cassette 1.0.18 → 1.1.0

data/lib/cassette/http/request.rb

@@ -0,0 +1,44 @@
+module Cassette
+  module Http
+    module Request
+      extend self
+
+      def post(uri, payload, timeout = DEFAULT_TIMEOUT)
+        perform(:post, uri, timeout) do |request|
+          request.body = URI.encode_www_form(payload)
+        end
+      end
+
+      private
+
+      def perform(http_verb, uri, timeout, &block)
+        request(uri, timeout)
+          .tap(&log_request)
+          .public_send(http_verb, &block)
+          .tap(&check_response)
+      end
+
+      def request(uri, timeout)
+        Faraday.new(url: uri, ssl: { verify: false, version: 'TLSv1' }) do |con|
+          con.adapter Faraday.default_adapter
+          con.options.timeout = timeout
+        end
+      end
+
+      def log_request
+        lambda { |request| Cassette.logger.debug "Request: #{request.inspect}" }
+      end
+
+      def check_response
+        lambda do |resp|
+          Cassette.logger.debug(
+            "Got response: #{resp.body.inspect} (#{resp.status}), " \
+            "#{resp.headers.inspect}"
+          )
+
+          Cassette::Errors.raise_by_code(resp.status) unless resp.success?
+        end
+      end
+    end
+  end
+end

data/lib/cassette/http/ticket_response.rb

@@ -0,0 +1,48 @@
+module Cassette
+  module Http
+    class TicketResponse
+      def initialize(response)
+        @content = ParsedResponse.new(response)
+      end
+
+      def login
+        fetch_val(
+          content,
+          'serviceResponse',
+          'authenticationSuccess',
+          'user',
+          '__content__'
+        )
+      end
+
+      def name
+        fetch_val(attributes, 'cn', '__content__')
+      end
+
+      def authorities
+        fetch_val(attributes, 'authorities', '__content__')
+      end
+
+      private
+
+      attr_reader :content
+
+      def fetch_val(hash, *keys)
+        keys.reduce(hash, &access_key)
+      end
+
+      def access_key
+        lambda { |hash, key| hash.try(:[], key) }
+      end
+
+      def attributes
+        fetch_val(
+          content,
+          'serviceResponse',
+          'authenticationSuccess',
+          'attributes'
+        )
+      end
+    end
+  end
+end

data/lib/cassette/http.rb

@@ -0,0 +1,8 @@
+require_relative 'http/request'
+require_relative 'http/parsed_response'
+require_relative 'http/ticket_response'
+
+module Cassette
+  module Http
+  end
+end

data/lib/cassette/rubycas/helper.rb

@@ -6,6 +6,7 @@ module Cassette
   module Rubycas
     module Helper
       extend ActiveSupport::Concern
+      extend UserFactory
 
       included do
         before_filter :validate_authentication_ticket
@@ -60,14 +61,7 @@ module Cassette
         return fake_user if ENV['NOAUTH']
         return nil unless session[:cas_user]
 
-        @current_user ||= begin
-          attributes = session[:cas_extra_attributes]
-          Cassette::Authentication::User.new(login: session[:cas_user],
-                                             name: attributes.try(:[], :cn),
-                                             email: attributes.try(:[], :email),
-                                             authorities: attributes.try(:[], :authorities),
-                                             type: attributes.try(:[], :type).try(:downcase))
-        end
+        @current_user ||= from_session(session)
       end
     end
   end

data/lib/cassette/rubycas/routing_constraint.rb

@@ -0,0 +1,23 @@
+module Cassette
+  module Rubycas
+    class RoutingConstraint
+      include UserFactory
+
+      attr_reader :role, :options
+
+      def initialize(role, opts = {})
+        defaults = { raw: false }
+        @role = role
+        @options = defaults.merge(opts)
+      end
+
+      def matches?(request)
+        user = from_session(request.session)
+
+        meth = options[:raw] ? :has_raw_role? : :has_role?
+
+        user.send(meth, role)
+      end
+    end
+  end
+end

data/lib/cassette/rubycas/single_sign_out_constraint.rb

@@ -3,18 +3,18 @@
 module Cassette
   module Rubycas
     class SingleSignOutConstraint
+      LOGOUT_PAYLOAD_EXPR = %r{<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)<\/samlp:SessionIndex}m
+
+      def logout_request?(params)
+        [params['logoutRequest'], URI.unescape(params['logoutRequest'])].find { |xml| xml =~ LOGOUT_PAYLOAD_EXPR }
+      end
+
       def matches?(request)
-        if (content_type = request.headers['CONTENT_TYPE']) &&
-           content_type =~ /^multipart\//
+        if (content_type = request.headers['CONTENT_TYPE']) && content_type =~ %r{^multipart/}
           return false
         end
 
-        if request.post? &&
-           request.request_parameters['logoutRequest'] &&
-           [request.request_parameters['logoutRequest'],
-            URI.unescape(request.request_parameters['logoutRequest'])]
-           .find { |xml| xml =~ /^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)<\/samlp:SessionIndex>/m }
-
+        if request.post? && request.request_parameters['logoutRequest'] && logout_request?(request.request_parameters)
           Cassette.logger.debug "Intercepted a single sign out request on #{request}"
           return true
         end

data/lib/cassette/rubycas/user_factory.rb

@@ -0,0 +1,14 @@
+module Cassette
+  module Rubycas
+    module UserFactory
+      def from_session(session)
+        attributes = session[:cas_extra_attributes]
+        Cassette::Authentication::User.new(login: session[:cas_user],
+                                           name: attributes.try(:[], :cn),
+                                           email: attributes.try(:[], :email),
+                                           authorities: attributes.try(:[], :authorities),
+                                           type: attributes.try(:[], :type).try(:downcase))
+      end
+    end
+  end
+end

data/lib/cassette/rubycas.rb

@@ -1,8 +1,10 @@
 # encoding: UTF-8
 
+require 'cassette/rubycas/user_factory'
 require 'cassette/rubycas/helper'
 require 'cassette/rubycas/single_sign_out_constraint'
 require 'cassette/rubycas/not_single_sign_out_constraint'
+require 'cassette/rubycas/routing_constraint'
 
 module Cassette
   module Rubycas

data/lib/cassette/version.rb

@@ -1,8 +1,8 @@
 module Cassette
   class Version
     MAJOR = '1'
-    MINOR = '0'
-    PATCH = '18'
+    MINOR = '1'
+    PATCH = '0'
 
     def self.version
       [MAJOR, MINOR, PATCH].join('.')

data/lib/cassette.rb

@@ -2,6 +2,7 @@
 
 require 'cassette/errors'
 require 'cassette/cache'
+require 'cassette/http'
 require 'cassette/client/cache'
 require 'cassette/client'
 require 'cassette/authentication'
@@ -16,62 +17,23 @@ require 'logger'
 module Cassette
   extend self
 
+  attr_writer :config, :logger
+
   DEFAULT_TIMEOUT = 10
 
   def logger
-    @@logger ||= begin
-                   if defined?(Rails) && Rails.logger
-                     Rails.logger
-                   else
-                     Logger.new('/dev/null')
-                   end
-                 end
-  end
-
-  def logger=(logger)
-    @@logger = logger
+    @logger ||= begin
+                  if defined?(::Rails) && ::Rails.logger
+                    ::Rails.logger
+                  else
+                    Logger.new('/dev/null')
+                  end
+                end
   end
 
   def config
-    if defined?(@@config)
-      @@config
-    end
-  end
-
-  def config=(config)
-    @@config = config
-  end
-
-  def new_request(uri, timeout)
-    Faraday.new(url: uri, ssl: { verify: false, version: 'TLSv1' }) do |builder|
-      builder.adapter Faraday.default_adapter
-      builder.options.timeout = timeout
-    end
+    @config if defined?(@config)
   end
 
-  def get(uri, payload, timeout = DEFAULT_TIMEOUT)
-    perform(:get, uri, payload, timeout) do |req|
-      req.params = payload
-      logger.debug "Request: #{req.inspect}"
-    end
-  end
-
-  def post(uri, payload, timeout = DEFAULT_TIMEOUT)
-    perform(:post, uri, payload, timeout) do |req|
-      req.body = URI.encode_www_form(payload)
-      logger.debug "Request: #{req.inspect}"
-    end
-  end
-
-  protected
-
-  def perform(op, uri, _payload, timeout = DEFAULT_TIMEOUT, &block)
-    request = new_request(uri, timeout)
-    res = request.send(op, &block)
-
-    res.tap do |response|
-      logger.debug "Got response: #{response.body.inspect} (#{response.status}), #{response.headers.inspect}"
-      Cassette::Errors.raise_by_code(response.status) unless response.success?
-    end
-  end
+  delegate :post, to: :'Http::Request'
 end

data/spec/cassette/authentication/authorities_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+
 
 describe Cassette::Authentication::Authorities do
   subject do

data/spec/cassette/authentication/cache_spec.rb

@@ -1,8 +1,44 @@
-
 # encoding: utf-8
 
-require 'spec_helper'
-
 describe Cassette::Authentication::Cache do
-  pending
+  subject(:cache) { described_class.new(Logger.new('/dev/null')) }
+
+  describe '#fetch_authentication' do
+    subject(:fetch_authentication) do
+      cache.fetch_authentication(ticket, service, &block)
+    end
+
+    let(:second_call) do
+      cache.fetch_authentication(ticket, service, &other_block)
+    end
+    let(:call_with_other_service) do
+      cache.fetch_authentication(ticket, other_service, &other_block)
+    end
+
+    let(:ticket) { 'ticket' }
+
+    let(:service) { 'lala' }
+    let(:other_service) { 'popo' }
+
+    let(:block) { -> { 1 } }
+    let(:other_block) { -> { 2 } }
+
+
+    before { cache.fetch_authentication(ticket, service, &block) }
+
+    it { is_expected.to eq(1) }
+
+    context 'when for a second time' do
+      it  { expect(second_call).to eq(1) }
+
+      it do
+        expect(other_block).not_to receive(:call)
+        second_call
+      end
+
+      context 'when calling with a different service' do
+        it  { expect(call_with_other_service).to eq(2) }
+      end
+    end
+  end
 end

data/spec/cassette/authentication/filter_spec.rb

@@ -1,24 +1,12 @@
 # encoding: utf-8
 
-require 'spec_helper'
-require 'active_support/core_ext/hash/indifferent_access'
+
 
 describe Cassette::Authentication::Filter do
   before do
     allow(Cassette::Authentication).to receive(:validate_ticket)
   end
 
-  class ControllerMock
-    attr_accessor :params, :request, :current_user
-    def self.before_filter(*); end
-    include Cassette::Authentication::Filter
-
-    def initialize(params = {}, headers = {})
-      self.params = params.with_indifferent_access
-      self.request = OpenStruct.new(headers: headers.with_indifferent_access)
-    end
-  end
-
   shared_context 'with NOAUTH' do
     before do
       ENV['NOAUTH'] = 'yes'
@@ -30,7 +18,7 @@ describe Cassette::Authentication::Filter do
   end
 
   describe '#validate_raw_role!' do
-    let(:controller) { ControllerMock.new }
+    let(:controller) { ControllerMock(described_class).new }
     let(:current_user) { instance_double(Cassette::Authentication::User) }
 
     before do
@@ -64,7 +52,7 @@ describe Cassette::Authentication::Filter do
   end
 
   describe '#validate_role!' do
-    let(:controller) { ControllerMock.new }
+    let(:controller) { ControllerMock(described_class).new }
     let(:current_user) { instance_double(Cassette::Authentication::User) }
 
     before do
@@ -97,7 +85,6 @@ describe Cassette::Authentication::Filter do
     end
   end
 
-
   describe '#validate_authentication_ticket' do
     shared_examples_for 'controller without authentication' do
       it 'does not validate tickets' do
@@ -113,14 +100,14 @@ describe Cassette::Authentication::Filter do
 
     it_behaves_like 'with NOAUTH' do
       context 'and no ticket' do
-        let(:controller) { ControllerMock.new }
+        let(:controller) { ControllerMock(described_class).new }
 
         it_behaves_like 'controller without authentication'
       end
 
       context 'and a ticket header' do
         let(:controller) do
-          ControllerMock.new({}, 'Service-Ticket' => 'le ticket')
+          ControllerMock(described_class).new({}, 'Service-Ticket' => 'le ticket')
         end
 
         it_behaves_like 'controller without authentication'
@@ -128,43 +115,126 @@ describe Cassette::Authentication::Filter do
 
       context 'and a ticket param' do
         let(:controller) do
-          ControllerMock.new(ticket: 'le ticket')
+          ControllerMock(described_class).new(ticket: 'le ticket')
         end
 
         it_behaves_like 'controller without authentication'
       end
     end
 
-    context 'with a ticket in the query string *AND* headers' do
+    context 'when accepts_authentication_service? returns false' do
       let(:controller) do
-        ControllerMock.new({ 'ticket' => 'le other ticket' }, 'Service-Ticket' => 'le ticket')
+        ControllerMock(described_class).new(ticket: 'le ticket')
       end
 
-      it 'should send only the header ticket to validation' do
-        controller.validate_authentication_ticket
-        expect(Cassette::Authentication).to have_received(:validate_ticket).with('le ticket', Cassette.config.service)
+      before do
+        expect(controller).to receive(:accepts_authentication_service?)
+          .with(Cassette.config.service) { false }
+      end
+
+      it 'raises a Cassette::Errors::Forbidden' do
+        expect { controller.validate_authentication_ticket }
+          .to raise_error(Cassette::Errors::Forbidden)
       end
     end
 
-    context 'with a ticket in the query string' do
-      let(:controller) do
-        ControllerMock.new('ticket' => 'le ticket')
+    context 'when accepts_authentication_service? returns true' do
+      before do
+        expect(controller).to receive(:accepts_authentication_service?).with(anything) { true }
       end
 
-      it 'should send the ticket to validation' do
-        controller.validate_authentication_ticket
-        expect(Cassette::Authentication).to have_received(:validate_ticket).with('le ticket', Cassette.config.service)
+      context 'with a ticket in the query string *AND* headers' do
+        let(:controller) do
+          ControllerMock(described_class).new({ 'ticket' => 'le other ticket' },
+                                              'Service-Ticket' => 'le ticket')
+        end
+
+        it 'should send only the header ticket to validation' do
+          controller.validate_authentication_ticket
+          expect(Cassette::Authentication).to have_received(:validate_ticket).with('le ticket', Cassette.config.service)
+        end
+      end
+
+      context 'with a ticket in the query string' do
+        let(:controller) do
+          ControllerMock(described_class).new('ticket' => 'le ticket')
+        end
+
+        it 'should send the ticket to validation' do
+          controller.validate_authentication_ticket
+          expect(Cassette::Authentication).to have_received(:validate_ticket).with('le ticket', Cassette.config.service)
+        end
       end
+
+      context 'when #authentication_service is overriden' do
+        let(:controller) do
+          mod = Module.new do
+            def authentication_service
+              "subdomain.#{Cassette.config.service}"
+            end
+          end
+
+          ControllerMock(described_class, mod).new({}, 'Service-Ticket' => 'le ticket')
+        end
+
+        it 'validates with the overriden value and not the config' do
+          controller.validate_authentication_ticket
+
+          expect(Cassette::Authentication).to have_received(:validate_ticket)
+            .with('le ticket', "subdomain.#{Cassette.config.service}")
+        end
+      end
+
+      context 'with a ticket in the Service-Ticket header' do
+        let(:controller) do
+          ControllerMock(described_class).new({}, 'Service-Ticket' => 'le ticket')
+        end
+
+        it 'sends the ticket to validation' do
+          controller.validate_authentication_ticket
+
+          expect(Cassette::Authentication).to have_received(:validate_ticket)
+            .with('le ticket', Cassette.config.service)
+        end
+      end
+    end
+  end
+
+  describe '#accepts_authentication_service?' do
+    let(:controller) do
+      ControllerMock(described_class).new(ticket: 'le ticket')
     end
 
-    context 'with a ticket in the Service-Ticket header' do
-      let(:controller) do
-        ControllerMock.new({}, 'Service-Ticket' => 'le ticket')
+    before do
+      allow(Cassette).to receive(:config) { config }
+    end
+
+    subject { controller.accepts_authentication_service?(service) }
+
+    context 'when config responds to #services' do
+      let(:subdomain) { "subdomain.acme.org" }
+      let(:not_related) { "acme.org" }
+
+      let(:config) do
+        OpenStruct.new(YAML.load_file('spec/config.yml').merge(services: [subdomain]))
       end
 
-      it 'should send the ticket to validation' do
-        controller.validate_authentication_ticket
-        expect(Cassette::Authentication).to have_received(:validate_ticket).with('le ticket', Cassette.config.service)
+      context 'and the authentication service is included in the configuration' do
+        let(:service) { subdomain }
+
+        it { is_expected.to eq true }
+      end
+
+      context 'and the authentication service is Cassette.config.service' do
+        let(:service) { Cassette.config.service }
+
+        it { is_expected.to eq true }
+      end
+
+      context 'and the authentication service is not included in the configuration' do
+        let(:service) { not_related }
+
+        it { is_expected.to eq false }
       end
     end
   end

data/spec/cassette/authentication/user_factory_spec.rb

@@ -0,0 +1,42 @@
+require 'spec_helper'
+
+RSpec.describe Cassette::Rubycas::UserFactory do
+  let(:mod) do
+    Module.new do
+      extend Cassette::Rubycas::UserFactory
+      extend self
+    end
+  end
+
+  describe '#from_session' do
+    let(:session) do
+      name = Faker.name
+
+      {
+        cas_user: Faker::Internet.user_name(name),
+        cas_extra_attributes: {
+          email: Faker::Internet.email(name),
+          type: 'Customer',
+          authorities: '[CASTEST_ADMIN]'
+        }
+      }
+    end
+
+    let(:attributes) do
+      session[:cas_extra_attributes]
+    end
+
+    subject do
+      mod.from_session(session)
+    end
+
+    context 'with default attributes' do
+      its(:login) { is_expected.to eq(session[:cas_user]) }
+      its(:name) { is_expected.to eq(attributes[:name]) }
+      its(:email) { is_expected.to eq(attributes[:email]) }
+      its(:type) { is_expected.to eq(attributes[:type].downcase) }
+      it { is_expected.to be_customer }
+      it { is_expected.not_to be_employee }
+    end
+  end
+end

data/spec/cassette/authentication/user_spec.rb

@@ -1,4 +1,4 @@
-require 'spec_helper'
+
 
 describe Cassette::Authentication::User do
   let(:base_authority) do
@@ -20,13 +20,14 @@ describe Cassette::Authentication::User do
         expect(config).to receive(:base_authority).and_return('TESTAPI')
         expect(Cassette::Authentication::Authorities).to receive(:new).with('[CUSTOMERAPI, SAPI]', 'TESTAPI')
 
-        Cassette::Authentication::User.new(login: 'john.doe', name: 'John Doe', authorities: '[CUSTOMERAPI, SAPI]', config: config)
+        Cassette::Authentication::User.new(login: 'john.doe', name: 'John Doe',
+                                           authorities: '[CUSTOMERAPI, SAPI]', config: config)
       end
     end
   end
 
   describe '#has_role?' do
-    let (:user) do
+    let(:user) do
       Cassette::Authentication::User.new(login: 'john.doe', name: 'John Doe',
                                          authorities: "[#{base_authority}, SAPI, #{base_authority}_CREATE-USER]")
     end