casino 1.3.2 → 2.0.0

data/spec/model/service_ticket/single_sign_out_notifier_spec.rb

@@ -0,0 +1,61 @@
+require 'spec_helper'
+require 'nokogiri'
+
+describe CASino::ServiceTicket::SingleSignOutNotifier do
+  let(:service_ticket) { FactoryGirl.create :service_ticket }
+  let(:service) { service_ticket.service }
+  let(:notifier) { described_class.new service_ticket }
+
+  describe '#notify' do
+    before(:each) do
+      stub_request(:post, service)
+    end
+
+    it 'sends a valid Single Sign Out XML to the service URL' do
+      notifier.notify
+      WebMock.should have_requested(:post, service).with { |request|
+        post_params = CGI.parse(request.body)
+        post_params.should_not be_nil
+        xml = Nokogiri::XML post_params['logoutRequest'].first
+        xml.at_xpath('/samlp:LogoutRequest/samlp:SessionIndex').text.should == service_ticket.ticket
+      }
+    end
+
+    it 'sets the timeout values' do
+      [:read_timeout=, :open_timeout=].each do |timeout|
+        Net::HTTP.any_instance.should_receive(timeout).with(CASino.config.service_ticket[:single_sign_out_notification][:timeout])
+      end
+      notifier.notify
+    end
+
+    context 'when it is a success' do
+      it 'returns true' do
+        notifier.notify.should == true
+      end
+    end
+
+    context 'with server error' do
+      [404, 500].each do |status_code|
+        context "#{status_code}" do
+          before(:each) do
+            stub_request(:post, service).to_return status: status_code
+          end
+
+          it 'returns false' do
+            notifier.notify.should == false
+          end
+        end
+      end
+
+      context 'connection timeout' do
+        before(:each) do
+          stub_request(:post, service).to_raise Timeout::Error
+        end
+
+        it 'returns false' do
+          notifier.notify.should == false
+        end
+      end
+    end
+  end
+end

data/spec/model/service_ticket_spec.rb

@@ -0,0 +1,124 @@
+require 'spec_helper'
+
+describe CASino::ServiceTicket do
+  let(:unconsumed_ticket) {
+    ticket = described_class.new ticket: 'ST-12345', service: 'https://example.com/cas-service'
+    ticket.ticket_granting_ticket_id = 1
+    ticket
+  }
+  let(:consumed_ticket) {
+    ticket = described_class.new ticket: 'ST-54321', service: 'https://example.com/cas-service'
+    ticket.ticket_granting_ticket_id = 1
+    ticket.consumed = true
+    ticket.save!
+    ticket
+  }
+
+  describe '#expired?' do
+    [:unconsumed, :consumed].each do |state|
+      context "with an #{state} ticket" do
+        let(:ticket) { send("#{state}_ticket") }
+
+        context 'with an expired ticket' do
+          before(:each) do
+            ticket.created_at = (CASino.config.service_ticket[:"lifetime_#{state}"].seconds + 1).ago
+            ticket.save!
+          end
+
+          it 'returns true' do
+            ticket.expired?.should == true
+          end
+        end
+
+        context 'with an unexpired ticket' do
+          it 'returns false' do
+            ticket.expired?.should == false
+          end
+        end
+      end
+    end
+  end
+
+  describe '.cleanup_unconsumed' do
+    it 'deletes expired unconsumed service tickets' do
+      unconsumed_ticket.created_at = 10.hours.ago
+      unconsumed_ticket.save!
+      lambda do
+        described_class.cleanup_unconsumed
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket('ST-12345').should be_false
+    end
+  end
+
+  describe '.cleanup_consumed_hard' do
+    before(:each) do
+      described_class::SingleSignOutNotifier.any_instance.stub(:notify).and_return(false)
+    end
+
+    it 'deletes consumed service tickets with an unreachable Single Sign Out callback server' do
+      consumed_ticket.created_at = 10.days.ago
+      consumed_ticket.save!
+      lambda do
+        described_class.cleanup_consumed_hard
+      end.should change(described_class, :count).by(-1)
+    end
+  end
+
+  describe '.cleanup_consumed' do
+    before(:each) do
+      described_class::SingleSignOutNotifier.any_instance.stub(:notify).and_return(true)
+    end
+
+    it 'deletes expired consumed service tickets' do
+      consumed_ticket.created_at = 10.days.ago
+      consumed_ticket.save!
+      lambda do
+        described_class.cleanup_consumed
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket('ST-12345').should be_false
+    end
+
+    it 'deletes consumed service tickets without ticket_granting_ticket' do
+      consumed_ticket.ticket_granting_ticket_id = nil
+      consumed_ticket.save!
+      lambda do
+        described_class.cleanup_consumed
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket('ST-12345').should be_false
+    end
+
+    it 'does not delete unexpired service tickets' do
+      consumed_ticket # create the ticket
+      lambda do
+        described_class.cleanup_consumed
+      end.should_not change(described_class, :count)
+    end
+  end
+
+  describe '#destroy' do
+    it 'sends out a single sign out notification' do
+      described_class::SingleSignOutNotifier.any_instance.should_receive(:notify).and_return(true)
+      consumed_ticket.destroy
+    end
+
+    context 'when notification fails' do
+      before(:each) do
+        described_class::SingleSignOutNotifier.any_instance.stub(:notify).and_return(false)
+      end
+
+      it 'does delete the service ticket anyway' do
+        consumed_ticket
+        lambda {
+          consumed_ticket.destroy
+        }.should change(CASino::ServiceTicket, :count).by(-1)
+      end
+    end
+  end
+
+  describe '#service_with_ticket_url' do
+    it 'does not escape the url from the database' do
+      unconsumed_ticket.service = 'https://host.example.org/test.php?t=other&other=testing'
+      unconsumed_ticket.service_with_ticket_url.should eq('https://host.example.org/test.php?t=other&other=testing&ticket=ST-12345')
+    end
+  end
+end

data/spec/model/ticket_granting_ticket_spec.rb

@@ -0,0 +1,204 @@
+require 'spec_helper'
+require 'useragent'
+
+describe CASino::TicketGrantingTicket do
+  let(:ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+  let(:service_ticket) { FactoryGirl.create :service_ticket, ticket_granting_ticket: ticket_granting_ticket }
+
+  describe '#destroy' do
+    let!(:consumed_service_ticket) { FactoryGirl.create :service_ticket, :consumed, ticket_granting_ticket: ticket_granting_ticket }
+
+    context 'when notification for a service ticket fails' do
+      before(:each) do
+        CASino::ServiceTicket::SingleSignOutNotifier.any_instance.stub(:notify).and_return(false)
+      end
+
+      it 'deletes depending proxy-granting tickets' do
+        consumed_service_ticket.proxy_granting_tickets.create! ticket: 'PGT-12345', iou: 'PGTIOU-12345', pgt_url: 'bla'
+        lambda {
+          ticket_granting_ticket.destroy
+        }.should change(CASino::ProxyGrantingTicket, :count).by(-1)
+      end
+
+      it 'deletes depending service tickets' do
+        lambda {
+          ticket_granting_ticket.destroy
+        }.should change(CASino::ServiceTicket, :count).by(-1)
+      end
+    end
+  end
+
+  describe '#browser_info' do
+    let(:user_agent) { Object.new }
+    before(:each) do
+      user_agent.stub(:browser).and_return('TestBrowser')
+      UserAgent.stub(:parse).and_return(user_agent)
+    end
+
+    context 'without platform' do
+      before(:each) do
+        user_agent.stub(:platform).and_return(nil)
+      end
+
+      it 'returns the browser name' do
+        ticket_granting_ticket.browser_info.should == 'TestBrowser'
+      end
+    end
+
+    context 'with a platform' do
+      before(:each) do
+        user_agent.stub(:platform).and_return('Linux')
+      end
+
+      it 'returns the browser name' do
+        ticket_granting_ticket.browser_info.should == 'TestBrowser (Linux)'
+      end
+    end
+  end
+
+  describe '#same_user?' do
+    context 'with a nil value' do
+      let(:other_ticket_granting_ticket) { nil }
+
+      it 'should return false' do
+        ticket_granting_ticket.same_user?(other_ticket_granting_ticket).should == false
+      end
+    end
+
+    context 'with a ticket from another user' do
+      let(:other_ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket  }
+
+      it 'should return false' do
+        ticket_granting_ticket.same_user?(other_ticket_granting_ticket).should == false
+      end
+    end
+
+    context 'with a ticket from the same user' do
+      let(:other_ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket, user: ticket_granting_ticket.user }
+
+      it 'should return true' do
+        ticket_granting_ticket.same_user?(other_ticket_granting_ticket).should == true
+      end
+    end
+  end
+
+  describe '#expired?' do
+    context 'with a long-term ticket' do
+      context 'when almost expired' do
+        before(:each) do
+          ticket_granting_ticket.created_at = 9.days.ago
+          ticket_granting_ticket.long_term = true
+          ticket_granting_ticket.save!
+        end
+
+        it 'returns false' do
+          ticket_granting_ticket.expired?.should == false
+        end
+      end
+
+      context 'when expired' do
+        before(:each) do
+          ticket_granting_ticket.created_at = 30.days.ago
+          ticket_granting_ticket.long_term = true
+          ticket_granting_ticket.save!
+        end
+
+        it 'returns true' do
+          ticket_granting_ticket.expired?.should == true
+        end
+      end
+    end
+
+    context 'with an expired ticket' do
+      before(:each) do
+        ticket_granting_ticket.created_at = 25.hours.ago
+        ticket_granting_ticket.save!
+      end
+
+      it 'returns true' do
+        ticket_granting_ticket.expired?.should == true
+      end
+    end
+
+    context 'with an unexpired ticket' do
+      it 'returns false' do
+        ticket_granting_ticket.expired?.should == false
+      end
+    end
+
+    context 'with pending two-factor authentication' do
+      before(:each) do
+        ticket_granting_ticket.awaiting_two_factor_authentication = true
+        ticket_granting_ticket.save!
+      end
+
+      context 'with an expired ticket' do
+        before(:each) do
+          ticket_granting_ticket.created_at = 10.minutes.ago
+          ticket_granting_ticket.save!
+        end
+
+        it 'returns true' do
+          ticket_granting_ticket.expired?.should == true
+        end
+      end
+
+      context 'with an unexpired ticket' do
+        it 'returns false' do
+          ticket_granting_ticket.expired?.should == false
+        end
+      end
+    end
+  end
+
+  describe '.cleanup' do
+    let!(:other_ticket_granting_ticket) { FactoryGirl.create :ticket_granting_ticket }
+
+    it 'deletes expired ticket-granting tickets' do
+      ticket_granting_ticket.created_at = 25.hours.ago
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket(ticket_granting_ticket.ticket).should be_false
+    end
+
+    it 'does not delete almost expired long-term ticket-granting tickets' do
+      ticket_granting_ticket.created_at = 9.days.ago
+      ticket_granting_ticket.long_term = true
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should_not change(described_class, :count)
+    end
+
+    it 'does delete expired long-term ticket-granting tickets' do
+      ticket_granting_ticket.created_at = 30.days.ago
+      ticket_granting_ticket.long_term = true
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket(ticket_granting_ticket.ticket).should be_false
+    end
+
+    it 'does not delete almost expired ticket-granting tickets with pending two-factor authentication' do
+      ticket_granting_ticket.created_at = 2.minutes.ago
+      ticket_granting_ticket.awaiting_two_factor_authentication = true
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should_not change(described_class, :count)
+    end
+
+    it 'does delete expired ticket-granting tickets with pending two-factor authentication' do
+      ticket_granting_ticket.created_at = 20.minutes.ago
+      ticket_granting_ticket.awaiting_two_factor_authentication = true
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket(ticket_granting_ticket.ticket).should be_false
+    end
+  end
+end

data/spec/model/two_factor_authenticator_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+
+describe CASino::TwoFactorAuthenticator do
+  describe '.cleanup' do
+    it 'deletes expired inactive two-factor authenticators' do
+      authenticator = FactoryGirl.create :two_factor_authenticator, :inactive
+      authenticator.created_at = 10.hours.ago
+      authenticator.save!
+      lambda do
+        described_class.cleanup
+      end.should change(described_class, :count).by(-1)
+    end
+
+    it 'does not delete not expired inactive two-factor authenticators' do
+      authenticator = FactoryGirl.create :two_factor_authenticator, :inactive
+      authenticator.created_at = (CASino.config.two_factor_authenticator[:lifetime_inactive].seconds - 5).ago
+      lambda do
+        described_class.cleanup
+      end.should_not change(described_class, :count)
+    end
+
+    it 'does not delete active two-factor authenticators' do
+      authenticator = FactoryGirl.create :two_factor_authenticator
+      authenticator.created_at = 10.hours.ago
+      authenticator.save!
+      lambda do
+        described_class.cleanup
+      end.should_not change(described_class, :count)
+    end
+  end
+end

data/spec/processor/api/login_credential_acceptor_spec.rb

@@ -0,0 +1,52 @@
+require 'spec_helper'
+
+describe CASino::API::LoginCredentialAcceptorProcessor do
+  describe '#process' do
+    let(:listener) { Object.new }
+    let(:processor) { described_class.new(listener) }
+    let(:user_agent) { 'ThisIsATestBrwoser 1.0' }
+
+    context 'with invalid credentials' do
+      let(:login_data) { { username: 'testuser', password: 'wrong' } }
+
+      before(:each) do
+        listener.stub(:invalid_login_credentials_via_api)
+      end
+
+      it 'calls the #invalid_login_credentials_via_api method on the listener' do
+        listener.should_receive(:invalid_login_credentials_via_api)
+        processor.process(login_data, user_agent).should be_false
+      end
+
+      it 'does not generate a ticket-granting ticket' do
+        expect {
+          processor.process(login_data, user_agent)
+        }.to_not change(CASino::TicketGrantingTicket, :count)
+      end
+    end
+
+    context 'with valid credentials' do
+      let(:login_data) { { username: 'testuser', password: 'foobar123' } }
+
+      before(:each) do
+        listener.stub(:user_logged_in_via_api)
+      end
+
+      it 'calls the #user_logged_in_via_api method on the listener' do
+        listener.should_receive(:user_logged_in_via_api).with(/^TGC\-/)
+        processor.process(login_data, user_agent)
+      end
+
+      it 'generates a ticket-granting ticket' do
+        expect {
+          processor.process(login_data, user_agent)
+        }.to change(CASino::TicketGrantingTicket, :count).by(1)
+      end
+
+      it 'sets the user-agent in the ticket-granting ticket' do
+        processor.process(login_data, user_agent)
+        CASino::TicketGrantingTicket.last.user_agent.should == user_agent
+      end
+    end
+  end
+end