casino 3.0.4 → 4.0.0.pre.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.travis.yml +12 -3
- data/app/api/casino/api.rb +7 -0
- data/app/api/casino/api/entity/auth_token_ticket.rb +5 -0
- data/app/api/casino/api/resource/auth_token_tickets.rb +12 -0
- data/app/assets/javascripts/casino/{application.js → application.js.erb} +1 -1
- data/app/authenticators/casino/static_authenticator.rb +8 -2
- data/app/builders/casino/proxy_response_builder.rb +24 -0
- data/app/builders/casino/ticket_validation_response_builder.rb +9 -5
- data/app/controllers/casino/application_controller.rb +0 -22
- data/app/controllers/casino/auth_tokens_controller.rb +34 -0
- data/app/controllers/casino/controller_concern/ticket_validator.rb +30 -0
- data/app/controllers/casino/proxy_tickets_controller.rb +42 -2
- data/app/controllers/casino/service_tickets_controller.rb +15 -2
- data/app/controllers/casino/sessions_controller.rb +59 -8
- data/app/controllers/casino/two_factor_authenticators_controller.rb +28 -3
- data/app/helpers/casino/sessions_helper.rb +75 -0
- data/app/helpers/casino/two_factor_authenticators_helper.rb +12 -0
- data/app/models/casino/auth_token_ticket.rb +15 -0
- data/app/models/casino/login_ticket.rb +7 -4
- data/app/models/casino/model_concern/consumable_ticket.rb +20 -0
- data/app/models/casino/model_concern/ticket.rb +28 -0
- data/app/models/casino/proxy_granting_ticket.rb +12 -0
- data/app/models/casino/proxy_ticket.rb +4 -0
- data/app/models/casino/service_ticket.rb +5 -4
- data/app/models/casino/ticket_granting_ticket.rb +5 -1
- data/app/models/casino/two_factor_authenticator.rb +2 -0
- data/app/processors/casino/authentication_processor.rb +73 -0
- data/app/processors/casino/browser_processor.rb +12 -0
- data/app/processors/casino/proxy_granting_ticket_processor.rb +37 -0
- data/app/processors/casino/service_ticket_processor.rb +81 -0
- data/app/processors/casino/ticket_granting_ticket_processor.rb +56 -0
- data/app/processors/casino/two_factor_authenticator_processor.rb +18 -0
- data/app/services/casino/auth_token_validation_service.rb +66 -0
- data/app/views/casino/sessions/index.html.erb +2 -2
- data/app/views/casino/sessions/new.html.erb +1 -1
- data/app/views/casino/sessions/validate_otp.html.erb +1 -1
- data/app/views/casino/two_factor_authenticators/new.html.erb +6 -3
- data/app/views/layouts/application.html.erb +0 -1
- data/casino.gemspec +4 -2
- data/config/locales/en.yml +35 -0
- data/config/locales/zh-CN.yml +88 -0
- data/config/locales/zh-TW.yml +88 -0
- data/config/routes.rb +3 -10
- data/db/migrate/20140831205255_create_auth_token_tickets.rb +10 -0
- data/lib/casino.rb +4 -1
- data/lib/casino/tasks/cleanup.rake +13 -1
- data/lib/casino/version.rb +1 -1
- data/spec/controllers/auth_tokens_controller_spec.rb +75 -0
- data/spec/controllers/proxy_tickets_controller_spec.rb +120 -14
- data/spec/controllers/service_and_proxy_tickets_controller_spec.rb +224 -0
- data/spec/controllers/service_tickets_controller_spec.rb +62 -16
- data/spec/controllers/sessions_controller_spec.rb +622 -36
- data/spec/controllers/two_factor_authenticators_controller_spec.rb +217 -18
- data/spec/dummy/config/cas.yml +3 -0
- data/spec/dummy/config/environments/development.rb +0 -4
- data/spec/dummy/db/migrate/{20130910094259_create_base_models.casino.rb → 20140831214845_create_core_schema.casino.rb} +55 -32
- data/spec/dummy/db/migrate/20140831214846_rename_base_models.casino.rb +102 -0
- data/spec/dummy/db/migrate/20140831214847_cleanup_indexes.casino.rb +28 -0
- data/spec/dummy/db/migrate/20140831214848_fix_long_index_names.casino.rb +13 -0
- data/spec/dummy/db/migrate/20140831214849_change_service_to_text.casino.rb +7 -0
- data/spec/dummy/db/migrate/20140831214850_change_user_agent_to_text.casino.rb +6 -0
- data/spec/dummy/db/migrate/20140831214851_fix_length_of_text_fields.casino.rb +8 -0
- data/spec/dummy/db/migrate/20140831214852_create_auth_token_tickets.casino.rb +11 -0
- data/spec/dummy/db/schema.rb +79 -70
- data/spec/features/login_spec.rb +0 -9
- data/spec/model/auth_token_ticket_spec.rb +23 -0
- data/spec/services/auth_token_validation_service_spec.rb +83 -0
- data/spec/support/sign_in.rb +4 -0
- metadata +139 -210
- data/app/controllers/casino/api/v1/tickets_controller.rb +0 -55
- data/app/helpers/service_tickets_helper.rb +0 -2
- data/app/listeners/casino/legacy_validator_listener.rb +0 -11
- data/app/listeners/casino/listener.rb +0 -16
- data/app/listeners/casino/login_credential_acceptor_listener.rb +0 -38
- data/app/listeners/casino/login_credential_requestor_listener.rb +0 -21
- data/app/listeners/casino/logout_listener.rb +0 -12
- data/app/listeners/casino/other_sessions_destroyer_listener.rb +0 -7
- data/app/listeners/casino/proxy_ticket_provider_listener.rb +0 -11
- data/app/listeners/casino/second_factor_authentication_acceptor_listener.rb +0 -26
- data/app/listeners/casino/session_destroyer_listener.rb +0 -11
- data/app/listeners/casino/session_overview_listener.rb +0 -11
- data/app/listeners/casino/ticket_validator_listener.rb +0 -11
- data/app/listeners/casino/two_factor_authenticator_activator_listener.rb +0 -23
- data/app/listeners/casino/two_factor_authenticator_destroyer_listener.rb +0 -16
- data/app/listeners/casino/two_factor_authenticator_overview_listener.rb +0 -11
- data/app/listeners/casino/two_factor_authenticator_registrator_listener.rb +0 -11
- data/app/processors/casino/api/login_credential_acceptor_processor.rb +0 -46
- data/app/processors/casino/api/logout_processor.rb +0 -17
- data/app/processors/casino/api/service_ticket_provider_processor.rb +0 -69
- data/app/processors/casino/legacy_validator_processor.rb +0 -19
- data/app/processors/casino/login_credential_acceptor_processor.rb +0 -63
- data/app/processors/casino/login_credential_requestor_processor.rb +0 -70
- data/app/processors/casino/logout_processor.rb +0 -23
- data/app/processors/casino/other_sessions_destroyer_processor.rb +0 -26
- data/app/processors/casino/processor.rb +0 -5
- data/app/processors/casino/processor_concern/authentication.rb +0 -87
- data/app/processors/casino/processor_concern/browser.rb +0 -14
- data/app/processors/casino/processor_concern/login_tickets.rb +0 -28
- data/app/processors/casino/processor_concern/proxy_granting_tickets.rb +0 -43
- data/app/processors/casino/processor_concern/proxy_tickets.rb +0 -56
- data/app/processors/casino/processor_concern/service_tickets.rb +0 -50
- data/app/processors/casino/processor_concern/ticket_granting_tickets.rb +0 -65
- data/app/processors/casino/processor_concern/tickets.rb +0 -17
- data/app/processors/casino/processor_concern/two_factor_authenticators.rb +0 -23
- data/app/processors/casino/proxy_ticket_provider_processor.rb +0 -41
- data/app/processors/casino/proxy_ticket_validator_processor.rb +0 -22
- data/app/processors/casino/second_factor_authentication_acceptor_processor.rb +0 -45
- data/app/processors/casino/service_ticket_validator_processor.rb +0 -46
- data/app/processors/casino/session_destroyer_processor.rb +0 -25
- data/app/processors/casino/session_overview_processor.rb +0 -21
- data/app/processors/casino/two_factor_authenticator_activator_processor.rb +0 -41
- data/app/processors/casino/two_factor_authenticator_destroyer_processor.rb +0 -33
- data/app/processors/casino/two_factor_authenticator_overview_processor.rb +0 -20
- data/app/processors/casino/two_factor_authenticator_registrator_processor.rb +0 -24
- data/spec/controllers/api/v1/tickets_controller_spec.rb +0 -114
- data/spec/controllers/listener/legacy_validator_spec.rb +0 -22
- data/spec/controllers/listener/login_credential_acceptor_spec.rb +0 -108
- data/spec/controllers/listener/login_credential_requestor_spec.rb +0 -57
- data/spec/controllers/listener/logout_spec.rb +0 -38
- data/spec/controllers/listener/other_sessions_destroyer_spec.rb +0 -19
- data/spec/controllers/listener/proxy_ticket_provider_spec.rb +0 -22
- data/spec/controllers/listener/second_factor_authentication_acceptor_spec.rb +0 -74
- data/spec/controllers/listener/session_destroyer_spec.rb +0 -25
- data/spec/controllers/listener/session_overview_spec.rb +0 -26
- data/spec/controllers/listener/ticket_validator_spec.rb +0 -22
- data/spec/controllers/listener/two_factor_authenticator_activator_spec.rb +0 -64
- data/spec/controllers/listener/two_factor_authenticator_destroyer_spec.rb +0 -40
- data/spec/controllers/listener/two_factor_authenticator_overview_spec.rb +0 -16
- data/spec/controllers/listener/two_factor_authenticator_registrator_spec.rb +0 -27
- data/spec/processor/api/login_credential_acceptor_spec.rb +0 -52
- data/spec/processor/api/logout_spec.rb +0 -34
- data/spec/processor/api/service_ticket_provider_spec.rb +0 -61
- data/spec/processor/legacy_validator_spec.rb +0 -78
- data/spec/processor/login_credential_acceptor_spec.rb +0 -164
- data/spec/processor/login_credential_requestor_spec.rb +0 -145
- data/spec/processor/logout_other_sessions_spec.rb +0 -53
- data/spec/processor/logout_spec.rb +0 -72
- data/spec/processor/processor_concern/service_tickets_spec.rb +0 -49
- data/spec/processor/proxy_ticket_provider_spec.rb +0 -66
- data/spec/processor/proxy_ticket_validator_spec.rb +0 -65
- data/spec/processor/second_factor_authenticaton_acceptor_spec.rb +0 -94
- data/spec/processor/session_destroyer_spec.rb +0 -75
- data/spec/processor/session_overview_spec.rb +0 -49
- data/spec/processor/ticket_validator_spec.rb +0 -214
- data/spec/processor/two_factor_authenticator_activator_spec.rb +0 -122
- data/spec/processor/two_factor_authenticator_destroyer_spec.rb +0 -71
- data/spec/processor/two_factor_authenticator_overview_spec.rb +0 -56
- data/spec/processor/two_factor_authenticator_registrator_spec.rb +0 -48
@@ -1,50 +0,0 @@
|
|
1
|
-
require 'addressable/uri'
|
2
|
-
|
3
|
-
module CASino
|
4
|
-
module ProcessorConcern
|
5
|
-
module ServiceTickets
|
6
|
-
include CASino::ProcessorConcern::Tickets
|
7
|
-
include CASino::ProcessorConcern::ProxyTickets
|
8
|
-
|
9
|
-
class ServiceNotAllowedError < StandardError; end
|
10
|
-
|
11
|
-
RESERVED_CAS_PARAMETER_KEYS = ['service', 'ticket', 'gateway', 'renew']
|
12
|
-
|
13
|
-
def acquire_service_ticket(ticket_granting_ticket, service, credentials_supplied = nil)
|
14
|
-
service_url = clean_service_url(service)
|
15
|
-
unless CASino::ServiceRule.allowed?(service_url)
|
16
|
-
message = "#{service_url} is not in the list of allowed URLs"
|
17
|
-
Rails.logger.error message
|
18
|
-
raise ServiceNotAllowedError, message
|
19
|
-
end
|
20
|
-
service_tickets = ticket_granting_ticket.service_tickets
|
21
|
-
service_tickets.where(service: service_url).destroy_all
|
22
|
-
service_tickets.create!({
|
23
|
-
ticket: random_ticket_string('ST'),
|
24
|
-
service: service_url,
|
25
|
-
issued_from_credentials: !!credentials_supplied
|
26
|
-
})
|
27
|
-
end
|
28
|
-
|
29
|
-
def clean_service_url(dirty_service)
|
30
|
-
return dirty_service if dirty_service.blank?
|
31
|
-
service_uri = Addressable::URI.parse dirty_service
|
32
|
-
unless service_uri.query_values.nil?
|
33
|
-
service_uri.query_values = service_uri.query_values(Array).select { |k,v| !RESERVED_CAS_PARAMETER_KEYS.include?(k) }
|
34
|
-
end
|
35
|
-
if service_uri.query_values.blank?
|
36
|
-
service_uri.query_values = nil
|
37
|
-
end
|
38
|
-
|
39
|
-
service_uri.path = (service_uri.path || '').gsub(/\/+\z/, '')
|
40
|
-
service_uri.path = '/' if service_uri.path.blank?
|
41
|
-
|
42
|
-
clean_service = service_uri.normalize.to_s
|
43
|
-
|
44
|
-
Rails.logger.debug("Cleaned dirty service URL '#{dirty_service}' to '#{clean_service}'") if dirty_service != clean_service
|
45
|
-
|
46
|
-
clean_service
|
47
|
-
end
|
48
|
-
end
|
49
|
-
end
|
50
|
-
end
|
@@ -1,65 +0,0 @@
|
|
1
|
-
require 'addressable/uri'
|
2
|
-
|
3
|
-
module CASino
|
4
|
-
module ProcessorConcern
|
5
|
-
module TicketGrantingTickets
|
6
|
-
|
7
|
-
include CASino::ProcessorConcern::Browser
|
8
|
-
|
9
|
-
def find_valid_ticket_granting_ticket(tgt, user_agent, ignore_two_factor = false)
|
10
|
-
ticket_granting_ticket = CASino::TicketGrantingTicket.where(ticket: tgt).first
|
11
|
-
unless ticket_granting_ticket.nil?
|
12
|
-
if ticket_granting_ticket.expired?
|
13
|
-
Rails.logger.info "Ticket-granting ticket expired (Created: #{ticket_granting_ticket.created_at})"
|
14
|
-
ticket_granting_ticket.destroy
|
15
|
-
nil
|
16
|
-
elsif !ignore_two_factor && ticket_granting_ticket.awaiting_two_factor_authentication?
|
17
|
-
Rails.logger.info 'Ticket-granting ticket is valid, but two-factor authentication is pending'
|
18
|
-
nil
|
19
|
-
elsif same_browser?(ticket_granting_ticket.user_agent, user_agent)
|
20
|
-
ticket_granting_ticket.user_agent = user_agent
|
21
|
-
ticket_granting_ticket.touch
|
22
|
-
ticket_granting_ticket.save!
|
23
|
-
ticket_granting_ticket
|
24
|
-
else
|
25
|
-
Rails.logger.info 'User-Agent changed: ticket-granting ticket not valid for this browser'
|
26
|
-
nil
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
|
31
|
-
def acquire_ticket_granting_ticket(authentication_result, user_agent = nil, long_term = nil)
|
32
|
-
user_data = authentication_result[:user_data]
|
33
|
-
user = load_or_initialize_user(authentication_result[:authenticator], user_data[:username], user_data[:extra_attributes])
|
34
|
-
cleanup_expired_ticket_granting_tickets(user)
|
35
|
-
user.ticket_granting_tickets.create!({
|
36
|
-
ticket: random_ticket_string('TGC'),
|
37
|
-
awaiting_two_factor_authentication: !user.active_two_factor_authenticator.nil?,
|
38
|
-
user_agent: user_agent,
|
39
|
-
long_term: !!long_term
|
40
|
-
})
|
41
|
-
end
|
42
|
-
|
43
|
-
def load_or_initialize_user(authenticator, username, extra_attributes)
|
44
|
-
user = CASino::User.where(
|
45
|
-
authenticator: authenticator,
|
46
|
-
username: username).first_or_initialize
|
47
|
-
user.extra_attributes = extra_attributes
|
48
|
-
user.save!
|
49
|
-
return user
|
50
|
-
end
|
51
|
-
|
52
|
-
def remove_ticket_granting_ticket(ticket_granting_ticket, user_agent = nil)
|
53
|
-
tgt = find_valid_ticket_granting_ticket(ticket_granting_ticket, user_agent)
|
54
|
-
unless tgt.nil?
|
55
|
-
tgt.destroy
|
56
|
-
end
|
57
|
-
end
|
58
|
-
|
59
|
-
def cleanup_expired_ticket_granting_tickets(user)
|
60
|
-
CASino::TicketGrantingTicket.cleanup(user)
|
61
|
-
end
|
62
|
-
|
63
|
-
end
|
64
|
-
end
|
65
|
-
end
|
@@ -1,17 +0,0 @@
|
|
1
|
-
require 'securerandom'
|
2
|
-
|
3
|
-
module CASino
|
4
|
-
module ProcessorConcern
|
5
|
-
module Tickets
|
6
|
-
|
7
|
-
ALLOWED_TICKET_STRING_CHARACTERS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a
|
8
|
-
|
9
|
-
def random_ticket_string(prefix, length = 40)
|
10
|
-
random_string = SecureRandom.random_bytes(length).each_char.map do |char|
|
11
|
-
ALLOWED_TICKET_STRING_CHARACTERS[(char.ord % ALLOWED_TICKET_STRING_CHARACTERS.length)]
|
12
|
-
end.join
|
13
|
-
"#{prefix}-#{'%d' % (Time.now.to_f * 10000)}-#{random_string}"
|
14
|
-
end
|
15
|
-
end
|
16
|
-
end
|
17
|
-
end
|
@@ -1,23 +0,0 @@
|
|
1
|
-
require 'addressable/uri'
|
2
|
-
require 'rotp'
|
3
|
-
|
4
|
-
module CASino
|
5
|
-
module ProcessorConcern
|
6
|
-
module TwoFactorAuthenticators
|
7
|
-
class ValidationResult < CASino::ValidationResult; end
|
8
|
-
|
9
|
-
def validate_one_time_password(otp, authenticator)
|
10
|
-
if authenticator.nil? || authenticator.expired?
|
11
|
-
ValidationResult.new 'INVALID_AUTHENTICATOR', 'Authenticator does not exist or expired', :warn
|
12
|
-
else
|
13
|
-
totp = ROTP::TOTP.new(authenticator.secret)
|
14
|
-
if totp.verify_with_drift(otp, CASino.config.two_factor_authenticator[:drift])
|
15
|
-
ValidationResult.new
|
16
|
-
else
|
17
|
-
ValidationResult.new 'INVALID_OTP', 'One-time password not valid', :warn
|
18
|
-
end
|
19
|
-
end
|
20
|
-
end
|
21
|
-
end
|
22
|
-
end
|
23
|
-
end
|
@@ -1,41 +0,0 @@
|
|
1
|
-
require 'builder'
|
2
|
-
|
3
|
-
# The ProxyTicketProvider processor should be used to handle GET requests to /proxy
|
4
|
-
class CASino::ProxyTicketProviderProcessor < CASino::Processor
|
5
|
-
include CASino::ProcessorConcern::ProxyGrantingTickets
|
6
|
-
include CASino::ProcessorConcern::ProxyTickets
|
7
|
-
|
8
|
-
# This method will call `#request_succeeded` or `#request_failed`. In both cases, it supplies
|
9
|
-
# a string as argument. The web application should present that string (and nothing else) to the
|
10
|
-
# requestor. The Content-Type should be set to 'text/xml; charset=utf-8'
|
11
|
-
#
|
12
|
-
# @param [Hash] params parameters delivered by the client
|
13
|
-
def process(params = nil)
|
14
|
-
if params[:pgt].nil? || params[:targetService].nil?
|
15
|
-
@listener.request_failed build_xml false, error_code: 'INVALID_REQUEST', error_message: '"pgt" and "targetService" parameters are both required'
|
16
|
-
else
|
17
|
-
proxy_granting_ticket = CASino::ProxyGrantingTicket.where(ticket: params[:pgt]).first
|
18
|
-
if proxy_granting_ticket.nil?
|
19
|
-
@listener.request_failed build_xml false, error_code: 'BAD_PGT', error_message: 'PGT not found'
|
20
|
-
else
|
21
|
-
proxy_ticket = acquire_proxy_ticket(proxy_granting_ticket, params[:targetService])
|
22
|
-
@listener.request_succeeded build_xml true, proxy_ticket: proxy_ticket
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
26
|
-
|
27
|
-
private
|
28
|
-
def build_xml(success, options = {})
|
29
|
-
xml = Builder::XmlMarkup.new(indent: 2)
|
30
|
-
xml.cas :serviceResponse, 'xmlns:cas' => 'http://www.yale.edu/tp/cas' do |service_response|
|
31
|
-
if success
|
32
|
-
service_response.cas :proxySuccess do |proxy_success|
|
33
|
-
proxy_success.cas :proxyTicket, options[:proxy_ticket].ticket
|
34
|
-
end
|
35
|
-
else
|
36
|
-
service_response.cas :proxyFailure, options[:error_message], code: options[:error_code]
|
37
|
-
end
|
38
|
-
end
|
39
|
-
xml.target!
|
40
|
-
end
|
41
|
-
end
|
@@ -1,22 +0,0 @@
|
|
1
|
-
# The ProxyTicketValidator processor should be used to handle GET requests to /proxyValidate
|
2
|
-
class CASino::ProxyTicketValidatorProcessor < CASino::ServiceTicketValidatorProcessor
|
3
|
-
|
4
|
-
# This method will call `#validation_succeeded` or `#validation_failed`. In both cases, it supplies
|
5
|
-
# a string as argument. The web application should present that string (and nothing else) to the
|
6
|
-
# requestor. The Content-Type should be set to 'text/xml; charset=utf-8'
|
7
|
-
#
|
8
|
-
# @param [Hash] params parameters delivered by the client
|
9
|
-
def process(params = nil)
|
10
|
-
params ||= {}
|
11
|
-
if request_valid?(params)
|
12
|
-
ticket = if params[:ticket].start_with?('PT-')
|
13
|
-
CASino::ProxyTicket.where(ticket: params[:ticket]).first
|
14
|
-
elsif params[:ticket].start_with?('ST-')
|
15
|
-
CASino::ServiceTicket.where(ticket: params[:ticket]).first
|
16
|
-
else
|
17
|
-
nil
|
18
|
-
end
|
19
|
-
validate_ticket!(ticket, params)
|
20
|
-
end
|
21
|
-
end
|
22
|
-
end
|
@@ -1,45 +0,0 @@
|
|
1
|
-
# The SecondFactorAuthenticationAcceptor processor can be used to activate a previously generated ticket-granting ticket with pending two-factor authentication.
|
2
|
-
#
|
3
|
-
# This feature is not described in the CAS specification so it's completly optional
|
4
|
-
# to implement this on the web application side.
|
5
|
-
class CASino::SecondFactorAuthenticationAcceptorProcessor < CASino::Processor
|
6
|
-
include CASino::ProcessorConcern::ServiceTickets
|
7
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
8
|
-
include CASino::ProcessorConcern::TwoFactorAuthenticators
|
9
|
-
|
10
|
-
# The method will call one of the following methods on the listener:
|
11
|
-
# * `#user_not_logged_in`: The user should be redirected to /login.
|
12
|
-
# * `#user_logged_in`: The first argument (String) is the URL (if any), the user should be redirected to.
|
13
|
-
# The second argument (String) is the ticket-granting ticket. It should be stored in a cookie named "tgt".
|
14
|
-
# * `#invalid_one_time_password`: The user should be asked for a new OTP.
|
15
|
-
#
|
16
|
-
# @param [Hash] params parameters supplied by user. The processor will look for keys :otp and :service.
|
17
|
-
# @param [String] user_agent user-agent delivered by the client
|
18
|
-
def process(params = nil, user_agent = nil)
|
19
|
-
cookies ||= {}
|
20
|
-
tgt = find_valid_ticket_granting_ticket(params[:tgt], user_agent, true)
|
21
|
-
if tgt.nil?
|
22
|
-
@listener.user_not_logged_in
|
23
|
-
else
|
24
|
-
validation_result = validate_one_time_password(params[:otp], tgt.user.active_two_factor_authenticator)
|
25
|
-
if validation_result.success?
|
26
|
-
tgt.awaiting_two_factor_authentication = false
|
27
|
-
tgt.save!
|
28
|
-
begin
|
29
|
-
url = unless params[:service].blank?
|
30
|
-
acquire_service_ticket(tgt, params[:service], true).service_with_ticket_url
|
31
|
-
end
|
32
|
-
if tgt.long_term?
|
33
|
-
@listener.user_logged_in(url, tgt.ticket, CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now)
|
34
|
-
else
|
35
|
-
@listener.user_logged_in(url, tgt.ticket)
|
36
|
-
end
|
37
|
-
rescue ServiceNotAllowedError => e
|
38
|
-
@listener.service_not_allowed(clean_service_url params[:service])
|
39
|
-
end
|
40
|
-
else
|
41
|
-
@listener.invalid_one_time_password
|
42
|
-
end
|
43
|
-
end
|
44
|
-
end
|
45
|
-
end
|
@@ -1,46 +0,0 @@
|
|
1
|
-
# The ServiceTicketValidator processor should be used to handle GET requests to /serviceValidate
|
2
|
-
class CASino::ServiceTicketValidatorProcessor < CASino::Processor
|
3
|
-
include CASino::ProcessorConcern::ServiceTickets
|
4
|
-
include CASino::ProcessorConcern::ProxyGrantingTickets
|
5
|
-
|
6
|
-
# This method will call `#validation_succeeded` or `#validation_failed`. In both cases, it supplies
|
7
|
-
# a string as argument. The web application should present that string (and nothing else) to the
|
8
|
-
# requestor. The Content-Type should be set to 'text/xml; charset=utf-8'
|
9
|
-
#
|
10
|
-
# @param [Hash] params parameters delivered by the client
|
11
|
-
def process(params = nil)
|
12
|
-
params ||= {}
|
13
|
-
if request_valid?(params)
|
14
|
-
ticket = CASino::ServiceTicket.where(ticket: params[:ticket]).first
|
15
|
-
validate_ticket!(ticket, params)
|
16
|
-
end
|
17
|
-
end
|
18
|
-
|
19
|
-
protected
|
20
|
-
def build_service_response(success, options = {})
|
21
|
-
builder = CASino::TicketValidationResponseBuilder.new(success, options)
|
22
|
-
builder.build
|
23
|
-
end
|
24
|
-
|
25
|
-
def request_valid?(params)
|
26
|
-
if params[:ticket].nil? || params[:service].nil?
|
27
|
-
@listener.validation_failed build_service_response(false, error_code: 'INVALID_REQUEST', error_message: '"ticket" and "service" parameters are both required')
|
28
|
-
false
|
29
|
-
else
|
30
|
-
true
|
31
|
-
end
|
32
|
-
end
|
33
|
-
|
34
|
-
def validate_ticket!(ticket, params)
|
35
|
-
validation_result = validate_ticket_for_service(ticket, params[:service], !!params[:renew])
|
36
|
-
if validation_result.success?
|
37
|
-
options = { ticket: ticket }
|
38
|
-
unless params[:pgtUrl].nil?
|
39
|
-
options[:proxy_granting_ticket] = acquire_proxy_granting_ticket(params[:pgtUrl], ticket)
|
40
|
-
end
|
41
|
-
@listener.validation_succeeded(build_service_response(true, options))
|
42
|
-
else
|
43
|
-
@listener.validation_failed(build_service_response(false, error_code: validation_result.error_code, error_message: validation_result.error_message))
|
44
|
-
end
|
45
|
-
end
|
46
|
-
end
|
@@ -1,25 +0,0 @@
|
|
1
|
-
# The SessionDestroyer processor is used to destroy a ticket-granting ticket.
|
2
|
-
#
|
3
|
-
# This feature is not described in the CAS specification so it's completly optional
|
4
|
-
# to implement this on the web application side. It is especially useful in
|
5
|
-
# combination with the {CASino::SessionOverviewProcessor} processor.
|
6
|
-
class CASino::SessionDestroyerProcessor < CASino::Processor
|
7
|
-
|
8
|
-
# This method will call `#ticket_not_found` or `#ticket_deleted` on the listener.
|
9
|
-
# @param [Hash] params parameters supplied by user (ID of ticket-granting ticket to delete should by in params[:id])
|
10
|
-
# @param [Hash] cookies cookies supplied by user
|
11
|
-
# @param [String] user_agent user-agent delivered by the client
|
12
|
-
def process(params = nil, cookies = nil, user_agent = nil)
|
13
|
-
params ||= {}
|
14
|
-
cookies ||= {}
|
15
|
-
ticket = CASino::TicketGrantingTicket.where(id: params[:id]).first
|
16
|
-
owner_ticket = CASino::TicketGrantingTicket.where(ticket: cookies[:tgt]).first
|
17
|
-
if ticket.nil? || !ticket.same_user?(owner_ticket)
|
18
|
-
@listener.ticket_not_found
|
19
|
-
else
|
20
|
-
Rails.logger.info "Destroying ticket-granting ticket '#{ticket.ticket}'"
|
21
|
-
ticket.destroy
|
22
|
-
@listener.ticket_deleted
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
@@ -1,21 +0,0 @@
|
|
1
|
-
# The SessionOverview processor to list all open session for the currently signed in user.
|
2
|
-
#
|
3
|
-
# This feature is not described in the CAS specification so it's completly optional
|
4
|
-
# to implement this on the web application side.
|
5
|
-
class CASino::SessionOverviewProcessor < CASino::Processor
|
6
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
7
|
-
|
8
|
-
# This method will call `#user_not_logged_in` or `#ticket_granting_tickets_found(Enumerable)` on the listener.
|
9
|
-
# @param [Hash] cookies cookies delivered by the client
|
10
|
-
# @param [String] user_agent user-agent delivered by the client
|
11
|
-
def process(cookies = nil, user_agent = nil)
|
12
|
-
cookies ||= {}
|
13
|
-
tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
|
14
|
-
if tgt.nil?
|
15
|
-
@listener.user_not_logged_in
|
16
|
-
else
|
17
|
-
ticket_granting_tickets = tgt.user.ticket_granting_tickets.where(awaiting_two_factor_authentication: false).order('updated_at DESC')
|
18
|
-
@listener.ticket_granting_tickets_found(ticket_granting_tickets)
|
19
|
-
end
|
20
|
-
end
|
21
|
-
end
|
@@ -1,41 +0,0 @@
|
|
1
|
-
# The TwoFactorAuthenticatorActivator processor can be used to activate a previously generated two-factor authenticator.
|
2
|
-
#
|
3
|
-
# This feature is not described in the CAS specification so it's completly optional
|
4
|
-
# to implement this on the web application side.
|
5
|
-
class CASino::TwoFactorAuthenticatorActivatorProcessor < CASino::Processor
|
6
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
7
|
-
include CASino::ProcessorConcern::TwoFactorAuthenticators
|
8
|
-
|
9
|
-
# The method will call one of the following methods on the listener:
|
10
|
-
# * `#user_not_logged_in`: The user is not logged in and should be redirected to /login.
|
11
|
-
# * `#two_factor_authenticator_activated`: The two-factor authenticator was successfully activated.
|
12
|
-
# * `#invalid_two_factor_authenticator`: The two-factor authenticator is not valid.
|
13
|
-
# * `#invalid_one_time_password`: The user should be asked for a new OTP.
|
14
|
-
#
|
15
|
-
# @param [Hash] params parameters supplied by user. The processor will look for keys :otp and :id.
|
16
|
-
# @param [Hash] cookies cookies delivered by the client
|
17
|
-
# @param [String] user_agent user-agent delivered by the client
|
18
|
-
def process(params = nil, cookies = nil, user_agent = nil)
|
19
|
-
cookies ||= {}
|
20
|
-
params ||= {}
|
21
|
-
tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
|
22
|
-
if tgt.nil?
|
23
|
-
@listener.user_not_logged_in
|
24
|
-
else
|
25
|
-
authenticator = tgt.user.two_factor_authenticators.where(id: params[:id]).first
|
26
|
-
validation_result = validate_one_time_password(params[:otp], authenticator)
|
27
|
-
if validation_result.success?
|
28
|
-
tgt.user.two_factor_authenticators.where(active: true).delete_all
|
29
|
-
authenticator.active = true
|
30
|
-
authenticator.save!
|
31
|
-
@listener.two_factor_authenticator_activated
|
32
|
-
else
|
33
|
-
if validation_result.error_code == 'INVALID_OTP'
|
34
|
-
@listener.invalid_one_time_password(authenticator)
|
35
|
-
else
|
36
|
-
@listener.invalid_two_factor_authenticator
|
37
|
-
end
|
38
|
-
end
|
39
|
-
end
|
40
|
-
end
|
41
|
-
end
|
@@ -1,33 +0,0 @@
|
|
1
|
-
# The TwoFactorAuthenticatorDestroyer processor can be used to deactivate a previously activated two-factor authenticator.
|
2
|
-
#
|
3
|
-
# This feature is not described in the CAS specification so it's completly optional
|
4
|
-
# to implement this on the web application side.
|
5
|
-
class CASino::TwoFactorAuthenticatorDestroyerProcessor < CASino::Processor
|
6
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
7
|
-
include CASino::ProcessorConcern::TwoFactorAuthenticators
|
8
|
-
|
9
|
-
# The method will call one of the following methods on the listener:
|
10
|
-
# * `#user_not_logged_in`: The user is not logged in and should be redirected to /login.
|
11
|
-
# * `#two_factor_authenticator_destroyed`: The two-factor authenticator was successfully destroyed.
|
12
|
-
# * `#invalid_two_factor_authenticator`: The two-factor authenticator is not valid.
|
13
|
-
#
|
14
|
-
# @param [Hash] params parameters supplied by user. The processor will look for key :id.
|
15
|
-
# @param [Hash] cookies cookies delivered by the client
|
16
|
-
# @param [String] user_agent user-agent delivered by the client
|
17
|
-
def process(params = nil, cookies = nil, user_agent = nil)
|
18
|
-
cookies ||= {}
|
19
|
-
params ||= {}
|
20
|
-
tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
|
21
|
-
if tgt.nil?
|
22
|
-
@listener.user_not_logged_in
|
23
|
-
else
|
24
|
-
authenticator = tgt.user.two_factor_authenticators.where(id: params[:id]).first
|
25
|
-
if authenticator
|
26
|
-
authenticator.destroy
|
27
|
-
@listener.two_factor_authenticator_destroyed
|
28
|
-
else
|
29
|
-
@listener.invalid_two_factor_authenticator
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
@@ -1,20 +0,0 @@
|
|
1
|
-
# The TwoFactorAuthenticatorOverview processor lists registered two factor devices for the currently signed in user.
|
2
|
-
#
|
3
|
-
# This feature is not described in the CAS specification so it's completly optional
|
4
|
-
# to implement this on the web application side.
|
5
|
-
class CASino::TwoFactorAuthenticatorOverviewProcessor < CASino::Processor
|
6
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
7
|
-
|
8
|
-
# This method will call `#user_not_logged_in` or `#two_factor_authenticators_found(Enumerable)` on the listener.
|
9
|
-
# @param [Hash] cookies cookies delivered by the client
|
10
|
-
# @param [String] user_agent user-agent delivered by the client
|
11
|
-
def process(cookies = nil, user_agent = nil)
|
12
|
-
cookies ||= {}
|
13
|
-
tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
|
14
|
-
if tgt.nil?
|
15
|
-
@listener.user_not_logged_in
|
16
|
-
else
|
17
|
-
@listener.two_factor_authenticators_found(tgt.user.two_factor_authenticators.where(active: true))
|
18
|
-
end
|
19
|
-
end
|
20
|
-
end
|