factorylabs-casrack_the_authenticator 1.6.0

data/.gitignore

@@ -0,0 +1,3 @@
+doc/rdoc
+.yardoc
+pkg

data/README.rdoc

@@ -0,0 +1,87 @@
+Casrack the Authenticator is a
+Rack[http://github.com/chneukirchen/rack] middleware
+that provides CAS[http://www.jasig.org/cas] support.
+
+As of the current version, Casrack the Authenticator only supports the most basic
+of CAS scenarios: it requires CAS authentication if it receives a 401 Unauthorized
+response from lower-down in the Rack stack, and it stores the authentication token
+in the session (so logout happens when users close their browers).  Casrack the Authenticator
+is a very open-minded beast, though, so please contribute (well-tested) additions to do
+proxy-authentication and single-sign-out, or for anything else you desire.
+
+=== How-To
+
+==== 1: install
+
+  [sudo] gem install casrack_the_authenticator
+
+==== 2: set up the middleware:
+
+  # in your rackup:
+  use CasrackTheAuthenticator::Simple, :cas_server => "http://cas.mycompany.com/cas"
+  # or "config.middleware.use" if you're on Rails
+  
+See CasrackTheAuthenticator::Configuration for specifics on that Hash argument.
+
+==== 3: optionally install CasrackTheAuthenticator::RequireCAS if you want _every_ request to require CAS authentication:
+   
+  # in your rackup:
+  use CasrackTheAuthenticator::Simple, :cas_server => ...
+  use CasrackTheAuthenticator::RequireCAS
+  # or "config.middleware.use" if you're on Rails
+   
+==== 4: pull the authenticated CAS username out of the Rack session:
+
+  # in a Rack app:
+  def call(env)
+    user = cas_user(env)
+    ...
+  end
+  
+  def cas_user(env)
+    username = Rack::Request.new(env).session[CasrackTheAuthenticator::USERNAME_PARAM]
+    User.find_by_username(username)
+  end
+  
+  # or, in a Rails controller:
+  
+  def cas_user
+    username = Rack::Request.new(request.env).session[CasrackTheAuthenticator::USERNAME_PARAM]
+    User.find_by_username(username)
+  end
+
+=== Disconnected (Fake) Mode
+
+I've often found myself working on a CAS-ified project while away from the office
+and unable to access the CAS server. To support this type of disconnected development,
+just substitute in the CasrackTheAuthenticator::Fake middleware. It acts like
+CasrackTheAuthenticator::Simple, but it uses HTTP Basic authentication against a
+preset list of usernames.
+
+A common pattern for Rails apps is to create a disconnected environment:
+
+==== 1: set up <tt>[rails_root]/config/database.yml</tt>
+
+  development: &DEV
+    adapter: sqlite3
+    database: db/development.sqlite3
+    pool: 5
+    timeout: 5000
+
+  # development mode when disconnected from MITRE
+  disconnected:
+    <<: *DEV
+    
+==== 2: set up <tt>[rails_root]/config/disconnected.rb</tt>:
+
+  load './development.rb'
+  config.middleware.swap 'CasrackTheAuthenticator::Simple', CasrackTheAuthenticator::Fake, 'jimbob', 'sueann'
+  
+==== 3: run in disconnected mode:
+
+  script/server -e disconnected
+  
+==== 4: login as 'jimbob' or 'sueann'
+
+Passwords are ignored.
+  

data/Rakefile

@@ -0,0 +1,7 @@
+require 'rake'
+
+CASRACK_PROJECT_ROOT = File.expand_path(File.dirname(__FILE__))
+Dir['developer_tasks/*.rake'].each { |f| load(f) }
+
+desc "Default: run all tests, including features"
+task :default => ['test']

data/VERSION

@@ -0,0 +1 @@
+1.6.0

data/casrack_the_authenticator.gemspec

@@ -0,0 +1,83 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE
+# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{casrack_the_authenticator}
+  s.version = "1.6.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["James Rosen"]
+  s.date = %q{2009-09-23}
+  s.description = %q{CAS Authentication via Rack Middleware}
+  s.email = %q{james.a.rosen@gmail.com}
+  s.extra_rdoc_files = [
+    "README.rdoc"
+  ]
+  s.files = [
+    ".gitignore",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "casrack_the_authenticator.gemspec",
+     "developer_tasks/doc.rake",
+     "developer_tasks/gem.rake",
+     "developer_tasks/test.rake",
+     "features/fake.feature",
+     "features/require_cas.feature",
+     "features/simple.feature",
+     "features/step_definitions/fake_cas_steps.rb",
+     "features/step_definitions/rack_steps.rb",
+     "features/support/assertions.rb",
+     "features/support/rack_support.rb",
+     "lib/casrack_the_authenticator.rb",
+     "lib/casrack_the_authenticator/configuration.rb",
+     "lib/casrack_the_authenticator/fake.rb",
+     "lib/casrack_the_authenticator/require_cas.rb",
+     "lib/casrack_the_authenticator/service_ticket_validator.rb",
+     "lib/casrack_the_authenticator/simple.rb",
+     "test/configuration_test.rb",
+     "test/fake_test.rb",
+     "test/service_ticket_validator_test.rb",
+     "test/simple_test.rb",
+     "test/test_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/gcnovus/casrack_the_authenticator}
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Casrack the Authenticator: RDoc", "--charset", "utf-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.3}
+  s.summary = %q{CAS Authentication via Rack Middleware}
+  s.test_files = [
+    "test/configuration_test.rb",
+     "test/fake_test.rb",
+     "test/service_ticket_validator_test.rb",
+     "test/simple_test.rb",
+     "test/test_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<nokogiri>, ["~> 1.3.2"])
+      s.add_development_dependency(%q<thoughtbot-shoulda>, ["~> 2.10.2"])
+      s.add_development_dependency(%q<jferris-mocha>, ["~> 0.9.7"])
+      s.add_development_dependency(%q<redgreen>, ["~> 1.2.2"])
+      s.add_development_dependency(%q<rack>, ["~> 1.0.0"])
+    else
+      s.add_dependency(%q<nokogiri>, ["~> 1.3.2"])
+      s.add_dependency(%q<thoughtbot-shoulda>, ["~> 2.10.2"])
+      s.add_dependency(%q<jferris-mocha>, ["~> 0.9.7"])
+      s.add_dependency(%q<redgreen>, ["~> 1.2.2"])
+      s.add_dependency(%q<rack>, ["~> 1.0.0"])
+    end
+  else
+    s.add_dependency(%q<nokogiri>, ["~> 1.3.2"])
+    s.add_dependency(%q<thoughtbot-shoulda>, ["~> 2.10.2"])
+    s.add_dependency(%q<jferris-mocha>, ["~> 0.9.7"])
+    s.add_dependency(%q<redgreen>, ["~> 1.2.2"])
+    s.add_dependency(%q<rack>, ["~> 1.0.0"])
+  end
+end

data/developer_tasks/doc.rake

@@ -0,0 +1,22 @@
+require 'yard'
+require 'yard/rake/yardoc_task'
+
+desc "Generate RDoc"
+task :doc => ['doc:generate']
+
+namespace :doc do
+  
+  doc_dir = File.join(CASRACK_PROJECT_ROOT, 'doc', 'rdoc')
+  
+  YARD::Rake::YardocTask.new(:generate) do |yt|
+    yt.files   = Dir.glob(File.join(CASRACK_PROJECT_ROOT, 'lib', '**', '*.rb')) + 
+                 [ File.join(CASRACK_PROJECT_ROOT, 'README.rdoc') ]
+    yt.options = ['--output-dir', doc_dir, '--readme', 'README.rdoc']
+  end
+  
+  desc "Remove generated documenation"
+  task :clean do
+    rm_r doc_dir if File.exists?(doc_dir)
+  end
+  
+end

data/developer_tasks/gem.rake

@@ -0,0 +1,20 @@
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "factorylabs-casrack_the_authenticator"
+    gemspec.summary = "CAS Authentication via Rack Middleware"
+    gemspec.description = gemspec.summary
+    gemspec.email = "james.a.rosen@gmail.com"
+    gemspec.homepage = "http://github.com/gcnovus/casrack_the_authenticator"
+    gemspec.authors = ["James Rosen"]
+    gemspec.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Casrack the Authenticator: RDoc", "--charset", "utf-8"]
+    gemspec.platform = Gem::Platform::RUBY
+    gemspec.add_dependency 'nokogiri', '~> 1.4.1'
+    gemspec.add_development_dependency 'thoughtbot-shoulda', '~> 2.10.2'
+    gemspec.add_development_dependency 'jferris-mocha', '~> 0.9.7'
+    gemspec.add_development_dependency 'redgreen', '~> 1.2.2'
+    gemspec.add_development_dependency 'rack', '~> 1.0.0'
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end

data/developer_tasks/test.rake

@@ -0,0 +1,24 @@
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'rake/testtask'
+
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format pretty"
+end
+
+LIB_DIRECTORIES = FileList.new do |fl|
+  fl.include "#{CASRACK_PROJECT_ROOT}/lib"
+  fl.include "#{CASRACK_PROJECT_ROOT}/test/lib"
+end
+ 
+TEST_FILES = FileList.new do |fl|
+  fl.include "#{CASRACK_PROJECT_ROOT}/test/**/*_test.rb"
+  fl.exclude "#{CASRACK_PROJECT_ROOT}/test/test_helper.rb"
+  fl.exclude "#{CASRACK_PROJECT_ROOT}/test/lib/**/*.rb"
+end
+
+Rake::TestTask.new(:test) do |t|
+  t.libs = LIB_DIRECTORIES
+  t.test_files = TEST_FILES
+  t.verbose = true
+end

data/features/fake.feature

@@ -0,0 +1,34 @@
+Feature: Fake CAS Authentication
+  In order to support developers who work away from the office
+  Casrack the Authenticator provides a Fake middleware.
+  
+  Background:
+    Given a Rack application exists
+    And the fake Casrack middleware is installed with user "missy"
+    
+  Scenario: not-signed-in user makes a request to a public area
+    Given the underlying Rack application returns [200, {}, "Public Information"]
+    When I make a request
+    Then the response should be successful
+    And the response body should include "Public Information"
+    And the CAS user should be nil
+    
+  Scenario: not-signed-in user makes a request to a private area
+    Given the underlying Rack application returns [401, {}, 'Restricted. Go away.']
+    When I make a request
+    Then I should be presented with a HTTP Basic authentication request
+    And the CAS user should be nil
+  
+  Scenario: user presenting invalid credentials makes a request to a private area
+    Given the underlying Rack application returns [401, {}, 'Restricted. Go away.']
+    When I make a request as "thomas"
+    Then I should be presented with a HTTP Basic authentication request
+    And the CAS user should be nil
+    
+  Scenario: user presenting credentials makes a request to a private area
+    Given the underlying Rack application returns [200, {}, 'Restricted. Shh.']
+    When I make a request as "missy"
+    Then the response should be successful
+    And the response body should include "Restricted. Shh."
+    And the CAS user should be "missy"
+    

data/features/require_cas.feature

@@ -0,0 +1,19 @@
+Feature: Required CAS Authentication
+  In order make it dead-simple for users to implement a CAS-login requirement
+  Casrack the Authenticator provides a RequireCAS middleware.
+  
+  Background:
+    Given a Rack application exists
+    And the RequireCAS middleware is installed
+    And the simple version of Casrack the Authenticator is installed
+    And the underlying Rack application returns [200, {}, "Public Information"]
+    
+  Scenario: not-signed-in user makes a request
+    When I make a request
+    Then I should be redirected to CAS
+    And the "Content-Type" header should be "text/plain"
+    
+  Scenario: signed-in-user makes a request
+    When I return to "http://myapp.org/bar" with a valid CAS ticket for "tperon"
+    Then the response should be successful
+    And the response body should include "Public Information"

data/features/simple.feature

@@ -0,0 +1,32 @@
+Feature: Simple CAS Authentication
+  In order to maintain privacy and accountability while keeping IT costs low
+  "Upper Management" wants to use CAS authentication
+  
+  Background:
+    Given a Rack application exists
+    And the simple version of Casrack the Authenticator is installed
+  
+  Scenario: not-signed-in user accesses public material
+    Given the underlying Rack application returns [200, {}, "Public Information"]
+    When I make a request
+    Then the response should be successful
+    And the response body should include "Public Information"
+    
+  Scenario: not-signed-in user accesses restricted material
+    Given the underlying Rack application returns [401, {}, "Restricted!"]
+    When I make a request to "http://myapp.com/foo?bar=baz"
+    Then I should be redirected to CAS
+    And the "Content-Type" header should be "text/plain"
+    And CAS should return me to "http://myapp.com/foo?bar=baz"
+    
+  Scenario: returning from a successful CAS sign-in
+    Given the underlying Rack application returns [200, {}, "Information for jswanson"]
+    When I return to "http://myapp.org/bar" with a valid CAS ticket for "jswanson"
+    Then the CAS user should be "jswanson"
+    And the response should be successful
+    And the response body should include "Information for jswanson"
+    
+  Scenario: returning from an unsuccessful CAS sign-in
+    Given the underlying Rack application returns [401, {}, "Restricted!"]
+    When I return to "http://myapp.org/bar" with an invalid CAS ticket
+    Then the CAS user should be nil

data/features/step_definitions/fake_cas_steps.rb

@@ -0,0 +1,14 @@
+Given /^the fake Casrack middleware is installed with user "([^\"]*)"$/ do |user|
+  self.app = CasrackTheAuthenticator::Fake.new(app, user)
+end
+
+Then /^I should be presented with a HTTP Basic authentication request$/ do
+  assert_equal 401, response.status
+  assert_equal 'text/plain', response.headers['Content-Type']
+  assert_equal '0', response.headers['Content-Length']
+  assert_equal 'Basic realm="CasrackTheAuthenticator::Fake"', response.headers['WWW-Authenticate']
+end
+
+When /^I make a request as "([^\"]*)"$/ do |username|
+  get '/', { 'HTTP_AUTHORIZATION' => 'Basic ' + ["#{username}:sekret"].pack("m*") }
+end

data/features/step_definitions/rack_steps.rb

@@ -0,0 +1,69 @@
+require File.join(File.dirname(__FILE__), '..', '..', 'test', 'test_helper.rb')
+require 'rack/mock'
+
+Given /^a Rack application exists$/ do
+  self.underlying_app = lambda { |env| nil }
+  self.app = underlying_app
+end
+
+Given /^the simple version of Casrack the Authenticator is installed$/ do
+  self.app = CasrackTheAuthenticator::Simple.new(app, :cas_server => 'http://cas.test/cas')
+end
+
+Given /^the RequireCAS middleware is installed$/ do
+  self.app = CasrackTheAuthenticator::RequireCAS.new(app)
+end
+
+Given /^the underlying Rack application returns (.+)$/ do |response|
+  underlying_app.stubs(:call).returns(eval(response))
+end
+
+When /^I make a request$/ do
+  get '/'
+end
+
+When /^I make a request to "([^\"]*)"$/ do |url|
+  get url
+end
+
+When /^I return to "([^\"]*)" with a valid CAS ticket for "([^\"]*)"$/ do |url, user|
+  http_request_returns_valid_cas_user user
+  url << (url.include?('?') ? '&' : '?') << 'ticket=ST-123455'
+  When "I make a request to \"#{url}\""
+end
+
+When /^I return to "([^\"]*)" with an invalid CAS ticket$/ do |url|
+  http_request_returns_error
+  url << (url.include?('?') ? '&' : '?') << 'ticket=ST-not-a-valid-ticket'
+  When "I make a request to \"#{url}\""
+end
+
+Then /^the CAS user should be nil$/ do
+  assert_equal nil, session[:cas_user]
+end
+
+Then /^the CAS user should be "([^\"]*)"$/ do |username|
+  assert_equal username, session[:cas_user]
+end
+
+Then /^the response should be successful$/ do
+  assert((200..299).include?(response.status), "Expected success, but was #{response.status}")
+end
+
+Then /^the response body should include "([^\"]*)"$/ do |text|
+  assert response.body.include?(text)
+end
+
+Then /^I should be redirected to CAS$/ do
+  assert((300..399).include?(response.status), "Expected redirect, but was #{response.status}")
+  assert !redirected_to.nil?
+  assert redirected_to.to_s =~ /cas/i
+end
+
+Then /^CAS should return me to "([^\"]*)"$/ do |return_to|
+  assert_equal return_to, service_url
+end
+
+Then /^the "([^\"]*)" header should be "([^\"]*)"$/ do |header, value|
+  assert_equal value, response.headers[header]
+end

data/features/support/assertions.rb

@@ -0,0 +1,3 @@
+require 'test/unit/assertions'
+
+World(Test::Unit::Assertions)

data/features/support/rack_support.rb

@@ -0,0 +1,89 @@
+require 'rack'
+require 'rack/mock'
+Rack::MockRequest.class_eval do
+  
+  class <<self
+    def env_for_with_hook(*args)
+      return ::RackSupport.current_env unless ::RackSupport.current_env.nil?
+      env = env_for_without_hook(*args)
+      ::RackSupport.current_env = env
+      env
+    end
+    alias_method :env_for_without_hook, :env_for
+    alias_method :env_for, :env_for_with_hook
+  end
+  
+end
+
+module RackSupport
+  
+  VALID_CAS_USER_XML = <<-EOX
+<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
+  <cas:authenticationSuccess>
+    <cas:user>%s</cas:user>
+  </cas:authenticationSuccess>
+</cas:serviceResponse>
+EOX
+  
+  @@current_env = nil
+  
+  def self.current_env
+    @@current_env
+  end
+  
+  def self.current_env=(env)
+    @@current_env = env
+  end
+  
+  attr_accessor :underlying_app, :app, :response, :session
+  
+  def cleanup_rack_variables
+    ::RackSupport.current_env = nil
+    self.underlying_app = self.app = self.session = self.response = nil
+  end
+  
+  def get(url, headers = {})
+    env = RackSupport.current_env = Rack::MockRequest.env_for(url, headers)
+    if session
+      env['rack.session'] = session
+    else
+      self.session = Rack::Request.new(env).session
+    end
+    self.response = Rack::MockRequest.new(app).get url, headers
+  end
+  
+  def redirected_to
+    return nil if response.headers['Location'].nil?
+    URI::parse(response.headers['Location'])
+  end
+  
+  def service_url
+    return nil if redirected_to.nil?
+    Rack::Utils.parse_nested_query(redirected_to.query)['service']
+  end
+  
+  def http_request_returns_valid_cas_user(username)
+    http_request_returns VALID_CAS_USER_XML % username
+  end
+  
+  def http_request_returns_error
+    http_request_returns "this is not a valid CAS service-ticket-validation response!"
+  end
+  
+  def http_request_returns(content)
+    server = Object.new
+    connection = Object.new
+    response = Object.new
+    Net::HTTP.stubs(:new).returns(server)
+    server.stubs(:start).yields(connection)
+    connection.stubs(:get).returns(response)
+    response.stubs(:body).returns(content)
+  end
+  
+end
+
+After do
+  cleanup_rack_variables
+end
+
+World(RackSupport)