jorahood-rubycas-client 2.0.99.1

data/lib/casclient/client.rb

@@ -0,0 +1,211 @@
+module CASClient
+  # The client brokers all HTTP transactions with the CAS server.
+  class Client
+    attr_reader :cas_base_url 
+    attr_reader :log, :username_session_key, :extra_attributes_session_key
+    attr_writer :login_url, :validate_url, :proxy_url, :logout_url, :service_url
+    attr_accessor :proxy_callback_url, :proxy_retrieval_url
+    
+    def initialize(conf = nil)
+      configure(conf) if conf
+    end
+    
+    def configure(conf)
+      raise ArgumentError, "Missing :cas_base_url parameter!" unless conf[:cas_base_url]
+      
+      @cas_base_url      = conf[:cas_base_url].gsub(/\/$/, '')       
+      
+      @login_url    = conf[:login_url]
+      @logout_url   = conf[:logout_url]
+      @validate_url = conf[:validate_url]
+      @proxy_url    = conf[:proxy_url]
+      @service_url  = conf[:service_url]
+      @proxy_callback_url  = conf[:proxy_callback_url]
+      @proxy_retrieval_url = conf[:proxy_retrieval_url]
+      
+      @username_session_key         = conf[:username_session_key] || :cas_user
+      @extra_attributes_session_key = conf[:extra_attributes_session_key] || :cas_extra_attributes
+      
+      @log = CASClient::LoggerWrapper.new
+      @log.set_real_logger(conf[:logger]) if conf[:logger]
+    end
+    
+    def login_url
+      @login_url || (cas_base_url + "/login")
+    end
+    
+    def validate_url
+      @validate_url || (cas_base_url + "/proxyValidate")
+    end
+    
+    # Returns the CAS server's logout url.
+    #
+    # If a logout_url has not been explicitly configured,
+    # the default is cas_base_url + "/logout".
+    #
+    # service_url:: Set this if you want the user to be
+    #               able to immediately log back in. Generally
+    #               you'll want to use something like <tt>request.referer</tt>.
+    #               Note that this only works with RubyCAS-Server.
+    # back_url:: This satisfies section 2.3.1 of the CAS protocol spec.
+    #            See http://www.ja-sig.org/products/cas/overview/protocol
+    def logout_url(service_url = nil, back_url = nil)
+      url = @logout_url || (cas_base_url + "/logout")
+      
+      if service_url || back_url
+        uri = URI.parse(url)
+        h = uri.query ? query_to_hash(uri.query) : {}
+        h['service'] = service_url if service_url
+        h['url'] = back_url if back_url
+        uri.query = hash_to_query(h)
+        uri.to_s
+      else
+        url
+      end
+    end
+    
+    def proxy_url
+      @proxy_url || (cas_base_url + "/proxy")
+    end
+    
+    def validate_service_ticket(st)
+      uri = URI.parse(validate_url)
+      h = uri.query ? query_to_hash(uri.query) : {}
+      h['casurl'] = st.service
+      h['casticket'] = st.ticket
+      h['renew'] = 1 if st.renew
+      h['pgtUrl'] = proxy_callback_url if proxy_callback_url
+      uri.query = hash_to_query(h)
+      
+      st.response = request_cas_response(uri, ValidationResponse)
+      
+      return st
+    end
+    alias validate_proxy_ticket validate_service_ticket
+    
+    # Requests a login using the given credentials for the given service; 
+    # returns a LoginResponse object.
+    def login_to_service(credentials, service)
+      lt = request_login_ticket
+      
+      data = credentials.merge(
+        :lt => lt,
+        :service => service 
+      )
+      
+      res = submit_data_to_cas(login_url, data)
+      CASClient::LoginResponse.new(res)
+    end
+  
+    # Requests a login ticket from the CAS server for use in a login request;
+    # returns a LoginTicket object.
+    #
+    # This only works with RubyCAS-Server, since obtaining login
+    # tickets in this manner is not part of the official CAS spec.
+    def request_login_ticket
+      uri = URI.parse(login_url+'Ticket')
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      res = https.post(uri.path, ';')
+      
+      raise CASException, res.body unless res.kind_of? Net::HTTPSuccess
+      
+      res.body.strip
+    end
+    
+    # Requests a proxy ticket from the CAS server for the given service
+    # using the given pgt (proxy granting ticket); returns a ProxyTicket 
+    # object.
+    #
+    # The pgt required to request a proxy ticket is obtained as part of
+    # a ValidationResponse.
+    def request_proxy_ticket(pgt, target_service)
+      uri = URI.parse(proxy_url)
+      h = uri.query ? query_to_hash(uri.query) : {}
+      h['pgt'] = pgt.ticket
+      h['targetService'] = target_service
+      uri.query = hash_to_query(h)
+      
+      pr = request_cas_response(uri, ProxyResponse)
+      
+      pt = ProxyTicket.new(pr.proxy_ticket, target_service)
+      pt.response = pr
+      
+      return pt
+    end
+    
+    def retrieve_proxy_granting_ticket(pgt_iou)
+      uri = URI.parse(proxy_retrieval_url)
+      uri.query = (uri.query ? uri.query + "&" : "") + "pgtIou=#{CGI.escape(pgt_iou)}"
+      retrieve_url = uri.to_s
+      
+      log.debug "Retrieving PGT for PGT IOU #{pgt_iou.inspect} from #{retrieve_url.inspect}"
+      
+#      https = Net::HTTP.new(uri.host, uri.port)
+#      https.use_ssl = (uri.scheme == 'https')
+#      res = https.post(uri.path, ';')
+      uri = URI.parse(uri) unless uri.kind_of? URI
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      res = https.start do |conn|
+        conn.get("#{uri.path}?#{uri.query}")
+      end
+      
+      
+      raise CASException, res.body unless res.kind_of? Net::HTTPSuccess
+      
+      ProxyGrantingTicket.new(res.body.strip, pgt_iou)
+    end
+    
+    def add_service_to_login_url(service_url)
+      uri = URI.parse(login_url)
+      # IU's CAS server can't deal with escaped redirects, and the param has to be named "casurl" not "service"
+      uri.query = (uri.query ? uri.query + "&" : "") + "casurl=#{service_url}"
+      uri.to_s
+    end
+    
+    private
+    # Fetches a CAS response of the given type from the given URI.
+    # Type should be either ValidationResponse or ProxyResponse.
+    def request_cas_response(uri, type)
+      log.debug "Requesting CAS response form URI #{uri.inspect}"
+      
+      uri = URI.parse(uri) unless uri.kind_of? URI
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      raw_res = https.start do |conn|
+        conn.get("#{uri.path}?#{uri.query}")
+      end
+      
+      #TODO: check to make sure that response code is 200 and handle errors otherwise
+      
+      log.debug "CAS Responded with #{raw_res.inspect}:\n#{raw_res.body}"
+      
+      type.new(raw_res.body)
+    end
+    
+    # Submits some data to the given URI and returns a Net::HTTPResponse.
+    def submit_data_to_cas(uri, data)
+      uri = URI.parse(uri) unless uri.kind_of? URI
+      req = Net::HTTP::Post.new(uri.path)
+      req.set_form_data(data, ';')
+      https = Net::HTTP.new(uri.host, uri.port)
+      https.use_ssl = (uri.scheme == 'https')
+      https.start {|conn| conn.request(req) }
+    end
+    
+    def query_to_hash(query)
+      CGI.parse(query)
+    end
+      
+    def hash_to_query(hash)
+      pairs = []
+      hash.each do |k, vals|
+        vals = [vals] unless vals.kind_of? Array
+        # IU's CAS server doesn't accept escaped service URLs
+        vals.each {|v| pairs << "#{CGI.escape(k)}=#{v}"}
+      end
+      pairs.join("&")
+    end
+  end
+end

data/lib/casclient/frameworks/merb/strategy.rb

@@ -0,0 +1,110 @@
+# The 'cas' strategy attempts to login users based on the CAS protocol 
+# http://www.ja-sig.org/products/cas/overview/background/index.html
+# 
+# install the rubycas-client gem
+# http://rubyforge.org/projects/rubycas-client/
+#
+require 'casclient'
+class Merb::Authentication
+  module Strategies
+    class CAS < Merb::Authentication::Strategy
+
+      include CASClient
+
+      def run!
+        @client ||= Client.new(config)
+
+        service_ticket = read_ticket
+
+        cas_login_url = @client.add_service_to_login_url(service_url)
+
+        last_service_ticket = session[:cas_last_valid_ticket]
+        if (service_ticket && last_service_ticket && 
+            last_service_ticket.ticket == service_ticket.ticket && 
+            last_service_ticket.service == service_ticket.service)
+
+          # warn() rather than info() because we really shouldn't be re-validating the same ticket. 
+          # The only time when this is acceptable is if the user manually does a refresh and the ticket
+          # happens to be in the URL.
+          log.warn("Reusing previously validated ticket since the new ticket and service are the same.")
+          service_ticket = last_service_ticket
+        elsif last_service_ticket &&
+          !config[:authenticate_on_every_request] && 
+          session[@client.username_session_key]
+          # Re-use the previous ticket if the user already has a local CAS session (i.e. if they were already
+          # previously authenticated for this service). This is to prevent redirection to the CAS server on every
+          # request.
+          # This behaviour can be disabled (so that every request is routed through the CAS server) by setting
+          # the :authenticate_on_every_request config option to false. 
+          log.debug "Existing local CAS session detected for #{session[@client.username_session_key].inspect}. "+
+                  "Previous ticket #{last_service_ticket.ticket.inspect} will be re-used."
+                  service_ticket = last_service_ticket
+        end
+
+        if service_ticket
+          @client.validate_service_ticket(service_ticket) unless service_ticket.has_been_validated?
+          validation_response = service_ticket.response
+
+          if service_ticket.is_valid?
+            log.info("Ticket #{service_ticket.inspect} for service #{service_ticket.service.inspect} " + 
+                    "belonging to user #{validation_response.user.inspect} is VALID.")
+
+            session[@client.username_session_key] = validation_response.user
+            session[@client.extra_attributes_session_key] = validation_response.extra_attributes
+
+            # Store the ticket in the session to avoid re-validating the same service
+            # ticket with the CAS server.
+            session[:cas_last_valid_ticket] = service_ticket
+            return true
+          else  
+            log.warn("Ticket #{service_ticket.ticket.inspect} failed validation -- " + 
+                    "#{validation_response.failure_code}: #{validation_response.failure_message}")
+            redirect!(cas_login_url)
+            return false
+          end
+        else
+          log.warn("No ticket -- redirecting to #{cas_login_url}")
+          redirect!(cas_login_url)
+          return false
+        end
+      end
+
+      def read_ticket
+        ticket = request.params[:ticket]
+
+        return nil unless ticket
+
+        log.debug("Request contains ticket #{ticket.inspect}.")
+
+        if ticket =~ /^PT-/
+          ProxyTicket.new(ticket, service_url, request.params[:renew])
+        else
+          ServiceTicket.new(ticket, service_url, request.params[:renew])
+        end
+      end
+
+      def service_url
+        if config[:service_url]
+          log.debug("Using explicitly set service url: #{config[:service_url]}")
+          return config[:service_url]
+        end
+
+        params = request.params.dup
+        params.delete(:ticket)
+        service_url = "#{request.protocol}://#{request.host}" + request.path
+        log.debug("Guessed service url: #{service_url.inspect}")
+        return service_url
+      end
+
+      def config
+        ::Merb::Plugins.config[:"rubycas-client"]
+      end
+
+      def log
+        ::Merb.logger
+      end
+
+    end # CAS
+  end # Strategies
+end
+

data/lib/casclient/frameworks/rails/cas_proxy_callback_controller.rb

@@ -0,0 +1,76 @@
+require 'pstore'
+
+# Rails controller that responds to proxy generating ticket callbacks from the CAS server and allows
+# for retrieval of those PGTs.
+class CasProxyCallbackController < ActionController::Base
+
+  # Receives a proxy granting ticket from the CAS server and stores it in the database.
+  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole.
+  # In fact, the JA-SIG implementation of the CAS server will refuse to send PGTs to non-https URLs.
+  def receive_pgt
+	#FIXME: these checks don't work because REMOTE_HOST doesn't work consistently under all web servers (for example it doesn't work at all under mongrel)
+	#				... need to find a reliable way to check if the request came through from a reverse HTTPS proxy -- until then I'm disabling this check
+    #render_error "PGTs can be received only via HTTPS or local connections." and return unless
+    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+
+    pgtIou = params['pgtIou']
+    
+    # CAS Protocol spec says that the argument should be called 'pgt', but the JA-SIG CAS server seems to use pgtId.
+    # To accomodate this, we check for both parameters, although 'pgt' takes precedence over 'pgtId'.
+    pgtId = params['pgt'] || params['pgtId']
+    
+    # We need to render a response with HTTP status code 200 when no pgtIou/pgtId is specified because CAS seems first
+    # call the action without any parameters (maybe to check if the server responds correctly)
+    render :text => "Okay, the server is up, but please specify a pgtIou and pgtId." and return unless pgtIou and pgtId
+    
+    # TODO: pstore contents should probably be encrypted...
+    pstore = open_pstore
+    
+    pstore.transaction do
+      pstore[pgtIou] = pgtId
+    end
+    
+    render :text => "PGT received. Thank you!" and return
+  end
+  
+  # Retreives a proxy granting ticket, sends it to output, and deletes the pgt from session storage.
+  # Note that this action should ALWAYS be called via https, otherwise you have a gaping security hole --
+  # in fact, the action will not work if the request is not made via SSL or is not local (we allow for local
+  # non-SSL requests since this allows for the use of reverse HTTPS proxies like Pound).
+  def retrieve_pgt
+    #render_error "You can only retrieve PGTs via HTTPS or local connections." and return unless
+    #  request.ssl? or request.env['REMOTE_HOST'] == "127.0.0.1"
+    
+    pgtIou = params['pgtIou']
+    
+    render_error "No pgtIou specified. Cannot retreive the pgtId." and return unless pgtIou
+  
+    pstore = open_pstore
+  
+    pgt = nil
+    pstore.transaction do
+      pgt = pstore[pgtIou]
+    end
+    
+    if not pgt
+      render_error "Invalid pgtIou specified. Perhaps this pgt has already been retrieved?" and return
+    end
+    
+    render :text => pgt
+    
+    # TODO: need to periodically clean the storage, otherwise it will just keep growing
+    pstore.transaction do
+      pstore.delete pgtIou
+    end
+  end
+  
+  private
+    def render_error(msg)
+      # Note that the error messages are mostly just for debugging, since the CAS server never reads them.
+      render :text => msg, :status => 500
+    end
+    
+    def open_pstore
+      PStore.new("#{RAILS_ROOT}/tmp/cas_pgt.pstore")
+    end
+end

data/lib/casclient/frameworks/rails/filter.rb

@@ -0,0 +1,195 @@
+module CASClient
+  module Frameworks
+    module Rails
+      class Filter
+        cattr_reader :config, :log, :client
+        
+        # These are initialized when you call configure.
+        @@config = nil
+        @@client = nil
+        @@log = nil
+        
+        class << self
+          def filter(controller)
+            raise "Cannot use the CASClient filter because it has not yet been configured." if config.nil?
+
+            st = read_ticket(controller)
+            
+            lst = controller.session[:cas_last_valid_ticket]
+            
+            if st && lst && lst.ticket == st.ticket && lst.service == st.service
+              # warn() rather than info() because we really shouldn't be re-validating the same ticket. 
+              # The only time when this is acceptable is if the user manually does a refresh and the ticket
+              # happens to be in the URL.
+              log.warn("Re-using previously validated ticket since the new ticket and service are the same.")
+              st = lst
+            end
+            
+            if st
+              client.validate_service_ticket(st) unless st.has_been_validated?
+              vr = st.response
+              
+              if st.is_valid?
+                log.info("Ticket #{st.ticket.inspect} for service #{st.service.inspect} belonging to user #{vr.user.inspect} is VALID.")
+                controller.session[client.username_session_key] = vr.user
+                controller.session[client.extra_attributes_session_key] = vr.extra_attributes
+                
+                # RubyCAS-Client 1.x used :casfilteruser as it's username session key,
+                # so we need to set this here to ensure compatibility with configurations
+                # built around the old client.
+                controller.session[:casfilteruser] = vr.user
+                
+                # Store the ticket in the session to avoid re-validating the same service
+                # ticket with the CAS server.
+                controller.session[:cas_last_valid_ticket] = st
+                
+                if vr.pgt_iou
+                  log.info("Receipt has a proxy-granting ticket IOU. Attempting to retrieve the proxy-granting ticket...")
+                  pgt = client.retrieve_proxy_granting_ticket(vr.pgt_iou)
+                  if pgt
+                    log.debug("Got PGT #{pgt.ticket.inspect} for PGT IOU #{pgt.iou.inspect}. This will be stored in the session.")
+                    controller.session[:cas_pgt] = pgt
+                    # For backwards compatibility with RubyCAS-Client 1.x configurations...
+                    controller.session[:casfilterpgt] = pgt
+                  else
+                    log.error("Failed to retrieve a PGT for PGT IOU #{vr.pgt_iou}!")
+                  end
+                end
+                
+                return true
+              else
+                log.warn("Ticket #{st.ticket.inspect} failed validation -- #{vr.failure_code}: #{vr.failure_message}")
+                redirect_to_cas_for_authentication(controller)
+                return false
+              end
+            elsif !config[:authenticate_on_every_request] && controller.session[client.username_session_key]
+              # Don't re-authenticate with the CAS server if we already previously authenticated and the
+              # :authenticate_on_every_request option is disabled (it's disabled by default).
+              log.debug "Existing local CAS session detected for #{controller.session[client.username_session_key].inspect}. "+
+                "User will not be re-authenticated."
+              return true
+            else
+              if returning_from_gateway?(controller)
+                log.info "Returning from CAS gateway without authentication."
+                
+                if use_gatewaying?
+                  log.info "This CAS client is configured to use gatewaying, so we will permit the user to continue without authentication."
+                  return true
+                else
+                  log.warn "The CAS client is NOT configured to allow gatewaying, yet this request was gatewayed. Something is not right!"
+                end
+              end
+              
+              redirect_to_cas_for_authentication(controller)
+              return false
+            end
+          end
+          
+          def configure(config)
+            @@config = config
+            @@config[:logger] = RAILS_DEFAULT_LOGGER unless @@config[:logger]
+            @@client = CASClient::Client.new(config)
+            @@log = client.log
+          end
+          
+          def use_gatewaying?
+            @@config[:use_gatewaying]
+          end
+          
+          def returning_from_gateway?(controller)
+            controller.session[:cas_sent_to_gateway]
+          end
+          
+          def redirect_to_cas_for_authentication(controller)
+            service_url = read_service_url(controller)
+            redirect_url = client.add_service_to_login_url(service_url)
+            
+            if use_gatewaying?
+              controller.session[:cas_sent_to_gateway] = true
+              redirect_url << "&gateway=true"
+            else
+              controller.session[:cas_sent_to_gateway] = false
+            end
+            
+            log.debug("Redirecting to #{redirect_url.inspect}")
+            controller.send(:redirect_to, redirect_url)
+          end
+          
+          private
+          def read_ticket(controller)
+            ticket = controller.params[:casticket]
+            
+            return nil unless ticket
+            
+            log.debug("Request contains ticket #{ticket.inspect}.")
+            
+            if ticket =~ /^PT-/
+              ProxyTicket.new(ticket, read_service_url(controller), controller.params[:renew])
+            else
+              ServiceTicket.new(ticket, read_service_url(controller), controller.params[:renew])
+            end
+          end
+          
+          def read_service_url(controller)
+            if config[:service_url]
+              log.debug("Using explicitly set service url: #{config[:service_url]}")
+              return config[:service_url]
+            end
+            
+            params = controller.params.dup
+            params.delete(:casticket)
+            service_url = controller.url_for(params)
+            log.debug("Guessed service url: #{service_url.inspect}")
+            return service_url
+          end
+          
+          # Creates a file in tmp/sessions linking a SessionTicket
+          # with the local Rails session id. The file is named
+          # cas_sess.<session ticket> and its text contents is the corresponding 
+          # Rails session id.
+          # Returns the filename of the lookup file created.
+          def store_service_session_lookup(st, sid)
+            st = st.ticket if st.kind_of? ServiceTicket
+            f = File.new(filename_of_service_session_lookup(st), 'w')
+            f.write(sid)
+            f.close
+            return f.path
+          end
+          
+          # Returns the local Rails session ID corresponding to the given
+          # ServiceTicket. This is done by reading the contents of the
+          # cas_sess.<session ticket> file created in a prior call to 
+          # #store_service_session_lookup.
+          def read_service_session_lookup(st)
+            st = st.ticket if st.kind_of? ServiceTicket
+            ssl_filename = filename_of_service_session_lookup(st)
+            return File.exists?(ssl_filename) && IO.read(ssl_filename)
+          end
+          
+          # Removes a stored relationship between a ServiceTicket and a local
+          # Rails session id. This should be called when the session is being
+          # closed.
+          #
+          # See #store_service_session_lookup.
+          def delete_service_session_lookup(st)
+            st = st.ticket if st.kind_of? ServiceTicket
+            ssl_filename = filename_of_service_session_lookup(st)
+            File.delete(ssl_filename) if File.exists?(ssl_filename)
+          end
+          
+          # Returns the path and filename of the service session lookup file.
+          def filename_of_service_session_lookup(st)
+            st = st.ticket if st.kind_of? ServiceTicket
+            return "#{RAILS_ROOT}/tmp/sessions/cas_sess.#{st}"
+          end
+        end
+      end
+    
+      class GatewayFilter < Filter
+        def self.use_gatewaying?
+          return true unless @@config[:use_gatewaying] == false
+        end
+      end
+    end
+  end
+end