casino_core 1.4.2 → 1.4.3

data/.ruby-gemset

@@ -0,0 +1 @@
+casino_core

data/.ruby-version

@@ -0,0 +1 @@
+ruby-1.9.3-p194

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    casino_core (1.4.2)
+    casino_core (1.4.3)
       activerecord (~> 3.2.9)
       addressable (~> 2.3)
       faraday (~> 0.8)

data/lib/casino_core/helper/tickets.rb

@@ -1,9 +1,16 @@
+require 'securerandom'
+
 module CASinoCore
   module Helper
     module Tickets
+
+      ALLOWED_TICKET_STRING_CHARACTERS = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a
+
       def random_ticket_string(prefix, length = 40)
-        random_string = rand(36**length).to_s(36)
-        "#{prefix}-#{Time.now.to_i}-#{random_string}"
+        random_string = SecureRandom.random_bytes(length).each_char.map do |char|
+          ALLOWED_TICKET_STRING_CHARACTERS[(char.ord % ALLOWED_TICKET_STRING_CHARACTERS.length)]
+        end.join
+        "#{prefix}-#{'%d' % (Time.now.to_f * 10000)}-#{random_string}"
       end
     end
   end

data/lib/casino_core/model/service_ticket.rb

@@ -5,7 +5,7 @@ require 'addressable/uri'
 class CASinoCore::Model::ServiceTicket < ActiveRecord::Base
   autoload :SingleSignOutNotifier, 'casino_core/model/service_ticket/single_sign_out_notifier.rb'
 
-  attr_accessible :ticket, :service
+  attr_accessible :ticket, :service, :issued_from_credentials
   validates :ticket, uniqueness: true
   belongs_to :ticket_granting_ticket
   before_destroy :send_single_sing_out_notification, if: :consumed?

data/lib/casino_core/model/ticket_granting_ticket.rb

@@ -14,7 +14,9 @@ class CASinoCore::Model::TicketGrantingTicket < ActiveRecord::Base
       base = user.ticket_granting_tickets
     end
     base.where([
-      '(created_at < ? AND long_term = ?) OR created_at < ?',
+      '(created_at < ? AND awaiting_two_factor_authentication = ?) OR (created_at < ? AND long_term = ?) OR created_at < ?',
+      CASinoCore::Settings.two_factor_authenticator[:timeout].seconds.ago,
+      true,
       CASinoCore::Settings.ticket_granting_ticket[:lifetime].seconds.ago,
       false,
       CASinoCore::Settings.ticket_granting_ticket[:lifetime_long_term].seconds.ago

data/lib/casino_core/processor/second_factor_authentication_acceptor.rb

@@ -34,7 +34,11 @@ class CASinoCore::Processor::SecondFactorAuthenticationAcceptor < CASinoCore::Pr
           url = unless params[:service].blank?
             acquire_service_ticket(tgt, params[:service], true).service_with_ticket_url
           end
-          @listener.user_logged_in(url, tgt.ticket)
+          if tgt.long_term?
+            @listener.user_logged_in(url, tgt.ticket, CASinoCore::Settings.ticket_granting_ticket[:lifetime_long_term].seconds.from_now)
+          else
+            @listener.user_logged_in(url, tgt.ticket)
+          end
         rescue ServiceNotAllowedError => e
           @listener.service_not_allowed(clean_service_url params[:service])
         end

data/lib/casino_core/version.rb

@@ -1,3 +1,3 @@
 module CASinoCore
-  VERSION = '1.4.2'
+  VERSION = '1.4.3'
 end

data/spec/model/ticket_granting_ticket_spec.rb

@@ -181,5 +181,24 @@ describe CASinoCore::Model::TicketGrantingTicket do
       end.should change(described_class, :count).by(-1)
       described_class.find_by_ticket(ticket_granting_ticket.ticket).should be_false
     end
+
+    it 'does not delete almost expired ticket-granting tickets with pending two-factor authentication' do
+      ticket_granting_ticket.created_at = 2.minutes.ago
+      ticket_granting_ticket.awaiting_two_factor_authentication = true
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should_not change(described_class, :count)
+    end
+
+    it 'does delete expired ticket-granting tickets with pending two-factor authentication' do
+      ticket_granting_ticket.created_at = 20.minutes.ago
+      ticket_granting_ticket.awaiting_two_factor_authentication = true
+      ticket_granting_ticket.save!
+      lambda do
+        described_class.cleanup
+      end.should change(described_class, :count).by(-1)
+      described_class.find_by_ticket(ticket_granting_ticket.ticket).should be_false
+    end
   end
 end

data/spec/processor/second_factor_authenticaton_acceptor_spec.rb

@@ -17,7 +17,7 @@ describe CASinoCore::Processor::SecondFactorAuthenticationAcceptor do
       let(:tgt) { ticket_granting_ticket.ticket }
       let(:user_agent) { ticket_granting_ticket.user_agent }
       let(:otp) { '123456' }
-      let(:service) { 'http://www.example.com/testing' } 
+      let(:service) { 'http://www.example.com/testing' }
       let(:params) { { tgt: tgt, otp: otp, service: service }}
 
       context 'with an active authenticator' do
@@ -39,6 +39,17 @@ describe CASinoCore::Processor::SecondFactorAuthenticationAcceptor do
             ticket_granting_ticket.should_not be_awaiting_two_factor_authentication
           end
 
+          context 'with a long-term ticket-granting ticket' do
+            before(:each) do
+              ticket_granting_ticket.update_attributes! long_term: true
+            end
+
+            it 'calls the #user_logged_in method on the listener with an expiration date set' do
+              listener.should_receive(:user_logged_in).with(/^#{service}\?ticket=ST\-/, /^TGC\-/, kind_of(Time))
+              processor.process(params, user_agent)
+            end
+          end
+
           context 'with a not allowed service' do
             before(:each) do
               FactoryGirl.create :service_rule, :regex, url: '^https://.*'
@@ -56,12 +67,12 @@ describe CASinoCore::Processor::SecondFactorAuthenticationAcceptor do
           before(:each) do
             ROTP::TOTP.any_instance.should_receive(:verify_with_drift).with(otp, 30).and_return(false)
           end
-        
+
           it 'calls the `#invalid_one_time_password` method an the listener' do
             listener.should_receive(:invalid_one_time_password).with(no_args)
             processor.process(params, user_agent)
           end
-        
+
           it 'does not activate the ticket-granting ticket' do
             processor.process(params, user_agent)
             ticket_granting_ticket.reload

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: casino_core
 version: !ruby/object:Gem::Version
-  version: 1.4.2
+  version: 1.4.3
   prerelease: 
 platform: ruby
 authors:
@@ -36,7 +36,7 @@ cert_chain:
   b1VSdnUwRzgvWXlIVUFtSVUvV0tyanIxYmdjZjFWUnYKUjRLRDFNblVWL3Y1
   MDJwaU1sWG1qeE9XZGJLOHl2UUVIa3N1L3pqYkNqU3UrTTJrd0ZtV0dzeDVu
   eCtWZHc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
-date: 2013-03-29 00:00:00.000000000 Z
+date: 2013-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -305,7 +305,8 @@ files:
 - .document
 - .gitignore
 - .rspec
-- .rvmrc
+- .ruby-gemset
+- .ruby-version
 - .travis.yml
 - Gemfile
 - Gemfile.lock
@@ -449,7 +450,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -1266012444534367385
+      hash: 3956376216012117413
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -458,7 +459,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -1266012444534367385
+      hash: 3956376216012117413
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25

data/.rvmrc

@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-
-# This is an RVM Project .rvmrc file, used to automatically load the ruby
-# development environment upon cd'ing into the directory
-
-# First we specify our desired <ruby>[@<gemset>], the @gemset name is optional,
-# Only full ruby name is supported here, for short names use:
-#     echo "rvm use 1.9.3" > .rvmrc
-environment_id="ruby-1.9.3-p194@casino_core"
-
-# Uncomment the following lines if you want to verify rvm version per project
-# rvmrc_rvm_version="1.15.8 (stable)" # 1.10.1 seams as a safe start
-# eval "$(echo ${rvm_version}.${rvmrc_rvm_version} | awk -F. '{print "[[ "$1*65536+$2*256+$3" -ge "$4*65536+$5*256+$6" ]]"}' )" || {
-#   echo "This .rvmrc file requires at least RVM ${rvmrc_rvm_version}, aborting loading."
-#   return 1
-# }
-
-# First we attempt to load the desired environment directly from the environment
-# file. This is very fast and efficient compared to running through the entire
-# CLI and selector. If you want feedback on which environment was used then
-# insert the word 'use' after --create as this triggers verbose mode.
-if [[ -d "${rvm_path:-$HOME/.rvm}/environments"
-  && -s "${rvm_path:-$HOME/.rvm}/environments/$environment_id" ]]
-then
-  \. "${rvm_path:-$HOME/.rvm}/environments/$environment_id"
-  [[ -s "${rvm_path:-$HOME/.rvm}/hooks/after_use" ]] &&
-    \. "${rvm_path:-$HOME/.rvm}/hooks/after_use" || true
-else
-  # If the environment file has not yet been created, use the RVM CLI to select.
-  rvm --create  "$environment_id" || {
-    echo "Failed to create RVM environment '${environment_id}'."
-    return 1
-  }
-fi
-
-# If you use bundler, this might be useful to you:
-# if [[ -s Gemfile ]] && {
-#   ! builtin command -v bundle >/dev/null ||
-#   builtin command -v bundle | GREP_OPTIONS= \grep $rvm_path/bin/bundle >/dev/null
-# }
-# then
-#   printf "%b" "The rubygem 'bundler' is not installed. Installing it now.\n"
-#   gem install bundler
-# fi
-# if [[ -s Gemfile ]] && builtin command -v bundle >/dev/null
-# then
-#   bundle install | GREP_OPTIONS= \grep -vE '^Using|Your bundle is complete'
-# fi