RubyGems - casino - Versions diffs - 3.0.4 → 4.0.0.pre.1 - Mend

casino 3.0.4 → 4.0.0.pre.1

Files changed (149) hide show

data/app/processors/casino/ticket_granting_ticket_processor.rb ADDED

@@ -0,0 +1,56 @@
+module CASino::TicketGrantingTicketProcessor
+  extend ActiveSupport::Concern
+  include CASino::BrowserProcessor
+  def find_valid_ticket_granting_ticket(ticket, user_agent, options = {})
+    tgt = CASino::TicketGrantingTicket.where(ticket: ticket).first
+    unless tgt.nil?
+      if tgt.expired?
+        Rails.logger.info "Ticket-granting ticket expired (Created: #{tgt.created_at})"
+        tgt.destroy
+        nil
+      elsif !options[:ignore_two_factor] && tgt.awaiting_two_factor_authentication?
+        Rails.logger.info 'Ticket-granting ticket is valid, but two-factor authentication is pending'
+        nil
+      elsif same_browser?(tgt.user_agent, user_agent)
+        tgt.user_agent = user_agent
+        tgt.touch
+        tgt.save!
+        tgt
+      else
+        Rails.logger.info 'User-Agent changed: ticket-granting ticket not valid for this browser'
+        nil
+      end
+    end
+  end
+  def acquire_ticket_granting_ticket(authentication_result, user_agent, options = {})
+    user_data = authentication_result[:user_data]
+    user = load_or_initialize_user(authentication_result[:authenticator], user_data[:username], user_data[:extra_attributes])
+    cleanup_expired_ticket_granting_tickets(user)
+    user.ticket_granting_tickets.create!({
+      awaiting_two_factor_authentication: !user.active_two_factor_authenticator.nil?,
+      user_agent: user_agent,
+      long_term: !!options[:long_term]
+    })
+  end
+  def load_or_initialize_user(authenticator, username, extra_attributes)
+    user = CASino::User
+      .where(authenticator: authenticator, username: username)
+      .first_or_initialize
+    user.extra_attributes = extra_attributes
+    user.save!
+    return user
+  end
+  def remove_ticket_granting_ticket(ticket_granting_ticket, user_agent)
+    tgt = find_valid_ticket_granting_ticket(ticket_granting_ticket, user_agent)
+    tgt.destroy unless tgt.nil?
+  end
+  def cleanup_expired_ticket_granting_tickets(user)
+    CASino::TicketGrantingTicket.cleanup(user)
+  end
+end

data/app/processors/casino/two_factor_authenticator_processor.rb ADDED

@@ -0,0 +1,18 @@
+require 'rotp'
+module CASino::TwoFactorAuthenticatorProcessor
+  extend ActiveSupport::Concern
+  def validate_one_time_password(otp, authenticator)
+    if authenticator.nil? || authenticator.expired?
+      CASino::ValidationResult.new 'INVALID_AUTHENTICATOR', 'Authenticator does not exist or expired', :warn
+    else
+      totp = ROTP::TOTP.new(authenticator.secret)
+      if totp.verify_with_drift(otp, CASino.config.two_factor_authenticator[:drift])
+        CASino::ValidationResult.new
+      else
+        CASino::ValidationResult.new 'INVALID_OTP', 'One-time password not valid', :warn
+      end
+    end
+  end
+end

data/app/services/casino/auth_token_validation_service.rb ADDED

@@ -0,0 +1,66 @@
+class CASino::AuthTokenValidationService
+  include CASino::AuthenticationProcessor
+  AUTH_TOKEN_SIGNERS_GLOB = Rails.root.join('config/auth_token_signers/*.pem').freeze
+  attr_reader :token, :signature
+  def initialize(token, signature)
+    @token = token
+    @signature = signature
+  end
+  def validation_result
+    return nil unless user_data
+    { authenticator: token_data[:authenticator], user_data: user_data }
+  end
+  def user_data
+    return @user_data unless @user_data.nil?
+    return nil unless signature_valid?
+    return nil unless ticket_valid?
+    @user_data = load_user_data(token_data[:authenticator], token_data[:username]).tap do |user|
+      if user.nil?
+        Rails.logger.warn("Could not load user '#{token_data[:authenticator]}'/'#{token_data[:username]}'")
+      else
+        Rails.logger.info("User '#{token_data[:authenticator]}'/'#{token_data[:username]}' successfully identified through auth token.")
+      end
+    end
+  end
+  def token_data
+    begin
+      JSON.parse(token).symbolize_keys
+    rescue JSON::ParserError
+      {}
+    end
+  end
+  private
+  def signature_valid?
+    Dir.glob(AUTH_TOKEN_SIGNERS_GLOB) do |path|
+      if signature_valid_with_key?(path)
+        Rails.logger.info("Successfully validated auth token signature with #{File.basename(path)}")
+        return true
+      end
+    end
+    Rails.logger.warn('Signature could not be validated: No matching key found.')
+    false
+  end
+  def signature_valid_with_key?(path)
+    digest = OpenSSL::Digest::SHA256.new
+    key = OpenSSL::PKey::RSA.new(File.read(path))
+    key.verify(digest, signature, token)
+  end
+  def ticket_valid?
+    CASino::AuthTokenTicket.consume(token_data[:ticket]).tap do |is_valid|
+      Rails.logger.warn('Could not find a valid auth token ticket.') unless is_valid
+    end
+  end
+  def authentication_service
+    @authentication_service ||= CASino::AuthenticationService.new
+  end
+end

data/app/views/casino/sessions/index.html.erb CHANGED

@@ -4,7 +4,7 @@
     <div class="info">
       <h1><%= t('sessions.title') %></h1>
       <p>
-        <%= raw t('sessions.currently_logged_in_as', :username => @ticket_granting_tickets[0].user.username) %>
+        <%= raw t('sessions.currently_logged_in_as', :username => current_user.username) %>
       </p>
       <%= link_to t('sessions.label_logout_button'), logout_path, :class => 'button' %>
@@ -18,7 +18,7 @@
       <% if @two_factor_authenticators.blank? %>
         <%= t('two_factor_authenticators.disabled') %> - <%= link_to t('two_factor_authenticators.enable'), new_two_factor_authenticator_path %>
       <% else %>
-        <%= t('two_factor_authenticators.enabled') %> - <%= button_to t('two_factor_authenticators.disable'), two_factor_authenticator_path(@two_factor_authenticators[0].id), method: :delete %>
+        <%= t('two_factor_authenticators.enabled') %> - <%= button_to t('two_factor_authenticators.disable'), two_factor_authenticator_path(@two_factor_authenticators.first.id), method: :delete %>
       <% end %>
       <h3><%= t('sessions.your_active_sessions') %></h3>

data/app/views/casino/sessions/new.html.erb CHANGED

@@ -13,7 +13,7 @@
     <div class="form">
       <%= form_tag(login_path, method: :post, id: 'login-form') do %>
-        <%= hidden_field_tag :lt, @login_ticket.ticket %>
+        <%= hidden_field_tag :lt, CASino::LoginTicket.create.ticket %>
         <%= hidden_field_tag :service, params[:service] unless params[:service].nil? %>
         <%= label_tag :username, t('login.label_username') %>
         <%= text_field_tag :username, params[:username], autofocus:true %>

data/app/views/casino/sessions/validate_otp.html.erb CHANGED

@@ -8,7 +8,7 @@
         <%= hidden_field_tag :tgt, @ticket_granting_ticket || params[:tgt] %>
         <%= hidden_field_tag :service, params[:service] %>
         <%= label_tag :code, t('validate_otp.code') %>
-        <%= text_field_tag :otp, nil, maxlength: 6, autofocus:true %>
+        <%= text_field_tag :otp, nil, maxlength: 6, autofocus: true, autocomplete: 'off' %>
         <%= button_tag t('validate_otp.submit'), :class => 'button' %>
       <% end %>
     </div>

data/app/views/casino/two_factor_authenticators/new.html.erb CHANGED

@@ -11,10 +11,13 @@
         <%= t('two_factor_authenticators.instructions') %>
       </p>
       <div id="qr-code">
-        <img src="https://chart.googleapis.com/chart?cht=qr&chs=250x250&chl=<%= u "otpauth://totp/#{u CASino.config.frontend[:sso_name] + ': ' + @two_factor_authenticator.user.username}?secret=#{@two_factor_authenticator.secret}&issuer=#{u CASino.config.frontend[:sso_name]}" %>" height="250" width="250"><br />
+        <img src="<%= otp_qr_code_data_url(@two_factor_authenticator) %>" height="250" width="250"><br />
       </div>
       <p id="secret">
-        <%= t('two_factor_authenticators.secret') %>: <%= @two_factor_authenticator.secret %>
+        <%= t('two_factor_authenticators.secret') %>:
+        <a href="<%= otp_auth_url(@two_factor_authenticator) %>">
+          <%= @two_factor_authenticator.secret %>
+        </a>
       </p>
     </div>
@@ -22,7 +25,7 @@
       <%= form_tag(two_factor_authenticators_path, method: :post, id: 'two_factor_authenticators-form') do %>
         <%= hidden_field_tag :id, @two_factor_authenticator.id %>
         <%= label_tag :code, t('two_factor_authenticators.code') %>
-        <%= text_field_tag :otp, nil, maxlength: 6, autofocus:true %>
+        <%= text_field_tag :otp, nil, maxlength: 6, autofocus: true, autocomplete: 'off' %>
         <%= link_to t('two_factor_authenticators.cancel'), sessions_path, :class => 'secondary button' %>
         <%= button_tag t('two_factor_authenticators.submit'), :class => 'button' %>
       <% end %>

data/app/views/layouts/application.html.erb CHANGED

@@ -4,7 +4,6 @@
   <title><%= CASino.config.frontend[:sso_name] %></title>
   <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
   <%= stylesheet_link_tag    "application", :media => "all" %>
-  <%= javascript_tag         "window.CASino = { baseUrl: '#{root_path}' };" %>
   <%= javascript_include_tag "application" %>
   <%= csrf_meta_tags %>
   <%= favicon_link_tag 'favicon.png', type: 'image/png' %>

data/casino.gemspec CHANGED

@@ -33,12 +33,14 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'webmock', '~> 1.9'
   s.add_development_dependency 'coveralls', '~> 0.7'
-  s.add_runtime_dependency 'rails', '~> 4.1.0'
+  s.add_runtime_dependency 'rails', '>= 4.1.0', '< 4.3.0'
   s.add_runtime_dependency 'sass-rails', '~> 4.0.0'
-  s.add_runtime_dependency 'http_accept_language', '~> 2.0.0.pre'
   s.add_runtime_dependency 'addressable', '~> 2.3'
   s.add_runtime_dependency 'terminal-table', '~> 1.4'
   s.add_runtime_dependency 'useragent', '~> 0.4'
   s.add_runtime_dependency 'faraday', '~> 0.8'
   s.add_runtime_dependency 'rotp', '~> 2.0'
+  s.add_runtime_dependency 'grape', '~> 0.8'
+  s.add_runtime_dependency 'grape-entity', '~> 0.4'
+  s.add_runtime_dependency 'rqrcode_png', '~> 0.1'
 end

data/config/locales/en.yml CHANGED

@@ -51,3 +51,38 @@ en:
     successfully_deleted: "The two-factor authenticator was successfully deleted."
   datetime:
     ago: "%{datetime} ago"
+    distance_in_words:
+      about_x_hours:
+        one: about oue hour
+        other: about %{count} hours
+      about_x_months:
+        one: about one monate
+        other: about %{count} monates
+      about_x_years:
+        one: about one year
+        other: about %{count} years
+      almost_x_years:
+        one: nearly one year
+        other: nearly %{count} years
+      half_a_minute: half minute
+      less_than_x_minutes:
+        one: less than one minute
+        other: less than %{count} minutes
+      less_than_x_seconds:
+        one: less than one second
+        other: less than %{count} seconds
+      over_x_years:
+        one: more than one year
+        other: more than %{count} years
+      x_days:
+        one: one day
+        other: ! '%{count} days'
+      x_minutes:
+        one: one minute
+        other: ! '%{count} minutes'
+      x_months:
+        one: one month
+        other: ! '%{count} months'
+      x_seconds:
+        one: one second
+        other: ! '%{count} seconds'

data/config/locales/zh-CN.yml ADDED

@@ -0,0 +1,88 @@
+zh-CN:
+  login_credential_acceptor:
+    invalid_login_ticket: "您的登录请求没有包含有效的登录授权。"
+    invalid_login_credentials: "用户名或密码错误"
+  login:
+    label_username: "用户名"
+    label_password: "密码"
+    label_button: "登录"
+    label_remember_me: "保持登录"
+    notice: ""
+  service_not_allowed:
+    title: "服务不允许"
+    message: "此登录服务器未配置允许登录服务\"%{service}\"。如果您认为此处有误，请联系您的管理员。"
+  validate_otp:
+    title: "两步验证"
+    description: "请输入一次性密码（OTP）."
+    code: "编码"
+    submit: "继续"
+    invalid_otp: "您输入的一次性密码（OTP）无效"
+  logout:
+    title: "再见"
+    logged_out_without_url: "您已经成功登出。"
+    logged_out_with_url: "您刚刚成功登出的应用请您点击下面的链接："
+  sessions:
+    title: "您好!"
+    currently_logged_in_as: "您刚刚以<strong>%{username}</strong>登录。"
+    label_logout_button: "登出"
+    your_active_sessions: "当前会话"
+    table:
+      column_browser: "浏览器"
+      column_services: "服务"
+      column_activity: "最近活动"
+    current_session: "当前会话"
+    end_session: "结束会话"
+  two_factor_authenticators:
+    title: "两步验证"
+    setup: "设置两步验证"
+    description: "两步验证需要您在每次登录时输入一个一次性密码（OTP）。 一次性密码（OTP）可以通过手机应用（比如<a href='http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447'>Google Authenticator</a> ）产生。"
+    instructions: "如果您使用google验证器，请用手机扫描下面的二维码，在下方输入验证码。"
+    disabled: "当前已关闭"
+    enable: "开启"
+    enabled: "当前已开启"
+    disable: "关闭"
+    cancel: "取消"
+    secret: "密钥"
+    code: "确认码"
+    submit: "验证并开启"
+    invalid_one_time_password: "一次性密码不正确"
+    invalid_two_factor_authenticator: "两步验证已经失效，请按照下面的指示："
+    successfully_activated: "两步验证已经关联到此账户。"
+    successfully_deleted: "两步验证已经删除。"
+  datetime:
+    ago: "%{datetime} 之前"
+    distance_in_words:
+      about_x_hours:
+        one: 大约一小时
+        other: 大约%{count}小时
+      about_x_months:
+        one: 大约一个月
+        other: 大约%{count}个月
+      about_x_years:
+        one: 大约一年
+        other: 大约%{count}年
+      almost_x_years:
+        one: 几乎一年
+        other: 几乎%{count}年
+      half_a_minute: 半分钟
+      less_than_x_minutes:
+        one: 少于一分钟
+        other: 少于%{count}分钟
+      less_than_x_seconds:
+        one: 少于一秒
+        other: 少于%{count}秒
+      over_x_years:
+        one: 超过一年
+        other: 超过%{count}年
+      x_days:
+        one: 一天
+        other: ! '%{count}天'
+      x_minutes:
+        one: 一分钟
+        other: ! '%{count}分钟'
+      x_months:
+        one: 一个月
+        other: ! '%{count}个月'
+      x_seconds:
+        one: 一秒
+        other: ! '%{count}秒'

data/config/locales/zh-TW.yml ADDED

@@ -0,0 +1,88 @@
+zh-TW:
+  login_credential_acceptor:
+    invalid_login_ticket: "您的登錄請求沒有包含有效的登錄授權。"
+    invalid_login_credentials: "用戶名或密碼錯誤"
+  login:
+    label_username: "用戶名"
+    label_password: "密碼"
+    label_button: "登錄"
+    label_remember_me: "保持登錄"
+    notice: ""
+  service_not_allowed:
+    title: "服務不允許"
+    message: "此登錄服務器未配置允許登錄服務\"%{service}\"。如果您認為此處有誤，請聯系您的管理員。"
+  validate_otp:
+    title: "兩步驗證"
+    description: "請輸入一次性密碼（OTP）."
+    code: "編碼"
+    submit: "繼續"
+    invalid_otp: "您輸入的一次性密碼（OTP）無效"
+  logout:
+    title: "再見"
+    logged_out_without_url: "您已經成功登出。"
+    logged_out_with_url: "您剛剛成功登出的應用請您點擊下面的鏈接："
+  sessions:
+    title: "您好!"
+    currently_logged_in_as: "您剛剛以<strong>%{username}</strong>登錄。"
+    label_logout_button: "登出"
+    your_active_sessions: "當前會話"
+    table:
+      column_browser: "瀏覽器"
+      column_services: "服務"
+      column_activity: "最近活動"
+    current_session: "當前會話"
+    end_session: "結束會話"
+  two_factor_authenticators:
+    title: "兩步驗證"
+    setup: "設置兩步驗證"
+    description: "兩步驗證需要您在每次登錄時輸入一個一次性密碼（OTP）。 一次性密碼（OTP）可以通過手機應用（比如<a href='http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447'>Google Authenticator</a> ）產生。"
+    instructions: "如果您使用google驗證器，請用手機掃描下面的二維碼，在下方輸入驗證碼。"
+    disabled: "當前已關閉"
+    enable: "開啟"
+    enabled: "當前已開啟"
+    disable: "關閉"
+    cancel: "取消"
+    secret: "密鑰"
+    code: "確認碼"
+    submit: "驗證並開啟"
+    invalid_one_time_password: "一次性密碼不正確"
+    invalid_two_factor_authenticator: "兩步驗證已經失效，請按照下面的指示："
+    successfully_activated: "兩步驗證已經關聯到此賬戶。"
+    successfully_deleted: "兩步驗證已經刪除。"
+  datetime:
+    ago: "%{datetime} 之前"
+    distance_in_words:
+      about_x_hours:
+        one: 大約一小時
+        other: 大約%{count}小時
+      about_x_months:
+        one: 大約一個月
+        other: 大約%{count}個月
+      about_x_years:
+        one: 大約一年
+        other: 大約%{count}年
+      almost_x_years:
+        one: 幾乎一年
+        other: 幾乎%{count}年
+      half_a_minute: 半分鐘
+      less_than_x_minutes:
+        one: 少於一分鐘
+        other: 少於%{count}分鐘
+      less_than_x_seconds:
+        one: 少於一秒
+        other: 少於%{count}秒
+      over_x_years:
+        one: 超過一年
+        other: 超過%{count}年
+      x_days:
+        one: 一天
+        other: ! '%{count}天'
+      x_minutes:
+        one: 一分鐘
+        other: ! '%{count}分鐘'
+      x_months:
+        one: 一個月
+        other: ! '%{count}個月'
+      x_seconds:
+        one: 一秒
+        other: ! '%{count}秒'