casino 3.0.4 → 4.0.0.pre.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.travis.yml +12 -3
- data/app/api/casino/api.rb +7 -0
- data/app/api/casino/api/entity/auth_token_ticket.rb +5 -0
- data/app/api/casino/api/resource/auth_token_tickets.rb +12 -0
- data/app/assets/javascripts/casino/{application.js → application.js.erb} +1 -1
- data/app/authenticators/casino/static_authenticator.rb +8 -2
- data/app/builders/casino/proxy_response_builder.rb +24 -0
- data/app/builders/casino/ticket_validation_response_builder.rb +9 -5
- data/app/controllers/casino/application_controller.rb +0 -22
- data/app/controllers/casino/auth_tokens_controller.rb +34 -0
- data/app/controllers/casino/controller_concern/ticket_validator.rb +30 -0
- data/app/controllers/casino/proxy_tickets_controller.rb +42 -2
- data/app/controllers/casino/service_tickets_controller.rb +15 -2
- data/app/controllers/casino/sessions_controller.rb +59 -8
- data/app/controllers/casino/two_factor_authenticators_controller.rb +28 -3
- data/app/helpers/casino/sessions_helper.rb +75 -0
- data/app/helpers/casino/two_factor_authenticators_helper.rb +12 -0
- data/app/models/casino/auth_token_ticket.rb +15 -0
- data/app/models/casino/login_ticket.rb +7 -4
- data/app/models/casino/model_concern/consumable_ticket.rb +20 -0
- data/app/models/casino/model_concern/ticket.rb +28 -0
- data/app/models/casino/proxy_granting_ticket.rb +12 -0
- data/app/models/casino/proxy_ticket.rb +4 -0
- data/app/models/casino/service_ticket.rb +5 -4
- data/app/models/casino/ticket_granting_ticket.rb +5 -1
- data/app/models/casino/two_factor_authenticator.rb +2 -0
- data/app/processors/casino/authentication_processor.rb +73 -0
- data/app/processors/casino/browser_processor.rb +12 -0
- data/app/processors/casino/proxy_granting_ticket_processor.rb +37 -0
- data/app/processors/casino/service_ticket_processor.rb +81 -0
- data/app/processors/casino/ticket_granting_ticket_processor.rb +56 -0
- data/app/processors/casino/two_factor_authenticator_processor.rb +18 -0
- data/app/services/casino/auth_token_validation_service.rb +66 -0
- data/app/views/casino/sessions/index.html.erb +2 -2
- data/app/views/casino/sessions/new.html.erb +1 -1
- data/app/views/casino/sessions/validate_otp.html.erb +1 -1
- data/app/views/casino/two_factor_authenticators/new.html.erb +6 -3
- data/app/views/layouts/application.html.erb +0 -1
- data/casino.gemspec +4 -2
- data/config/locales/en.yml +35 -0
- data/config/locales/zh-CN.yml +88 -0
- data/config/locales/zh-TW.yml +88 -0
- data/config/routes.rb +3 -10
- data/db/migrate/20140831205255_create_auth_token_tickets.rb +10 -0
- data/lib/casino.rb +4 -1
- data/lib/casino/tasks/cleanup.rake +13 -1
- data/lib/casino/version.rb +1 -1
- data/spec/controllers/auth_tokens_controller_spec.rb +75 -0
- data/spec/controllers/proxy_tickets_controller_spec.rb +120 -14
- data/spec/controllers/service_and_proxy_tickets_controller_spec.rb +224 -0
- data/spec/controllers/service_tickets_controller_spec.rb +62 -16
- data/spec/controllers/sessions_controller_spec.rb +622 -36
- data/spec/controllers/two_factor_authenticators_controller_spec.rb +217 -18
- data/spec/dummy/config/cas.yml +3 -0
- data/spec/dummy/config/environments/development.rb +0 -4
- data/spec/dummy/db/migrate/{20130910094259_create_base_models.casino.rb → 20140831214845_create_core_schema.casino.rb} +55 -32
- data/spec/dummy/db/migrate/20140831214846_rename_base_models.casino.rb +102 -0
- data/spec/dummy/db/migrate/20140831214847_cleanup_indexes.casino.rb +28 -0
- data/spec/dummy/db/migrate/20140831214848_fix_long_index_names.casino.rb +13 -0
- data/spec/dummy/db/migrate/20140831214849_change_service_to_text.casino.rb +7 -0
- data/spec/dummy/db/migrate/20140831214850_change_user_agent_to_text.casino.rb +6 -0
- data/spec/dummy/db/migrate/20140831214851_fix_length_of_text_fields.casino.rb +8 -0
- data/spec/dummy/db/migrate/20140831214852_create_auth_token_tickets.casino.rb +11 -0
- data/spec/dummy/db/schema.rb +79 -70
- data/spec/features/login_spec.rb +0 -9
- data/spec/model/auth_token_ticket_spec.rb +23 -0
- data/spec/services/auth_token_validation_service_spec.rb +83 -0
- data/spec/support/sign_in.rb +4 -0
- metadata +139 -210
- data/app/controllers/casino/api/v1/tickets_controller.rb +0 -55
- data/app/helpers/service_tickets_helper.rb +0 -2
- data/app/listeners/casino/legacy_validator_listener.rb +0 -11
- data/app/listeners/casino/listener.rb +0 -16
- data/app/listeners/casino/login_credential_acceptor_listener.rb +0 -38
- data/app/listeners/casino/login_credential_requestor_listener.rb +0 -21
- data/app/listeners/casino/logout_listener.rb +0 -12
- data/app/listeners/casino/other_sessions_destroyer_listener.rb +0 -7
- data/app/listeners/casino/proxy_ticket_provider_listener.rb +0 -11
- data/app/listeners/casino/second_factor_authentication_acceptor_listener.rb +0 -26
- data/app/listeners/casino/session_destroyer_listener.rb +0 -11
- data/app/listeners/casino/session_overview_listener.rb +0 -11
- data/app/listeners/casino/ticket_validator_listener.rb +0 -11
- data/app/listeners/casino/two_factor_authenticator_activator_listener.rb +0 -23
- data/app/listeners/casino/two_factor_authenticator_destroyer_listener.rb +0 -16
- data/app/listeners/casino/two_factor_authenticator_overview_listener.rb +0 -11
- data/app/listeners/casino/two_factor_authenticator_registrator_listener.rb +0 -11
- data/app/processors/casino/api/login_credential_acceptor_processor.rb +0 -46
- data/app/processors/casino/api/logout_processor.rb +0 -17
- data/app/processors/casino/api/service_ticket_provider_processor.rb +0 -69
- data/app/processors/casino/legacy_validator_processor.rb +0 -19
- data/app/processors/casino/login_credential_acceptor_processor.rb +0 -63
- data/app/processors/casino/login_credential_requestor_processor.rb +0 -70
- data/app/processors/casino/logout_processor.rb +0 -23
- data/app/processors/casino/other_sessions_destroyer_processor.rb +0 -26
- data/app/processors/casino/processor.rb +0 -5
- data/app/processors/casino/processor_concern/authentication.rb +0 -87
- data/app/processors/casino/processor_concern/browser.rb +0 -14
- data/app/processors/casino/processor_concern/login_tickets.rb +0 -28
- data/app/processors/casino/processor_concern/proxy_granting_tickets.rb +0 -43
- data/app/processors/casino/processor_concern/proxy_tickets.rb +0 -56
- data/app/processors/casino/processor_concern/service_tickets.rb +0 -50
- data/app/processors/casino/processor_concern/ticket_granting_tickets.rb +0 -65
- data/app/processors/casino/processor_concern/tickets.rb +0 -17
- data/app/processors/casino/processor_concern/two_factor_authenticators.rb +0 -23
- data/app/processors/casino/proxy_ticket_provider_processor.rb +0 -41
- data/app/processors/casino/proxy_ticket_validator_processor.rb +0 -22
- data/app/processors/casino/second_factor_authentication_acceptor_processor.rb +0 -45
- data/app/processors/casino/service_ticket_validator_processor.rb +0 -46
- data/app/processors/casino/session_destroyer_processor.rb +0 -25
- data/app/processors/casino/session_overview_processor.rb +0 -21
- data/app/processors/casino/two_factor_authenticator_activator_processor.rb +0 -41
- data/app/processors/casino/two_factor_authenticator_destroyer_processor.rb +0 -33
- data/app/processors/casino/two_factor_authenticator_overview_processor.rb +0 -20
- data/app/processors/casino/two_factor_authenticator_registrator_processor.rb +0 -24
- data/spec/controllers/api/v1/tickets_controller_spec.rb +0 -114
- data/spec/controllers/listener/legacy_validator_spec.rb +0 -22
- data/spec/controllers/listener/login_credential_acceptor_spec.rb +0 -108
- data/spec/controllers/listener/login_credential_requestor_spec.rb +0 -57
- data/spec/controllers/listener/logout_spec.rb +0 -38
- data/spec/controllers/listener/other_sessions_destroyer_spec.rb +0 -19
- data/spec/controllers/listener/proxy_ticket_provider_spec.rb +0 -22
- data/spec/controllers/listener/second_factor_authentication_acceptor_spec.rb +0 -74
- data/spec/controllers/listener/session_destroyer_spec.rb +0 -25
- data/spec/controllers/listener/session_overview_spec.rb +0 -26
- data/spec/controllers/listener/ticket_validator_spec.rb +0 -22
- data/spec/controllers/listener/two_factor_authenticator_activator_spec.rb +0 -64
- data/spec/controllers/listener/two_factor_authenticator_destroyer_spec.rb +0 -40
- data/spec/controllers/listener/two_factor_authenticator_overview_spec.rb +0 -16
- data/spec/controllers/listener/two_factor_authenticator_registrator_spec.rb +0 -27
- data/spec/processor/api/login_credential_acceptor_spec.rb +0 -52
- data/spec/processor/api/logout_spec.rb +0 -34
- data/spec/processor/api/service_ticket_provider_spec.rb +0 -61
- data/spec/processor/legacy_validator_spec.rb +0 -78
- data/spec/processor/login_credential_acceptor_spec.rb +0 -164
- data/spec/processor/login_credential_requestor_spec.rb +0 -145
- data/spec/processor/logout_other_sessions_spec.rb +0 -53
- data/spec/processor/logout_spec.rb +0 -72
- data/spec/processor/processor_concern/service_tickets_spec.rb +0 -49
- data/spec/processor/proxy_ticket_provider_spec.rb +0 -66
- data/spec/processor/proxy_ticket_validator_spec.rb +0 -65
- data/spec/processor/second_factor_authenticaton_acceptor_spec.rb +0 -94
- data/spec/processor/session_destroyer_spec.rb +0 -75
- data/spec/processor/session_overview_spec.rb +0 -49
- data/spec/processor/ticket_validator_spec.rb +0 -214
- data/spec/processor/two_factor_authenticator_activator_spec.rb +0 -122
- data/spec/processor/two_factor_authenticator_destroyer_spec.rb +0 -71
- data/spec/processor/two_factor_authenticator_overview_spec.rb +0 -56
- data/spec/processor/two_factor_authenticator_registrator_spec.rb +0 -48
@@ -1,19 +0,0 @@
|
|
1
|
-
# The LegacyValidator processor should be used for GET requests to /validate
|
2
|
-
class CASino::LegacyValidatorProcessor < CASino::Processor
|
3
|
-
include CASino::ProcessorConcern::ServiceTickets
|
4
|
-
|
5
|
-
# This method will call `#validation_succeeded` or `#validation_failed`. In both cases, it supplies
|
6
|
-
# a string as argument. The web application should present that string (and nothing else) to the
|
7
|
-
# requestor.
|
8
|
-
#
|
9
|
-
# @param [Hash] params parameters supplied by requestor (a service)
|
10
|
-
def process(params = nil)
|
11
|
-
params ||= {}
|
12
|
-
ticket = CASino::ServiceTicket.where(ticket: params[:ticket]).first
|
13
|
-
if !params[:service].nil? && ticket_valid_for_service?(ticket, params[:service], !!params[:renew])
|
14
|
-
@listener.validation_succeeded("yes\n#{ticket.ticket_granting_ticket.user.username}\n")
|
15
|
-
else
|
16
|
-
@listener.validation_failed("no\n\n")
|
17
|
-
end
|
18
|
-
end
|
19
|
-
end
|
@@ -1,63 +0,0 @@
|
|
1
|
-
# This processor should be used for POST requests to /login
|
2
|
-
class CASino::LoginCredentialAcceptorProcessor < CASino::Processor
|
3
|
-
include CASino::ProcessorConcern::LoginTickets
|
4
|
-
include CASino::ProcessorConcern::ServiceTickets
|
5
|
-
include CASino::ProcessorConcern::Authentication
|
6
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
7
|
-
|
8
|
-
# Use this method to process the request. It expects the username in the parameter "username" and the password
|
9
|
-
# in "password".
|
10
|
-
#
|
11
|
-
# The method will call one of the following methods on the listener:
|
12
|
-
# * `#user_logged_in`: The first argument (String) is the URL (if any), the user should be redirected to.
|
13
|
-
# The second argument (String) is the ticket-granting ticket. It should be stored in a cookie named "tgt".
|
14
|
-
# The third argument (Time, optional, default = nil) is for "Remember Me" functionality.
|
15
|
-
# This is the cookies expiration date. If it is `nil`, the cookie should be a session cookie.
|
16
|
-
# * `#invalid_login_ticket` and `#invalid_login_credentials`: The first argument is a LoginTicket.
|
17
|
-
# See {CASino::LoginCredentialRequestorProcessor} for details.
|
18
|
-
# * `#service_not_allowed`: The user tried to access a service that this CAS server is not allowed to serve.
|
19
|
-
# * `#two_factor_authentication_pending`: The user should be asked to enter his OTP. The first argument (String) is the ticket-granting ticket. The ticket-granting ticket is not active yet. Use SecondFactorAuthenticatonAcceptor to activate it.
|
20
|
-
#
|
21
|
-
# @param [Hash] params parameters supplied by user
|
22
|
-
# @param [String] user_agent user-agent delivered by the client
|
23
|
-
def process(params = nil, user_agent = nil)
|
24
|
-
@params = params || {}
|
25
|
-
@user_agent = user_agent
|
26
|
-
if login_ticket_valid?(@params[:lt])
|
27
|
-
authenticate_user
|
28
|
-
else
|
29
|
-
@listener.invalid_login_ticket(acquire_login_ticket)
|
30
|
-
end
|
31
|
-
end
|
32
|
-
|
33
|
-
private
|
34
|
-
def authenticate_user
|
35
|
-
authentication_result = validate_login_credentials(@params[:username], @params[:password])
|
36
|
-
if !authentication_result.nil?
|
37
|
-
user_logged_in(authentication_result)
|
38
|
-
else
|
39
|
-
@listener.invalid_login_credentials(acquire_login_ticket)
|
40
|
-
end
|
41
|
-
end
|
42
|
-
|
43
|
-
def user_logged_in(authentication_result)
|
44
|
-
long_term = @params[:rememberMe]
|
45
|
-
ticket_granting_ticket = acquire_ticket_granting_ticket(authentication_result, @user_agent, long_term)
|
46
|
-
if ticket_granting_ticket.awaiting_two_factor_authentication?
|
47
|
-
@listener.two_factor_authentication_pending(ticket_granting_ticket.ticket)
|
48
|
-
else
|
49
|
-
begin
|
50
|
-
url = unless @params[:service].blank?
|
51
|
-
acquire_service_ticket(ticket_granting_ticket, @params[:service], true).service_with_ticket_url
|
52
|
-
end
|
53
|
-
if long_term
|
54
|
-
@listener.user_logged_in(url, ticket_granting_ticket.ticket, CASino.config.ticket_granting_ticket[:lifetime_long_term].seconds.from_now)
|
55
|
-
else
|
56
|
-
@listener.user_logged_in(url, ticket_granting_ticket.ticket)
|
57
|
-
end
|
58
|
-
rescue ServiceNotAllowedError => e
|
59
|
-
@listener.service_not_allowed(clean_service_url @params[:service])
|
60
|
-
end
|
61
|
-
end
|
62
|
-
end
|
63
|
-
end
|
@@ -1,70 +0,0 @@
|
|
1
|
-
# This processor should be used for GET requests to /login
|
2
|
-
class CASino::LoginCredentialRequestorProcessor < CASino::Processor
|
3
|
-
include CASino::ProcessorConcern::Browser
|
4
|
-
include CASino::ProcessorConcern::LoginTickets
|
5
|
-
include CASino::ProcessorConcern::ServiceTickets
|
6
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
7
|
-
|
8
|
-
# Use this method to process the request.
|
9
|
-
#
|
10
|
-
# The method will call one of the following methods on the listener:
|
11
|
-
# * `#user_logged_in`: The first argument (String) is the URL (if any), the user should be redirected to.
|
12
|
-
# * `#user_not_logged_in`: The first argument is a LoginTicket. It should be stored in a hidden field with name "lt".
|
13
|
-
# * `#service_not_allowed`: The user tried to access a service that this CAS server is not allowed to serve.
|
14
|
-
#
|
15
|
-
# @param [Hash] params parameters supplied by user
|
16
|
-
# @param [Hash] cookies cookies supplied by user
|
17
|
-
# @param [String] user_agent user-agent delivered by the client
|
18
|
-
def process(params = nil, cookies = nil, user_agent = nil)
|
19
|
-
@params = params || {}
|
20
|
-
@cookies = cookies || {}
|
21
|
-
@user_agent = user_agent || {}
|
22
|
-
begin
|
23
|
-
@service_url = clean_service_url(@params[:service]) unless @params[:service].nil?
|
24
|
-
rescue Addressable::URI::InvalidURIError => e
|
25
|
-
Rails.logger.warn "Service #{@params[:service]} not valid: #{e}"
|
26
|
-
end
|
27
|
-
if service_allowed?
|
28
|
-
handle_allowed_service
|
29
|
-
end
|
30
|
-
end
|
31
|
-
|
32
|
-
private
|
33
|
-
def handle_allowed_service
|
34
|
-
if !@params[:renew] && (@ticket_granting_ticket = find_valid_ticket_granting_ticket(@cookies[:tgt], @user_agent))
|
35
|
-
handle_logged_in
|
36
|
-
else
|
37
|
-
handle_not_logged_in
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
def handle_logged_in
|
42
|
-
service_url_with_ticket = unless @service_url.nil?
|
43
|
-
acquire_service_ticket(@ticket_granting_ticket, @service_url, true).service_with_ticket_url
|
44
|
-
end
|
45
|
-
@listener.user_logged_in(service_url_with_ticket)
|
46
|
-
end
|
47
|
-
|
48
|
-
def handle_not_logged_in
|
49
|
-
if gateway_request?
|
50
|
-
# we actually lie to the listener to simplify things
|
51
|
-
@listener.user_logged_in(@service_url)
|
52
|
-
else
|
53
|
-
login_ticket = acquire_login_ticket
|
54
|
-
@listener.user_not_logged_in(login_ticket)
|
55
|
-
end
|
56
|
-
end
|
57
|
-
|
58
|
-
def service_allowed?
|
59
|
-
if @service_url.nil? || CASino::ServiceRule.allowed?(@service_url)
|
60
|
-
true
|
61
|
-
else
|
62
|
-
@listener.service_not_allowed(@service_url)
|
63
|
-
false
|
64
|
-
end
|
65
|
-
end
|
66
|
-
|
67
|
-
def gateway_request?
|
68
|
-
@params[:gateway] == 'true' && @service_url
|
69
|
-
end
|
70
|
-
end
|
@@ -1,23 +0,0 @@
|
|
1
|
-
# The Logout processor should be used to process GET requests to /logout.
|
2
|
-
class CASino::LogoutProcessor < CASino::Processor
|
3
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
4
|
-
|
5
|
-
# This method will call `#user_logged_out` and may supply an URL that should be presented to the user.
|
6
|
-
# As per specification, the URL specified by "url" SHOULD be on the logout page with descriptive text.
|
7
|
-
# For example, "The application you just logged out of has provided a link it would like you to follow.
|
8
|
-
# Please click here to access http://www.go-back.edu/."
|
9
|
-
#
|
10
|
-
# @param [Hash] params parameters supplied by user
|
11
|
-
# @param [Hash] cookies cookies supplied by user
|
12
|
-
# @param [String] user_agent user-agent delivered by the client
|
13
|
-
def process(params = nil, cookies = nil, user_agent = nil)
|
14
|
-
params ||= {}
|
15
|
-
cookies ||= {}
|
16
|
-
remove_ticket_granting_ticket(cookies[:tgt], user_agent)
|
17
|
-
if params[:service] && CASino::ServiceRule.allowed?(params[:service])
|
18
|
-
@listener.user_logged_out(params[:service], true)
|
19
|
-
else
|
20
|
-
@listener.user_logged_out(params[:url])
|
21
|
-
end
|
22
|
-
end
|
23
|
-
end
|
@@ -1,26 +0,0 @@
|
|
1
|
-
# The OtherSessionsDestroyer processor should be used to process GET requests to /destroy-other-sessions.
|
2
|
-
#
|
3
|
-
# It is usefule to redirect users to this action after a password change.
|
4
|
-
#
|
5
|
-
# This feature is not described in the CAS specification so it's completly optional
|
6
|
-
# to implement this on the web application side.
|
7
|
-
class CASino::OtherSessionsDestroyerProcessor < CASino::Processor
|
8
|
-
include CASino::ProcessorConcern::TicketGrantingTickets
|
9
|
-
|
10
|
-
# This method will call `#other_sessions_destroyed` and may supply an URL that should be presented to the user.
|
11
|
-
# The user should be redirected to this URL immediately.
|
12
|
-
#
|
13
|
-
# @param [Hash] params parameters supplied by user
|
14
|
-
# @param [Hash] cookies cookies supplied by user
|
15
|
-
# @param [String] user_agent user-agent delivered by the client
|
16
|
-
def process(params = nil, cookies = nil, user_agent = nil)
|
17
|
-
params ||= {}
|
18
|
-
cookies ||= {}
|
19
|
-
tgt = find_valid_ticket_granting_ticket(cookies[:tgt], user_agent)
|
20
|
-
unless tgt.nil?
|
21
|
-
other_ticket_granting_tickets = tgt.user.ticket_granting_tickets.where('id != ?', tgt.id)
|
22
|
-
other_ticket_granting_tickets.destroy_all
|
23
|
-
end
|
24
|
-
@listener.other_sessions_destroyed(params[:service])
|
25
|
-
end
|
26
|
-
end
|
@@ -1,87 +0,0 @@
|
|
1
|
-
module CASino
|
2
|
-
module ProcessorConcern
|
3
|
-
module Authentication
|
4
|
-
|
5
|
-
def validate_login_credentials(username, password)
|
6
|
-
authentication_result = nil
|
7
|
-
authenticators.each do |authenticator_name, authenticator|
|
8
|
-
begin
|
9
|
-
data = authenticator.validate(username, password)
|
10
|
-
rescue CASino::Authenticator::AuthenticatorError => e
|
11
|
-
Rails.logger.error "Authenticator '#{authenticator_name}' (#{authenticator.class}) raised an error: #{e}"
|
12
|
-
end
|
13
|
-
if data
|
14
|
-
authentication_result = { authenticator: authenticator_name, user_data: data }
|
15
|
-
Rails.logger.info("Credentials for username '#{data[:username]}' successfully validated using authenticator '#{authenticator_name}' (#{authenticator.class})")
|
16
|
-
break
|
17
|
-
end
|
18
|
-
end
|
19
|
-
authentication_result
|
20
|
-
end
|
21
|
-
|
22
|
-
def authenticators
|
23
|
-
@authenticators ||= begin
|
24
|
-
CASino.config[:authenticators].each do |name, auth|
|
25
|
-
next unless auth.is_a?(Hash)
|
26
|
-
|
27
|
-
authenticator = if auth[:class]
|
28
|
-
auth[:class].constantize
|
29
|
-
else
|
30
|
-
load_authenticator(auth[:authenticator])
|
31
|
-
end
|
32
|
-
|
33
|
-
CASino.config[:authenticators][name] = authenticator.new(auth[:options])
|
34
|
-
end
|
35
|
-
end
|
36
|
-
end
|
37
|
-
|
38
|
-
private
|
39
|
-
def load_legacy_authenticator(name)
|
40
|
-
gemname, classname = parse_legacy_name(name)
|
41
|
-
|
42
|
-
begin
|
43
|
-
require gemname
|
44
|
-
CASinoCore::Authenticator.const_get("#{classname}")
|
45
|
-
rescue LoadError, NameError
|
46
|
-
false
|
47
|
-
end
|
48
|
-
end
|
49
|
-
|
50
|
-
def load_authenticator(name)
|
51
|
-
legacy_authenticator = load_legacy_authenticator(name)
|
52
|
-
return legacy_authenticator if legacy_authenticator
|
53
|
-
|
54
|
-
gemname, classname = parse_name(name)
|
55
|
-
|
56
|
-
begin
|
57
|
-
require gemname
|
58
|
-
CASino.const_get(classname)
|
59
|
-
rescue LoadError => error
|
60
|
-
raise LoadError, load_error_message(name, gemname, error)
|
61
|
-
rescue NameError => error
|
62
|
-
raise NameError, name_error_message(name, error)
|
63
|
-
end
|
64
|
-
end
|
65
|
-
|
66
|
-
def parse_name(name)
|
67
|
-
[ "casino-#{name.underscore}_authenticator", "#{name.camelize}Authenticator" ]
|
68
|
-
end
|
69
|
-
|
70
|
-
def parse_legacy_name(name)
|
71
|
-
[ "casino_core-authenticator-#{name.underscore}", name.camelize ]
|
72
|
-
end
|
73
|
-
|
74
|
-
def load_error_message(name, gemname, error)
|
75
|
-
"Failed to load authenticator '#{name}'. Maybe you have to include " \
|
76
|
-
"\"gem '#{gemname}'\" in your Gemfile?\n" \
|
77
|
-
" Error: #{error.message}\n"
|
78
|
-
end
|
79
|
-
|
80
|
-
def name_error_message(name, error)
|
81
|
-
"Failed to load authenticator '#{name}'. The authenticator class must " \
|
82
|
-
"be defined in the CASino namespace.\n" \
|
83
|
-
" Error: #{error.message}\n"
|
84
|
-
end
|
85
|
-
end
|
86
|
-
end
|
87
|
-
end
|
@@ -1,14 +0,0 @@
|
|
1
|
-
module CASino
|
2
|
-
module ProcessorConcern
|
3
|
-
module Browser
|
4
|
-
def browser_info(user_agent)
|
5
|
-
user_agent = UserAgent.parse(user_agent)
|
6
|
-
"#{user_agent.browser} (#{user_agent.platform})"
|
7
|
-
end
|
8
|
-
|
9
|
-
def same_browser?(user_agent, other_user_agent)
|
10
|
-
user_agent == other_user_agent || browser_info(user_agent) == browser_info(other_user_agent)
|
11
|
-
end
|
12
|
-
end
|
13
|
-
end
|
14
|
-
end
|
@@ -1,28 +0,0 @@
|
|
1
|
-
module CASino
|
2
|
-
module ProcessorConcern
|
3
|
-
module LoginTickets
|
4
|
-
include CASino::ProcessorConcern::Tickets
|
5
|
-
|
6
|
-
def acquire_login_ticket
|
7
|
-
ticket = CASino::LoginTicket.create ticket: random_ticket_string('LT')
|
8
|
-
Rails.logger.debug "Created login ticket '#{ticket.ticket}'"
|
9
|
-
ticket
|
10
|
-
end
|
11
|
-
|
12
|
-
def login_ticket_valid?(lt)
|
13
|
-
ticket = CASino::LoginTicket.find_by_ticket lt
|
14
|
-
if ticket.nil?
|
15
|
-
Rails.logger.info "Login ticket '#{lt}' not found"
|
16
|
-
false
|
17
|
-
elsif ticket.created_at < CASino.config.login_ticket[:lifetime].seconds.ago
|
18
|
-
Rails.logger.info "Login ticket '#{ticket.ticket}' expired"
|
19
|
-
false
|
20
|
-
else
|
21
|
-
Rails.logger.debug "Login ticket '#{ticket.ticket}' successfully validated"
|
22
|
-
ticket.delete
|
23
|
-
true
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
@@ -1,43 +0,0 @@
|
|
1
|
-
require 'addressable/uri'
|
2
|
-
require 'faraday'
|
3
|
-
|
4
|
-
module CASino
|
5
|
-
module ProcessorConcern
|
6
|
-
module ProxyGrantingTickets
|
7
|
-
include CASino::ProcessorConcern::Tickets
|
8
|
-
|
9
|
-
def acquire_proxy_granting_ticket(pgt_url, service_ticket)
|
10
|
-
callback_uri = Addressable::URI.parse(pgt_url)
|
11
|
-
if callback_uri.scheme != 'https'
|
12
|
-
Rails.logger.warn "Proxy tickets can only be granted to callback servers using HTTPS."
|
13
|
-
nil
|
14
|
-
else
|
15
|
-
contact_callback_server(callback_uri, service_ticket)
|
16
|
-
end
|
17
|
-
end
|
18
|
-
|
19
|
-
private
|
20
|
-
def contact_callback_server(callback_uri, service_ticket)
|
21
|
-
pgt = service_ticket.proxy_granting_tickets.new({
|
22
|
-
ticket: random_ticket_string('PGT'),
|
23
|
-
iou: random_ticket_string('PGTIOU'),
|
24
|
-
pgt_url: "#{callback_uri}"
|
25
|
-
})
|
26
|
-
callback_uri.query_values = (callback_uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
|
27
|
-
response = Faraday.get "#{callback_uri}"
|
28
|
-
# TODO: does this follow redirects? CAS specification says that redirects MAY be followed (2.5.4)
|
29
|
-
if response.success?
|
30
|
-
pgt.save!
|
31
|
-
Rails.logger.debug "Proxy-granting ticket generated for service '#{service_ticket.service}': #{pgt.inspect}"
|
32
|
-
pgt
|
33
|
-
else
|
34
|
-
Rails.logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.status}'. PGT will not be stored."
|
35
|
-
nil
|
36
|
-
end
|
37
|
-
rescue Faraday::Error::ClientError => error
|
38
|
-
Rails.logger.warn "Exception while communicating with proxy-granting ticket callback server: #{error.message}"
|
39
|
-
nil
|
40
|
-
end
|
41
|
-
end
|
42
|
-
end
|
43
|
-
end
|
@@ -1,56 +0,0 @@
|
|
1
|
-
module CASino
|
2
|
-
module ProcessorConcern
|
3
|
-
module ProxyTickets
|
4
|
-
|
5
|
-
include CASino::ProcessorConcern::Tickets
|
6
|
-
|
7
|
-
class ValidationResult < CASino::ValidationResult; end
|
8
|
-
|
9
|
-
def acquire_proxy_ticket(proxy_granting_ticket, service)
|
10
|
-
proxy_granting_ticket.proxy_tickets.create!({
|
11
|
-
ticket: random_ticket_string('PT'),
|
12
|
-
service: service,
|
13
|
-
})
|
14
|
-
end
|
15
|
-
|
16
|
-
def validate_ticket_for_service(ticket, service, renew = false)
|
17
|
-
if ticket.nil?
|
18
|
-
result = ValidationResult.new 'INVALID_TICKET', 'Invalid validate request: Ticket does not exist', :warn
|
19
|
-
else
|
20
|
-
result = validate_existing_ticket_for_service(ticket, service, renew)
|
21
|
-
ticket.consumed = true
|
22
|
-
ticket.save!
|
23
|
-
Rails.logger.debug "Consumed ticket '#{ticket.ticket}'"
|
24
|
-
end
|
25
|
-
if result.success?
|
26
|
-
Rails.logger.info "Ticket '#{ticket.ticket}' for service '#{service}' successfully validated"
|
27
|
-
else
|
28
|
-
Rails.logger.send(result.error_severity, result.error_message)
|
29
|
-
end
|
30
|
-
result
|
31
|
-
end
|
32
|
-
|
33
|
-
def ticket_valid_for_service?(ticket, service, renew = false)
|
34
|
-
validate_ticket_for_service(ticket, service, renew).success?
|
35
|
-
end
|
36
|
-
|
37
|
-
private
|
38
|
-
def validate_existing_ticket_for_service(ticket, service, renew = false)
|
39
|
-
if ticket.is_a?(CASino::ServiceTicket)
|
40
|
-
service = clean_service_url(service)
|
41
|
-
end
|
42
|
-
if ticket.consumed?
|
43
|
-
ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' already consumed", :warn
|
44
|
-
elsif ticket.expired?
|
45
|
-
ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' has expired", :warn
|
46
|
-
elsif service != ticket.service
|
47
|
-
ValidationResult.new 'INVALID_SERVICE', "Ticket '#{ticket.ticket}' is not valid for service '#{service}'", :warn
|
48
|
-
elsif renew && !ticket.issued_from_credentials?
|
49
|
-
ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' was not issued from credentials but service '#{service}' will only accept a renewed ticket", :info
|
50
|
-
else
|
51
|
-
ValidationResult.new
|
52
|
-
end
|
53
|
-
end
|
54
|
-
end
|
55
|
-
end
|
56
|
-
end
|