RubyGems - casino - Versions diffs - 3.0.4 → 4.0.0.pre.1 - Mend

casino 3.0.4 → 4.0.0.pre.1

Files changed (149) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 71cfd75e5672f90469a0c6d4fdd0f2d3a8aa8c33
+  data.tar.gz: f21e697ce6f06d1b2212e503e34dd096f6128f3c
+SHA512:
+  metadata.gz: a9208fbd8c620d512e0ee8ef82ec7bdec667003ba6f7eaff1833fe69b1fc85f16a353201636d385b1eb98140996d0e4f337a9d89ab8219fc88c3510b7b8d5b32
+  data.tar.gz: e24bc5645aadd311e410fd6da88996672faa77014ef4981ed5c03d80a12d9a6fcaeec5af700edd68511378c2647a5c42ccc4617912ca7f7856ef6d0dd12ecf61

data/.travis.yml CHANGED

@@ -1,5 +1,14 @@
 language: ruby
 rvm:
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
+- 1.9.3
+- 2.0.0
+- 2.1.0
+notifications:
+  hipchat:
+    rooms:
+      secure: kXPfZwOtdwJM0NIOj2td/NoPOhzxWVlUfHQuke2N4fuoKDQ+nhz5ZV4btW5J+O5C5aC6qyBBFdm+FzA/8m1WiLMGX0DIE1X67zZts/udMwtIDRNoHV594hd2co4oA72QMUT5kdre7IvTpSnnJwkp/d3V0kB7DOHuEbDJsjipx8I=
+    template:
+      - '%{repository} <a href="%{build_url}">#%{build_number}</a> (%{branch} - <a href="%{compare_url}">%{commit}</a> : %{author}): %{message}'
+    format: html
+    on_failure: always
+    on_success: change

data/app/api/casino/api.rb ADDED

@@ -0,0 +1,7 @@
+require 'grape'
+class CASino::API < Grape::API
+  format :json
+  mount CASino::API::Resource::AuthTokenTickets
+end

data/app/api/casino/api/entity/auth_token_ticket.rb ADDED

@@ -0,0 +1,5 @@
+require 'grape-entity'
+class CASino::API::Entity::AuthTokenTicket < Grape::Entity
+  expose :ticket
+end

data/app/api/casino/api/resource/auth_token_tickets.rb ADDED

@@ -0,0 +1,12 @@
+require 'grape'
+class CASino::API::Resource::AuthTokenTickets < Grape::API
+  resource :auth_token_tickets do
+    desc 'Create an auth token ticket'
+    post do
+      @ticket = CASino::AuthTokenTicket.create
+      Rails.logger.debug "Created auth token ticket '#{@ticket.ticket}'"
+      present @ticket, with: CASino::API::Entity::AuthTokenTicket
+    end
+  end
+end

data/app/assets/javascripts/casino/{application.js → application.js.erb} RENAMED

@@ -1,7 +1,7 @@
 // Place all the behaviors and hooks related to the matching controller here.
 (function(win) {
   if(!win.CASino) {
-    win.CASino = { baseUrl: '/' };
+    win.CASino = { baseUrl: '<%= CASino::Engine.routes.url_helpers.root_path %>' };
   }
   win.CASino.url = function(path) {

data/app/authenticators/casino/static_authenticator.rb CHANGED

@@ -12,12 +12,18 @@ class CASino::StaticAuthenticator < CASino::Authenticator
   def validate(username, password)
     username = :"#{username}"
     if @users.include?(username) && @users[username][:password] == password
+      load_user_data(username)
+    else
+      false
+    end
+  end
+  def load_user_data(username)
+    if @users.include?(username)
       {
         username: "#{username}",
         extra_attributes: @users[username].except(:password)
       }
-    else
-      false
     end
   end
 end

data/app/builders/casino/proxy_response_builder.rb ADDED

@@ -0,0 +1,24 @@
+require 'builder'
+class CASino::ProxyResponseBuilder
+  attr_reader :success, :options
+  def initialize(success, options)
+    @success = success
+    @options = options
+  end
+  def build
+    xml = Builder::XmlMarkup.new(indent: 2)
+    xml.cas :serviceResponse, 'xmlns:cas' => 'http://www.yale.edu/tp/cas' do |service_response|
+      if success
+        service_response.cas :proxySuccess do |proxy_success|
+          proxy_success.cas :proxyTicket, options[:proxy_ticket].ticket
+        end
+      else
+        service_response.cas :proxyFailure, options[:error_message], code: options[:error_code]
+      end
+    end
+    xml.target!
+  end
+end

data/app/builders/casino/ticket_validation_response_builder.rb CHANGED

@@ -1,6 +1,8 @@
 require 'builder'
 class CASino::TicketValidationResponseBuilder
+  attr_reader :success, :options
   def initialize(success, options)
     @success = success
     @options = options
@@ -9,8 +11,8 @@ class CASino::TicketValidationResponseBuilder
   def build
     xml = Builder::XmlMarkup.new(indent: 2)
     xml.cas :serviceResponse, 'xmlns:cas' => 'http://www.yale.edu/tp/cas' do |service_response|
-      if @success
-        ticket = @options[:ticket]
+      if success
+        ticket = options[:ticket]
         if ticket.is_a?(CASino::ProxyTicket)
           proxies = []
           service_ticket = ticket
@@ -38,6 +40,8 @@ class CASino::TicketValidationResponseBuilder
     key = :"#{key}"
     if value.kind_of?(String) || value.kind_of?(Numeric) || value.kind_of?(Symbol)
       builder.cas key, "#{value}"
+    elsif value.kind_of?(Array)
+      value.each { |v| serialize_extra_attribute(builder, key, v) }
     else
       builder.cas key do |container|
         container.cdata! value.to_yaml
@@ -65,8 +69,8 @@ class CASino::TicketValidationResponseBuilder
           end
         end
       end
-      if @options[:proxy_granting_ticket]
-        proxy_granting_ticket = @options[:proxy_granting_ticket]
+      if options[:proxy_granting_ticket]
+        proxy_granting_ticket = options[:proxy_granting_ticket]
         authentication_success.cas :proxyGrantingTicket, proxy_granting_ticket.iou
       end
       if ticket.is_a?(CASino::ProxyTicket)
@@ -80,6 +84,6 @@ class CASino::TicketValidationResponseBuilder
   end
   def build_failure_xml(service_response)
-    service_response.cas :authenticationFailure, @options[:error_message], code: @options[:error_code]
+    service_response.cas :authenticationFailure, options[:error_message], code: options[:error_code]
   end
 end

data/app/controllers/casino/application_controller.rb CHANGED

@@ -1,11 +1,9 @@
 require 'casino'
-require 'http_accept_language'
 class CASino::ApplicationController < ::ApplicationController
   include ApplicationHelper
   layout 'application'
-  before_filter :set_locale
   unless Rails.env.development?
     rescue_from ActionView::MissingTemplate, with: :missing_template
@@ -16,26 +14,6 @@ class CASino::ApplicationController < ::ApplicationController
   end
   protected
-  def processor(processor_name, listener_name = nil)
-    listener_name ||= processor_name
-    listener = CASino.const_get(:"#{listener_name}Listener").new(self)
-    @processor = CASino.const_get(:"#{processor_name}Processor").new(listener)
-  end
-  def set_locale
-    I18n.locale = extract_locale_from_accept_language_header || I18n.default_locale
-  end
-  def extract_locale_from_accept_language_header
-    if request.env['HTTP_ACCEPT_LANGUAGE']
-      http_accept_language.preferred_language_from(I18n.available_locales)
-    end
-  end
-  def http_accept_language
-    HttpAcceptLanguage::Parser.new request.env['HTTP_ACCEPT_LANGUAGE']
-  end
   def missing_template(exception)
     render plain: 'Format not supported', status: :not_acceptable
   end

data/app/controllers/casino/auth_tokens_controller.rb ADDED

@@ -0,0 +1,34 @@
+class CASino::AuthTokensController < CASino::ApplicationController
+  include CASino::SessionsHelper
+  def login
+    validation_result = validation_service.validation_result
+    return redirect_to_login unless validation_result
+    sign_in(validation_result)
+  end
+  private
+  def validation_service
+    @validation_service ||= CASino::AuthTokenValidationService.new(auth_token, auth_token_signature)
+  end
+  def redirect_to_login
+    redirect_to login_path(service: params[:service])
+  end
+  def auth_token_signature
+    @auth_token_signature ||= base64_decode(params[:ats])
+  end
+  def auth_token
+    @auth_token ||= base64_decode(params[:at])
+  end
+  def base64_decode(data)
+    begin
+      Base64.strict_decode64(data)
+    rescue
+      ''
+    end
+  end
+end

data/app/controllers/casino/controller_concern/ticket_validator.rb ADDED

@@ -0,0 +1,30 @@
+module CASino::ControllerConcern::TicketValidator
+  extend ActiveSupport::Concern
+  include CASino::ServiceTicketProcessor
+  include CASino::ProxyGrantingTicketProcessor
+  def validate_ticket(ticket)
+    validation_result = validate_ticket_for_service(ticket, params[:service], renew: params[:renew])
+    if validation_result.success?
+      options = { ticket: ticket }
+      options[:proxy_granting_ticket] = acquire_proxy_granting_ticket(params[:pgtUrl], ticket) unless params[:pgtUrl].nil?
+      build_ticket_validation_response(true, options)
+    else
+      build_ticket_validation_response(false,
+                                       error_code: validation_result.error_code,
+                                       error_message: validation_result.error_message)
+    end
+  end
+  def build_ticket_validation_response(success, options = {})
+    render xml: CASino::TicketValidationResponseBuilder.new(success, options).build
+  end
+  def ensure_service_ticket_parameters_present
+    if params[:ticket].nil? || params[:service].nil?
+      build_ticket_validation_response(false,
+                                       error_code: 'INVALID_REQUEST',
+                                       error_message: '"ticket" and "service" parameters are both required')
+    end
+  end
+end

data/app/controllers/casino/proxy_tickets_controller.rb CHANGED

@@ -1,9 +1,49 @@
 class CASino::ProxyTicketsController < CASino::ApplicationController
+  include CASino::ControllerConcern::TicketValidator
+  before_action :load_ticket, only: [:proxy_validate]
+  before_action :ensure_service_ticket_parameters_present, only: [:proxy_validate]
+  before_action :load_proxy_granting_ticket, only: [:create]
+  before_action :ensure_proxy_parameters_present, only: [:create]
   def proxy_validate
-    processor(:ProxyTicketValidator, :TicketValidator).process(params)
+    validate_ticket(@ticket)
   end
   def create
-    processor(:ProxyTicketProvider).process(params)
+    proxy_ticket = @proxy_granting_ticket.proxy_tickets.create!(service: params[:targetService])
+    build_proxy_response(true, proxy_ticket: proxy_ticket)
+  end
+  private
+  def load_ticket
+    @ticket = case params[:ticket]
+              when /\APT-/
+                CASino::ProxyTicket.where(ticket: params[:ticket]).first
+              when /\AST-/
+                CASino::ServiceTicket.where(ticket: params[:ticket]).first
+              end
+  end
+  def build_proxy_response(success, options = {})
+    render xml: CASino::ProxyResponseBuilder.new(success, options).build
+  end
+  def ensure_proxy_parameters_present
+    if params[:pgt].nil? || params[:targetService].nil?
+      build_proxy_response(false,
+                           error_code: 'INVALID_REQUEST',
+                           error_message: '"pgt" and "targetService" parameters are both required')
+    end
+  end
+  def load_proxy_granting_ticket
+    @proxy_granting_ticket = CASino::ProxyGrantingTicket.where(ticket: params[:pgt]).first if params[:pgt].present?
+    if @proxy_granting_ticket.nil?
+      build_proxy_response(false,
+                           error_code: 'BAD_PGT',
+                           error_message: 'PGT not found')
+    end
   end
 end

data/app/controllers/casino/service_tickets_controller.rb CHANGED

@@ -1,9 +1,22 @@
 class CASino::ServiceTicketsController < CASino::ApplicationController
+  include CASino::ControllerConcern::TicketValidator
+  before_action :load_service_ticket
+  before_action :ensure_service_ticket_parameters_present, only: [:service_validate]
   def validate
-    processor(:LegacyValidator).process(params)
+    if ticket_valid_for_service?(@service_ticket, params[:service], renew: params[:renew])
+      @username = @service_ticket.ticket_granting_ticket.user.username
+    end
+    render :validate, formats: [:text]
   end
   def service_validate
-    processor(:ServiceTicketValidator, :TicketValidator).process(params)
+    validate_ticket(@service_ticket)
+  end
+  private
+  def load_service_ticket
+    @service_ticket = CASino::ServiceTicket.where(ticket: params[:ticket]).first if params[:service].present?
   end
 end

data/app/controllers/casino/sessions_controller.rb CHANGED

@@ -1,32 +1,83 @@
 class CASino::SessionsController < CASino::ApplicationController
   include CASino::SessionsHelper
+  include CASino::AuthenticationProcessor
+  include CASino::TwoFactorAuthenticatorProcessor
+  before_action :validate_login_ticket, only: [:create]
+  before_action :ensure_service_allowed, only: [:new, :create]
+  before_action :load_ticket_granting_ticket_from_parameter, only: [:validate_otp]
+  before_action :ensure_signed_in, only: [:index, :destroy]
   def index
-    processor(:TwoFactorAuthenticatorOverview).process(cookies, request.user_agent)
-    processor(:SessionOverview).process(cookies, request.user_agent)
+    @ticket_granting_tickets = current_user.ticket_granting_tickets.active
+    @two_factor_authenticators = current_user.two_factor_authenticators.active
   end
   def new
-    processor(:LoginCredentialRequestor).process(params, cookies, request.user_agent)
+    tgt = current_ticket_granting_ticket
+    handle_signed_in(tgt) unless params[:renew] || tgt.nil?
+    redirect_to(params[:service]) if params[:gateway] && params[:service].present?
   end
   def create
-    processor(:LoginCredentialAcceptor).process(params, request.user_agent)
+    validation_result = validate_login_credentials(params[:username], params[:password])
+    if !validation_result
+      show_login_error I18n.t('login_credential_acceptor.invalid_login_credentials')
+    else
+      sign_in(validation_result, long_term: params[:rememberMe], credentials_supplied: true)
+    end
   end
   def destroy
-    processor(:SessionDestroyer).process(params, cookies, request.user_agent)
+    tickets = current_user.ticket_granting_tickets.where(id: params[:id])
+    tickets.first.destroy if tickets.any?
+    redirect_to sessions_path
   end
   def destroy_others
-    processor(:OtherSessionsDestroyer).process(params, cookies, request.user_agent)
+    current_user
+      .ticket_granting_tickets
+      .where('id != ?', current_ticket_granting_ticket.id)
+      .destroy_all if signed_in?
+    redirect_to params[:service] || sessions_path
   end
   def logout
-    processor(:Logout).process(params, cookies, request.user_agent)
+    sign_out
+    @url = params[:url]
+    if params[:service].present? && service_allowed?(params[:service])
+      redirect_to params[:service], status: :see_other
+    end
   end
   def validate_otp
-    processor(:SecondFactorAuthenticationAcceptor).process(params, request.user_agent)
+    validation_result = validate_one_time_password(params[:otp], @ticket_granting_ticket.user.active_two_factor_authenticator)
+    return flash.now[:error] = I18n.t('validate_otp.invalid_otp') unless validation_result.success?
+    @ticket_granting_ticket.update_attribute(:awaiting_two_factor_authentication, false)
+    set_tgt_cookie(@ticket_granting_ticket)
+    handle_signed_in(@ticket_granting_ticket)
+  end
+  private
+  def show_login_error(message)
+    flash.now[:error] = message
+    render :new, status: :forbidden
+  end
+  def validate_login_ticket
+    unless CASino::LoginTicket.consume(params[:lt])
+      show_login_error I18n.t('login_credential_acceptor.invalid_login_ticket')
+    end
+  end
+  def ensure_service_allowed
+    if params[:service].present? && !service_allowed?(params[:service])
+      render 'service_not_allowed', status: :forbidden
+    end
+  end
+  def load_ticket_granting_ticket_from_parameter
+    @ticket_granting_ticket = find_valid_ticket_granting_ticket(params[:tgt], request.user_agent, ignore_two_factor: true)
+    redirect_to login_path if @ticket_granting_ticket.nil?
   end
 end

data/app/controllers/casino/two_factor_authenticators_controller.rb CHANGED

@@ -1,15 +1,40 @@
+require 'rotp'
 class CASino::TwoFactorAuthenticatorsController < CASino::ApplicationController
   include CASino::SessionsHelper
+  include CASino::TwoFactorAuthenticatorsHelper
+  include CASino::TwoFactorAuthenticatorProcessor
+  before_action :ensure_signed_in
   def new
-    processor(:TwoFactorAuthenticatorRegistrator).process(cookies, request.user_agent)
+    @two_factor_authenticator = current_user.two_factor_authenticators.create! secret: ROTP::Base32.random_base32
   end
   def create
-    processor(:TwoFactorAuthenticatorActivator).process(params, cookies, request.user_agent)
+    @two_factor_authenticator = current_user.two_factor_authenticators.where(id: params[:id]).first
+    validation_result = validate_one_time_password(params[:otp], @two_factor_authenticator)
+    case
+    when validation_result.success?
+      current_user.two_factor_authenticators.where(active: true).delete_all
+      @two_factor_authenticator.update_attribute(:active, true)
+      flash[:notice] = I18n.t('two_factor_authenticators.successfully_activated')
+      redirect_to sessions_path
+    when validation_result.error_code == 'INVALID_OTP'
+      flash.now[:error] = I18n.t('two_factor_authenticators.invalid_one_time_password')
+      render :new
+    else
+      flash[:error] = I18n.t('two_factor_authenticators.invalid_two_factor_authenticator')
+      redirect_to new_two_factor_authenticator_path
+    end
   end
   def destroy
-    processor(:TwoFactorAuthenticatorDestroyer).process(params, cookies, request.user_agent)
+    authenticators = current_user.two_factor_authenticators.where(id: params[:id])
+    if authenticators.any?
+      authenticators.first.destroy
+      flash[:notice] = I18n.t('two_factor_authenticators.successfully_deleted')
+    end
+    redirect_to sessions_path
   end
 end