cassette 1.0.18 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ef167b410ab8edd7eddb9cbc2905273b103fb65d
-  data.tar.gz: 3fe842b14b10a50e5493cbfc6b021b554c1732fe
+  metadata.gz: e4fc103e95f0afcbec1f342bda0bf6c26c16aaab
+  data.tar.gz: 4fec669e36c9fc02dac165f203f23635fb60c9f0
 SHA512:
-  metadata.gz: e624b4e33054308e07ff1b8f4966ad1d22dad86a207d0274bb8d93fefa4ad2bc95837478a4b653be64f4a79d07d57bb704f847003bde4953727a0f024628144a
-  data.tar.gz: ac20ab03689bc234dda217951dc362c35c3425add96691ad016a93587cd005a64533b26c548969d746e26a5ab5d074a76fcb249bcbc334899ac7ad3c4e194222
+  metadata.gz: 1a11d5a6a757a705913b3b1510bba8b34bed024401bdd3fbdca64a57e36dad8ca5a5bec19af39f332a899d3046a0fffd9b9c2eb719905896cf856b8dbc0727c5
+  data.tar.gz: 1ad976704ed09a02b776710bddb836f0fbee7f1dc9edd6675a029ac9bc1a73ba6ba1efd234d5322a4b111f002652b8907cf92f3c41380b199893819673bf5fd2

data/README.md

@@ -24,10 +24,7 @@ Require this library and create an intializer to set its configuration:
 Cassette.config = config
 ```
 
-where config is an object that responds to the methods #base for the base CAS uri, #username and #password
-if you are authenticating on other systems and #service and #base\_authority if you are using the authentication filter
-to authenticate your app
-
+where config is an object that responds to the methods `base` for the base CAS uri, `username` and `password` if you are authenticating on other systems and `service` and `base_authority` if you are using the authentication filter to authenticate your app.
 
 You may also set the caching backend using the .backend= module method:
 
@@ -35,10 +32,9 @@ You may also set the caching backend using the .backend= module method:
 Cassette::Cache.backend = ActiveSupport::Cache::MemcacheStorage.new
 ```
 
-By default, Cassette::Cache will check if you have Rails.cache defined or instantiate a new ActiveSupport::Cache::MemoryStore
-
+By default, `Cassette::Cache` will check if you have `Rails.cache` defined or instantiate a new `ActiveSupport::Cache::MemoryStore`
 
-To authenticate your Rails app, add to your ApplicationController (or any authenticated controller):
+To authenticate your Rails app, add to your `ApplicationController` (or any authenticated controller):
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -48,7 +44,7 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-You should also rescue from Cassette::Errors::Forbidden with more friendly errors
+You should also rescue from `Cassette::Errors::Forbidden` with more friendly errors
 
 If you wish to have actions that skip the authentication filter, add to your controller:
 
@@ -60,7 +56,68 @@ class SomeController < ApplicationController
 end
 ```
 
-Where options are the same options you can pass to Rails' __skip_before_filter__ method
+Where options are the same options you can pass to Rails' `skip_before_filter` method
+
+### Overriding the authenticated service
+
+You can the service being authenticated in a controller (or group of controllers). To do this, override the instance method `authentication_service`:
+
+```ruby
+class ApiController < ApplicationController
+  def authentication_service
+    "api.#{super}"
+
+    # or maybe a hardcoded:
+    # "api.example.org"
+
+    # looking like regular RubyCAS, using the url
+    # request.url
+  end
+end
+```
+
+### Accepting multiple services (restricting from a list)
+
+Your config object must respond to `services` and the filter will check your controller `authentication_service` against the list or the configured service.
+
+In your initializer:
+
+```ruby
+Cassete.config = OpenStruct.new(
+  # omitted
+  service: "example.org",
+  services: ["api.example.org", "www.example.org", "subdomain.example.org"]
+)
+```
+
+And in your controller:
+
+```ruby
+class ApplicationController < ActionController::Base
+  def authentication_service
+    request.host
+  end
+end
+```
+
+In this example, only tickets generated for __api.example.org__, __www.example.org__, __subdomain.example.org__ or __example.org__ will be accepted others will raise a `Cassette::Errors::Forbidden`.
+
+### Accepting multiple services (customized)
+
+If whitelisting services is not enough for your application, you can override the `accepts_authentication_service?` in your controller.
+This method receives the service and returns a boolean if the service is ok or not.
+
+```ruby
+class ApplicationController < ActionController::Base
+  def accepts_authentication_service?(service)
+    service.ends_with?('my-domain.com')
+  end
+
+  def authentication_service
+    request.host
+  end
+end
+```
 
 ## RubyCAS client helpers
 
@@ -68,10 +125,10 @@ Where options are the same options you can pass to Rails' __skip_before_filter__
 If you are authenticating users with RubyCAS and want role checking, in your rubycas initializer:
 
 ```ruby
-require "cas/rubycas"
+require "cassette/rubycas"
 ```
 
-And in your ApplicationController (or any authenticated controller):
+And in your `ApplicationController` (or any authenticated controller):
 
 ```ruby
 class SomeController < ApplicationController
@@ -95,9 +152,29 @@ class SomeController < ApplicationController
 end
 ```
 
+### Constraining routes for roles
+
+This is useful if you want to mount an unauthenticated Rack app (like Resque)
+
+Add to your `config/routes.rb`:
+
+```ruby
+  mount Resque::Server.new, at: '/resque', constraints: Cassette::Rubycas::RoutingConstraint.new(:admin)
+```
+
+This will make your /resque route require your `BASEAUTHORITY_ADMIN` role.
+
+You can also use raw roles:
+
+```ruby
+  mount Resque::Server.new, at: '/resque', constraints: Cassette::Rubycas::RoutingConstraint.new('OTHERAPP_ROLE', raw: true)
+```
+
+And your /resque route will require the `OTHERAPP_ROLE` role.
+
 ## Instantiating Cassette::Client and Cassette::Authentication
 
-You can create your own instances of __Cassette::Client__ (st/tgt generator) and __Cassette::Authentication__ (st validator).
+You can create your own instances of `Cassette::Client` (st/tgt generator) and `Cassette::Authentication` (st validator).
 
 The constructor accepts a hash with keys (as symbols) for the values of cache, logger, http_client and configuration.
 

data/lib/cassette/authentication/authorities.rb

@@ -2,36 +2,40 @@
 
 require 'cassette/authentication'
 
-class Cassette::Authentication::Authorities
-  def self.parse(authorities, base_authority = nil)
-    new(authorities, base_authority)
-  end
-
-  def base
-    @base_authority.to_s.upcase
-  end
-
-  def has_raw_role?(role)
-    return true if ENV['NOAUTH']
-    @authorities.include?(role)
-  end
-
-  def has_role?(role)
-    return true if ENV['NOAUTH']
-    has_raw_role?("#{base}_#{role.to_s.upcase.gsub('_', '-')}")
-  end
-
-  def initialize(authorities, base_authority = nil)
-    @base_authority = base_authority || Cassette.config.base_authority
-
-    if authorities.is_a?(String)
-      @authorities = authorities.gsub(/^\[(.*)\]$/, '\\1').split(',').map(&:strip)
-    else
-      @authorities = Array(authorities).map(&:strip)
+module Cassette
+  class Authentication
+    class Authorities
+      def self.parse(authorities, base_authority = nil)
+        new(authorities, base_authority)
+      end
+
+      def base
+        @base_authority.to_s.upcase
+      end
+
+      def has_raw_role?(role)
+        return true if ENV['NOAUTH']
+        @authorities.include?(role)
+      end
+
+      def has_role?(role)
+        return true if ENV['NOAUTH']
+        has_raw_role?("#{base}_#{role.to_s.upcase.gsub('_', '-')}")
+      end
+
+      def initialize(authorities, base_authority = nil)
+        @base_authority = base_authority || Cassette.config.base_authority
+
+        if authorities.is_a?(String)
+          @authorities = authorities.gsub(/^\[(.*)\]$/, '\\1').split(',').map(&:strip)
+        else
+          @authorities = Array(authorities).map(&:strip)
+        end
+      end
+
+      def authorities
+        @authorities.dup
+      end
     end
   end
-
-  def authorities
-    @authorities.dup
-  end
 end

data/lib/cassette/authentication/cache.rb

@@ -3,27 +3,31 @@
 require 'cassette/authentication'
 require 'cassette/cache'
 
-class Cassette::Authentication::Cache
-  include Cassette::Cache
+module Cassette
+  class Authentication
+    class Cache
+      include Cassette::Cache
 
-  def initialize(logger)
-    self.logger = logger
-  end
+      def initialize(logger)
+        self.logger = logger
+      end
 
-  def fetch_authentication(ticket, options = {}, &block)
-    options = { expires_in: 5 * 60, max_uses: 5000, force: false }.merge(options)
-    fetch("Cassette::Authentication.validate_ticket(#{ticket})", options) do
-      logger.info("Authentication for #{ticket} is not cached")
-      block.call
-    end
-  end
+      def fetch_authentication(ticket, service, options = {}, &block)
+        options = { expires_in: 5 * 60, max_uses: 5000, force: false }.merge(options)
+        fetch("Cassette::Authentication.validate_ticket(#{ticket}, #{service})", options) do
+          logger.info("Authentication for #{ticket}, #{service} is not cached")
+          block.call
+        end
+      end
 
-  def clear_authentication_cache!
-    backend.delete_matched('Cassette::Authentication.validate_ticket*')
-    backend.delete_matched("#{uses_key('Cassette::Authentication.validate_ticket')}*")
-  end
+      def clear_authentication_cache!
+        backend.delete_matched('Cassette::Authentication.validate_ticket*')
+        backend.delete_matched("#{uses_key('Cassette::Authentication.validate_ticket')}*")
+      end
 
-  protected
+      protected
 
-  attr_accessor :logger
+      attr_accessor :logger
+    end
+  end
 end

data/lib/cassette/authentication/filter.rb

@@ -3,39 +3,58 @@
 require 'active_support/concern'
 require 'cassette/authentication/user'
 
-module Cassette::Authentication::Filter
-  extend ActiveSupport::Concern
-
-  included do |controller|
-    controller.before_filter(:validate_authentication_ticket)
-    controller.send(:attr_accessor, :current_user)
-  end
-
-  module ClassMethods
-    def skip_authentication(*options)
-      skip_before_filter :validate_authentication_ticket, *options
-    end
-  end
-
-  def validate_authentication_ticket(service = Cassette.config.service)
-    ticket = request.headers['Service-Ticket'] || params[:ticket]
-
-    if ENV['NOAUTH']
-      Cassette.logger.debug 'NOAUTH set and no Service Ticket, skipping authentication'
-      self.current_user = Cassette::Authentication::User.new
-      return
+module Cassette
+  class Authentication
+    module Filter
+      extend ActiveSupport::Concern
+
+      included do |controller|
+        controller.before_filter(:validate_authentication_ticket)
+        controller.send(:attr_accessor, :current_user)
+      end
+
+      module ClassMethods
+        def skip_authentication(*options)
+          skip_before_filter :validate_authentication_ticket, *options
+        end
+      end
+
+      def accepts_authentication_service?(service)
+        config = Cassette.config
+
+        if config.respond_to?(:services)
+          config.services.member?(service) || config.service == service
+        else
+          config.service == service
+        end
+      end
+
+      def validate_authentication_ticket(service = authentication_service)
+        ticket = request.headers['Service-Ticket'] || params[:ticket]
+
+        if ENV['NOAUTH']
+          Cassette.logger.debug 'NOAUTH set and no Service Ticket, skipping authentication'
+          self.current_user = Cassette::Authentication::User.new
+          return
+        end
+
+        fail Cassette::Errors::Forbidden unless accepts_authentication_service?(authentication_service)
+        self.current_user = Cassette::Authentication.validate_ticket(ticket, service)
+      end
+
+      def authentication_service
+        Cassette.config.service
+      end
+
+      def validate_role!(role)
+        return if ENV['NOAUTH']
+        fail Cassette::Errors::Forbidden unless current_user.has_role?(role)
+      end
+
+      def validate_raw_role!(role)
+        return if ENV['NOAUTH']
+        fail Cassette::Errors::Forbidden unless current_user.has_raw_role?(role)
+      end
     end
-
-    self.current_user = Cassette::Authentication.validate_ticket(ticket, service)
-  end
-
-  def validate_role!(role)
-    return if ENV['NOAUTH']
-    fail Cassette::Errors::Forbidden unless current_user.has_role?(role)
-  end
-
-  def validate_raw_role!(role)
-    return if ENV['NOAUTH']
-    fail Cassette::Errors::Forbidden unless current_user.has_raw_role?(role)
   end
 end

data/lib/cassette/authentication/user.rb

@@ -4,24 +4,28 @@ require 'cassette/authentication'
 require 'cassette/authentication/authorities'
 require 'delegate'
 
-class Cassette::Authentication::User
-  attr_accessor :login, :name, :authorities, :email, :ticket
-  delegate :has_role?, :has_raw_role?, to: :@authorities
+module Cassette
+  class Authentication
+    class User
+      attr_accessor :login, :name, :authorities, :email, :ticket, :type
+      delegate :has_role?, :has_raw_role?, to: :@authorities
 
-  def initialize(attrs = {})
-    config       = attrs[:config]
-    @login       = attrs[:login]
-    @name        = attrs[:name]
-    @type        = attrs[:type]
-    @email       = attrs[:email]
-    @ticket      = attrs[:ticket]
-    @authorities = Cassette::Authentication::Authorities
-                   .parse(attrs.fetch(:authorities, '[]'), config && config.base_authority)
-  end
+      def initialize(attrs = {})
+        config       = attrs[:config]
+        @login       = attrs[:login]
+        @name        = attrs[:name]
+        @type        = attrs[:type]
+        @email       = attrs[:email]
+        @ticket      = attrs[:ticket]
+        @authorities = Cassette::Authentication::Authorities
+                       .parse(attrs.fetch(:authorities, '[]'), config && config.base_authority)
+      end
 
-  %w(customer employee).each do |type|
-    define_method :"#{type}?" do
-      !@type.nil? && @type.to_s.downcase == type.to_s
+      %w(customer employee).each do |type|
+        define_method :"#{type}?" do
+          !@type.nil? && @type.to_s.downcase == type.to_s
+        end
+      end
     end
   end
 end

data/lib/cassette/authentication.rb

@@ -1,25 +1,22 @@
 # encoding: UTF-8
 
-require 'active_support/xml_mini'
-ActiveSupport::XmlMini.backend = 'LibXML'
-
 module Cassette
   class Authentication
     def self.method_missing(name, *args)
-      @@default_authentication ||= new
-      @@default_authentication.send(name, *args)
+      @default_authentication ||= new
+      @default_authentication.send(name, *args)
     end
 
     def initialize(opts = {})
       self.config = opts.fetch(:config, Cassette.config)
       self.logger = opts.fetch(:logger, Cassette.logger)
-      self.http   = opts.fetch(:http_client, Cassette)
+      self.http   = opts.fetch(:http_client, Cassette::Http)
       self.cache  = opts.fetch(:cache, Cassette::Authentication::Cache.new(logger))
     end
 
     def validate_ticket(ticket, service = config.service)
-      logger.debug "Cassette::Authentication validating ticket: #{ticket}"
-      fail Cassette::Errors::AuthorizationRequired if ticket.nil? || ticket.blank?
+      logger.debug "Cassette::Authentication validating ticket: #{ticket}, #{service}"
+      fail Cassette::Errors::AuthorizationRequired if ticket.blank?
 
       user = ticket_user(ticket, service)
       logger.info "Cassette::Authentication user: #{user.inspect}"
@@ -30,33 +27,25 @@ module Cassette
     end
 
     def ticket_user(ticket, service = config.service)
-      cache.fetch_authentication(ticket) do
+      cache.fetch_authentication(ticket, service) do
         begin
           logger.info("Validating #{ticket} on #{validate_uri}")
+
           response = http.post(validate_uri, ticket: ticket, service: service).body
+          ticket_response = Http::TicketResponse.new(response)
 
           logger.info("Validation resut: #{response.inspect}")
 
-          user = nil
-
-          ActiveSupport::XmlMini.with_backend('LibXML') do
-            result = ActiveSupport::XmlMini.parse(response)
-
-            login = result.try(:[], 'serviceResponse').try(:[], 'authenticationSuccess').try(:[], 'user').try(:[], '__content__')
-
-            if login
-              attributes = result['serviceResponse']['authenticationSuccess']['attributes']
-              name = attributes.try(:[], 'cn').try(:[], '__content__')
-              authorities = attributes.try(:[], 'authorities').try(:[], '__content__')
-
-              user = Cassette::Authentication::User.new(login: login, name: name, authorities: authorities, ticket: ticket, config: config)
-            end
-          end
-
-          user
+          Cassette::Authentication::User.new(
+            login: ticket_response.login,
+            name: ticket_response.name,
+            authorities: ticket_response.authorities,
+            ticket: ticket,
+            config: config
+          ) if ticket_response.login
         rescue => exception
           logger.error "Error while authenticating ticket #{ticket}: #{exception.message}"
-          raise Cassette::Errors::Forbidden.new(exception.message)
+          raise Cassette::Errors::Forbidden, exception.message
         end
       end
     end
@@ -65,6 +54,29 @@ module Cassette
 
     attr_accessor :cache, :logger, :http, :config
 
+    def try_content(node, *keys)
+      keys.inject(node) do |a, e|
+        a.try(:[], e)
+      end.try(:[], '__content__')
+    end
+
+    def extract_user(xml, ticket)
+      ActiveSupport::XmlMini.with_backend('LibXML') do
+        result = ActiveSupport::XmlMini.parse(xml)
+
+        login = try_content(result, 'serviceResponse', 'authenticationSuccess', 'user')
+
+        if login
+          attributes = result['serviceResponse']['authenticationSuccess']['attributes']
+          name = try_content(attributes, 'cn')
+          authorities = try_content(attributes, 'authorities')
+
+          Cassette::Authentication::User.new(login: login, name: name, authorities: authorities,
+                                             ticket: ticket, config: config)
+        end
+      end
+    end
+
     def validate_uri
       "#{config.base.gsub(/\/?$/, '')}/serviceValidate"
     end

data/lib/cassette/cache.rb

@@ -6,8 +6,8 @@ module Cassette
   module Cache
     def backend
       @backend ||= begin
-        if defined?(Rails) && Rails.cache
-          Rails.cache
+        if defined?(::Rails) && ::Rails.cache
+          ::Rails.cache
         else
           ActiveSupport::Cache::MemoryStore.new
         end

data/lib/cassette/client/cache.rb

@@ -3,41 +3,45 @@
 require 'cassette/client'
 require 'cassette/cache'
 
-class Cassette::Client::Cache
-  include Cassette::Cache
-
-  def initialize(logger)
-    self.logger = logger
-  end
-
-  def fetch_tgt(options = {}, &_block)
-    options = { expires_in: 4 * 3600, max_uses: 5000, force: false }.merge(options)
-    fetch('Cassette::Client.tgt', options) do
-      self.clear_st_cache!
-      logger.info 'TGT is not cached'
-      yield
-    end
-  end
-
-  def fetch_st(service, options = {}, &_block)
-    options = { max_uses: 2000, expires_in: 252, force: false }.merge(options)
-    fetch("Cassette::Client.st(#{service})", options) do
-      logger.info "ST for #{service} is not cached"
-      yield
+module Cassette
+  class Client
+    class Cache
+      include Cassette::Cache
+
+      def initialize(logger)
+        self.logger = logger
+      end
+
+      def fetch_tgt(options = {}, &_block)
+        options = { expires_in: 4 * 3600, max_uses: 5000, force: false }.merge(options)
+        fetch('Cassette::Client.tgt', options) do
+          self.clear_st_cache!
+          logger.info 'TGT is not cached'
+          yield
+        end
+      end
+
+      def fetch_st(service, options = {}, &_block)
+        options = { max_uses: 2000, expires_in: 252, force: false }.merge(options)
+        fetch("Cassette::Client.st(#{service})", options) do
+          logger.info "ST for #{service} is not cached"
+          yield
+        end
+      end
+
+      def clear_tgt_cache!
+        backend.delete('Cassette::Client.tgt')
+        backend.delete("#{uses_key('Cassette::Client.tgt')}")
+      end
+
+      def clear_st_cache!
+        backend.delete_matched('Cassette::Client.st*')
+        backend.delete_matched("#{uses_key('Cassette::Client.st')}*")
+      end
+
+      protected
+
+      attr_accessor :logger
     end
   end
-
-  def clear_tgt_cache!
-    backend.delete('Cassette::Client.tgt')
-    backend.delete("#{uses_key('Cassette::Client.tgt')}")
-  end
-
-  def clear_st_cache!
-    backend.delete_matched('Cassette::Client.st*')
-    backend.delete_matched("#{uses_key('Cassette::Client.st')}*")
-  end
-
-  protected
-
-  attr_accessor :logger
 end

data/lib/cassette/client.rb

@@ -3,8 +3,8 @@
 module Cassette
   class Client
     def self.method_missing(name, *args)
-      @@default_client ||= new
-      @@default_client.send(name, *args)
+      @default_client ||= new
+      @default_client.send(name, *args)
     end
 
     def initialize(opts = {})
@@ -28,9 +28,10 @@ module Cassette
       end
     end
 
-    def st(tgt, service, force = false)
+    def st(tgt_param, service, force = false)
       logger.info "Requesting ST for #{service}"
       cache.fetch_st(service, force: force) do
+        tgt = tgt_param.respond_to?(:call) ? tgt_param[] : tgt_param
         response = http.post("#{tickets_uri}/#{tgt}", service: service)
         response.body.tap do |st|
           logger.info "ST is #{st}"
@@ -47,7 +48,7 @@ module Cassette
     attr_accessor :cache, :logger, :http, :config
 
     def st_with_retry(user, pass, service, retrying = false)
-      st(tgt(user, pass, retrying), service)
+      st(->{ tgt(user, pass, retrying) }, service)
     rescue Cassette::Errors::NotFound => e
       raise e if retrying
 

data/lib/cassette/http/parsed_response.rb

@@ -0,0 +1,20 @@
+require 'delegate'
+require 'active_support/xml_mini'
+
+module Cassette
+  module Http
+    class ParsedResponse < SimpleDelegator
+      def initialize(raw_content, parser = XMLParser)
+        super(parser.call(raw_content))
+      end
+
+      XMLParser = lambda do |raw_content|
+        ActiveSupport::XmlMini.with_backend('LibXML') do
+          ActiveSupport::XmlMini.parse(raw_content)
+        end
+      end
+
+      private_constant :XMLParser
+    end
+  end
+end