casino_core 0.0.1

data/db/migrate/20121122180310_add_user_agent_to_ticket_granting_tickets.rb

@@ -0,0 +1,5 @@
+class AddUserAgentToTicketGrantingTickets < ActiveRecord::Migration
+  def change
+    add_column :ticket_granting_tickets, :user_agent, :string
+  end
+end

data/db/migrate/20121124170004_add_index_for_username_to_ticket_granting_tickets.rb

@@ -0,0 +1,5 @@
+class AddIndexForUsernameToTicketGrantingTickets < ActiveRecord::Migration
+  def change
+    add_index :ticket_granting_tickets, :username
+  end
+end

data/db/migrate/20121124183542_create_service_tickets.rb

@@ -0,0 +1,13 @@
+class CreateServiceTickets < ActiveRecord::Migration
+  def change
+    create_table :service_tickets do |t|
+      t.string :ticket, null: false, unique: true
+      t.string :service, null: false
+      t.integer :ticket_granting_ticket_id, null: false
+
+      t.timestamps
+    end
+    add_index :service_tickets, :ticket
+    add_index :service_tickets, :ticket_granting_ticket_id
+  end
+end

data/db/migrate/20121124183732_add_ticket_indexes.rb

@@ -0,0 +1,6 @@
+class AddTicketIndexes < ActiveRecord::Migration
+  def change
+    add_index :ticket_granting_tickets, :ticket
+    add_index :login_tickets, :ticket
+  end
+end

data/db/migrate/20121124195013_add_consumed_to_service_tickets.rb

@@ -0,0 +1,5 @@
+class AddConsumedToServiceTickets < ActiveRecord::Migration
+  def change
+    add_column :service_tickets, :consumed, :boolean, null: false, default: false
+  end
+end

data/db/migrate/20121125091934_add_issued_from_credentials_to_service_tickets.rb

@@ -0,0 +1,5 @@
+class AddIssuedFromCredentialsToServiceTickets < ActiveRecord::Migration
+  def change
+    add_column :service_tickets, :issued_from_credentials, :boolean, null: false, default: false
+  end
+end

data/db/migrate/20121125185415_create_proxy_granting_tickets.rb

@@ -0,0 +1,14 @@
+class CreateProxyGrantingTickets < ActiveRecord::Migration
+  def change
+    create_table :proxy_granting_tickets do |t|
+      t.string :ticket, null: false
+      t.string :iou, null: false
+      t.integer :ticket_granting_ticket_id, null: false
+
+      t.timestamps
+    end
+    add_index :proxy_granting_tickets, :ticket, unique: true
+    add_index :proxy_granting_tickets, :iou, unique: true
+    add_index :proxy_granting_tickets, :ticket_granting_ticket_id
+  end
+end

data/db/migrate/20121125190013_tickets_should_be_unique.rb

@@ -0,0 +1,8 @@
+class TicketsShouldBeUnique < ActiveRecord::Migration
+  def change
+    [:login_tickets, :service_tickets, :ticket_granting_tickets].each do |table|
+      remove_index table, :ticket
+      add_index table, :ticket, unique: true
+    end
+  end
+end

data/db/schema.rb

@@ -0,0 +1,61 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended to check this file into your version control system.
+
+ActiveRecord::Schema.define(:version => 20121125190013) do
+
+  create_table "login_tickets", :force => true do |t|
+    t.string   "ticket",     :null => false
+    t.datetime "created_at", :null => false
+    t.datetime "updated_at", :null => false
+  end
+
+  add_index "login_tickets", ["ticket"], :name => "index_login_tickets_on_ticket", :unique => true
+
+  create_table "proxy_granting_tickets", :force => true do |t|
+    t.string   "ticket",                    :null => false
+    t.string   "iou",                       :null => false
+    t.integer  "ticket_granting_ticket_id", :null => false
+    t.datetime "created_at",                :null => false
+    t.datetime "updated_at",                :null => false
+  end
+
+  add_index "proxy_granting_tickets", ["iou"], :name => "index_proxy_granting_tickets_on_iou", :unique => true
+  add_index "proxy_granting_tickets", ["ticket"], :name => "index_proxy_granting_tickets_on_ticket", :unique => true
+  add_index "proxy_granting_tickets", ["ticket_granting_ticket_id"], :name => "index_proxy_granting_tickets_on_ticket_granting_ticket_id"
+
+  create_table "service_tickets", :force => true do |t|
+    t.string   "ticket",                                       :null => false
+    t.string   "service",                                      :null => false
+    t.integer  "ticket_granting_ticket_id",                    :null => false
+    t.datetime "created_at",                                   :null => false
+    t.datetime "updated_at",                                   :null => false
+    t.boolean  "consumed",                  :default => false, :null => false
+    t.boolean  "issued_from_credentials",   :default => false, :null => false
+  end
+
+  add_index "service_tickets", ["ticket"], :name => "index_service_tickets_on_ticket", :unique => true
+  add_index "service_tickets", ["ticket_granting_ticket_id"], :name => "index_service_tickets_on_ticket_granting_ticket_id"
+
+  create_table "ticket_granting_tickets", :force => true do |t|
+    t.string   "ticket",           :null => false
+    t.string   "username",         :null => false
+    t.text     "extra_attributes"
+    t.datetime "created_at",       :null => false
+    t.datetime "updated_at",       :null => false
+    t.string   "user_agent"
+  end
+
+  add_index "ticket_granting_tickets", ["ticket"], :name => "index_ticket_granting_tickets_on_ticket", :unique => true
+  add_index "ticket_granting_tickets", ["username"], :name => "index_ticket_granting_tickets_on_username"
+
+end

data/lib/casino_core.rb

@@ -0,0 +1,33 @@
+module CASinoCore
+  autoload :Authenticator, 'casino_core/authenticator.rb'
+  autoload :Helper, 'casino_core/helper.rb'
+  autoload :Model, 'casino_core/model.rb'
+  autoload :Processor, 'casino_core/processor.rb'
+  autoload :RakeTasks, 'casino_core/rake_tasks.rb'
+  autoload :Settings, 'casino_core/settings.rb'
+
+  require 'casino_core/railtie' if defined?(Rails)
+
+  class << self
+    def setup(environment = nil, options = {})
+      @environment = environment || 'development'
+      require 'active_record'
+      require 'yaml'
+      YAML::ENGINE.yamler = 'syck'
+      ActiveRecord::Base.establish_connection YAML.load_file('config/database.yml')[@environment]
+
+      config = YAML.load_file('config/cas.yml')[@environment].symbolize_keys
+      recursive_symbolize_keys!(config)
+      CASinoCore::Settings.init config
+    end
+
+    private
+    def recursive_symbolize_keys! hash
+      # ugly, ugly, ugly
+      # TODO refactor!
+      hash.symbolize_keys!
+      hash.values.select{|v| v.is_a? Hash}.each{|h| recursive_symbolize_keys!(h)}
+      hash.values.select{|v| v.is_a? Array}.each{|a| a.select{|v| v.is_a? Hash}.each{|h| recursive_symbolize_keys!(h)}}
+    end
+  end
+end

data/lib/casino_core/authenticator.rb

@@ -0,0 +1,9 @@
+module CASinoCore
+  class Authenticator
+    autoload :Static, 'casino_core/authenticator/static.rb'
+
+    def validate(username, password)
+      raise NotImplementedError, "This method must be implemented by a class extending #{self.class}"
+    end
+  end
+end

data/lib/casino_core/authenticator/static.rb

@@ -0,0 +1,23 @@
+require 'casino_core/authenticator'
+
+# The static authenticator is just a simple example.
+# Never ever us this authenticator in a productive environment!
+class CASinoCore::Authenticator::Static < CASinoCore::Authenticator
+
+  # @param [Hash] options
+  def initialize(options)
+    @users = options[:users] || {}
+  end
+
+  def validate(username, password)
+    username = :"#{username}"
+    if @users.include?(username) && @users[username][:password] == password
+      {
+        username: "#{username}",
+        extra_attributes: @users[username].except(:password)
+      }
+    else
+      false
+    end
+  end
+end

data/lib/casino_core/helper.rb

@@ -0,0 +1,21 @@
+require 'logger'
+require 'useragent'
+
+module CASinoCore
+  module Helper
+    autoload :ServiceTickets, 'casino_core/helper/service_tickets.rb'
+    autoload :Browser, 'casino_core/helper/browser.rb'
+
+    def random_ticket_string(prefix, length = 40)
+      random_string = rand(36**length).to_s(36)
+      "#{prefix}-#{Time.now.to_i}-#{random_string}"
+    end
+
+    def logger
+      # TODO this is just a "silent logger", make logger a setting!
+      logger = ::Logger.new(STDOUT)
+      logger.level = ::Logger::Severity::UNKNOWN
+      logger
+    end
+  end
+end

data/lib/casino_core/helper/browser.rb

@@ -0,0 +1,16 @@
+require 'addressable/uri'
+
+module CASinoCore
+  module Helper
+    module Browser
+      def browser_info(user_agent)
+        user_agent = UserAgent.parse(user_agent)
+        "#{user_agent.browser} (#{user_agent.platform})"
+      end
+
+      def same_browser?(user_agent, other_user_agent)
+        user_agent == other_user_agent || browser_info(user_agent) == browser_info(other_user_agent)
+      end
+    end
+  end
+end

data/lib/casino_core/helper/service_tickets.rb

@@ -0,0 +1,30 @@
+require 'addressable/uri'
+
+module CASinoCore
+  module Helper
+    module ServiceTickets
+      include CASinoCore::Helper
+
+      def acquire_service_ticket(ticket_granting_ticket, service, credentials_supplied = nil)
+        ticket_granting_ticket.service_tickets.create!({
+          ticket: random_ticket_string('ST'),
+          service: clean_service_url(service),
+          issued_from_credentials: !!credentials_supplied
+        })
+      end
+
+      def clean_service_url(dirty_service)
+        return dirty_service if dirty_service.blank?
+        service_uri = Addressable::URI.parse dirty_service
+        unless service_uri.query_values.nil?
+          service_uri.query_values = service_uri.query_values.except('service', 'ticket', 'gateway', 'renew')
+        end
+        clean_service = service_uri.to_s
+
+        logger.debug("Cleaned dirty service URL '#{dirty_service}' to '#{clean_service}'") if dirty_service != clean_service
+
+        clean_service
+      end
+    end
+  end
+end

data/lib/casino_core/model.rb

@@ -0,0 +1,10 @@
+require 'active_record'
+
+module CASinoCore
+  module Model
+    autoload :LoginTicket, 'casino_core/model/login_ticket.rb'
+    autoload :ServiceTicket, 'casino_core/model/service_ticket.rb'
+    autoload :ProxyGrantingTicket, 'casino_core/model/proxy_granting_ticket.rb'
+    autoload :TicketGrantingTicket, 'casino_core/model/ticket_granting_ticket.rb'
+  end
+end

data/lib/casino_core/model/login_ticket.rb

@@ -0,0 +1,11 @@
+require 'casino_core/model'
+require 'casino_core/settings'
+
+class CASinoCore::Model::LoginTicket < ActiveRecord::Base
+  attr_accessible :ticket
+  validates :ticket, uniqueness: true
+
+  def self.cleanup
+    self.delete_all(['created_at < ?', CASinoCore::Settings.login_ticket[:lifetime].seconds.ago])
+  end
+end

data/lib/casino_core/model/proxy_granting_ticket.rb

@@ -0,0 +1,8 @@
+require 'casino_core/model'
+
+class CASinoCore::Model::ProxyGrantingTicket < ActiveRecord::Base
+  attr_accessible :iou, :ticket, :ticket_granting_ticket_id
+  validates :ticket, uniqueness: true
+  validates :iou, uniqueness: true
+  belongs_to :ticket_granting_ticket
+end

data/lib/casino_core/model/service_ticket.rb

@@ -0,0 +1,32 @@
+require 'casino_core/model'
+require 'casino_core/settings'
+require 'addressable/uri'
+
+class CASinoCore::Model::ServiceTicket < ActiveRecord::Base
+  autoload :SingleSignOutNotifier, 'casino_core/model/service_ticket/single_sign_out_notifier.rb'
+
+  attr_accessible :ticket, :service
+  validates :ticket, uniqueness: true
+  belongs_to :ticket_granting_ticket
+  before_destroy :send_single_sing_out_notification
+
+  def self.cleanup_unconsumed
+    self.delete_all(['created_at < ? AND consumed = ?', CASinoCore::Settings.service_ticket[:lifetime_unconsumed].seconds.ago, false])
+  end
+
+  def self.cleanup_consumed
+    self.destroy_all(['created_at < ? AND consumed = ?', CASinoCore::Settings.service_ticket[:lifetime_consumed].seconds.ago, true]).length
+  end
+
+  def service_with_ticket_url
+    service_uri = Addressable::URI.parse(self.service)
+    service_uri.query_values = (service_uri.query_values || {}).merge(ticket: self.ticket)
+    service_uri.to_s
+  end
+
+  private
+  def send_single_sing_out_notification
+    notifier = SingleSignOutNotifier.new(self)
+    notifier.notify
+  end
+end

data/lib/casino_core/model/service_ticket/single_sign_out_notifier.rb

@@ -0,0 +1,53 @@
+require 'builder'
+require 'net/https'
+require 'casino_core/model/service_ticket'
+
+class CASinoCore::Model::ServiceTicket::SingleSignOutNotifier
+  def initialize(service_ticket)
+    @service_ticket = service_ticket
+  end
+
+  def notify
+    xml = build_xml
+    uri = URI.parse(@service_ticket.service)
+    request = build_request(uri, xml)
+    send_notification(uri, request)
+  end
+
+  private
+  def build_xml
+    xml = Builder::XmlMarkup.new(indent: 2)
+    xml.samlp :LogoutRequest, ID: SecureRandom.uuid, Version: '2.0', IsseInstant: Time.now do |logout_request|
+      logout_request.samlp :NameID, '@NOT_USED@'
+      logout_request.samlp :SessionIndex, @service_ticket.ticket
+    end
+    xml.target!
+  end
+
+  def build_request(uri, xml)
+    request = Net::HTTP::Post.new(uri.path || '/')
+    request.set_form_data(logoutRequest: xml)
+    return request
+  end
+
+  def send_notification(uri, request)
+    begin
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = true if uri.scheme =='https'
+
+      http.start do |conn|
+        response = conn.request(request)
+        if response.kind_of? Net::HTTPSuccess
+          logger.info "Logout notification successfully posted to #{uri}."
+          return true
+        else
+          logger.warn "Service #{uri} responed to logout notification with code '#{response.code}'!"
+          return false
+        end
+      end
+    rescue Exception => e
+      logger.warn "Failed to send logout notification to service #{uri} due to #{e}"
+      return false
+    end
+  end
+end

data/lib/casino_core/model/ticket_granting_ticket.rb

@@ -0,0 +1,9 @@
+require 'casino_core/model'
+
+class CASinoCore::Model::TicketGrantingTicket < ActiveRecord::Base
+  attr_accessible :ticket, :username, :user_agent, :extra_attributes
+  serialize :extra_attributes, Hash
+  validates :ticket, uniqueness: true
+  has_many :service_tickets
+  has_many :proxy_granting_tickets
+end

data/lib/casino_core/processor.rb

@@ -0,0 +1,15 @@
+require 'active_record'
+
+module CASinoCore
+  class Processor
+    autoload :LegacyValidator, 'casino_core/processor/legacy_validator.rb'
+    autoload :LoginCredentialAcceptor, 'casino_core/processor/login_credential_acceptor.rb'
+    autoload :LoginCredentialRequestor, 'casino_core/processor/login_credential_requestor.rb'
+    autoload :Logout, 'casino_core/processor/logout.rb'
+    autoload :SessionDestroyer, 'casino_core/processor/session_destroyer.rb'
+
+    def initialize(listener)
+      @listener = listener
+    end
+  end
+end

data/lib/casino_core/processor/legacy_validator.rb

@@ -0,0 +1,49 @@
+require 'casino_core/processor'
+require 'casino_core/helper'
+require 'casino_core/model'
+
+class CASinoCore::Processor::LegacyValidator < CASinoCore::Processor
+  include CASinoCore::Helper
+  include CASinoCore::Helper::ServiceTickets
+
+  def process(params = nil)
+    params ||= {}
+    ticket = CASinoCore::Model::ServiceTicket.where(ticket: params[:ticket]).first
+    if ticket_valid_for_service?(ticket, params[:service], !!params[:renew])
+      @listener.validation_succeeded("yes\n#{ticket.ticket_granting_ticket.username}\n")
+    else
+      @listener.validation_failed("no\n\n")
+    end
+  end
+
+  private
+  def ticket_valid_for_service?(ticket, service, renew = false)
+    ticket_valid = if service.nil? or ticket.nil?
+      logger.warn 'Invalid validate request: no valid ticket or no valid service given'
+      false
+    else
+      if ticket.consumed?
+        logger.warn "Service ticket '#{ticket.ticket}' already consumed"
+        false
+      elsif Time.now - ticket.created_at > CASinoCore::Settings.service_ticket[:lifetime_unconsumed]
+        logger.warn "Service ticket '#{ticket.ticket}' has expired"
+        false
+      elsif clean_service_url(service) != ticket.service
+        logger.warn "Service ticket '#{ticket.ticket}' is not valid for service '#{service}'"
+        false
+      elsif renew && !ticket.issued_from_credentials?
+        logger.info "Service ticket '#{ticket.ticket}' was not issued from credentials but service '#{service}' will only accept a renewed ticket"
+        false
+      else
+        logger.info "Service ticket '#{ticket.ticket}' for service '#{service}' successfully validated"
+        true
+      end
+    end
+    unless ticket.nil?
+      logger.debug "Consumed ticket '#{ticket.ticket}'"
+      ticket.consumed = true
+      ticket.save!
+    end
+    ticket_valid
+  end
+end