casino_core 1.2.0 → 1.3.0

data/Gemfile.lock

@@ -1,9 +1,11 @@
 PATH
   remote: .
   specs:
-    casino_core (1.2.0)
+    casino_core (1.3.0)
       activerecord (~> 3.2.9)
       addressable (~> 2.3)
+      faraday (~> 0.8)
+      rotp (~> 1.4)
       terminal-table (~> 1.4)
       useragent (~> 0.4)
 
@@ -29,10 +31,14 @@ GEM
     diff-lcs (1.1.3)
     factory_girl (4.2.0)
       activesupport (>= 3.0.0)
+    faraday (0.8.5)
+      multipart-post (~> 1.1)
     i18n (0.6.1)
     multi_json (1.5.0)
+    multipart-post (1.1.5)
     nokogiri (1.5.6)
     rake (10.0.3)
+    rotp (1.4.1)
     rspec (2.12.0)
       rspec-core (~> 2.12.0)
       rspec-expectations (~> 2.12.0)

data/UPGRADE.md

@@ -2,6 +2,18 @@
 
 Here is a list of backward-incompatible changes that were introduced.
 
+## 1.x.y
+
+This release adds support for two-factor authentication using a [TOTP](http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm) (time-based one-time password) which can be generated with applications like [Google Authenticator](http://support.google.com/a/bin/answer.py?hl=en&answer=1037451) (iPhone, Android, BlackBerry) or gadgets such as the [YubiKey](http://www.yubico.com/products/yubikey-hardware/yubikey/).
+
+If you would like to support two-factor authentication in your web application, please have a look at the corresponding processors: `SecondFactorAuthenticationAcceptor`, `TwoFactorAuthenticatorActivator`, `TwoFactorAuthenticatorDestroyer`, `TwoFactorAuthenticatorOverview`, `TwoFactorAuthenticatorRegistrator`
+
+New callbacks:
+
+* `LoginCredentialAcceptor`: calls `#two_factor_authentication_pending` on the listener, when two-factor authentication is enabled for this user.
+
+If you don't want to support two-factor authentication, nothing has to be changed.
+
 ## 1.2.0
 
 API changes:
@@ -12,9 +24,9 @@ API changes:
 
 API changes:
 
-* `login_credential_acceptor`: The parameters of `#process` changed from `params, cookies, user_agent` to just `params, user_agent`
+* `LoginCredentialAcceptor`: The parameters of `#process` changed from `params, cookies, user_agent` to just `params, user_agent`
 
 New callbacks:
 
-* `login_credential_requestor` and `login_credential_acceptor` call `#service_not_allowed` on the listener, when a service is not in the service whitelist.
-* `api/service_ticket_provider` calls `#service_not_allowed_via_api` on the listener, when a service is not in the service whitelist.
+* `LoginCredentialRequestor` and `LoginCredentialAcceptor` call `#service_not_allowed` on the listener, when a service is not in the service whitelist.
+* `API::ServiceTicketProvider` calls `#service_not_allowed_via_api` on the listener, when a service is not in the service whitelist.

data/casino_core.gemspec

@@ -34,5 +34,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency 'addressable', '~> 2.3'
   s.add_runtime_dependency 'terminal-table', '~> 1.4'
   s.add_runtime_dependency 'useragent', '~> 0.4'
+  s.add_runtime_dependency 'faraday', '~> 0.8'
+  s.add_runtime_dependency 'rotp', '~> 1.4'
 end
 

data/config/cas.yml

@@ -1,12 +1,6 @@
 defaults: &defaults
-  login_ticket:
-    lifetime: 600
   service_ticket:
-    lifetime_unconsumed: 300
-    lifetime_consumed: 86400
-  proxy_ticket:
-    lifetime_unconsumed: 300
-    lifetime_consumed: 86400
+    lifetime_unconsumed: 299
   authenticators:
     static_1:
       class: "CASinoCore::Authenticator::Static"

data/db/migrate/20130202210100_create_users.rb

@@ -1,11 +1,5 @@
 class CreateUsers < ActiveRecord::Migration
   def up
-    tgt = CASinoCore::Model::TicketGrantingTicket.new
-    tgt.authenticator = 'foo'
-    tgt.username = 'bar'
-    tgt.ticket = 'TGT-bla'
-    tgt.save!
-
     create_table :users do |t|
       t.string :authenticator, null: false
       t.string :username, null: false

data/db/migrate/20130203100015_create_two_factor_authenticators.rb

@@ -0,0 +1,12 @@
+class CreateTwoFactorAuthenticators < ActiveRecord::Migration
+  def change
+    create_table :two_factor_authenticators do |t|
+      t.integer :user_id, null: false
+      t.string :secret, null: false
+
+      t.timestamps
+    end
+
+    add_index :two_factor_authenticators, :user_id
+  end
+end

data/db/migrate/20130203101351_add_active_to_two_factor_authenticators.rb

@@ -0,0 +1,5 @@
+class AddActiveToTwoFactorAuthenticators < ActiveRecord::Migration
+  def change
+    add_column :two_factor_authenticators, :active, :boolean, null: false, default: false
+  end
+end

data/db/migrate/20130203155008_add_awaiting_two_factor_authentication_to_ticket_granting_tickets.rb

@@ -0,0 +1,5 @@
+class AddAwaitingTwoFactorAuthenticationToTicketGrantingTickets < ActiveRecord::Migration
+  def change
+    add_column :ticket_granting_tickets, :awaiting_two_factor_authentication, :boolean, null: false, default: false
+  end
+end

data/db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
 
-ActiveRecord::Schema.define(:version => 20130202210100) do
+ActiveRecord::Schema.define(:version => 20130203155008) do
 
   create_table "login_tickets", :force => true do |t|
     t.string   "ticket",     :null => false
@@ -73,15 +73,26 @@ ActiveRecord::Schema.define(:version => 20130202210100) do
   add_index "service_tickets", ["ticket_granting_ticket_id"], :name => "index_service_tickets_on_ticket_granting_ticket_id"
 
   create_table "ticket_granting_tickets", :force => true do |t|
-    t.string   "ticket",     :null => false
-    t.datetime "created_at", :null => false
-    t.datetime "updated_at", :null => false
+    t.string   "ticket",                                                :null => false
+    t.datetime "created_at",                                            :null => false
+    t.datetime "updated_at",                                            :null => false
     t.string   "user_agent"
-    t.integer  "user_id",    :null => false
+    t.integer  "user_id",                                               :null => false
+    t.boolean  "awaiting_two_factor_authentication", :default => false, :null => false
   end
 
   add_index "ticket_granting_tickets", ["ticket"], :name => "index_ticket_granting_tickets_on_ticket", :unique => true
 
+  create_table "two_factor_authenticators", :force => true do |t|
+    t.integer  "user_id",                       :null => false
+    t.string   "secret",                        :null => false
+    t.datetime "created_at",                    :null => false
+    t.datetime "updated_at",                    :null => false
+    t.boolean  "active",     :default => false, :null => false
+  end
+
+  add_index "two_factor_authenticators", ["user_id"], :name => "index_two_factor_authenticators_on_user_id"
+
   create_table "users", :force => true do |t|
     t.string   "authenticator",    :null => false
     t.string   "username",         :null => false

data/lib/casino_core/helper.rb

@@ -12,5 +12,6 @@ module CASinoCore
     autoload :ServiceTickets, 'casino_core/helper/service_tickets.rb'
     autoload :Tickets, 'casino_core/helper/tickets.rb'
     autoload :TicketGrantingTickets, 'casino_core/helper/ticket_granting_tickets.rb'
+    autoload :TwoFactorAuthenticators, 'casino_core/helper/two_factor_authenticators.rb'
   end
 end

data/lib/casino_core/helper/proxy_granting_tickets.rb

@@ -1,5 +1,5 @@
 require 'addressable/uri'
-require 'net/https'
+require 'faraday'
 
 require 'casino_core/helper/logger'
 require 'casino_core/helper/tickets'
@@ -11,41 +11,36 @@ module CASinoCore
       include CASinoCore::Helper::Tickets
 
       def acquire_proxy_granting_ticket(pgt_url, service_ticket)
-        begin
-          return contact_callback_server(pgt_url, service_ticket)
-        rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError => e
-          logger.warn "Exception while communicating with proxy-granting ticket callback server: #{e.message}"
+        callback_uri = Addressable::URI.parse(pgt_url)
+        if callback_uri.scheme != 'https'
+          logger.warn "Proxy tickets can only be granted to callback servers using HTTPS."
+          nil
+        else
+          contact_callback_server(callback_uri, service_ticket)
         end
-        nil
       end
 
       private
-      def contact_callback_server(pgt_url, service_ticket)
-        callback_uri = Addressable::URI.parse(pgt_url)
-        https = Net::HTTP.new(callback_uri.host, callback_uri.port || 443)
-        https.use_ssl = true
-
-        https.start do |conn|
-          pgt = service_ticket.proxy_granting_tickets.new({
-            ticket: random_ticket_string('PGT'),
-            iou: random_ticket_string('PGTIOU'),
-            pgt_url: pgt_url
-          })
-
-          callback_uri.query_values = (callback_uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
-
-          response = conn.request_get(callback_uri.request_uri)
-          # TODO: follow redirects... 2.5.4 says that redirects MAY be followed
-          if "#{response.code}" == "200"
-            # 3.4 (proxy-granting ticket IOU)
-            pgt.save!
-            logger.debug "Proxy-granting ticket generated for service '#{service_ticket.service}': #{pgt.inspect}"
-            pgt
-          else
-            logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.code}'. PGT will not be stored."
-            nil
-          end
+      def contact_callback_server(callback_uri, service_ticket)
+        pgt = service_ticket.proxy_granting_tickets.new({
+          ticket: random_ticket_string('PGT'),
+          iou: random_ticket_string('PGTIOU'),
+          pgt_url: "#{callback_uri}"
+        })
+        callback_uri.query_values = (callback_uri.query_values || {}).merge(pgtId: pgt.ticket, pgtIou: pgt.iou)
+        response = Faraday.get "#{callback_uri}"
+        # TODO: does this follow redirects? CAS specification says that redirects MAY be followed (2.5.4)
+        if response.success?
+          pgt.save!
+          logger.debug "Proxy-granting ticket generated for service '#{service_ticket.service}': #{pgt.inspect}"
+          pgt
+        else
+          logger.warn "Proxy-granting ticket callback server responded with a bad result code '#{response.status}'. PGT will not be stored."
+          nil
         end
+      rescue Faraday::Error::ClientError => error
+        logger.warn "Exception while communicating with proxy-granting ticket callback server: #{error.message}"
+        nil
       end
     end
   end

data/lib/casino_core/helper/proxy_tickets.rb

@@ -2,11 +2,7 @@ module CASinoCore
   module Helper
     module ProxyTickets
 
-      class ValidationResult < Struct.new(:error_code, :error_message, :error_severity)
-        def success?
-          self.error_code.nil?
-        end
-      end
+      class ValidationResult < CASinoCore::Model::ValidationResult; end
 
       include CASinoCore::Helper::Logger
       include CASinoCore::Helper::Tickets

data/lib/casino_core/helper/ticket_granting_tickets.rb

@@ -7,9 +7,9 @@ module CASinoCore
       include CASinoCore::Helper::Browser
       include CASinoCore::Helper::Logger
 
-      def find_valid_ticket_granting_ticket(tgt, user_agent)
+      def find_valid_ticket_granting_ticket(tgt, user_agent, ignore_two_factor = false)
         ticket_granting_ticket = CASinoCore::Model::TicketGrantingTicket.where(ticket: tgt).first
-        unless ticket_granting_ticket.nil?
+        unless ticket_granting_ticket.nil? || (!ignore_two_factor && ticket_granting_ticket.awaiting_two_factor_authentication?)
           if same_browser?(ticket_granting_ticket.user_agent, user_agent)
             ticket_granting_ticket.user_agent = user_agent
             ticket_granting_ticket.touch
@@ -27,6 +27,7 @@ module CASinoCore
         user = load_or_initialize_user(authentication_result[:authenticator], user_data[:username], user_data[:extra_attributes])
         user.ticket_granting_tickets.create!({
           ticket: random_ticket_string('TGC'),
+          awaiting_two_factor_authentication: !user.active_two_factor_authenticator.nil?,
           user_agent: user_agent
         })
       end

data/lib/casino_core/helper/two_factor_authenticators.rb

@@ -0,0 +1,22 @@
+require 'addressable/uri'
+
+module CASinoCore
+  module Helper
+    module TwoFactorAuthenticators
+      class ValidationResult < CASinoCore::Model::ValidationResult; end
+
+      def validate_one_time_password(otp, authenticator)
+        if authenticator.nil? || authenticator.expired?
+          ValidationResult.new 'INVALID_AUTHENTICATOR', 'Authenticator does not exist or expired', :warn
+        else
+          totp = ROTP::TOTP.new(authenticator.secret)
+          if totp.verify_with_drift(otp, CASinoCore::Settings.two_factor_authenticator[:drift])
+            ValidationResult.new
+          else
+            ValidationResult.new 'INVALID_OTP', 'One-time password not valid', :warn
+          end
+        end
+      end
+    end
+  end
+end

data/lib/casino_core/model.rb

@@ -8,6 +8,8 @@ module CASinoCore
     autoload :ProxyGrantingTicket, 'casino_core/model/proxy_granting_ticket.rb'
     autoload :ProxyTicket, 'casino_core/model/proxy_ticket.rb'
     autoload :TicketGrantingTicket, 'casino_core/model/ticket_granting_ticket.rb'
+    autoload :TwoFactorAuthenticator, 'casino_core/model/two_factor_authenticator.rb'
     autoload :User, 'casino_core/model/user.rb'
+    autoload :ValidationResult, 'casino_core/model/validation_result.rb'
   end
 end

data/lib/casino_core/model/service_ticket/single_sign_out_notifier.rb

@@ -1,7 +1,6 @@
 require 'builder'
-require 'net/https'
+require 'faraday'
 require 'casino_core/model/service_ticket'
-require 'addressable/uri'
 
 class CASinoCore::Model::ServiceTicket::SingleSignOutNotifier
   include CASinoCore::Helper::Logger
@@ -11,10 +10,7 @@ class CASinoCore::Model::ServiceTicket::SingleSignOutNotifier
   end
 
   def notify
-    xml = build_xml
-    uri = Addressable::URI.parse(@service_ticket.service)
-    request = build_request(uri, xml)
-    send_notification(uri, request)
+    send_notification @service_ticket.service, build_xml
   end
 
   private
@@ -32,31 +28,18 @@ class CASinoCore::Model::ServiceTicket::SingleSignOutNotifier
     xml.target!
   end
 
-  def build_request(uri, xml)
-    request = Net::HTTP::Post.new(uri.request_uri)
-    request.set_form_data(logoutRequest: xml)
-    return request
-  end
-
-  def send_notification(uri, request)
+  def send_notification(url, xml)
     logger.info "Sending Single Sign Out notification for ticket '#{@service_ticket.ticket}'"
-    begin
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = true if uri.scheme =='https'
-
-      http.start do |conn|
-        response = conn.request(request)
-        if response.kind_of? Net::HTTPSuccess
-          logger.info "Logout notification successfully posted to #{uri}."
-          return true
-        else
-          logger.warn "Service #{uri} responed to logout notification with code '#{response.code}'!"
-          return false
-        end
-      end
-    rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError => e
-      logger.warn "Failed to send logout notification to service #{uri} due to #{e}"
-      return false
+    result = Faraday.post(url, logoutRequest: xml)
+    if result.success?
+      logger.info "Logout notification successfully posted to #{url}."
+      true
+    else
+      logger.warn "Service #{url} responed to logout notification with code '#{result.status}'!"
+      false
     end
+  rescue Faraday::Error::ClientError => error
+    logger.warn "Failed to send logout notification to service #{url} due to #{error}"
+    false
   end
 end

data/lib/casino_core/model/ticket_granting_ticket.rb

@@ -1,7 +1,7 @@
 require 'casino_core/model'
 
 class CASinoCore::Model::TicketGrantingTicket < ActiveRecord::Base
-  attr_accessible :ticket, :user_agent
+  attr_accessible :ticket, :user_agent, :awaiting_two_factor_authentication
   validates :ticket, uniqueness: true
 
   belongs_to :user

data/lib/casino_core/model/two_factor_authenticator.rb

@@ -0,0 +1,19 @@
+require 'casino_core/model'
+
+class CASinoCore::Model::TwoFactorAuthenticator < ActiveRecord::Base
+  attr_accessible :secret
+
+  belongs_to :user
+
+  def self.cleanup
+    self.delete_all(['(created_at < ?) AND active = ?', self.lifetime.ago, false])
+  end
+
+  def self.lifetime
+    CASinoCore::Settings.two_factor_authenticator[:lifetime_inactive].seconds
+  end
+
+  def expired?
+    !self.active? && (Time.now - (self.created_at || Time.now)) > self.class.lifetime
+  end
+end

data/lib/casino_core/model/user.rb

@@ -5,4 +5,9 @@ class CASinoCore::Model::User < ActiveRecord::Base
   serialize :extra_attributes, Hash
 
   has_many :ticket_granting_tickets
+  has_many :two_factor_authenticators
+
+  def active_two_factor_authenticator
+    self.two_factor_authenticators.where(active: true).first
+  end
 end

data/lib/casino_core/model/validation_result.rb

@@ -0,0 +1,7 @@
+require 'casino_core/model'
+
+class CASinoCore::Model::ValidationResult < Struct.new(:error_code, :error_message, :error_severity)
+  def success?
+    self.error_code.nil?
+  end
+end

data/lib/casino_core/processor.rb

@@ -8,9 +8,14 @@ module CASinoCore
     autoload :Logout, 'casino_core/processor/logout.rb'
     autoload :ProxyTicketProvider, 'casino_core/processor/proxy_ticket_provider.rb'
     autoload :ProxyTicketValidator, 'casino_core/processor/proxy_ticket_validator.rb'
+    autoload :SecondFactorAuthenticationAcceptor, 'casino_core/processor/second_factor_authentication_acceptor.rb'
     autoload :ServiceTicketValidator, 'casino_core/processor/service_ticket_validator.rb'
     autoload :SessionDestroyer, 'casino_core/processor/session_destroyer.rb'
     autoload :SessionOverview, 'casino_core/processor/session_overview.rb'
+    autoload :TwoFactorAuthenticatorActivator, 'casino_core/processor/two_factor_authenticator_activator.rb'
+    autoload :TwoFactorAuthenticatorDestroyer, 'casino_core/processor/two_factor_authenticator_destroyer.rb'
+    autoload :TwoFactorAuthenticatorOverview, 'casino_core/processor/two_factor_authenticator_overview.rb'
+    autoload :TwoFactorAuthenticatorRegistrator, 'casino_core/processor/two_factor_authenticator_registrator.rb'
 
     autoload :API, 'casino_core/processor/api.rb'
 

data/lib/casino_core/processor/login_credential_acceptor.rb

@@ -18,6 +18,7 @@ class CASinoCore::Processor::LoginCredentialAcceptor < CASinoCore::Processor
   # * `#invalid_login_ticket` and `#invalid_login_credentials`: The first argument is a LoginTicket.
   #   See {CASinoCore::Processor::LoginCredentialRequestor} for details.
   # * `#service_not_allowed`: The user tried to access a service that this CAS server is not allowed to serve.
+  # * `#two_factor_authentication_pending`: The user should be asked to enter his OTP. The first argument (String) is the ticket-granting ticket. The ticket-granting ticket is not active yet. Use SecondFactorAuthenticatonAcceptor to activate it.
   #
   # @param [Hash] params parameters supplied by user
   # @param [String] user_agent user-agent delivered by the client
@@ -42,14 +43,18 @@ class CASinoCore::Processor::LoginCredentialAcceptor < CASinoCore::Processor
   end
 
   def user_logged_in(authentication_result)
-    begin
-      ticket_granting_ticket = acquire_ticket_granting_ticket(authentication_result, @user_agent)
-      url = unless @params[:service].nil?
-        acquire_service_ticket(ticket_granting_ticket, @params[:service], true).service_with_ticket_url
+    ticket_granting_ticket = acquire_ticket_granting_ticket(authentication_result, @user_agent)
+    if ticket_granting_ticket.awaiting_two_factor_authentication?
+      @listener.two_factor_authentication_pending(ticket_granting_ticket.ticket)
+    else
+      begin
+        url = unless @params[:service].blank?
+          acquire_service_ticket(ticket_granting_ticket, @params[:service], true).service_with_ticket_url
+        end
+        @listener.user_logged_in(url, ticket_granting_ticket.ticket)
+      rescue ServiceNotAllowedError => e
+        @listener.service_not_allowed(clean_service_url @params[:service])
       end
-      @listener.user_logged_in(url, ticket_granting_ticket.ticket)
-    rescue ServiceNotAllowedError => e
-      @listener.service_not_allowed(clean_service_url @params[:service])
     end
   end
 end