devise_cloudfuji_authenticatable 1.0.4

data/lib/devise_cas_authenticatable.rb

@@ -0,0 +1,135 @@
+if defined?(Rails) && Rails::VERSION::MAJOR == 3
+  require "action_dispatch"
+end
+
+require 'devise'
+
+require 'devise_cas_authenticatable/schema'
+require 'devise_cas_authenticatable/routes'
+require 'devise_cas_authenticatable/strategy'
+require 'devise_cas_authenticatable/exceptions'
+require 'devise_cas_authenticatable/missing_session_helpers'
+require 'devise_cas_authenticatable/single_sign_out'
+
+if ActiveSupport.respond_to? :on_load
+  ActiveSupport.on_load(:action_controller) do
+    include MissingSessionHelpers
+  end
+
+  ActiveSupport.on_load(:action_view) do
+    include MissingSessionHelpers
+  end
+else
+  ActionController.instance_eval do
+    include MissingSessionHelpers
+  end
+  
+  ActionView.instance_eval do
+    include MissingSessionHelpers
+  end
+end
+
+if defined?(ActiveRecord::SessionStore)
+  require 'devise_cas_authenticatable/single_sign_out/session_store/active_record'
+end
+
+if defined?(Redis::Store)
+  require 'devise_cas_authenticatable/single_sign_out/session_store/redis'
+end
+
+require 'rubycas-client'
+
+# Register as a Rails engine if Rails::Engine exists
+begin
+  Rails::Engine
+rescue
+else
+  module DeviseCasAuthenticatable
+    class Engine < Rails::Engine
+    end
+  end
+end
+
+module Devise
+  # The base URL of the CAS server.  For example, http://cas.example.com.  Specifying this
+  # is mandatory.
+  @@cas_base_url = ENV['CLOUDFUJI_CAS_URL'] || "https://cloudfuji.com/cas"
+
+  # The login URL of the CAS server.  If undefined, will default based on cas_base_url.
+  @@cas_login_url = nil
+
+  # The login URL of the CAS server.  If undefined, will default based on cas_base_url.
+  @@cas_logout_url = nil
+
+  # The login URL of the CAS server.  If undefined, will default based on cas_base_url.
+  @@cas_validate_url = nil
+
+  # Should devise_cas_authenticatable enable single-sign-out? Requires use of a supported
+  # session_store. Currently supports active_record or redis.
+  # False by default.
+  @@cas_enable_single_sign_out = true
+
+  # What strategy should single sign out use for tracking token->session ID mapping.
+  # :rails_cache by default.
+  @@cas_single_sign_out_mapping_strategy = :rails_cache
+
+  # Should devise_cas_authenticatable attempt to create new user records for
+  # unknown usernames?  True by default.
+  @@cas_create_user = true
+
+  # The model attribute used for query conditions. Should be the same as
+  # the rubycas-server username_column. :username by default
+  @@cas_username_column = :ido_id
+
+  # Name of the parameter passed in the logout query
+  @@cas_destination_logout_param_name = nil
+
+  mattr_accessor :cas_base_url, :cas_login_url, :cas_logout_url, :cas_validate_url, :cas_create_user, :cas_destination_logout_param_name, :cas_username_column, :cas_enable_single_sign_out, :cas_single_sign_out_mapping_strategy
+
+  def self.cas_create_user?
+    cas_create_user
+  end
+
+  # Return a CASClient::Client instance based on configuration parameters.
+  def self.cas_client
+    @@cas_client ||= CASClient::Client.new(
+        :cas_destination_logout_param_name => @@cas_destination_logout_param_name,
+        :cas_base_url => @@cas_base_url,
+        :login_url => @@cas_login_url,
+        :logout_url => @@cas_logout_url,
+        :validate_url => @@cas_validate_url,
+        :enable_single_sign_out => @@cas_enable_single_sign_out
+      )
+  end
+
+  def self.cas_service_url(base_url, mapping)
+    cas_action_url(base_url, mapping, "service")
+  end
+
+  def self.cas_unregistered_url(base_url, mapping)
+    cas_action_url(base_url, mapping, "unregistered")
+  end
+
+  private
+  def self.cas_action_url(base_url, mapping, action)
+    u = URI.parse(base_url)
+    u.query = nil
+    u.path = if mapping.respond_to?(:fullpath)
+        mapping.fullpath
+      else
+        mapping.raw_path
+      end
+    u.path << "/"
+    u.path << action
+    u.to_s
+
+    return u.to_s
+  end
+
+end
+
+Devise.add_module(:cloudfuji_authenticatable,
+  :strategy => true,
+  :controller => :cas_sessions,
+  :route => :cloudfuji_authenticatable,
+  :model => 'devise_cas_authenticatable/model')

data/lib/devise_cas_authenticatable/exceptions.rb

@@ -0,0 +1,10 @@
+# Thrown when a user attempts to pass a CAS ticket that the server
+# says is invalid.
+class InvalidCasTicketException < Exception
+  attr_reader :ticket
+  
+  def initialize(ticket, msg=nil)
+    super(msg)
+    @ticket = ticket
+  end
+end

data/lib/devise_cas_authenticatable/missing_session_helpers.rb

@@ -0,0 +1,9 @@
+module MissingSessionHelpers
+  def new_session_path(resource_name, *args)
+    send "new_#{resource_name}_session_path".to_sym, *args
+  end
+  
+  def destroy_session_path(resource_name, *args)
+    send "destroy_#{resource_name}_session_path".to_sym, *args
+  end
+end

data/lib/devise_cas_authenticatable/model.rb

@@ -0,0 +1,56 @@
+module Devise
+  module Models
+    # Extends your User class with support for CAS ticket authentication.
+    module CloudfujiAuthenticatable
+      def self.included(base)
+        base.extend ClassMethods
+
+        if defined?(Mongoid)
+          base.class_eval do
+            field :ido_id  # TODO check with someone who's using Mongoid
+          end
+        end
+      end
+
+      module ClassMethods
+        # Authenticate a CAS ticket and return the resulting user object.  Behavior is as follows:
+        #
+        # * Check ticket validity using RubyCAS::Client.  Return nil if the ticket is invalid.
+        # * Find a matching user by username (will use find_for_authentication if available).
+        # * If the user does not exist, but Devise.cas_create_user is set, attempt to create the
+        #   user object in the database.  If cas_extra_attributes= is defined, this will also
+        #   pass in the ticket's extra_attributes hash.
+        # * Return the resulting user object.
+        def authenticate_with_cas_ticket(ticket)
+          ::Devise.cas_client.validate_service_ticket(ticket) unless ticket.has_been_validated?
+
+          puts "ticket = #{ticket.inspect}"
+
+          if ticket.is_valid?
+            conditions = {::Devise.cas_username_column => ticket.respond_to?(:user) ? ticket.user : ticket.response.user}
+            # We don't want to override Devise 1.1's find_for_authentication
+            resource = if respond_to?(:find_for_authentication)
+              find_for_authentication(conditions)
+            else
+              find(:first, :conditions => conditions)
+            end
+
+            resource = new(conditions) if (resource.nil? and ::Devise.cas_create_user?)
+
+            puts "found #{resource.inspect}"
+
+            return nil unless resource
+
+            if resource.respond_to? :cloudfuji_extra_attributes
+              extra_attributes = ticket.respond_to?(:extra_attributes) ? ticket.extra_attributes : ticket.response.extra_attributes
+              resource.cloudfuji_extra_attributes(extra_attributes)
+            end
+
+            resource.save
+            resource
+          end
+        end
+      end
+    end
+  end
+end

data/lib/devise_cas_authenticatable/routes.rb

@@ -0,0 +1,37 @@
+if defined?(ActionDispatch)
+  # Rails 3
+  
+  ActionDispatch::Routing::Mapper.class_eval do
+    protected
+  
+    def devise_cloudfuji_authenticatable(mapping, controllers)
+      # service endpoint for CAS server
+      get "service", :to => "#{controllers[:cas_sessions]}#service", :as => "service"
+      post "service", :to => "#{controllers[:cas_sessions]}#single_sign_out", :as => "single_sign_out"
+
+      resource :session, :only => [], :controller => controllers[:cas_sessions], :path => "" do
+        get :new, :path => mapping.path_names[:sign_in], :as => "new"
+        get :unregistered
+        post :create, :path => mapping.path_names[:sign_in]
+        match :destroy, :path => mapping.path_names[:sign_out], :as => "destroy"
+      end
+    end
+  end
+else
+
+  # Rails 2  
+  ActionController::Routing::RouteSet::Mapper.class_eval do
+    protected
+
+    def cloudfuji_authenticatable(routes, mapping)
+      routes.with_options(:controller => 'devise/cas_sessions', :name_prefix => nil) do |session|
+        session.send(:"#{mapping.name}_service", '/service', :action => 'service', :conditions => {:method => :get})
+        session.send(:"#{mapping.name}_service", '/service', :action => 'single_sign_out', :conditions => {:method => :post})
+        session.send(:"unregistered_#{mapping.name}_session", '/unregistered', :action => "unregistered", :conditions => {:method => :get})
+        session.send(:"new_#{mapping.name}_session", mapping.path_names[:sign_in], :action => 'new', :conditions => {:method => :get})
+        session.send(:"#{mapping.name}_session", mapping.path_names[:sign_in], :action => 'create', :conditions => {:method => :post})
+        session.send(:"destroy_#{mapping.name}_session", mapping.path_names[:sign_out], :action => 'destroy', :conditions => { :method => :get })
+      end
+    end
+  end
+end

data/lib/devise_cas_authenticatable/schema.rb

@@ -0,0 +1,13 @@
+require 'devise/schema'
+
+module Devise
+  module Schema
+    def cloudfuji_authenticatable
+      if respond_to? :apply_devise_schema
+        apply_devise_schema :ido_id, String
+      else
+        apply_schema :ido_id, String
+      end
+    end
+  end
+end

data/lib/devise_cas_authenticatable/single_sign_out.rb

@@ -0,0 +1,22 @@
+module DeviseCasAuthenticatable
+  module SingleSignOut
+    module SetSession
+      def set_session_with_storage(env, sid, session_data, options={})
+        if session_data['cas_last_valid_ticket_store']
+          ::DeviseCasAuthenticatable::SingleSignOut::Strategies.current_strategy.store_session_id_for_index(session_data['cas_last_valid_ticket'], sid)
+          session_data['cas_last_valid_ticket_store'] = nil
+        end
+
+        if method(:set_session_without_storage).arity == 4
+          set_session_without_storage(env, sid, session_data, options)
+        else
+          set_session_without_storage(env, sid, session_data)
+        end
+      end
+    end
+  end
+end
+
+require 'devise_cas_authenticatable/single_sign_out/strategies'
+require 'devise_cas_authenticatable/single_sign_out/strategies/base'
+require 'devise_cas_authenticatable/single_sign_out/strategies/rails_cache'

data/lib/devise_cas_authenticatable/single_sign_out/session_store/active_record.rb

@@ -0,0 +1,12 @@
+ActiveRecord::SessionStore.class_eval do
+
+  include DeviseCasAuthenticatable::SingleSignOut::SetSession
+  alias_method_chain :set_session, :storage
+
+  #def destroy_session(env, session_id, options)
+  #  if session = Session::find_by_session_id(sid)
+  #    session.destroy
+  #  end
+  #end
+
+end

data/lib/devise_cas_authenticatable/single_sign_out/session_store/redis.rb

@@ -0,0 +1,27 @@
+require "action_controller/session/redis_session_store"
+
+module DeviseCasAuthenticatable
+  module SingleSignOut
+    module RedisSessionStore
+
+      include DeviseCasAuthenticatable::SingleSignOut::SetSession
+
+      def destroy_session(sid)
+        @pool.del(sid)
+      end
+    end
+  end
+end
+
+
+if ::Redis::Store.rails3?
+  ActionDispatch::Session::RedisSessionStore.class_eval do
+    include DeviseCasAuthenticatable::SingleSignOut::RedisSessionStore
+    alias_method_chain :set_session, :storage
+  end
+else
+  ActionController::Session::RedisSessionStore.class_eval do
+    include DeviseCasAuthenticatable::SingleSignOut::RedisSessionStore
+    alias_method_chain :set_session, :storage
+  end
+end

data/lib/devise_cas_authenticatable/single_sign_out/strategies.rb

@@ -0,0 +1,58 @@
+module DeviseCasAuthenticatable
+  module SingleSignOut
+    module Strategies
+      class << self
+
+        # Add a strategy and store it in a hash.
+        def add(label, strategy, &block)
+          strategy ||= Class.new(DeviseCasAuthenticatable::SingleSignOut::Strategies::Base)
+          strategy.class_eval(&block) if block_given?
+
+          check_method(label, strategy, :store_session_id_for_index)
+          check_method(label, strategy, :find_session_id_by_index)
+          check_method(label, strategy, :delete_session_index)
+
+          unless strategy.ancestors.include?(DeviseCasAuthenticatable::SingleSignOut::Strategies::Base)
+            raise "#{label.inspect} is not a #{base}"
+          end
+
+          _strategies[label] = strategy.new()
+        end
+
+        # Update a previously given strategy.
+        def update(label, &block)
+          strategy = _strategies[label]
+          raise "Unknown strategy #{label.inspect}" unless strategy
+          add(label, strategy, &block)
+        end
+
+        # Provides access to strategies by label
+        def [](label)
+          _strategies[label]
+        end
+
+        def current_strategy
+          self[::Devise.cas_single_sign_out_mapping_strategy]
+        end
+
+        # Clears all declared.
+        def clear!
+          _strategies.clear
+        end
+
+        private
+
+        def _strategies
+          @strategies ||= {}
+        end
+
+        def check_method(label, strategy, method)
+          unless strategy.method_defined?(method)
+            raise NoMethodError, "#{method.to_s} is not declared in the #{label.inspect} strategy"
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/devise_cas_authenticatable/single_sign_out/strategies/base.rb

@@ -0,0 +1,11 @@
+module DeviseCasAuthenticatable
+  module SingleSignOut
+    module Strategies
+      class Base
+        def logger
+          @logger ||= Rails.logger
+        end
+      end
+    end
+  end
+end

data/lib/devise_cas_authenticatable/single_sign_out/strategies/rails_cache.rb

@@ -0,0 +1,31 @@
+module DeviseCasAuthenticatable
+  module SingleSignOut
+    module Strategies
+      class RailsCache < Base
+        def store_session_id_for_index(session_index, session_id)
+          logger.debug("Storing #{session_id} for index #{session_index}")
+          Rails.cache.write(cache_key(session_index), session_id)
+        end
+
+        def find_session_id_by_index(session_index)
+          sid = Rails.cache.read(cache_key(session_index))
+          logger.debug("Found session id #{sid.inspect} for index #{session_index.inspect}")
+          sid
+        end
+        
+        def delete_session_index(session_index)
+          logger.info("Deleting index #{session_index}")
+          Rails.cache.delete(cache_key(session_index))
+        end
+        
+        private
+        
+        def cache_key(session_index)
+          "devise_cas_authenticatable:#{session_index}"
+        end
+      end
+    end
+  end
+end
+
+::DeviseCasAuthenticatable::SingleSignOut::Strategies.add( :rails_cache, DeviseCasAuthenticatable::SingleSignOut::Strategies::RailsCache )

data/lib/devise_cas_authenticatable/strategy.rb

@@ -0,0 +1,56 @@
+require 'devise/strategies/base'
+require 'net/http'
+require 'uri'
+
+module Devise
+  module Strategies
+    class CasAuthenticatable < Base
+      # True if the mapping supports authenticate_with_cas_ticket.
+      def valid?
+        mapping.to.respond_to?(:authenticate_with_cas_ticket) && params[:ticket]
+      end
+      
+      # Try to authenticate a user using the CAS ticket passed in params.
+      # If the ticket is valid and the model's authenticate_with_cas_ticket method
+      # returns a user, then return success.  If the ticket is invalid, then either
+      # fail (if we're just returning from the CAS server, based on the referrer)
+      # or attempt to redirect to the CAS server's login URL.
+      def authenticate!
+        ticket = read_ticket(params)
+        fail!(:invalid) if not ticket
+        
+        if resource = mapping.to.authenticate_with_cas_ticket(ticket)
+          # Store the ticket in the session for later usage
+          if ::Devise.cas_enable_single_sign_out
+            session['cas_last_valid_ticket'] = ticket.ticket
+            session['cas_last_valid_ticket_store'] = true
+          end
+
+          success!(resource)
+        elsif ticket.is_valid?
+          ido_id = ticket.respond_to?(:user) ? ticket.user : ticket.response.user
+          redirect!(::Devise.cas_unregistered_url(request.url, mapping), :ido_id => ido_id)
+          #fail!("The user #{ticket.response.user} is not registered with this site.  Please use a different account.")
+        else
+          fail!(:invalid)
+        end
+      end
+      
+      protected
+      
+      def read_ticket(params)
+        ticket = params[:ticket]
+        return nil unless ticket
+        
+        service_url = ::Devise.cas_service_url(request.url, mapping)
+        if ticket =~ /^PT-/
+          ::CASClient::ProxyTicket.new(ticket, service_url, params[:renew])
+        else
+          ::CASClient::ServiceTicket.new(ticket, service_url, params[:renew])
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:cloudfuji_authenticatable, Devise::Strategies::CasAuthenticatable)