cassette 1.0.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    MzAxZTBjNTNjZjEwYWY0YzQ4Y2U0YjliYzFhMzYyNjAyM2Y1NDUxYw==
+  data.tar.gz: !binary |-
+    NDMwZGU1NmEzNWNjMDAxODY2NjNmODgwNDM5MDgwM2QzY2VlZTBjYg==
+SHA512:
+  metadata.gz: !binary |-
+    OWNmZjk2MGUyMjI5NzkwNjhkMDczOTI2NjJkZWVjMDgxYzRlZjBkZDRjYWM0
+    ODUyZjAzMTBiOGMyM2ZhYWMyZTc4MDhlN2Q1ZmRlZWJhMzQ1MGYyYmVmZWZk
+    MWI5YzAxZDgzMTQ4NDQ3NjVkYjQxM2RhMDIwZmY4Zjg2MTI4ZWE=
+  data.tar.gz: !binary |-
+    Yzc1ZjM0MTk4OTQyYTJmYTMxODRiYWRjOWY0N2ZjMDBmMDcwZDI4ZDYxOTg1
+    YTI5M2U3ODhhZTMyNjc4MGYyZDE5OTU2MzgxODQxOWY1NDIyMmI3MTU4Yjg1
+    MjIxOWRhNWFiMDc2YTIxYjVhZjNjNGY4NGNhNjkyOTgxNmFlZjY=

data/README.md

@@ -0,0 +1,106 @@
+# Cassette::Client
+
+Library to generate and validate STs and TGTs
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'cassette'
+
+And then execute:
+
+    $ bundle
+
+## Usage
+
+Require this library and create an intializer to set its configuration:
+
+
+    Cassette.config = config
+
+
+where config is an object that responds to the methods #base for the base CAS uri, #username and #password
+if you are authenticating on other systems and #service and #base\_authority if you are using the authentication filter
+to authenticate your app
+
+
+You may also set the caching backend using the .backend= module method:
+
+
+    Cassette::Cache.backend = ActiveSupport::Cache::MemcacheStorage.new
+
+
+By default, Cassette::Cache will check if you have Rails.cache defined or instantiate a new ActiveSupport::Cache::MemoryStore
+
+
+To authenticate your Rails app, add to your ApplicationController (or any authenticated controller):
+
+
+    class ApplicationController < ActionController::Base
+      include Cassette::Authentication::Filter
+
+
+      (...)
+
+    end
+
+
+You should also rescue from Cassette::Errors::Forbidden with more friendly errors
+
+If you wish to have actions that skip the authentication filter, add to your controller:
+
+
+    skip_authentication [options]
+
+
+Where options are the same options you can pass to Rails' __skip_before_filter__ method
+
+## RubyCAS client helpers
+
+
+If you are authenticating users with RubyCAS and want role checking, in your rubycas initializer:
+
+
+    require "cas/rubycas"
+
+
+And in your ApplicationController (or any authenticated controller):
+
+
+    include Cassette::Rubycas::Helper
+
+    # - Allow only employees:
+    #
+    # before_filter :employee_only_filter
+    #
+    # rescue_from Cassette::Errors::NotAnEmployee d
+    #   redirect_to '/403.html'
+    # end
+
+    # - Allow only customers:
+    #
+    # before_filter :customer_only_filter
+    #
+    # rescue_from Cassette::Errors::NotACustomer do
+    #   redirect_to '/403.html'
+    # end
+
+
+## Instantiating Cassette::Client and Cassette::Authentication
+
+You can create your own instances of __Cassette::Client__ (st/tgt generator) and __Cassette::Authentication__ (st validator).
+
+The constructor accepts a hash with keys (as symbols) for the values of cache, logger, http_client and configuration.
+
+All values default to the same values used when accessing the class methods directly.
+
+Please check the constructors or integration specs for details.
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Added some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/lib/cassette/authentication/authorities.rb

@@ -0,0 +1,37 @@
+# encoding: UTF-8
+
+require "cassette/authentication"
+
+class Cassette::Authentication::Authorities
+  def self.parse(authorities, base_authority = nil)
+    new(authorities, base_authority)
+  end
+
+  def base
+    @base_authority.to_s.upcase
+  end
+
+  def has_raw_role?(role)
+    return true if ENV["NOAUTH"]
+    @authorities.include?(role)
+  end
+
+  def has_role?(role)
+    return true if ENV["NOAUTH"]
+    has_raw_role?("#{base}_#{role.to_s.upcase.gsub("_", "-")}")
+  end
+
+  def initialize(authorities, base_authority = nil)
+    @base_authority = base_authority || Cassette.config.base_authority
+
+    if authorities.is_a?(String)
+      @authorities = authorities.gsub(/^\[(.*)\]$/, "\\1").split(",").map(&:strip)
+    else
+      @authorities = Array(authorities).map(&:strip)
+    end
+  end
+
+  def authorities
+    @authorities.dup
+  end
+end

data/lib/cassette/authentication/cache.rb

@@ -0,0 +1,30 @@
+# encoding: UTF-8
+
+require "cassette/authentication"
+require "cassette/cache"
+
+class Cassette::Authentication::Cache
+  include Cassette::Cache
+
+  def initialize(logger)
+    self.logger = logger
+  end
+
+  def fetch_authentication(ticket, options = {}, &block)
+    options = {expires_in: 5 * 60, max_uses: 5000, force: false}.merge(options)
+    fetch("Cassette::Authentication.validate_ticket(#{ticket})", options) do
+      logger.info("Authentication for #{ticket} is not cached")
+      block.call
+    end
+  end
+
+  def clear_authentication_cache!
+    backend.delete_matched("Cassette::Authentication.validate_ticket*")
+    backend.delete_matched("#{uses_key("Cassette::Authentication.validate_ticket")}*")
+  end
+
+  protected
+
+  attr_accessor :logger
+end
+

data/lib/cassette/authentication/filter.rb

@@ -0,0 +1,41 @@
+# encoding: UTF-8
+
+require "active_support/concern"
+require "cassette/authentication/user"
+
+module Cassette::Authentication::Filter
+  extend ActiveSupport::Concern
+
+  included do |controller|
+    controller.before_filter(:validate_authentication_ticket)
+    controller.send(:attr_accessor, :current_user)
+  end
+
+  module ClassMethods
+    def skip_authentication(*options)
+      skip_before_filter :validate_authentication_ticket, *options
+    end
+  end
+
+  def validate_authentication_ticket(service = Cassette.config.service)
+    ticket = request.headers["Service-Ticket"] || params[:ticket]
+
+    if ENV["NOAUTH"] && !ticket
+      Cassette.logger.debug "NOAUTH set and no Service Ticket, skipping authentication"
+      self.current_user = Cassette::Authentication::User.new
+      return
+    end
+
+    self.current_user = Cassette::Authentication.validate_ticket(ticket, service)
+  end
+
+  def validate_role!(role)
+    return if ENV["NOAUTH"]
+    raise Cassette::Errors::Forbidden unless current_user.has_role?(role)
+  end
+
+  def validate_raw_role!(role)
+    return if ENV["NOAUTH"]
+    raise Cassette::Errors::Forbidden unless current_user.has_raw_role?(role)
+  end
+end

data/lib/cassette/authentication/user.rb

@@ -0,0 +1,27 @@
+# encoding: UTF-8
+
+require "cassette/authentication"
+require "cassette/authentication/authorities"
+require "delegate"
+
+class Cassette::Authentication::User
+  attr_accessor :login, :name, :authorities, :email, :ticket
+  delegate :has_role?, :has_raw_role?, to: :@authorities
+
+  def initialize(attrs = {})
+    config       = attrs[:config]
+    @login       = attrs[:login]
+    @name        = attrs[:name]
+    @type        = attrs[:type]
+    @email       = attrs[:email]
+    @ticket      = attrs[:ticket]
+    @authorities = Cassette::Authentication::Authorities
+      .parse(attrs.fetch(:authorities, "[]"), config && config.base_authority)
+  end
+
+  %w(customer employee).each do |type|
+    define_method :"#{type}?" do
+      !@type.nil? && @type.to_s.downcase == type.to_s
+    end
+  end
+end

data/lib/cassette/authentication.rb

@@ -0,0 +1,72 @@
+# encoding: UTF-8
+
+require "active_support/xml_mini"
+ActiveSupport::XmlMini.backend = 'LibXML'
+
+module Cassette
+  class Authentication
+    def self.method_missing(name, *args)
+      @@default_authentication ||= new
+      @@default_authentication.send(name, *args)
+    end
+
+    def initialize(opts = {})
+      self.config = opts.fetch(:config, Cassette.config)
+      self.logger = opts.fetch(:logger, Cassette.logger)
+      self.http   = opts.fetch(:http_client, Cassette)
+      self.cache  = opts.fetch(:cache, Cassette::Authentication::Cache.new(logger))
+    end
+
+    def validate_ticket(ticket, service = config.service)
+      logger.debug "Cassette::Authentication validating ticket: #{ticket}"
+      raise Cassette::Errors::AuthorizationRequired if ticket.nil? || ticket.blank?
+
+      user = ticket_user(ticket, service)
+      logger.info "Cassette::Authentication user: #{user.inspect}"
+
+      raise Cassette::Errors::Forbidden unless user
+
+      user
+    end
+
+    def ticket_user(ticket, service = config.service)
+      cache.fetch_authentication(ticket) do
+        begin
+          logger.info("Validating #{ticket} on #{validate_uri}")
+          response = http.post(validate_uri, ticket: ticket, service: service).body
+
+          logger.info("Validation resut: #{response.inspect}")
+
+          user = nil
+
+          ActiveSupport::XmlMini.with_backend("LibXML") do
+            result = ActiveSupport::XmlMini.parse(response)
+
+            login = result.try(:[], "serviceResponse").try(:[], "authenticationSuccess").try(:[], "user").try(:[], "__content__")
+
+            if login
+              attributes = result["serviceResponse"]["authenticationSuccess"]["attributes"]
+              name = attributes.try(:[], "cn").try(:[], "__content__")
+              authorities = attributes.try(:[], "authorities").try(:[], "__content__")
+
+              user = Cassette::Authentication::User.new(login: login, name: name, authorities: authorities, ticket: ticket, config: config)
+            end
+          end
+
+          user
+        rescue => exception
+          logger.error "Error while authenticating ticket #{ticket}: #{exception.message}"
+          raise Cassette::Errors::Forbidden.new(exception.message)
+        end
+      end
+    end
+
+    protected
+
+    attr_accessor :cache, :logger, :http, :config
+
+    def validate_uri
+      "#{config.base.gsub(/\/?$/, "")}/serviceValidate"
+    end
+  end
+end

data/lib/cassette/cache.rb

@@ -0,0 +1,42 @@
+# encoding: UTF-8
+
+require "active_support/cache"
+
+module Cassette
+  module Cache
+    def backend
+      @backend ||= begin
+        if defined?(Rails) && Rails.cache
+          Rails.cache
+        else
+          ActiveSupport::Cache::MemoryStore.new
+        end
+      end
+    end
+
+    def backend=(backend)
+      @backend = backend
+    end
+
+    def uses_key(key)
+      "uses:#{key}"
+    end
+
+    def fetch(key, options = {}, &block)
+      if options[:max_uses].to_i != 0
+        uses_key = self.uses_key(key)
+        uses = backend.read(uses_key, raw: true)
+        backend.write(uses_key, 0, raw: true, expires_in: options[:expires_in]) if uses.nil?
+
+        if uses.to_i >= options[:max_uses].to_i
+          options[:force] = true
+          backend.write(uses_key, 0, raw: true, expires_in: options[:expires_in])
+        else
+          backend.increment(uses_key)
+        end
+      end
+
+      backend.fetch(key, options, &block)
+    end
+  end
+end

data/lib/cassette/client/cache.rb

@@ -0,0 +1,43 @@
+# encoding: UTF-8
+
+require "cassette/client"
+require "cassette/cache"
+
+class Cassette::Client::Cache
+  include Cassette::Cache
+
+  def initialize(logger)
+    self.logger = logger
+  end
+
+  def fetch_tgt(options = {}, &block)
+    options = {expires_in: 4 * 3600, max_uses: 5000, force: false}.merge(options)
+    fetch("Cassette::Client.tgt", options) do
+      self.clear_st_cache!
+      logger.info "TGT is not cached"
+      yield
+    end
+  end
+
+  def fetch_st(service, options = {}, &block)
+    options = {max_uses: 2000, expires_in: 252, force: false}.merge(options)
+    fetch("Cassette::Client.st(#{service})", options) do
+      logger.info "ST for #{service} is not cached"
+      yield
+    end
+  end
+
+  def clear_tgt_cache!
+    backend.delete("Cassette::Client.tgt")
+    backend.delete("#{uses_key("Cassette::Client.tgt")}")
+  end
+
+  def clear_st_cache!
+    backend.delete_matched("Cassette::Client.st*")
+    backend.delete_matched("#{uses_key("Cassette::Client.st")}*")
+  end
+
+  protected
+
+  attr_accessor :logger
+end

data/lib/cassette/client.rb

@@ -0,0 +1,68 @@
+# encoding: UTF-8
+
+module Cassette
+  class Client
+    def self.method_missing(name, *args)
+      @@default_client ||= new
+      @@default_client.send(name, *args)
+    end
+
+    def initialize(opts = {})
+      self.config = opts.fetch(:config, Cassette.config)
+      self.logger = opts.fetch(:logger, Cassette.logger)
+      self.http   = opts.fetch(:http_client, Cassette)
+      self.cache  = opts.fetch(:cache, Cassette::Client::Cache.new(logger))
+    end
+
+    def health_check
+      st_for("monitoring")
+    end
+
+    def tgt(usr, pwd, force = false)
+      logger.info "Requesting TGT"
+      cache.fetch_tgt(force: force) do
+        response = http.post(tickets_uri, username: usr, password: pwd)
+        tgt = $1 if response.headers["Location"] =~ /tickets\/(.*)/
+        logger.info "TGT is #{tgt}"
+        tgt
+      end
+    end
+
+    def st(tgt, service, force = false)
+      logger.info "Requesting ST for #{service}"
+      cache.fetch_st(service, force: force) do
+        response = http.post("#{tickets_uri}/#{tgt}", service: service)
+        response.body.tap do |st|
+          logger.info "ST is #{st}"
+        end
+      end
+    end
+
+    def st_for(service_name)
+      st_with_retry(config.username, config.password, service_name)
+    end
+
+    protected
+
+    attr_accessor :cache, :logger, :http, :config
+
+    def st_with_retry(user, pass, service)
+      retrying = false
+      begin
+        st(tgt(user, pass, retrying), service)
+      rescue Cassette::Errors::NotFound => e
+        unless retrying
+          logger.info "Got 404 response, regenerating TGT"
+          retrying = true
+          retry
+        end
+        raise e
+      end
+    end
+
+    def tickets_uri
+      "#{config.base.gsub(/\/?$/, "")}/v1/tickets"
+    end
+  end
+end
+

data/lib/cassette/errors/not_a_customer.rb

@@ -0,0 +1,14 @@
+# encoding: utf-8
+
+require "cassette/errors"
+
+module Cassette
+  module Errors
+    class NotACustomer < Cassette::Errors::Base
+      def code
+        403
+      end
+    end
+  end
+end
+

data/lib/cassette/errors/not_an_employee.rb

@@ -0,0 +1,14 @@
+# encoding: utf-8
+
+require "cassette/errors"
+
+module Cassette
+  module Errors
+    class NotAnEmployee < Cassette::Errors::Base
+      def code
+        403
+      end
+    end
+  end
+end
+

data/lib/cassette/errors.rb

@@ -0,0 +1,44 @@
+# encoding: UTF-8
+
+require "active_support/inflector"
+
+module Cassette
+  module Errors
+    TYPES = {
+      401 => :authorization_required,
+      400 => :bad_request,
+      403 => :forbidden,
+      500 => :internal_server_error,
+      404 => :not_found,
+      412 => :precondition_failed,
+    }
+
+    def self.raise_by_code(code)
+      name = TYPES[code.to_i]
+
+      if name
+        raise error_class(name)
+      else
+        raise error_class(:internal_server_error)
+      end
+    end
+
+    def self.error_class(name)
+      "Cassette::Errors::#{name.to_s.camelize}".constantize
+    end
+
+    class Base < StandardError
+      def code
+        self.class.const_get("CODE")
+      end
+    end
+
+    TYPES.each do |status, name|
+      const_set(name.to_s.camelize, Class.new(Errors::Base))
+      error_class(name).const_set("CODE", status)
+    end
+  end
+end
+
+require "cassette/errors/not_an_employee"
+require "cassette/errors/not_a_customer"

data/lib/cassette/rubycas/helper.rb

@@ -0,0 +1,78 @@
+# encoding: UTF-8
+
+require "active_support/concern"
+
+module Cassette
+  module Rubycas
+    module Helper
+      extend ActiveSupport::Concern
+
+      included do
+        before_filter :validate_authentication_ticket
+        helper_method :current_user
+      end
+
+      module ClassMethods
+        def skip_authentication(*options)
+          skip_before_filter :validate_authentication_ticket, *options
+        end
+      end
+
+      def validate_authentication_ticket
+        return if ENV["NOAUTH"]
+        ::CASClient::Frameworks::Rails::Filter.filter(self)
+      end
+
+      def employee_only_filter
+        return if ENV["NOAUTH"] or current_user.blank?
+        raise Cassette::Errors::NotAnEmployee unless current_user.employee?
+      end
+
+      def customer_only_filter
+        return if ENV["NOAUTH"] or current_user.blank?
+        raise Cassette::Errors::NotACustomer unless current_user.customer?
+      end
+
+      def cas_logout(to = root_url)
+        session.destroy
+        ::CASClient::Frameworks::Rails::Filter.logout(self, to)
+      end
+
+      def fake_user
+        Cassette::Authentication::User.new({
+          login: "fake.user",
+          name: "Fake User",
+          email: "fake.user@locaweb.com.br",
+          authorities: [],
+          type: "customer"
+        })
+      end
+
+      def validate_role!(role)
+        return if ENV["NOAUTH"]
+        raise Cassette::Errors::Forbidden unless current_user.has_role?(role)
+      end
+
+      def validate_raw_role!(role)
+        return if ENV["NOAUTH"]
+        raise Cassette::Errors::Forbidden unless current_user.has_raw_role?(role)
+      end
+
+      def current_user
+        return fake_user if ENV["NOAUTH"]
+        return nil unless session[:cas_user]
+
+        @current_user ||= begin
+          attributes = session[:cas_extra_attributes]
+          Cassette::Authentication::User.new({
+            login: session[:cas_user],
+            name: attributes.try(:[], :cn),
+            email: attributes.try(:[], :email),
+            authorities: attributes.try(:[], :authorities),
+            type: attributes.try(:[], :type).try(:downcase)
+          })
+        end
+      end
+    end
+  end
+end

data/lib/cassette/rubycas/not_single_sign_out_constraint.rb

@@ -0,0 +1,14 @@
+# encoding: UTF-8
+
+require "cassette/rubycas/single_sign_out_constraint"
+
+module Cassette
+  module Rubycas
+    class NotSingleSignOutConstraint < SingleSignOutConstraint
+      def matches?(request)
+        !super(request)
+      end
+    end
+  end
+end
+

data/lib/cassette/rubycas/single_sign_out_constraint.rb

@@ -0,0 +1,27 @@
+# encoding: UTF-8
+
+module Cassette
+  module Rubycas
+    class SingleSignOutConstraint
+      def matches?(request)
+        if (content_type = request.headers["CONTENT_TYPE"]) &&
+            content_type =~ /^multipart\//
+          return false
+        end
+
+        if request.post? &&
+            request.request_parameters['logoutRequest'] &&
+            [request.request_parameters['logoutRequest'],
+              URI.unescape(request.request_parameters['logoutRequest'])]
+                .find { |xml| xml =~ /^<samlp:LogoutRequest.*?<samlp:SessionIndex>(.*)<\/samlp:SessionIndex>/m }
+
+          Cassette.logger.debug "Intercepted a single sign out request on #{request}"
+          return true
+        end
+
+        false
+      end
+    end
+  end
+end
+

data/lib/cassette/rubycas.rb

@@ -0,0 +1,11 @@
+# encoding: UTF-8
+
+require "cassette/rubycas/helper"
+require "cassette/rubycas/single_sign_out_constraint"
+require "cassette/rubycas/not_single_sign_out_constraint"
+
+module Cassette
+  module Rubycas
+  end
+end
+