casino_core 0.0.6 → 1.0.0

data/VERSION

@@ -1 +1 @@
-0.0.6
+1.0.0

data/casino_core.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "casino_core"
-  s.version = "0.0.6"
+  s.version = "1.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Nils Caspar"]
-  s.date = "2012-12-24"
+  s.date = "2012-12-26"
   s.description = "A CAS server core library."
   s.email = "ncaspar@me.com"
   s.extra_rdoc_files = [
@@ -42,21 +42,31 @@ Gem::Specification.new do |s|
     "db/migrate/20121125185415_create_proxy_granting_tickets.rb",
     "db/migrate/20121125190013_tickets_should_be_unique.rb",
     "db/migrate/20121223135227_proxy_granting_tickets_belongs_to_service_ticket.rb",
+    "db/migrate/20121224113737_create_proxy_tickets.rb",
+    "db/migrate/20121225153637_add_pgt_url_to_proxy_granting_tickets.rb",
+    "db/migrate/20121225231301_proxy_granting_ticket_can_be_granted_by_proxy_ticket.rb",
+    "db/migrate/20121225231713_no_default_granter_type.rb",
+    "db/migrate/20121226192211_fix_index_for_granter_on_proxy_granting_ticket.rb",
+    "db/migrate/20121226211511_allow_service_tickets_without_ticket_granting_ticket.rb",
     "db/schema.rb",
     "lib/casino_core.rb",
     "lib/casino_core/authenticator.rb",
     "lib/casino_core/authenticator/static.rb",
+    "lib/casino_core/builder.rb",
+    "lib/casino_core/builder/ticket_validation_response.rb",
     "lib/casino_core/helper.rb",
     "lib/casino_core/helper/browser.rb",
     "lib/casino_core/helper/logger.rb",
     "lib/casino_core/helper/login_tickets.rb",
     "lib/casino_core/helper/proxy_granting_tickets.rb",
+    "lib/casino_core/helper/proxy_tickets.rb",
     "lib/casino_core/helper/service_tickets.rb",
     "lib/casino_core/helper/ticket_granting_tickets.rb",
     "lib/casino_core/helper/tickets.rb",
     "lib/casino_core/model.rb",
     "lib/casino_core/model/login_ticket.rb",
     "lib/casino_core/model/proxy_granting_ticket.rb",
+    "lib/casino_core/model/proxy_ticket.rb",
     "lib/casino_core/model/service_ticket.rb",
     "lib/casino_core/model/service_ticket/single_sign_out_notifier.rb",
     "lib/casino_core/model/ticket_granting_ticket.rb",
@@ -65,6 +75,8 @@ Gem::Specification.new do |s|
     "lib/casino_core/processor/login_credential_acceptor.rb",
     "lib/casino_core/processor/login_credential_requestor.rb",
     "lib/casino_core/processor/logout.rb",
+    "lib/casino_core/processor/proxy_ticket_provider.rb",
+    "lib/casino_core/processor/proxy_ticket_validator.rb",
     "lib/casino_core/processor/service_ticket_validator.rb",
     "lib/casino_core/processor/session_destroyer.rb",
     "lib/casino_core/processor/session_overview.rb",
@@ -73,16 +85,21 @@ Gem::Specification.new do |s|
     "lib/casino_core/settings.rb",
     "lib/casino_core/tasks/cleanup.rake",
     "lib/casino_core/tasks/database.rake",
+    "spec/authenticator/base_spec.rb",
     "spec/authenticator/static_spec.rb",
     "spec/model/login_ticket_spec.rb",
+    "spec/model/proxy_ticket_spec.rb",
     "spec/model/service_ticket_spec.rb",
+    "spec/model/ticket_granting_ticket_spec.rb",
     "spec/processor/legacy_validator_spec.rb",
     "spec/processor/login_credential_acceptor_spec.rb",
     "spec/processor/login_credential_requestor_spec.rb",
     "spec/processor/logout_spec.rb",
-    "spec/processor/service_ticket_validator_spec.rb",
+    "spec/processor/proxy_ticket_provider_spec.rb",
+    "spec/processor/proxy_ticket_validator_spec.rb",
     "spec/processor/session_destroyer_spec.rb",
     "spec/processor/session_overview_spec.rb",
+    "spec/processor/ticket_validator_spec.rb",
     "spec/spec_helper.rb"
   ]
   s.homepage = "http://github.com/pencil/CASinoCore"

data/config/cas.yml

@@ -4,6 +4,9 @@ defaults: &defaults
   service_ticket:
     lifetime_unconsumed: 300
     lifetime_consumed: 86400
+  proxy_ticket:
+    lifetime_unconsumed: 300
+    lifetime_consumed: 86400
 
 development:
   <<: *defaults

data/db/migrate/20121224113737_create_proxy_tickets.rb

@@ -0,0 +1,15 @@
+class CreateProxyTickets < ActiveRecord::Migration
+  def change
+    create_table :proxy_tickets do |t|
+      t.string :ticket, null: false
+      t.string :service, null: false
+      t.boolean :consumed, null: false, default: false
+      t.integer :proxy_granting_ticket_id, null: false
+
+      t.timestamps
+    end
+
+    add_index :proxy_tickets, :ticket, unique: true
+    add_index :proxy_tickets, :proxy_granting_ticket_id
+  end
+end

data/db/migrate/20121225153637_add_pgt_url_to_proxy_granting_tickets.rb

@@ -0,0 +1,11 @@
+class AddPgtUrlToProxyGrantingTickets < ActiveRecord::Migration
+  def up
+    add_column :proxy_granting_tickets, :pgt_url, :string, null: true
+    CASinoCore::Model::ProxyGrantingTicket.delete_all
+    change_column :proxy_granting_tickets, :pgt_url, :string, null: false
+  end
+
+  def down
+    remove_column :proxy_granting_tickets, :pgt_url
+  end
+end

data/db/migrate/20121225231301_proxy_granting_ticket_can_be_granted_by_proxy_ticket.rb

@@ -0,0 +1,6 @@
+class ProxyGrantingTicketCanBeGrantedByProxyTicket < ActiveRecord::Migration
+  def up
+    add_column :proxy_granting_tickets, :granter_type, :string, null: false, default: 'ServiceTicket'
+    rename_column :proxy_granting_tickets, :service_ticket_id, :granter_id
+  end
+end

data/db/migrate/20121225231713_no_default_granter_type.rb

@@ -0,0 +1,5 @@
+class NoDefaultGranterType < ActiveRecord::Migration
+  def up
+    change_column_default :proxy_granting_tickets, :granter_type, nil
+  end
+end

data/db/migrate/20121226192211_fix_index_for_granter_on_proxy_granting_ticket.rb

@@ -0,0 +1,6 @@
+class FixIndexForGranterOnProxyGrantingTicket < ActiveRecord::Migration
+  def change
+    remove_index :proxy_granting_tickets, :service_ticket_id
+    add_index :proxy_granting_tickets, [:granter_type, :granter_id], unique: true
+  end
+end

data/db/migrate/20121226211511_allow_service_tickets_without_ticket_granting_ticket.rb

@@ -0,0 +1,5 @@
+class AllowServiceTicketsWithoutTicketGrantingTicket < ActiveRecord::Migration
+  def change
+    change_column :service_tickets, :ticket_granting_ticket_id, :integer, null: true
+  end
+end

data/db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20121223135227) do
+ActiveRecord::Schema.define(:version => 20121226211511) do
 
   create_table "login_tickets", :force => true do |t|
     t.string   "ticket",     :null => false
@@ -22,21 +22,35 @@ ActiveRecord::Schema.define(:version => 20121223135227) do
   add_index "login_tickets", ["ticket"], :name => "index_login_tickets_on_ticket", :unique => true
 
   create_table "proxy_granting_tickets", :force => true do |t|
-    t.string   "ticket",            :null => false
-    t.string   "iou",               :null => false
-    t.datetime "created_at",        :null => false
-    t.datetime "updated_at",        :null => false
-    t.integer  "service_ticket_id", :null => false
+    t.string   "ticket",       :null => false
+    t.string   "iou",          :null => false
+    t.datetime "created_at",   :null => false
+    t.datetime "updated_at",   :null => false
+    t.integer  "granter_id",   :null => false
+    t.string   "pgt_url",      :null => false
+    t.string   "granter_type", :null => false
   end
 
+  add_index "proxy_granting_tickets", ["granter_type", "granter_id"], :name => "index_proxy_granting_tickets_on_granter_type_and_granter_id", :unique => true
   add_index "proxy_granting_tickets", ["iou"], :name => "index_proxy_granting_tickets_on_iou", :unique => true
-  add_index "proxy_granting_tickets", ["service_ticket_id"], :name => "index_proxy_granting_tickets_on_service_ticket_id"
   add_index "proxy_granting_tickets", ["ticket"], :name => "index_proxy_granting_tickets_on_ticket", :unique => true
 
+  create_table "proxy_tickets", :force => true do |t|
+    t.string   "ticket",                                      :null => false
+    t.string   "service",                                     :null => false
+    t.boolean  "consumed",                 :default => false, :null => false
+    t.integer  "proxy_granting_ticket_id",                    :null => false
+    t.datetime "created_at",                                  :null => false
+    t.datetime "updated_at",                                  :null => false
+  end
+
+  add_index "proxy_tickets", ["proxy_granting_ticket_id"], :name => "index_proxy_tickets_on_proxy_granting_ticket_id"
+  add_index "proxy_tickets", ["ticket"], :name => "index_proxy_tickets_on_ticket", :unique => true
+
   create_table "service_tickets", :force => true do |t|
     t.string   "ticket",                                       :null => false
     t.string   "service",                                      :null => false
-    t.integer  "ticket_granting_ticket_id",                    :null => false
+    t.integer  "ticket_granting_ticket_id"
     t.datetime "created_at",                                   :null => false
     t.datetime "updated_at",                                   :null => false
     t.boolean  "consumed",                  :default => false, :null => false

data/lib/casino_core/builder.rb

@@ -0,0 +1,7 @@
+require 'active_record'
+
+module CASinoCore
+  class Builder
+    autoload :TicketValidationResponse, 'casino_core/builder/ticket_validation_response.rb'
+  end
+end

data/lib/casino_core/builder/ticket_validation_response.rb

@@ -0,0 +1,76 @@
+require 'builder'
+require 'casino_core/builder'
+
+class CASinoCore::Builder::TicketValidationResponse < CASinoCore::Builder
+  def initialize(success, options)
+    @success = success
+    @options = options
+  end
+
+  def build
+    xml = Builder::XmlMarkup.new(indent: 2)
+    xml.cas :serviceResponse, 'xmlns:cas' => 'http://www.yale.edu/tp/cas' do |service_response|
+      if @success
+        ticket = @options[:ticket]
+        if ticket.is_a?(CASinoCore::Model::ProxyTicket)
+          proxies = []
+          _ticket = ticket
+          while _ticket.is_a?(CASinoCore::Model::ProxyTicket)
+            proxy_granting_ticket = ticket.proxy_granting_ticket
+            proxies << proxy_granting_ticket.pgt_url
+            _ticket = proxy_granting_ticket.granter
+          end
+          ticket_granting_ticket = _ticket.ticket_granting_ticket
+        else
+          ticket_granting_ticket = ticket.ticket_granting_ticket
+        end
+
+        build_success_xml(service_response, ticket, ticket_granting_ticket, proxies)
+      else
+        build_failure_xml(service_response)
+      end
+    end
+    xml.target!
+  end
+
+  private
+  def serialize_extra_attribute(builder, key, value)
+    if value.kind_of?(String) || value.kind_of?(Numeric) || value.kind_of?(Symbol)
+      builder.cas key, "#{value}"
+    elsif value.kind_of?(Numeric)
+      builder.cas key, value.to_s
+    else
+      builder.cas key do |container|
+        container.cdata! value.to_yaml
+      end
+    end
+  end
+
+  def build_success_xml(service_response, ticket, ticket_granting_ticket, proxies)
+    service_response.cas :authenticationSuccess do |authentication_success|
+      authentication_success.cas :user, ticket_granting_ticket.username
+      unless ticket_granting_ticket.extra_attributes.blank?
+        authentication_success.cas :attributes do |attributes|
+          ticket_granting_ticket.extra_attributes.each do |key, value|
+            serialize_extra_attribute(attributes, key, value)
+          end
+        end
+      end
+      if @options[:proxy_granting_ticket]
+        proxy_granting_ticket = @options[:proxy_granting_ticket]
+        authentication_success.cas :proxyGrantingTicket, proxy_granting_ticket.iou
+      end
+      if ticket.is_a?(CASinoCore::Model::ProxyTicket)
+        authentication_success.cas :proxies do |proxies_container|
+          proxies.each do |proxy|
+            proxies_container.cas :proxy, proxy
+          end
+        end
+      end
+    end
+  end
+
+  def build_failure_xml(service_response)
+    service_response.cas :authenticationFailure, @options[:error_message], code: @options[:error_code]
+  end
+end

data/lib/casino_core/helper.rb

@@ -7,6 +7,7 @@ module CASinoCore
     autoload :Logger, 'casino_core/helper/logger.rb'
     autoload :LoginTickets, 'casino_core/helper/login_tickets.rb'
     autoload :ProxyGrantingTickets, 'casino_core/helper/proxy_granting_tickets.rb'
+    autoload :ProxyTickets, 'casino_core/helper/proxy_tickets.rb'
     autoload :ServiceTickets, 'casino_core/helper/service_tickets.rb'
     autoload :Tickets, 'casino_core/helper/tickets.rb'
     autoload :TicketGrantingTickets, 'casino_core/helper/ticket_granting_tickets.rb'

data/lib/casino_core/helper/proxy_granting_tickets.rb

@@ -12,33 +12,40 @@ module CASinoCore
 
       def acquire_proxy_granting_ticket(pgt_url, service_ticket)
         begin
-          uri = Addressable::URI.parse(pgt_url)
-          https = Net::HTTP.new(uri.host, uri.port || 443)
-          https.use_ssl = true
+          return contact_callback_server(pgt_url, service_ticket)
+        rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError
+          logger.warn "Exception while communicating with proxy-granting ticket callback server: #{e.message}"
+        end
+        nil
+      end
 
-          https.start do |conn|
-            pgt = service_ticket.proxy_granting_tickets.new({
-              ticket: random_ticket_string('PGT'),
-              iou: random_ticket_string('PGTIOU')
-            })
+      private
+      def contact_callback_server(pgt_url, service_ticket)
+        callback_uri = Addressable::URI.parse(pgt_url)
+        https = Net::HTTP.new(callback_uri.host, callback_uri.port || 443)
+        https.use_ssl = true
 
-            uri.query_values = (uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
+        https.start do |conn|
+          pgt = service_ticket.proxy_granting_tickets.new({
+            ticket: random_ticket_string('PGT'),
+            iou: random_ticket_string('PGTIOU'),
+            pgt_url: pgt_url
+          })
 
-            response = conn.request_get(uri.request_uri)
-            # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
-            if "#{response.code}" == "200"
-              # 3.4 (proxy-granting ticket IOU)
-              pgt.save!
-              logger.debug "Proxy-granting ticket generated for pgt_url '#{pgt_url}': #{pgt.inspect}"
-              return pgt
-            else
-              logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
-            end
+          callback_uri.query_values = (callback_uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
+
+          response = conn.request_get(callback_uri.request_uri)
+          # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
+          if "#{response.code}" == "200"
+            # 3.4 (proxy-granting ticket IOU)
+            pgt.save!
+            logger.debug "Proxy-granting ticket generated for service '#{service_ticket.service}': #{pgt.inspect}"
+            pgt
+          else
+            logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
+            nil
           end
-        rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError
-          logger.warn "Exception while communication with proxy-granting ticket callback server: #{e.message}"
         end
-        nil
       end
     end
   end

data/lib/casino_core/helper/proxy_tickets.rb

@@ -0,0 +1,61 @@
+module CASinoCore
+  module Helper
+    module ProxyTickets
+
+      class ValidationResult < Struct.new(:error_code, :error_message, :error_severity)
+        def success?
+          self.error_code.nil?
+        end
+      end
+
+      include CASinoCore::Helper::Logger
+      include CASinoCore::Helper::Tickets
+
+      def acquire_proxy_ticket(proxy_granting_ticket, service)
+        proxy_granting_ticket.proxy_tickets.create!({
+          ticket: random_ticket_string('ST'),
+          service: service,
+        })
+      end
+
+      def validate_ticket_for_service(ticket, service, renew = false)
+        if ticket.nil?
+          result = ValidationResult.new 'INVALID_TICKET', 'Invalid validate request: Ticket does not exist', :warn
+        else
+          result = validate_existing_ticket_for_service(ticket, service, renew)
+          ticket.consumed = true
+          ticket.save!
+          logger.debug "Consumed ticket '#{ticket.ticket}'"
+        end
+        if result.success?
+          logger.info "Ticket '#{ticket.ticket}' for service '#{service}' successfully validated"
+        else
+          logger.send(result.error_severity, result.error_message)
+        end
+        result
+      end
+
+      def ticket_valid_for_service?(ticket, service, renew = false)
+        validate_ticket_for_service(ticket, service, renew).success?
+      end
+
+      private
+      def validate_existing_ticket_for_service(ticket, service, renew = false)
+        if ticket.is_a?(CASinoCore::Model::ServiceTicket)
+          service = clean_service_url(service)
+        end
+        if ticket.consumed?
+          ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' already consumed", :warn
+        elsif ticket.expired?
+          ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' has expired", :warn
+        elsif service != ticket.service
+          ValidationResult.new 'INVALID_SERVICE', "Ticket '#{ticket.ticket}' is not valid for service '#{service}'", :warn
+        elsif renew && !ticket.issued_from_credentials?
+          ValidationResult.new 'INVALID_TICKET', "Ticket '#{ticket.ticket}' was not issued from credentials but service '#{service}' will only accept a renewed ticket", :info
+        else
+          ValidationResult.new
+        end
+      end
+    end
+  end
+end

data/lib/casino_core/helper/service_tickets.rb

@@ -5,6 +5,7 @@ module CASinoCore
     module ServiceTickets
       include CASinoCore::Helper::Logger
       include CASinoCore::Helper::Tickets
+      include CASinoCore::Helper::ProxyTickets
 
       def acquire_service_ticket(ticket_granting_ticket, service, credentials_supplied = nil)
         ticket_granting_ticket.service_tickets.create!({
@@ -26,40 +27,6 @@ module CASinoCore
 
         clean_service
       end
-
-      def validate_service_ticket_for_service(ticket, service, renew = false)
-        result = if service.nil? or ticket.nil?
-          logger.warn 'Invalid validate request: no valid ticket or no valid service given'
-          'INVALID_REQUEST'
-        else
-          if ticket.consumed?
-            logger.warn "Service ticket '#{ticket.ticket}' already consumed"
-            'INVALID_TICKET'
-          elsif Time.now - ticket.created_at > CASinoCore::Settings.service_ticket[:lifetime_unconsumed]
-            logger.warn "Service ticket '#{ticket.ticket}' has expired"
-            'INVALID_TICKET'
-          elsif clean_service_url(service) != ticket.service
-            logger.warn "Service ticket '#{ticket.ticket}' is not valid for service '#{service}'"
-            'INVALID_SERVICE'
-          elsif renew && !ticket.issued_from_credentials?
-            logger.info "Service ticket '#{ticket.ticket}' was not issued from credentials but service '#{service}' will only accept a renewed ticket"
-            'INVALID_TICKET'
-          else
-            logger.info "Service ticket '#{ticket.ticket}' for service '#{service}' successfully validated"
-            true
-          end
-        end
-        unless ticket.nil?
-          logger.debug "Consumed ticket '#{ticket.ticket}'"
-          ticket.consumed = true
-          ticket.save!
-        end
-        result
-      end
-
-      def service_ticket_valid_for_service?(ticket, service, renew = false)
-        validate_service_ticket_for_service(ticket, service, renew) == true
-      end
     end
   end
 end