casino 3.0.4 → 4.0.0.pre.1

data/app/processors/casino/processor_concern/service_tickets.rb

@@ -1,50 +0,0 @@
-require 'addressable/uri'
-
-module CASino
-  module ProcessorConcern
-    module ServiceTickets
-      include CASino::ProcessorConcern::Tickets
-      include CASino::ProcessorConcern::ProxyTickets
-
-      class ServiceNotAllowedError < StandardError; end
-
-      RESERVED_CAS_PARAMETER_KEYS = ['service', 'ticket', 'gateway', 'renew']
-
-      def acquire_service_ticket(ticket_granting_ticket, service, credentials_supplied = nil)
-        service_url = clean_service_url(service)
-        unless CASino::ServiceRule.allowed?(service_url)
-          message = "#{service_url} is not in the list of allowed URLs"
-          Rails.logger.error message
-          raise ServiceNotAllowedError, message
-        end
-        service_tickets = ticket_granting_ticket.service_tickets
-        service_tickets.where(service: service_url).destroy_all
-        service_tickets.create!({
-          ticket: random_ticket_string('ST'),
-          service: service_url,
-          issued_from_credentials: !!credentials_supplied
-        })
-      end
-
-      def clean_service_url(dirty_service)
-        return dirty_service if dirty_service.blank?
-        service_uri = Addressable::URI.parse dirty_service
-        unless service_uri.query_values.nil?
-          service_uri.query_values = service_uri.query_values(Array).select { |k,v| !RESERVED_CAS_PARAMETER_KEYS.include?(k) }
-        end
-        if service_uri.query_values.blank?
-          service_uri.query_values = nil
-        end
-
-        service_uri.path = (service_uri.path || '').gsub(/\/+\z/, '')
-        service_uri.path = '/' if service_uri.path.blank?
-
-        clean_service = service_uri.normalize.to_s
-
-        Rails.logger.debug("Cleaned dirty service URL '#{dirty_service}' to '#{clean_service}'") if dirty_service != clean_service
-
-        clean_service
-      end
-    end
-  end
-end

data/app/processors/casino/processor_concern/ticket_granting_tickets.rb

@@ -1,65 +0,0 @@
-require 'addressable/uri'
-
-module CASino
-  module ProcessorConcern
-    module TicketGrantingTickets
-
-      include CASino::ProcessorConcern::Browser
-
-      def find_valid_ticket_granting_ticket(tgt, user_agent, ignore_two_factor = false)
-        ticket_granting_ticket = CASino::TicketGrantingTicket.where(ticket: tgt).first
-        unless ticket_granting_ticket.nil?
-          if ticket_granting_ticket.expired?
-            Rails.logger.info "Ticket-granting ticket expired (Created: #{ticket_granting_ticket.created_at})"
-            ticket_granting_ticket.destroy
-            nil
-          elsif !ignore_two_factor && ticket_granting_ticket.awaiting_two_factor_authentication?
-            Rails.logger.info 'Ticket-granting ticket is valid, but two-factor authentication is pending'
-            nil
-          elsif same_browser?(ticket_granting_ticket.user_agent, user_agent)
-            ticket_granting_ticket.user_agent = user_agent
-            ticket_granting_ticket.touch
-            ticket_granting_ticket.save!
-            ticket_granting_ticket
-          else
-            Rails.logger.info 'User-Agent changed: ticket-granting ticket not valid for this browser'
-            nil
-          end
-        end
-      end
-
-      def acquire_ticket_granting_ticket(authentication_result, user_agent = nil, long_term = nil)
-        user_data = authentication_result[:user_data]
-        user = load_or_initialize_user(authentication_result[:authenticator], user_data[:username], user_data[:extra_attributes])
-        cleanup_expired_ticket_granting_tickets(user)
-        user.ticket_granting_tickets.create!({
-          ticket: random_ticket_string('TGC'),
-          awaiting_two_factor_authentication: !user.active_two_factor_authenticator.nil?,
-          user_agent: user_agent,
-          long_term: !!long_term
-        })
-      end
-
-      def load_or_initialize_user(authenticator, username, extra_attributes)
-        user = CASino::User.where(
-          authenticator: authenticator,
-          username: username).first_or_initialize
-        user.extra_attributes = extra_attributes
-        user.save!
-        return user
-      end
-
-      def remove_ticket_granting_ticket(ticket_granting_ticket, user_agent = nil)
-        tgt = find_valid_ticket_granting_ticket(ticket_granting_ticket, user_agent)
-        unless tgt.nil?
-          tgt.destroy
-        end
-      end
-
-      def cleanup_expired_ticket_granting_tickets(user)
-        CASino::TicketGrantingTicket.cleanup(user)
-      end
-
-    end
-  end
-end

data/app/processors/casino/processor_concern/tickets.rb

@@ -1,17 +0,0 @@
-require 'securerandom'
-
-module CASino
-  module ProcessorConcern
-    module Tickets
-
-      ALLOWED_TICKET_STRING_CHARACTERS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a
-
-      def random_ticket_string(prefix, length = 40)
-        random_string = SecureRandom.random_bytes(length).each_char.map do |char|
-          ALLOWED_TICKET_STRING_CHARACTERS[(char.ord % ALLOWED_TICKET_STRING_CHARACTERS.length)]
-        end.join
-        "#{prefix}-#{'%d' % (Time.now.to_f * 10000)}-#{random_string}"
-      end
-    end
-  end
-end

data/app/processors/casino/processor_concern/two_factor_authenticators.rb

@@ -1,23 +0,0 @@
-require 'addressable/uri'
-require 'rotp'
-
-module CASino
-  module ProcessorConcern
-    module TwoFactorAuthenticators
-      class ValidationResult < CASino::ValidationResult; end
-
-      def validate_one_time_password(otp, authenticator)
-        if authenticator.nil? || authenticator.expired?
-          ValidationResult.new 'INVALID_AUTHENTICATOR', 'Authenticator does not exist or expired', :warn
-        else
-          totp = ROTP::TOTP.new(authenticator.secret)
-          if totp.verify_with_drift(otp, CASino.config.two_factor_authenticator[:drift])
-            ValidationResult.new
-          else
-            ValidationResult.new 'INVALID_OTP', 'One-time password not valid', :warn
-          end
-        end
-      end
-    end
-  end
-end

data/app/processors/casino/proxy_ticket_provider_processor.rb

@@ -1,41 +0,0 @@
-require 'builder'
-
-# The ProxyTicketProvider processor should be used to handle GET requests to /proxy
-class CASino::ProxyTicketProviderProcessor < CASino::Processor
-  include CASino::ProcessorConcern::ProxyGrantingTickets
-  include CASino::ProcessorConcern::ProxyTickets
-
-  # This method will call `#request_succeeded` or `#request_failed`. In both cases, it supplies
-  # a string as argument. The web application should present that string (and nothing else) to the
-  # requestor. The Content-Type should be set to 'text/xml; charset=utf-8'
-  #
-  # @param [Hash] params parameters delivered by the client
-  def process(params = nil)
-    if params[:pgt].nil? || params[:targetService].nil?
-      @listener.request_failed build_xml false, error_code: 'INVALID_REQUEST', error_message: '"pgt" and "targetService" parameters are both required'
-    else
-      proxy_granting_ticket = CASino::ProxyGrantingTicket.where(ticket: params[:pgt]).first
-      if proxy_granting_ticket.nil?
-        @listener.request_failed build_xml false, error_code: 'BAD_PGT', error_message: 'PGT not found'
-      else
-        proxy_ticket = acquire_proxy_ticket(proxy_granting_ticket, params[:targetService])
-        @listener.request_succeeded build_xml true, proxy_ticket: proxy_ticket
-      end
-    end
-  end
-
-  private
-  def build_xml(success, options = {})
-    xml = Builder::XmlMarkup.new(indent: 2)
-    xml.cas :serviceResponse, 'xmlns:cas' => 'http://www.yale.edu/tp/cas' do |service_response|
-      if success
-        service_response.cas :proxySuccess do |proxy_success|
-          proxy_success.cas :proxyTicket, options[:proxy_ticket].ticket
-        end
-      else
-        service_response.cas :proxyFailure, options[:error_message], code: options[:error_code]
-      end
-    end
-    xml.target!
-  end
-end

data/app/processors/casino/proxy_ticket_validator_processor.rb

@@ -1,22 +0,0 @@
-# The ProxyTicketValidator processor should be used to handle GET requests to /proxyValidate
-class CASino::ProxyTicketValidatorProcessor < CASino::ServiceTicketValidatorProcessor
-
-  # This method will call `#validation_succeeded` or `#validation_failed`. In both cases, it supplies
-  # a string as argument. The web application should present that string (and nothing else) to the
-  # requestor. The Content-Type should be set to 'text/xml; charset=utf-8'
-  #
-  # @param [Hash] params parameters delivered by the client
-  def process(params = nil)
-    params ||= {}
-    if request_valid?(params)
-      ticket = if params[:ticket].start_with?('PT-')
-        CASino::ProxyTicket.where(ticket: params[:ticket]).first
-      elsif params[:ticket].start_with?('ST-')
-        CASino::ServiceTicket.where(ticket: params[:ticket]).first
-      else
-        nil
-      end
-      validate_ticket!(ticket, params)
-    end
-  end
-end

data/app/processors/casino/second_factor_authentication_acceptor_processor.rb

@@ -1,45 +0,0 @@
-# The SecondFactorAuthenticationAcceptor processor can be used to activate a previously generated ticket-granting ticket with pending two-factor authentication.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side.
-class CASino::SecondFactorAuthenticationAcceptorProcessor < CASino::Processor
-  include CASino::ProcessorConcern::ServiceTickets
-  include CASino::ProcessorConcern::TicketGrantingTickets
-  include CASino::ProcessorConcern::TwoFactorAuthenticators
-
-  # The method will call one of the following methods on the listener:
-  # * `#user_not_logged_in`: The user should be redirected to /login.
-  # * `#user_logged_in`: The first argument (String) is the URL (if any), the user should be redirected to.
-  #   The second argument (String) is the ticket-granting ticket. It should be stored in a cookie named "tgt".
-  # * `#invalid_one_time_password`: The user should be asked for a new OTP.
-  #
-  # @param [Hash] params parameters supplied by user. The processor will look for keys :otp and :service.
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, user_agent = nil)
-    cookies ||= {}
-    tgt = find_valid_ticket_granting_ticket(params[:tgt], user_agent, true)
-    if tgt.nil?
-      @listener.user_not_logged_in
-    else
-      validation_result = validate_one_time_password(params[:otp], tgt.user.active_two_factor_authenticator)
-      if validation_result.success?
-        tgt.awaiting_two_factor_authentication = false
-        tgt.save!
-        begin
-          url = unless params[:service].blank?
-            acquire_service_ticket(tgt, params[:service], true).service_with_ticket_url
-          end
-          if tgt.long_term?
-            @listener.user_logged_in(url, tgt.ticket, CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now)
-          else
-            @listener.user_logged_in(url, tgt.ticket)
-          end
-        rescue ServiceNotAllowedError => e
-          @listener.service_not_allowed(clean_service_url params[:service])
-        end
-      else
-        @listener.invalid_one_time_password
-      end
-    end
-  end
-end

data/app/processors/casino/service_ticket_validator_processor.rb

@@ -1,46 +0,0 @@
-# The ServiceTicketValidator processor should be used to handle GET requests to /serviceValidate
-class CASino::ServiceTicketValidatorProcessor < CASino::Processor
-  include CASino::ProcessorConcern::ServiceTickets
-  include CASino::ProcessorConcern::ProxyGrantingTickets
-
-  # This method will call `#validation_succeeded` or `#validation_failed`. In both cases, it supplies
-  # a string as argument. The web application should present that string (and nothing else) to the
-  # requestor. The Content-Type should be set to 'text/xml; charset=utf-8'
-  #
-  # @param [Hash] params parameters delivered by the client
-  def process(params = nil)
-    params ||= {}
-    if request_valid?(params)
-      ticket = CASino::ServiceTicket.where(ticket: params[:ticket]).first
-      validate_ticket!(ticket, params)
-    end
-  end
-
-  protected
-  def build_service_response(success, options = {})
-    builder = CASino::TicketValidationResponseBuilder.new(success, options)
-    builder.build
-  end
-
-  def request_valid?(params)
-    if params[:ticket].nil? || params[:service].nil?
-      @listener.validation_failed build_service_response(false, error_code: 'INVALID_REQUEST', error_message: '"ticket" and "service" parameters are both required')
-      false
-    else
-      true
-    end
-  end
-
-  def validate_ticket!(ticket, params)
-    validation_result = validate_ticket_for_service(ticket, params[:service], !!params[:renew])
-    if validation_result.success?
-      options = { ticket: ticket }
-      unless params[:pgtUrl].nil?
-        options[:proxy_granting_ticket] = acquire_proxy_granting_ticket(params[:pgtUrl], ticket)
-      end
-      @listener.validation_succeeded(build_service_response(true, options))
-    else
-      @listener.validation_failed(build_service_response(false, error_code: validation_result.error_code, error_message: validation_result.error_message))
-    end
-  end
-end

data/app/processors/casino/session_destroyer_processor.rb

@@ -1,25 +0,0 @@
-# The SessionDestroyer processor is used to destroy a ticket-granting ticket.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side. It is especially useful in
-# combination with the {CASino::SessionOverviewProcessor} processor.
-class CASino::SessionDestroyerProcessor < CASino::Processor
-
-  # This method will call `#ticket_not_found` or `#ticket_deleted` on the listener.
-  # @param [Hash] params parameters supplied by user (ID of ticket-granting ticket to delete should by in params[:id])
-  # @param [Hash] cookies cookies supplied by user
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, cookies = nil, user_agent = nil)
-    params ||= {}
-    cookies ||= {}
-    ticket = CASino::TicketGrantingTicket.where(id: params[:id]).first
-    owner_ticket = CASino::TicketGrantingTicket.where(ticket: cookies[:tgt]).first
-    if ticket.nil? || !ticket.same_user?(owner_ticket)
-      @listener.ticket_not_found
-    else
-      Rails.logger.info "Destroying ticket-granting ticket '#{ticket.ticket}'"
-      ticket.destroy
-      @listener.ticket_deleted
-    end
-  end
-end

data/app/processors/casino/session_overview_processor.rb

@@ -1,21 +0,0 @@
-# The SessionOverview processor to list all open session for the currently signed in user.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side.
-class CASino::SessionOverviewProcessor < CASino::Processor
-  include CASino::ProcessorConcern::TicketGrantingTickets
-
-  # This method will call `#user_not_logged_in` or `#ticket_granting_tickets_found(Enumerable)` on the listener.
-  # @param [Hash] cookies cookies delivered by the client
-  # @param [String] user_agent user-agent delivered by the client
-  def process(cookies = nil, user_agent = nil)
-    cookies ||= {}
-    tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
-    if tgt.nil?
-      @listener.user_not_logged_in
-    else
-      ticket_granting_tickets = tgt.user.ticket_granting_tickets.where(awaiting_two_factor_authentication: false).order('updated_at DESC')
-      @listener.ticket_granting_tickets_found(ticket_granting_tickets)
-    end
-  end
-end

data/app/processors/casino/two_factor_authenticator_activator_processor.rb

@@ -1,41 +0,0 @@
-# The TwoFactorAuthenticatorActivator processor can be used to activate a previously generated two-factor authenticator.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side.
-class CASino::TwoFactorAuthenticatorActivatorProcessor < CASino::Processor
-  include CASino::ProcessorConcern::TicketGrantingTickets
-  include CASino::ProcessorConcern::TwoFactorAuthenticators
-
-  # The method will call one of the following methods on the listener:
-  # * `#user_not_logged_in`: The user is not logged in and should be redirected to /login.
-  # * `#two_factor_authenticator_activated`: The two-factor authenticator was successfully activated.
-  # * `#invalid_two_factor_authenticator`: The two-factor authenticator is not valid.
-  # * `#invalid_one_time_password`: The user should be asked for a new OTP.
-  #
-  # @param [Hash] params parameters supplied by user. The processor will look for keys :otp and :id.
-  # @param [Hash] cookies cookies delivered by the client
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, cookies = nil, user_agent = nil)
-    cookies ||= {}
-    params ||= {}
-    tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
-    if tgt.nil?
-      @listener.user_not_logged_in
-    else
-      authenticator = tgt.user.two_factor_authenticators.where(id: params[:id]).first
-      validation_result = validate_one_time_password(params[:otp], authenticator)
-      if validation_result.success?
-        tgt.user.two_factor_authenticators.where(active: true).delete_all
-        authenticator.active = true
-        authenticator.save!
-        @listener.two_factor_authenticator_activated
-      else
-        if validation_result.error_code == 'INVALID_OTP'
-          @listener.invalid_one_time_password(authenticator)
-        else
-          @listener.invalid_two_factor_authenticator
-        end
-      end
-    end
-  end
-end

data/app/processors/casino/two_factor_authenticator_destroyer_processor.rb

@@ -1,33 +0,0 @@
-# The TwoFactorAuthenticatorDestroyer processor can be used to deactivate a previously activated two-factor authenticator.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side.
-class CASino::TwoFactorAuthenticatorDestroyerProcessor < CASino::Processor
-  include CASino::ProcessorConcern::TicketGrantingTickets
-  include CASino::ProcessorConcern::TwoFactorAuthenticators
-
-  # The method will call one of the following methods on the listener:
-  # * `#user_not_logged_in`: The user is not logged in and should be redirected to /login.
-  # * `#two_factor_authenticator_destroyed`: The two-factor authenticator was successfully destroyed.
-  # * `#invalid_two_factor_authenticator`: The two-factor authenticator is not valid.
-  #
-  # @param [Hash] params parameters supplied by user. The processor will look for key :id.
-  # @param [Hash] cookies cookies delivered by the client
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, cookies = nil, user_agent = nil)
-    cookies ||= {}
-    params ||= {}
-    tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
-    if tgt.nil?
-      @listener.user_not_logged_in
-    else
-      authenticator = tgt.user.two_factor_authenticators.where(id: params[:id]).first
-      if authenticator
-        authenticator.destroy
-        @listener.two_factor_authenticator_destroyed
-      else
-        @listener.invalid_two_factor_authenticator
-      end
-    end
-  end
-end

data/app/processors/casino/two_factor_authenticator_overview_processor.rb

@@ -1,20 +0,0 @@
-# The TwoFactorAuthenticatorOverview processor lists registered two factor devices for the currently signed in user.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side.
-class CASino::TwoFactorAuthenticatorOverviewProcessor < CASino::Processor
-  include CASino::ProcessorConcern::TicketGrantingTickets
-
-  # This method will call `#user_not_logged_in` or `#two_factor_authenticators_found(Enumerable)` on the listener.
-  # @param [Hash] cookies cookies delivered by the client
-  # @param [String] user_agent user-agent delivered by the client
-  def process(cookies = nil, user_agent = nil)
-    cookies ||= {}
-    tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
-    if tgt.nil?
-      @listener.user_not_logged_in
-    else
-      @listener.two_factor_authenticators_found(tgt.user.two_factor_authenticators.where(active: true))
-    end
-  end
-end