classy_cas 0.9.1

data/README.textile

@@ -0,0 +1,160 @@
+h1. Classy CAS
+
+Single sign-on server based on the "CAS protocol":http://www.jasig.org/cas/protocol and implemented in Sinatra.
+
+* Single sign-on server
+* "CAS protocol":http://www.jasig.org/cas/protocol compliant
+* Implemented with "Sinatra":http://www.sinatrarb.com/
+* Uses "Redis":http://code.google.com/p/redis/
+* Pairs great with "OmniAuth":https://github.com/intridea/omniauth "CAS client":https://github.com/intridea/omniauth/tree/master/oa-enterprise 
+* Supports any "CAS protocol":http://www.jasig.org/cas/protocol compliant client from any language, framework, or platform (PHP, .NET, Java)
+
+
+On the client side, ClassyCAS pairs up nicely with "OmniAuth":https://github.com/intridea/omniauth and it's "CAS client implementation":https://github.com/intridea/omniauth/tree/master/oa-enterprise .  However clients are not only limited to either RubyonRails or Sinatra apps, because the server is built on the "CAS protocol":http://www.jasig.org/cas/protocol any compliant client in any language or framework which adheres to the protocol is supported, thus ClassyCAS is also well to suited to environments where Single sign-on is desired but where the ecosystem of applications is heterogeneous in terms of platforms.
+
+h2. Demo on Heroku
+
+* "Site 1 Protected Content":http://casclientone.heroku.com/
+* "Site 2 Protected Content":http://casclienttwo.heroku.com/
+* "ClassyCAS Server":http://classycas.heroku.com/
+
+Username is "test", password is "password".
+
+
+h2. Quick Start Demo
+
+<ol>
+ <li>Download and install Redis:"http://code.google.com/p/redis/"
+ (Feel free to also use homebrew if you're on a mac)
+<pre>
+<code>
+	 curl -O http://redis.googlecode.com/files/redis-2.0.4.tar.gz
+	 tar xvzf redis-2.0.4.tar.gz
+	 cd redis-2.0.4
+	 make
+	 sudo cp redis-server redis-cli redis-benchmark /usr/local/bin
+</code>
+</pre></li>
+
+<li>Install the first rails sign-on client example
+<pre>
+<code>
+	git clone git@github.com:Econify/classy_cas_client_example.git  first_client
+	cd first_client
+	bundle install
+</code>
+</pre></li>
+
+<li>Install a second rails sign-on client example
+<pre>
+<code>
+	git clone git@github.com:Econify/classy_cas_client_example.git second_client
+	cd second_client
+	bundle install
+</code>
+</pre></li>
+
+<li>Open the second rails sign-on client in a text editor and navigate to config/config.yml, edit the file to look like this:
+<pre>
+<code>
+	development:
+	    #first or second
+	    site_name: second
+	    other_site_url: http://0.0.0.0:3000</code>
+</pre></li>
+
+<li>Install ClassyCAS
+<pre>
+<code>
+	git clone git://github.com/Econify/ClassyCAS.git
+	bundle install
+</code>
+</pre></li>
+
+<li>Run it all together
+In your current terminal tab, start Redis in the background:
+<pre>
+<code>
+	redis-server
+</code>
+</pre></li>
+
+<li>Start the first client: open up a new tab, navigate to the first client app directory and start the app
+<pre>
+<code>
+	ruby script/server 
+</code>
+</pre></li>
+
+<li>Same thing for the second client but this time assign it to a different port
+<pre>
+<code>
+	ruby script/server -p 3001
+</code>
+</pre></li>
+
+<li>Open up yet another terminal tab (you should have four open now) and start ClassyCAS:
+<pre>
+<code>
+	shotgun config.ru
+</code>
+</pre></li>
+</ol>
+
+# Navigate to the first app in your browser
+# Click on the login link, and you'll be redirected to ClassyCAS
+# Login successfully with any username and password
+# You should be redirect back to the first site's protected area and you'll see a picture of a cow.
+# From the first site you'll see a link to take you to the other site, you won't see it but you are actually redirected by the second site to ClassyCAS for authentication (which does it via a session cookie) and then sent back to the second site where you'll see a picture of an eagle.
+# Click to logout from either site, you'll be taken back to ClassyCAS, navigate back to both and you should see that you are logged out from both.
+
+h2. User Authentication
+
+ClassyCAS is designed to a provide a vehicle for Single sign-on to multiple client apps and doesn't concern itself with the intricacies of authentication.  In other words, it's up to you to roll your own authentication.  For authentication ClassyCAS makes a call to a class called UserStore which has one method authenticate.  It's up to you how you want to implement authenticate, included in the same folder is an example of authenticate implemented to hit a rails app remotely through REST and getting it's authentication from that app (which in this example does it with Devise.)  You can do it many ways and here are some ideas:
+
+1) Remotely via REST to a devise app
+2) Locally via Datamapper or Activerecord 3.0 class.
+3) Key value pairs in a config file
+4) Whatever you can think of.
+
+h2. Logout
+
+The CAS protocol doesn't really specify whether logging you out of one client should log you out of all clients but we thought that made the most sense and so we wrote that into ClassyCAS.  Upon logging out a user is redirect to ClassyCAS which renders non-visible iframes that log the user out of all the apps.  There are two things to be aware of to make this work for you:
+
+# The iframes are located in the login template, views/login.erb.
+# You'll need to modify the url's of the iframes in the template to GET the logout method of the client app.
+# There is a config for the client apps in config/classy_cas.yml that let's tell ClassyCAS which clients need to be logged out.
+
+h2. Client Callback
+
+After a user successfully logs into ClassyCAS they are redirected back to the client.  The url they are redirected to must be sent to ClassyCAS in the form of a parameter that is part of the initial login redirect to ClassyCAS.
+
+For example: 
+
+<pre>
+<code>
+http://127.0.0.1:9393/login?service=http://0.0.0.0:3000/auth/cas/callback
+</code>
+</pre>
+
+This url is for the "client demo app example":https://github.com/Econify/classy_cas_client_example.git, it could very be the href for a login link tag.  A Callback url is the service parameter in this case http://0.0.0.0:3000/auth/cas/callback, this callback url can be anything you want simply by change the service parameter on the initial call to ClassyCAS.
+
+
+h2. What's There
+
+* "Sinatra":http://www.sinatrarb.com/ based.  Classy.
+* Uses "Redis":http://code.google.com/p/redis/ to store tickets.  Fast!
+* Lots of tests.  The whole protocol isn't there yet, but "this test":http://github.com/AndrewO/ClassyCAS/blob/master/test/protocol/cas_server_test.rb is a good start on an executable spec for CAS 1.0/2.0.
+
+h2. What's Missing
+
+* Proxy authentication.
+
+h2. Resources
+
+* "ClassyCAS client example app":https://github.com/Econify/classy_cas_client_example
+* "CAS":http://www.jasig.org/cas
+* "Sinatra":http://www.sinatrarb.com/
+* "Redis":http://code.google.com/p/redis/
+* "OmniAuth":https://github.com/intridea/omniauth
+* "OmniAuth CAS":https://github.com/intridea/omniauth/tree/master/oa-enterprise

data/config.ru

@@ -0,0 +1,6 @@
+require 'rubygems'
+require 'bundler'
+Bundler.require :default, :development
+require './lib/classy_cas'
+
+run ClassyCAS::Server

data/lib/classy_cas.rb

@@ -0,0 +1,231 @@
+require 'rubygems'
+require 'bundler'
+Bundler.require
+# Bundler.require doesn't seem to be pulling this in when used as gem...
+require 'sinatra'
+require 'redis'
+require 'nokogiri'
+require 'rack'
+require 'rack-flash' 
+require 'warden'
+
+if RUBY_VERSION < "1.9"
+  require 'backports'
+  require 'system_timer'
+end
+
+require 'addressable/uri'
+
+require_relative 'login_ticket'
+require_relative 'proxy_ticket'
+require_relative 'service_ticket'
+require_relative 'ticket_granting_ticket'
+require_relative 'strategies'
+
+module ClassyCAS 
+  class Server < Sinatra::Base
+    set :redis, Proc.new { Redis.new } unless settings.respond_to?(:redis)
+    set :client_sites, [ "http://localhost:3001", 'http://localhost:3002'] unless settings.respond_to?(:client_sites)
+    
+    set :root, File.dirname(__FILE__)
+    set :public, File.join(root, "/../public")
+    
+    set :warden_strategies, [:simple] unless settings.respond_to?(:warden_strategies)
+    
+    use Rack::Session::Cookie
+    use Rack::Flash, :accessorize => [:notice, :error]
+    use Warden::Manager do |manager|
+      manager.failure_app = self
+      manager.default_scope = :cas
+    
+      manager.scope_defaults(:cas, 
+        :strategies => settings.warden_strategies,
+        :action => "login"
+      )
+    end
+      
+    configure :development do
+      set :dump_errors
+    end
+    
+    get "/" do
+      redirect "/login"
+    end
+    
+    get "/login" do
+      @service_url = Addressable::URI.parse(params[:service])
+      @renew = [true, "true", "1", 1].include?(params[:renew])
+      @gateway = [true, "true", "1", 1].include?(params[:gateway])
+    
+      if @renew
+        @login_ticket = LoginTicket.create!(settings.redis)
+        render_login
+      elsif @gateway
+        if @service_url
+          if sso_session
+            st = ServiceTicket.new(params[:service], sso_session.username)
+            st.save!(settings.redis)
+            redirect_url = @service_url.clone
+            if @service_url.query_values.nil?
+              redirect_url.query_values = @service_url.query_values = {:ticket => st.ticket}
+            else
+              redirect_url.query_values = @service_url.query_values.merge(:ticket => st.ticket)
+            end
+            redirect redirect_url.to_s, 303
+          else
+            redirect @service_url.to_s, 303
+          end
+        else
+          @login_ticket = LoginTicket.create!(settings.redis)
+          render_login
+        end
+      else
+        if sso_session
+          if @service_url
+            st = ServiceTicket.new(params[:service], sso_session.username)
+            st.save!(settings.redis)
+            redirect_url = @service_url.clone
+            if @service_url.query_values.nil?
+              redirect_url.query_values = @service_url.query_values = {:ticket => st.ticket}
+            else
+              redirect_url.query_values = @service_url.query_values.merge(:ticket => st.ticket)
+            end
+            redirect redirect_url.to_s, 303
+          else
+            render_logged_in
+          end
+        else
+          @login_ticket = LoginTicket.create!(settings.redis)
+          render_login
+        end
+      end
+    end
+    
+    post "/login" do
+      username = params[:username]
+      password = params[:password]
+    
+      service_url = params[:service]
+    
+      warn = [true, "true", "1", 1].include? params[:warn]
+      # Spec is undefined about what to do without these params, so redirecting to credential requestor
+      redirect "/login", 303 unless username && password && login_ticket
+      # Failures will throw back to self, which we've registered with Warden to handle login failures
+      warden.authenticate!(:scope => :cas, :action => 'unauthenticated')
+
+      tgt = TicketGrantingTicket.new(username)
+      tgt.save!(settings.redis)
+      cookie = tgt.to_cookie(request.host)
+      response.set_cookie(*cookie)
+    
+      if service_url && !warn
+        st = ServiceTicket.new(service_url, username)
+        st.save!(settings.redis)
+        redirect service_url + "?ticket=#{st.ticket}", 303
+      else
+        render_logged_in
+      end
+    end
+    
+    get %r{(proxy|service)Validate} do
+      service_url = params[:service]
+      ticket = params[:ticket]
+      # proxy_gateway = params[:pgtUrl]
+      # renew = params[:renew]
+    
+      xml = if service_url && ticket
+      if service_ticket
+        if service_ticket.valid_for_service?(service_url)
+          render_validation_success service_ticket.username
+        else
+          render_validation_error(:invalid_service)
+        end
+      else
+        render_validation_error(:invalid_ticket, "ticket #{ticket} not recognized")
+      end
+      else
+        render_validation_error(:invalid_request)
+      end
+    
+      content_type :xml
+      xml
+    end
+    
+    
+    get '/logout' do
+      url = params[:url]
+    
+      if sso_session
+        @sso_session.destroy!(settings.redis)
+        response.delete_cookie(*sso_session.to_cookie(request.host))
+        warden.logout(:cas)
+        flash.now[:notice] = "Logout Successful."
+        if url
+          msg = "  The application you just logged out of has provided a link it would like you to follow."
+          msg += "Please <a href=\"#{url}\">click here</a> to access <a href=\"#{url}\">#{url}</a>"      
+          flash.now[:notice] += msg
+        end
+      end
+      @login_ticket = LoginTicket.create!(settings.redis)
+      @logout = true
+      render_login
+    end
+        
+    def render_login
+      erb :login
+    end
+    
+    def render_logged_in
+      erb :logged_in
+    end
+    
+    # Override to add user info back to client applications
+    def append_user_info(username, xml)
+    end
+    
+    private
+      def warden
+        request.env["warden"]
+      end
+    
+      def sso_session
+        @sso_session ||= TicketGrantingTicket.validate(request.cookies["tgt"], settings.redis)
+      end
+      
+      def ticket_granting_ticket
+        @ticket_granting_ticket ||= sso_session
+      end
+    
+      def login_ticket
+        @login_ticket ||= LoginTicket.validate!(params[:lt], settings.redis)
+      end
+    
+      def service_ticket
+        @service_ticket ||= ServiceTicket.find!(params[:ticket], settings.redis)
+      end
+    
+      def render_validation_error(code, message = nil)
+        xml = Nokogiri::XML::Builder.new do |xml|
+          xml.serviceResponse("xmlns:cas" => "http://www.yale.edu/tp/cas") {
+            xml.parent.namespace = xml.parent.namespace_definitions.first
+            xml['cas'].authenticationFailure(message, :code => code.to_s.upcase){
+            }
+          }
+        end
+        xml.to_xml
+      end
+    
+      def render_validation_success(username)
+        xml = Nokogiri::XML::Builder.new do |xml|
+          xml.serviceResponse("xmlns:cas" => "http://www.yale.edu/tp/cas") {
+            xml.parent.namespace = xml.parent.namespace_definitions.first
+            xml['cas'].authenticationSuccess {
+              xml['cas'].user username
+              append_user_info(username, xml)
+            }
+          }
+        end
+        xml.to_xml
+      end
+  end
+end

data/lib/login_ticket.rb

@@ -0,0 +1,34 @@
+class LoginTicket
+  class << self
+    def validate!(ticket, store)
+      if store.exists ticket
+        store.del ticket
+        new
+      end
+    end
+    
+    def create!(store)
+      lt =  self.new
+      lt.save!(store)
+      lt
+    end
+
+    def expire_time
+      300
+    end
+  end
+
+  def ticket
+    @ticket ||= "LT-#{rand(100000000000000000)}".to_s
+  end
+
+  def remaining_time(store)
+    store.ttl ticket
+  end
+
+
+  def save!(store)
+    store[ticket] = 1
+    store.expire ticket, self.class.expire_time
+  end
+end

data/lib/proxy_granting_ticket.rb

@@ -0,0 +1,31 @@
+class ProxyGrantingTicket
+  class << self
+    def validate!(ticket, store)
+      if service_name = store[ticket]
+        new(service_name)
+      end
+    end
+  end
+  
+  def initialize(service_name)
+    @service_name = service_name
+  end
+  
+  def valid_for_service?(url)
+    @service_name == url
+  end
+  
+  def ticket
+    @ticket ||= "PGT-#{rand(100000000000000000)}".to_s
+  end
+  
+  def save!(store)
+    store[ticket] = @service_name
+  end
+
+  def create_proxy_ticket!(store)
+    pt = ProxyTicket.new(@service_name, self)
+    pt.save!(store)
+    pt
+  end
+end