casino 3.0.4 → 4.0.0.pre.1

data/app/processors/casino/legacy_validator_processor.rb

@@ -1,19 +0,0 @@
-# The LegacyValidator processor should be used for GET requests to /validate
-class CASino::LegacyValidatorProcessor < CASino::Processor
-  include CASino::ProcessorConcern::ServiceTickets
-
-  # This method will call `#validation_succeeded` or `#validation_failed`. In both cases, it supplies
-  # a string as argument. The web application should present that string (and nothing else) to the
-  # requestor.
-  #
-  # @param [Hash] params parameters supplied by requestor (a service)
-  def process(params = nil)
-    params ||= {}
-    ticket = CASino::ServiceTicket.where(ticket: params[:ticket]).first
-    if !params[:service].nil? && ticket_valid_for_service?(ticket, params[:service], !!params[:renew])
-      @listener.validation_succeeded("yes\n#{ticket.ticket_granting_ticket.user.username}\n")
-    else
-      @listener.validation_failed("no\n\n")
-    end
-  end
-end

data/app/processors/casino/login_credential_acceptor_processor.rb

@@ -1,63 +0,0 @@
-# This processor should be used for POST requests to /login
-class CASino::LoginCredentialAcceptorProcessor < CASino::Processor
-  include CASino::ProcessorConcern::LoginTickets
-  include CASino::ProcessorConcern::ServiceTickets
-  include CASino::ProcessorConcern::Authentication
-  include CASino::ProcessorConcern::TicketGrantingTickets
-
-  # Use this method to process the request. It expects the username in the parameter "username" and the password
-  # in "password".
-  #
-  # The method will call one of the following methods on the listener:
-  # * `#user_logged_in`: The first argument (String) is the URL (if any), the user should be redirected to.
-  #   The second argument (String) is the ticket-granting ticket. It should be stored in a cookie named "tgt".
-  #   The third argument (Time, optional, default = nil) is for "Remember Me" functionality.
-  #   This is the cookies expiration date. If it is `nil`, the cookie should be a session cookie.
-  # * `#invalid_login_ticket` and `#invalid_login_credentials`: The first argument is a LoginTicket.
-  #   See {CASino::LoginCredentialRequestorProcessor} for details.
-  # * `#service_not_allowed`: The user tried to access a service that this CAS server is not allowed to serve.
-  # * `#two_factor_authentication_pending`: The user should be asked to enter his OTP. The first argument (String) is the ticket-granting ticket. The ticket-granting ticket is not active yet. Use SecondFactorAuthenticatonAcceptor to activate it.
-  #
-  # @param [Hash] params parameters supplied by user
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, user_agent = nil)
-    @params = params || {}
-    @user_agent = user_agent
-    if login_ticket_valid?(@params[:lt])
-      authenticate_user
-    else
-      @listener.invalid_login_ticket(acquire_login_ticket)
-    end
-  end
-
-  private
-  def authenticate_user
-    authentication_result = validate_login_credentials(@params[:username], @params[:password])
-    if !authentication_result.nil?
-      user_logged_in(authentication_result)
-    else
-      @listener.invalid_login_credentials(acquire_login_ticket)
-    end
-  end
-
-  def user_logged_in(authentication_result)
-    long_term = @params[:rememberMe]
-    ticket_granting_ticket = acquire_ticket_granting_ticket(authentication_result, @user_agent, long_term)
-    if ticket_granting_ticket.awaiting_two_factor_authentication?
-      @listener.two_factor_authentication_pending(ticket_granting_ticket.ticket)
-    else
-      begin
-        url = unless @params[:service].blank?
-          acquire_service_ticket(ticket_granting_ticket, @params[:service], true).service_with_ticket_url
-        end
-        if long_term
-          @listener.user_logged_in(url, ticket_granting_ticket.ticket, CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now)
-        else
-          @listener.user_logged_in(url, ticket_granting_ticket.ticket)
-        end
-      rescue ServiceNotAllowedError => e
-        @listener.service_not_allowed(clean_service_url @params[:service])
-      end
-    end
-  end
-end

data/app/processors/casino/login_credential_requestor_processor.rb

@@ -1,70 +0,0 @@
-# This processor should be used for GET requests to /login
-class CASino::LoginCredentialRequestorProcessor < CASino::Processor
-  include CASino::ProcessorConcern::Browser
-  include CASino::ProcessorConcern::LoginTickets
-  include CASino::ProcessorConcern::ServiceTickets
-  include CASino::ProcessorConcern::TicketGrantingTickets
-
-  # Use this method to process the request.
-  #
-  # The method will call one of the following methods on the listener:
-  # * `#user_logged_in`: The first argument (String) is the URL (if any), the user should be redirected to.
-  # * `#user_not_logged_in`: The first argument is a LoginTicket. It should be stored in a hidden field with name "lt".
-  # * `#service_not_allowed`: The user tried to access a service that this CAS server is not allowed to serve.
-  #
-  # @param [Hash] params parameters supplied by user
-  # @param [Hash] cookies cookies supplied by user
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, cookies = nil, user_agent = nil)
-    @params = params || {}
-    @cookies = cookies || {}
-    @user_agent = user_agent || {}
-    begin
-      @service_url = clean_service_url(@params[:service]) unless @params[:service].nil?
-    rescue Addressable::URI::InvalidURIError => e
-      Rails.logger.warn "Service #{@params[:service]} not valid: #{e}"
-    end
-    if service_allowed?
-      handle_allowed_service
-    end
-  end
-
-  private
-  def handle_allowed_service
-    if !@params[:renew] && (@ticket_granting_ticket = find_valid_ticket_granting_ticket(@cookies[:tgt], @user_agent))
-      handle_logged_in
-    else
-      handle_not_logged_in
-    end
-  end
-
-  def handle_logged_in
-    service_url_with_ticket = unless @service_url.nil?
-      acquire_service_ticket(@ticket_granting_ticket, @service_url, true).service_with_ticket_url
-    end
-    @listener.user_logged_in(service_url_with_ticket)
-  end
-
-  def handle_not_logged_in
-    if gateway_request?
-      # we actually lie to the listener to simplify things
-      @listener.user_logged_in(@service_url)
-    else
-      login_ticket = acquire_login_ticket
-      @listener.user_not_logged_in(login_ticket)
-    end
-  end
-
-  def service_allowed?
-    if @service_url.nil? || CASino::ServiceRule.allowed?(@service_url)
-      true
-    else
-      @listener.service_not_allowed(@service_url)
-      false
-    end
-  end
-
-  def gateway_request?
-    @params[:gateway] == 'true' && @service_url
-  end
-end

data/app/processors/casino/logout_processor.rb

@@ -1,23 +0,0 @@
-# The Logout processor should be used to process GET requests to /logout.
-class CASino::LogoutProcessor < CASino::Processor
-  include CASino::ProcessorConcern::TicketGrantingTickets
-
-  # This method will call `#user_logged_out` and may supply an URL that should be presented to the user.
-  # As per specification, the URL specified by "url" SHOULD be on the logout page with descriptive text.
-  # For example, "The application you just logged out of has provided a link it would like you to follow.
-  # Please click here to access http://www.go-back.edu/."
-  #
-  # @param [Hash] params parameters supplied by user
-  # @param [Hash] cookies cookies supplied by user
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, cookies = nil, user_agent = nil)
-    params ||= {}
-    cookies ||= {}
-    remove_ticket_granting_ticket(cookies[:tgt], user_agent)
-    if params[:service] && CASino::ServiceRule.allowed?(params[:service])
-      @listener.user_logged_out(params[:service], true)
-    else
-      @listener.user_logged_out(params[:url])
-    end
-  end
-end

data/app/processors/casino/other_sessions_destroyer_processor.rb

@@ -1,26 +0,0 @@
-# The OtherSessionsDestroyer processor should be used to process GET requests to /destroy-other-sessions.
-#
-# It is usefule to redirect users to this action after a password change.
-#
-# This feature is not described in the CAS specification so it's completly optional
-# to implement this on the web application side.
-class CASino::OtherSessionsDestroyerProcessor < CASino::Processor
-  include CASino::ProcessorConcern::TicketGrantingTickets
-
-  # This method will call `#other_sessions_destroyed` and may supply an URL that should be presented to the user.
-  # The user should be redirected to this URL immediately.
-  #
-  # @param [Hash] params parameters supplied by user
-  # @param [Hash] cookies cookies supplied by user
-  # @param [String] user_agent user-agent delivered by the client
-  def process(params = nil, cookies = nil, user_agent = nil)
-    params ||= {}
-    cookies ||= {}
-    tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
-    unless tgt.nil?
-      other_ticket_granting_tickets = tgt.user.ticket_granting_tickets.where('id != ?', tgt.id)
-      other_ticket_granting_tickets.destroy_all
-    end
-    @listener.other_sessions_destroyed(params[:service])
-  end
-end

data/app/processors/casino/processor.rb

@@ -1,5 +0,0 @@
-class CASino::Processor
-  def initialize(listener)
-    @listener = listener
-  end
-end

data/app/processors/casino/processor_concern/authentication.rb

@@ -1,87 +0,0 @@
-module CASino
-  module ProcessorConcern
-    module Authentication
-
-      def validate_login_credentials(username, password)
-        authentication_result = nil
-        authenticators.each do |authenticator_name, authenticator|
-          begin
-            data = authenticator.validate(username, password)
-          rescue CASino::Authenticator::AuthenticatorError => e
-            Rails.logger.error "Authenticator '#{authenticator_name}' (#{authenticator.class}) raised an error: #{e}"
-          end
-          if data
-            authentication_result = { authenticator: authenticator_name, user_data: data }
-            Rails.logger.info("Credentials for username '#{data[:username]}' successfully validated using authenticator '#{authenticator_name}' (#{authenticator.class})")
-            break
-          end
-        end
-        authentication_result
-      end
-
-      def authenticators
-        @authenticators ||= begin
-          CASino.config[:authenticators].each do |name, auth|
-            next unless auth.is_a?(Hash)
-
-            authenticator = if auth[:class]
-              auth[:class].constantize
-            else
-              load_authenticator(auth[:authenticator])
-            end
-
-            CASino.config[:authenticators][name] = authenticator.new(auth[:options])
-          end
-        end
-      end
-
-      private
-      def load_legacy_authenticator(name)
-        gemname, classname = parse_legacy_name(name)
-
-        begin
-          require gemname
-          CASinoCore::Authenticator.const_get("#{classname}")
-        rescue LoadError, NameError
-          false
-        end
-      end
-
-      def load_authenticator(name)
-        legacy_authenticator = load_legacy_authenticator(name)
-        return legacy_authenticator if legacy_authenticator
-
-        gemname, classname = parse_name(name)
-
-        begin
-          require gemname
-          CASino.const_get(classname)
-        rescue LoadError => error
-          raise LoadError, load_error_message(name, gemname, error)
-        rescue NameError => error
-          raise NameError, name_error_message(name, error)
-        end
-      end
-
-      def parse_name(name)
-        [ "casino-#{name.underscore}_authenticator", "#{name.camelize}Authenticator" ]
-      end
-
-      def parse_legacy_name(name)
-        [ "casino_core-authenticator-#{name.underscore}", name.camelize ]
-      end
-
-      def load_error_message(name, gemname, error)
-        "Failed to load authenticator '#{name}'. Maybe you have to include " \
-        "\"gem '#{gemname}'\" in your Gemfile?\n" \
-        "  Error: #{error.message}\n"
-      end
-
-      def name_error_message(name, error)
-        "Failed to load authenticator '#{name}'. The authenticator class must " \
-        "be defined in the CASino namespace.\n" \
-        "  Error: #{error.message}\n"
-      end
-    end
-  end
-end

data/app/processors/casino/processor_concern/browser.rb

@@ -1,14 +0,0 @@
-module CASino
-  module ProcessorConcern
-    module Browser
-      def browser_info(user_agent)
-        user_agent = UserAgent.parse(user_agent)
-        "#{user_agent.browser} (#{user_agent.platform})"
-      end
-
-      def same_browser?(user_agent, other_user_agent)
-        user_agent == other_user_agent || browser_info(user_agent) == browser_info(other_user_agent)
-      end
-    end
-  end
-end

data/app/processors/casino/processor_concern/login_tickets.rb

@@ -1,28 +0,0 @@
-module CASino
-  module ProcessorConcern
-    module LoginTickets
-      include CASino::ProcessorConcern::Tickets
-
-      def acquire_login_ticket
-        ticket = CASino::LoginTicket.create ticket: random_ticket_string('LT')
-        Rails.logger.debug "Created login ticket '#{ticket.ticket}'"
-        ticket
-      end
-
-      def login_ticket_valid?(lt)
-        ticket = CASino::LoginTicket.find_by_ticket lt
-        if ticket.nil?
-          Rails.logger.info "Login ticket '#{lt}' not found"
-          false
-        elsif ticket.created_at < CASino.config.login_ticket[:lifetime].seconds.ago
-          Rails.logger.info "Login ticket '#{ticket.ticket}' expired"
-          false
-        else
-          Rails.logger.debug "Login ticket '#{ticket.ticket}' successfully validated"
-          ticket.delete
-          true
-        end
-      end
-    end
-  end
-end

data/app/processors/casino/processor_concern/proxy_granting_tickets.rb

@@ -1,43 +0,0 @@
-require 'addressable/uri'
-require 'faraday'
-
-module CASino
-  module ProcessorConcern
-    module ProxyGrantingTickets
-      include CASino::ProcessorConcern::Tickets
-
-      def acquire_proxy_granting_ticket(pgt_url, service_ticket)
-        callback_uri = Addressable::URI.parse(pgt_url)
-        if callback_uri.scheme != 'https'
-          Rails.logger.warn "Proxy tickets can only be granted to callback servers using HTTPS."
-          nil
-        else
-          contact_callback_server(callback_uri, service_ticket)
-        end
-      end
-
-      private
-      def contact_callback_server(callback_uri, service_ticket)
-        pgt = service_ticket.proxy_granting_tickets.new({
-          ticket: random_ticket_string('PGT'),
-          iou: random_ticket_string('PGTIOU'),
-          pgt_url: "#{callback_uri}"
-        })
-        callback_uri.query_values = (callback_uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
-        response = Faraday.get "#{callback_uri}"
-        # TODO: does this follow redirects? CAS specification says that redirects MAY be followed (2.5.4)
-        if response.success?
-          pgt.save!
-          Rails.logger.debug "Proxy-granting ticket generated for service '#{service_ticket.service}': #{pgt.inspect}"
-          pgt
-        else
-          Rails.logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.status}'. PGT will not be stored."
-          nil
-        end
-      rescue Faraday::Error::ClientError => error
-        Rails.logger.warn "Exception while communicating with proxy-granting ticket callback server: #{error.message}"
-        nil
-      end
-    end
-  end
-end

data/app/processors/casino/processor_concern/proxy_tickets.rb

@@ -1,56 +0,0 @@
-module CASino
-  module ProcessorConcern
-    module ProxyTickets
-
-      include CASino::ProcessorConcern::Tickets
-
-      class ValidationResult < CASino::ValidationResult; end
-
-      def acquire_proxy_ticket(proxy_granting_ticket, service)
-        proxy_granting_ticket.proxy_tickets.create!({
-          ticket: random_ticket_string('PT'),
-          service: service,
-        })
-      end
-
-      def validate_ticket_for_service(ticket, service, renew = false)
-        if ticket.nil?
-          result = ValidationResult.new 'INVALID_TICKET', 'Invalid validate request: Ticket does not exist', :warn
-        else
-          result = validate_existing_ticket_for_service(ticket, service, renew)
-          ticket.consumed = true
-          ticket.save!
-          Rails.logger.debug "Consumed ticket '#{ticket.ticket}'"
-        end
-        if result.success?
-          Rails.logger.info "Ticket '#{ticket.ticket}' for service '#{service}' successfully validated"
-        else
-          Rails.logger.send(result.error_severity, result.error_message)
-        end
-        result
-      end
-
-      def ticket_valid_for_service?(ticket, service, renew = false)
-        validate_ticket_for_service(ticket, service, renew).success?
-      end
-
-      private
-      def validate_existing_ticket_for_service(ticket, service, renew = false)
-        if ticket.is_a?(CASino::ServiceTicket)
-          service = clean_service_url(service)
-        end
-        if ticket.consumed?
-          ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' already consumed", :warn
-        elsif ticket.expired?
-          ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' has expired", :warn
-        elsif service != ticket.service
-          ValidationResult.new 'INVALID_SERVICE', "Ticket '#{ticket.ticket}' is not valid for service '#{service}'", :warn
-        elsif renew && !ticket.issued_from_credentials?
-          ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' was not issued from credentials but service '#{service}' will only accept a renewed ticket", :info
-        else
-          ValidationResult.new
-        end
-      end
-    end
-  end
-end