticator.validate(username, password)
|
|
10
|
+
rescue CASino::Authenticator::AuthenticatorError => e
|
|
11
|
+
Rails.logger.error "Authenticator '#{authenticator_name}' (#{authenticator.class}) raised an error: #{e}"
|
|
12
|
+
end
|
|
13
|
+
if data
|
|
14
|
+
authentication_result = { authenticator: authenticator_name, user_data: data }
|
|
15
|
+
Rails.logger.info("Credentials for username '#{data[:username]}' successfully validated using authenticator '#{authenticator_name}' (#{authenticator.class})")
|
|
16
|
+
break
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
authentication_result
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def authenticators
|
|
23
|
+
@authenticators ||= begin
|
|
24
|
+
CASino.config.authenticators.each do |name, auth|
|
|
25
|
+
next unless auth.is_a?(Hash)
|
|
26
|
+
|
|
27
|
+
authenticator = if auth[:class]
|
|
28
|
+
auth[:class].constantize
|
|
29
|
+
else
|
|
30
|
+
load_authenticator(auth[:authenticator])
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
CASino.config.authenticators[name] = authenticator.new(auth[:options])
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
private
|
|
39
|
+
def load_legacy_authenticator(name)
|
|
40
|
+
gemname, classname = parse_legacy_name(name)
|
|
41
|
+
|
|
42
|
+
begin
|
|
43
|
+
require gemname
|
|
44
|
+
CASinoCore::Authenticator.const_get("#{classname}")
|
|
45
|
+
rescue LoadError, NameError
|
|
46
|
+
false
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def load_authenticator(name)
|
|
51
|
+
legacy_authenticator = load_legacy_authenticator(name)
|
|
52
|
+
return legacy_authenticator if legacy_authenticator
|
|
53
|
+
|
|
54
|
+
gemname, classname = parse_name(name)
|
|
55
|
+
|
|
56
|
+
begin
|
|
57
|
+
require gemname
|
|
58
|
+
CASino.const_get(classname)
|
|
59
|
+
rescue LoadError => error
|
|
60
|
+
raise LoadError, load_error_message(name, gemname, error)
|
|
61
|
+
rescue NameError => error
|
|
62
|
+
raise NameError, name_error_message(name, error)
|
|
63
|
+
end
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def parse_name(name)
|
|
67
|
+
[ "casino-#{name.underscore}_authenticator", "#{name.camelize}Authenticator" ]
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
def parse_legacy_name(name)
|
|
71
|
+
[ "casino_core-authenticator-#{name.underscore}", name.camelize ]
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def load_error_message(name, gemname, error)
|
|
75
|
+
"Failed to load authenticator '#{name}'. Maybe you have to include " \
|
|
76
|
+
"\"gem '#{gemname}'\" in your Gemfile?\n" \
|
|
77
|
+
" Error: #{error.message}\n"
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def name_error_message(name, error)
|
|
81
|
+
"Failed to load authenticator '#{name}'. The authenticator class must " \
|
|
82
|
+
"be defined in the CASino namespace.\n" \
|
|
83
|
+
" Error: #{error.message}\n"
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
|
87
|
+
end
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
module CASino
|
|
2
|
+
module ProcessorConcern
|
|
3
|
+
module Browser
|
|
4
|
+
def browser_info(user_agent)
|
|
5
|
+
user_agent = UserAgent.parse(user_agent)
|
|
6
|
+
"#{user_agent.browser} (#{user_agent.platform})"
|
|
7
|
+
end
|
|
8
|
+
|
|
9
|
+
def same_browser?(user_agent, other_user_agent)
|
|
10
|
+
user_agent == other_user_agent || browser_info(user_agent) == browser_info(other_user_agent)
|
|
11
|
+
end
|
|
12
|
+
end
|
|
13
|
+
end
|
|
14
|
+
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
module CASino
|
|
2
|
+
module ProcessorConcern
|
|
3
|
+
module LoginTickets
|
|
4
|
+
include CASino::ProcessorConcern::Tickets
|
|
5
|
+
|
|
6
|
+
def acquire_login_ticket
|
|
7
|
+
ticket = CASino::LoginTicket.create ticket: random_ticket_string('LT')
|
|
8
|
+
Rails.logger.debug "Created login ticket '#{ticket.ticket}'"
|
|
9
|
+
ticket
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def login_ticket_valid?(lt)
|
|
13
|
+
ticket = CASino::LoginTicket.find_by_ticket lt
|
|
14
|
+
if ticket.nil?
|
|
15
|
+
Rails.logger.info "Login ticket '#{lt}' not found"
|
|
16
|
+
false
|
|
17
|
+
elsif ticket.created_at < CASino.config.login_ticket[:lifetime].seconds.ago
|
|
18
|
+
Rails.logger.info "Login ticket '#{ticket.ticket}' expired"
|
|
19
|
+
false
|
|
20
|
+
else
|
|
21
|
+
Rails.logger.debug "Login ticket '#{ticket.ticket}' successfully validated"
|
|
22
|
+
ticket.delete
|
|
23
|
+
true
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
require 'addressable/uri'
|
|
2
|
+
require 'faraday'
|
|
3
|
+
|
|
4
|
+
module CASino
|
|
5
|
+
module ProcessorConcern
|
|
6
|
+
module ProxyGrantingTickets
|
|
7
|
+
include CASino::ProcessorConcern::Tickets
|
|
8
|
+
|
|
9
|
+
def acquire_proxy_granting_ticket(pgt_url, service_ticket)
|
|
10
|
+
callback_uri = Addressable::URI.parse(pgt_url)
|
|
11
|
+
if callback_uri.scheme != 'https'
|
|
12
|
+
Rails.logger.warn "Proxy tickets can only be granted to callback servers using HTTPS."
|
|
13
|
+
nil
|
|
14
|
+
else
|
|
15
|
+
contact_callback_server(callback_uri, service_ticket)
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
def contact_callback_server(callback_uri, service_ticket)
|
|
21
|
+
pgt = service_ticket.proxy_granting_tickets.new({
|
|
22
|
+
ticket: random_ticket_string('PGT'),
|
|
23
|
+
iou: random_ticket_string('PGTIOU'),
|
|
24
|
+
pgt_url: "#{callback_uri}"
|
|
25
|
+
})
|
|
26
|
+
callback_uri.query_values = (callback_uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
|
|
27
|
+
response = Faraday.get "#{callback_uri}"
|
|
28
|
+
# TODO: does this follow redirects? CAS specification says that redirects MAY be followed (2.5.4)
|
|
29
|
+
if response.success?
|
|
30
|
+
pgt.save!
|
|
31
|
+
Rails.logger.debug "Proxy-granting ticket generated for service '#{service_ticket.service}': #{pgt.inspect}"
|
|
32
|
+
pgt
|
|
33
|
+
else
|
|
34
|
+
Rails.logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.status}'. PGT will not be stored."
|
|
35
|
+
nil
|
|
36
|
+
end
|
|
37
|
+
rescue Faraday::Error::ClientError => error
|
|
38
|
+
Rails.logger.warn "Exception while communicating with proxy-granting ticket callback server: #{error.message}"
|
|
39
|
+
nil
|
|
40
|
+
end
|
|
41
|
+
end
|
|
42
|
+
end
|
|
43
|
+
end
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
module CASino
|
|
2
|
+
module ProcessorConcern
|
|
3
|
+
module ProxyTickets
|
|
4
|
+
|
|
5
|
+
include CASino::ProcessorConcern::Tickets
|
|
6
|
+
|
|
7
|
+
class ValidationResult < CASino::ValidationResult; end
|
|
8
|
+
|
|
9
|
+
def acquire_proxy_ticket(proxy_granting_ticket, service)
|
|
10
|
+
proxy_granting_ticket.proxy_tickets.create!({
|
|
11
|
+
ticket: random_ticket_string('PT'),
|
|
12
|
+
service: service,
|
|
13
|
+
})
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def validate_ticket_for_service(ticket, service, renew = false)
|
|
17
|
+
if ticket.nil?
|
|
18
|
+
result = ValidationResult.new 'INVALID_TICKET', 'Invalid validate request: Ticket does not exist', :warn
|
|
19
|
+
else
|
|
20
|
+
result = validate_existing_ticket_for_service(ticket, service, renew)
|
|
21
|
+
ticket.consumed = true
|
|
22
|
+
ticket.save!
|
|
23
|
+
Rails.logger.debug "Consumed ticket '#{ticket.ticket}'"
|
|
24
|
+
end
|
|
25
|
+
if result.success?
|
|
26
|
+
Rails.logger.info "Ticket '#{ticket.ticket}' for service '#{service}' successfully validated"
|
|
27
|
+
else
|
|
28
|
+
Rails.logger.send(result.error_severity, result.error_message)
|
|
29
|
+
end
|
|
30
|
+
result
|
|
31
|
+
end
|
|
32
|
+
|
|
33
|
+
def ticket_valid_for_service?(ticket, service, renew = false)
|
|
34
|
+
validate_ticket_for_service(ticket, service, renew).success?
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
private
|
|
38
|
+
def validate_existing_ticket_for_service(ticket, service, renew = false)
|
|
39
|
+
if ticket.is_a?(CASino::ServiceTicket)
|
|
40
|
+
service = clean_service_url(service)
|
|
41
|
+
end
|
|
42
|
+
if ticket.consumed?
|
|
43
|
+
ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' already consumed", :warn
|
|
44
|
+
elsif ticket.expired?
|
|
45
|
+
ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' has expired", :warn
|
|
46
|
+
elsif service != ticket.service
|
|
47
|
+
ValidationResult.new 'INVALID_SERVICE', "Ticket '#{ticket.ticket}' is not valid for service '#{service}'", :warn
|
|
48
|
+
elsif renew && !ticket.issued_from_credentials?
|
|
49
|
+
ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' was not issued from credentials but service '#{service}' will only accept a renewed ticket", :info
|
|
50
|
+
else
|
|
51
|
+
ValidationResult.new
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
end
|
|
55
|
+
end
|
|
56
|
+
end
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
require 'addressable/uri'
|
|
2
|
+
|
|
3
|
+
module CASino
|
|
4
|
+
module ProcessorConcern
|
|
5
|
+
module ServiceTickets
|
|
6
|
+
include CASino::ProcessorConcern::Tickets
|
|
7
|
+
include CASino::ProcessorConcern::ProxyTickets
|
|
8
|
+
|
|
9
|
+
class ServiceNotAllowedError < StandardError; end
|
|
10
|
+
|
|
11
|
+
RESERVED_CAS_PARAMETER_KEYS = ['service', 'ticket', 'gateway', 'renew']
|
|
12
|
+
|
|
13
|
+
def acquire_service_ticket(ticket_granting_ticket, service, credentials_supplied = nil)
|
|
14
|
+
service_url = clean_service_url(service)
|
|
15
|
+
unless CASino::ServiceRule.allowed?(service_url)
|
|
16
|
+
message = "#{service_url} is not in the list of allowed URLs"
|
|
17
|
+
Rails.logger.error message
|
|
18
|
+
raise ServiceNotAllowedError, message
|
|
19
|
+
end
|
|
20
|
+
service_tickets = ticket_granting_ticket.service_tickets
|
|
21
|
+
service_tickets.where(service: service_url).destroy_all
|
|
22
|
+
service_tickets.create!({
|
|
23
|
+
ticket: random_ticket_string('ST'),
|
|
24
|
+
service: service_url,
|
|
25
|
+
issued_from_credentials: !!credentials_supplied
|
|
26
|
+
})
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
def clean_service_url(dirty_service)
|
|
30
|
+
return dirty_service if dirty_service.blank?
|
|
31
|
+
service_uri = Addressable::URI.parse dirty_service
|
|
32
|
+
unless service_uri.query_values.nil?
|
|
33
|
+
service_uri.query_values = service_uri.query_values(Array).select { |k,v| !RESERVED_CAS_PARAMETER_KEYS.include?(k) }
|
|
34
|
+
end
|
|
35
|
+
if service_uri.query_values.blank?
|
|
36
|
+
service_uri.query_values = nil
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
service_uri.path = (service_uri.path || '').gsub(/\/+\z/, '')
|
|
40
|
+
service_uri.path = '/' if service_uri.path.blank?
|
|
41
|
+
|
|
42
|
+
clean_service = service_uri.to_s
|
|
43
|
+
|
|
44
|
+
Rails.logger.debug("Cleaned dirty service URL '#{dirty_service}' to '#{clean_service}'") if dirty_service != clean_service
|
|
45
|
+
|
|
46
|
+
clean_service
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
end
|
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
require 'addressable/uri'
|
|
2
|
+
|
|
3
|
+
module CASino
|
|
4
|
+
module ProcessorConcern
|
|
5
|
+
module TicketGrantingTickets
|
|
6
|
+
|
|
7
|
+
include CASino::ProcessorConcern::Browser
|
|
8
|
+
|
|
9
|
+
def find_valid_ticket_granting_ticket(tgt, user_agent, ignore_two_factor = false)
|
|
10
|
+
ticket_granting_ticket = CASino::TicketGrantingTicket.where(ticket: tgt).first
|
|
11
|
+
unless ticket_granting_ticket.nil?
|
|
12
|
+
if ticket_granting_ticket.expired?
|
|
13
|
+
Rails.logger.info "Ticket-granting ticket expired (Created: #{ticket_granting_ticket.created_at})"
|
|
14
|
+
ticket_granting_ticket.destroy
|
|
15
|
+
nil
|
|
16
|
+
elsif !ignore_two_factor && ticket_granting_ticket.awaiting_two_factor_authentication?
|
|
17
|
+
Rails.logger.info 'Ticket-granting ticket is valid, but two-factor authentication is pending'
|
|
18
|
+
nil
|
|
19
|
+
elsif same_browser?(ticket_granting_ticket.user_agent, user_agent)
|
|
20
|
+
ticket_granting_ticket.user_agent = user_agent
|
|
21
|
+
ticket_granting_ticket.touch
|
|
22
|
+
ticket_granting_ticket.save!
|
|
23
|
+
ticket_granting_ticket
|
|
24
|
+
else
|
|
25
|
+
Rails.logger.info 'User-Agent changed: ticket-granting ticket not valid for this browser'
|
|
26
|
+
nil
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def acquire_ticket_granting_ticket(authentication_result, user_agent = nil, long_term = nil)
|
|
32
|
+
user_data = authentication_result[:user_data]
|
|
33
|
+
user = load_or_initialize_user(authentication_result[:authenticator], user_data[:username], user_data[:extra_attributes])
|
|
34
|
+
cleanup_expired_ticket_granting_tickets(user)
|
|
35
|
+
user.ticket_granting_tickets.create!({
|
|
36
|
+
ticket: random_ticket_string('TGC'),
|
|
37
|
+
awaiting_two_factor_authentication: !user.active_two_factor_authenticator.nil?,
|
|
38
|
+
user_agent: user_agent,
|
|
39
|
+
long_term: !!long_term
|
|
40
|
+
})
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
def load_or_initialize_user(authenticator, username, extra_attributes)
|
|
44
|
+
user = CASino::User.where(
|
|
45
|
+
authenticator: authenticator,
|
|
46
|
+
username: username).first_or_initialize
|
|
47
|
+
user.extra_attributes = extra_attributes
|
|
48
|
+
user.save!
|
|
49
|
+
return user
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
def remove_ticket_granting_ticket(ticket_granting_ticket, user_agent = nil)
|
|
53
|
+
tgt = find_valid_ticket_granting_ticket(ticket_granting_ticket, user_agent)
|
|
54
|
+
unless tgt.nil?
|
|
55
|
+
tgt.destroy
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def cleanup_expired_ticket_granting_tickets(user)
|
|
60
|
+
CASino::TicketGrantingTicket.cleanup(user)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
end
|
|
64
|
+
end
|
|
65
|
+
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
require 'securerandom'
|
|
2
|
+
|
|
3
|
+
module CASino
|
|
4
|
+
module ProcessorConcern
|
|
5
|
+
module Tickets
|
|
6
|
+
|
|
7
|
+
ALLOWED_TICKET_STRING_CHARACTERS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a
|
|
8
|
+
|
|
9
|
+
def random_ticket_string(prefix, length = 40)
|
|
10
|
+
random_string = SecureRandom.random_bytes(length).each_char.map do |char|
|
|
11
|
+
ALLOWED_TICKET_STRING_CHARACTERS[(char.ord % ALLOWED_TICKET_STRING_CHARACTERS.length)]
|
|
12
|
+
end.join
|
|
13
|
+
"#{prefix}-#{'%d' % (Time.now.to_f * 10000)}-#{random_string}"
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
require 'addressable/uri'
|
|
2
|
+
|
|
3
|
+
module CASino
|
|
4
|
+
module ProcessorConcern
|
|
5
|
+
module TwoFactorAuthenticators
|
|
6
|
+
class ValidationResult < CASino::ValidationResult; end
|
|
7
|
+
|
|
8
|
+
def validate_one_time_password(otp, authenticator)
|
|
9
|
+
if authenticator.nil? || authenticator.expired?
|
|
10
|
+
ValidationResult.new 'INVALID_AUTHENTICATOR', 'Authenticator does not exist or expired', :warn
|
|
11
|
+
else
|
|
12
|
+
totp = ROTP::TOTP.new(authenticator.secret)
|
|
13
|
+
if totp.verify_with_drift(otp, CASino.config.two_factor_authenticator[:drift])
|
|
14
|
+
ValidationResult.new
|
|
15
|
+
else
|
|
16
|
+
ValidationResult.new 'INVALID_OTP', 'One-time password not valid', :warn
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|