omniauth 0.2.4 → 0.2.5

data/oa-enterprise/Rakefile

@@ -0,0 +1,6 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec
+task :test => :spec

data/oa-enterprise/lib/oa-enterprise.rb

@@ -0,0 +1 @@
+require 'omniauth/enterprise'

data/oa-enterprise/lib/omniauth/enterprise.rb

@@ -0,0 +1,8 @@
+require 'omniauth/core'
+
+module OmniAuth
+  module Strategies
+    autoload :CAS, 'omniauth/strategies/cas'
+    autoload :LDAP, 'omniauth/strategies/ldap'
+  end
+end

data/oa-enterprise/lib/omniauth/strategies/cas.rb

@@ -0,0 +1,47 @@
+require 'omniauth/enterprise'
+
+module OmniAuth
+  module Strategies
+    class CAS
+      include OmniAuth::Strategy
+
+      autoload :Configuration, 'omniauth/strategies/cas/configuration'
+      autoload :ServiceTicketValidator, 'omniauth/strategies/cas/service_ticket_validator'
+
+      def initialize(app, options = {}, &block)
+        super(app, options[:name] || :cas, options.dup, &block)
+        @configuration = OmniAuth::Strategies::CAS::Configuration.new(options)
+      end
+
+      protected
+
+      def request_phase
+        [
+          302,
+          {
+            'Location' => @configuration.login_url(callback_url),
+            'Content-Type' => 'text/plain'
+          },
+          ["You are being redirected to CAS for sign-in."]
+        ]
+      end
+
+      def callback_phase
+        ticket = request.params['ticket']
+        return fail!(:no_ticket, 'No CAS Ticket') unless ticket
+        validator = ServiceTicketValidator.new(@configuration, callback_url, ticket)
+        @user_info = validator.user_info
+        return fail!(:invalid_ticket, 'Invalid CAS Ticket') if @user_info.nil? || @user_info.empty?
+        super
+      end
+
+      def auth_hash
+        OmniAuth::Utils.deep_merge(super, {
+          'uid' => @user_info.delete('user'),
+          'extra' => @user_info
+        })
+      end
+
+    end
+  end
+end

data/oa-enterprise/lib/omniauth/strategies/cas/configuration.rb

@@ -0,0 +1,98 @@
+require 'rack'
+
+module OmniAuth
+  module Strategies
+    class CAS
+      class Configuration
+
+        DEFAULT_LOGIN_URL = "%s/login"
+
+        DEFAULT_SERVICE_VALIDATE_URL = "%s/serviceValidate"
+
+        # @param [Hash] params configuration options
+        # @option params [String, nil] :cas_server the CAS server root URL; probably something like
+        #         `http://cas.mycompany.com` or `http://cas.mycompany.com/cas`; optional.
+        # @option params [String, nil] :cas_login_url (:cas_server + '/login') the URL to which to
+        #         redirect for logins; options if `:cas_server` is specified,
+        #         required otherwise.
+        # @option params [String, nil] :cas_service_validate_url (:cas_server + '/serviceValidate') the
+        #         URL to use for validating service tickets; optional if `:cas_server` is
+        #         specified, requred otherwise.
+        # @option params [Boolean, nil] :disable_ssl_verification disable verification for SSL cert,
+        #         helpful when you developing with a fake cert.
+        def initialize(params)
+          parse_params params
+        end
+
+        # Build a CAS login URL from +service+.
+        #
+        # @param [String] service the service (a.k.a. return-to) URL
+        #
+        # @return [String] a URL like `http://cas.mycompany.com/login?service=...`
+        def login_url(service)
+          append_service @login_url, service
+        end
+
+        # Build a service-validation URL from +service+ and +ticket+.
+        # If +service+ has a ticket param, first remove it. URL-encode
+        # +service+ and add it and the +ticket+ as paraemters to the
+        # CAS serviceValidate URL.
+        #
+        # @param [String] service the service (a.k.a. return-to) URL
+        # @param [String] ticket the ticket to validate
+        #
+        # @return [String] a URL like `http://cas.mycompany.com/serviceValidate?service=...&ticket=...`
+        def service_validate_url(service, ticket)
+          service = service.sub(/[?&]ticket=[^?&]+/, '')
+          url = append_service(@service_validate_url, service)
+          url << '&ticket=' << Rack::Utils.escape(ticket)
+        end
+
+        def disable_ssl_verification?
+          @disable_ssl_verification
+        end
+
+        private
+
+        def parse_params(params)
+          if params[:cas_server].nil? && params[:cas_login_url].nil?
+            raise ArgumentError.new(":cas_server or :cas_login_url MUST be provided")
+          end
+          @login_url   = params[:cas_login_url]
+          @login_url ||= DEFAULT_LOGIN_URL % params[:cas_server]
+          validate_is_url 'login URL', @login_url
+
+          if params[:cas_server].nil? && params[:cas_service_validate_url].nil?
+            raise ArgumentError.new(":cas_server or :cas_service_validate_url MUST be provided")
+          end
+          @service_validate_url   = params[:cas_service_validate_url]
+          @service_validate_url ||= DEFAULT_SERVICE_VALIDATE_URL % params[:cas_server]
+          validate_is_url 'service-validate URL', @service_validate_url
+
+          @disable_ssl_verification = params[:disable_ssl_verification]
+        end
+
+        IS_NOT_URL_ERROR_MESSAGE = "%s is not a valid URL"
+
+        def validate_is_url(name, possibly_a_url)
+          url = URI.parse(possibly_a_url) rescue nil
+          raise ArgumentError.new(IS_NOT_URL_ERROR_MESSAGE % name) unless url.kind_of?(URI::HTTP)
+        end
+
+        # Adds +service+ as an URL-escaped parameter to +base+.
+        #
+        # @param [String] base the base URL
+        # @param [String] service the service (a.k.a. return-to) URL.
+        #
+        # @return [String] the new joined URL.
+        def append_service(base, service)
+          result = base.dup
+          result << (result.include?('?') ? '&' : '?')
+          result << 'service='
+          result << Rack::Utils.escape(service)
+        end
+
+      end
+    end
+  end
+end

data/oa-enterprise/lib/omniauth/strategies/cas/service_ticket_validator.rb

@@ -0,0 +1,84 @@
+require 'net/http'
+require 'net/https'
+require 'nokogiri'
+
+module OmniAuth
+  module Strategies
+    class CAS
+      class ServiceTicketValidator
+
+        VALIDATION_REQUEST_HEADERS = { 'Accept' => '*/*' }
+
+        # Build a validator from a +configuration+, a
+        # +return_to+ URL, and a +ticket+.
+        #
+        # @param [OmniAuth::Strategies::CAS::Configuration] configuration the CAS configuration
+        # @param [String] return_to_url the URL of this CAS client service
+        # @param [String] ticket the service ticket to validate
+        def initialize(configuration, return_to_url, ticket)
+          @configuration = configuration
+          @uri = URI.parse(@configuration.service_validate_url(return_to_url, ticket))
+        end
+
+        # Request validation of the ticket from the CAS server's
+        # serviceValidate (CAS 2.0) function.
+        #
+        # Swallows all XML parsing errors (and returns +nil+ in those cases).
+        #
+        # @return [Hash, nil] a user information hash if the response is valid; +nil+ otherwise.
+        #
+        # @raise any connection errors encountered.
+        def user_info
+          parse_user_info(find_authentication_success(get_service_response_body))
+        end
+
+        private
+
+        # turns an `<cas:authenticationSuccess>` node into a Hash;
+        # returns nil if given nil
+        def parse_user_info(node)
+          return nil if node.nil?
+          node.children.inject({}) do |hash, child|
+            unless child.kind_of?(Nokogiri::XML::Text) ||
+                   child.name == 'cas:proxies' ||
+                   child.name == 'proxies'
+              hash[child.name.sub(/^cas:/, '')] = child.content
+            end
+            hash
+          end
+        end
+
+        # finds an `<cas:authenticationSuccess>` node in
+        # a `<cas:serviceResponse>` body if present; returns nil
+        # if the passed body is nil or if there is no such node.
+        def find_authentication_success(body)
+          return nil if body.nil? || body == ''
+          begin
+            doc = Nokogiri::XML(body)
+            begin
+              doc.xpath('/cas:serviceResponse/cas:authenticationSuccess')
+            rescue Nokogiri::XML::XPath::SyntaxError
+              doc.xpath('/serviceResponse/authenticationSuccess')
+            end
+          rescue Nokogiri::XML::XPath::SyntaxError
+            nil
+          end
+        end
+
+        # retrieves the `<cas:serviceResponse>` XML from the CAS server
+        def get_service_response_body
+          result = ''
+          http = ::Net::HTTP.new(@uri.host, @uri.port)
+          http.use_ssl = @uri.port == 443 || @uri.instance_of?(URI::HTTPS)
+          http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl? && @configuration.disable_ssl_verification?
+          http.start do |c|
+            response = c.get "#{@uri.path}?#{@uri.query}", VALIDATION_REQUEST_HEADERS.dup
+            result = response.body
+          end
+          result
+        end
+
+      end
+    end
+  end
+end

data/oa-enterprise/lib/omniauth/strategies/ldap.rb

@@ -0,0 +1,111 @@
+require 'omniauth/enterprise'
+require 'net/ldap'
+require 'sasl/base'
+require 'sasl'
+
+module OmniAuth
+  module Strategies
+    class LDAP
+      include OmniAuth::Strategy
+
+      autoload :Adaptor, 'omniauth/strategies/ldap/adaptor'
+      @@config   = {'name' => 'cn',
+                    'first_name' => 'givenName',
+                    'last_name' => 'sn',
+                    'email' => ['mail', "email", 'userPrincipalName'],
+					'phone' => ['telephoneNumber', 'homePhone', 'facsimileTelephoneNumber'],
+					'mobile_number' => ['mobile', 'mobileTelephoneNumber'],
+					'nickname' => ['uid', 'userid', 'sAMAccountName'],
+					'title' => 'title',
+					'location' => {"%0, %1, %2, %3 %4" => [['address', 'postalAddress', 'homePostalAddress', 'street', 'streetAddress'], ['l'], ['st'],['co'],['postOfficeBox']]},
+					'uid' => 'dn',
+					'url' => ['wwwhomepage'],
+					'image' => 'jpegPhoto',
+					'description' => 'description'}
+
+      # Initialize the LDAP Middleware
+      #
+      # @param [Rack Application] app Standard Rack middleware argument.
+      # @option options [String, 'LDAP Authentication'] :title A title for the authentication form.
+      def initialize(app, options = {}, &block)
+        super(app, options[:name] || :ldap, options.dup, &block)
+        @name_proc = (@options.delete(:name_proc) || Proc.new {|name| name})
+        @adaptor = OmniAuth::Strategies::LDAP::Adaptor.new(options)
+      end
+
+      protected
+
+      def request_phase
+        if env['REQUEST_METHOD'] == 'GET'
+          get_credentials
+        else
+          session['omniauth.ldap'] = {'username' => request['username'], 'password' => request['password']}
+          redirect callback_path
+        end
+      end
+
+  	  def get_credentials
+        OmniAuth::Form.build(:title => (options[:title] || "LDAP Authentication")) do
+          text_field 'Login', 'username'
+          password_field 'Password', 'password'
+        end.to_response
+      end
+
+      def callback_phase
+      	begin
+        creds = session['omniauth.ldap']
+        session.delete 'omniauth.ldap'
+				@ldap_user_info = {}
+        begin
+        	(@adaptor.bind(:allow_anonymous => true) unless @adaptor.bound?)
+        rescue Exception => e
+        	puts "failed to bind with the default credentials: " + e.message
+       	end
+        @ldap_user_info = @adaptor.search(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @name_proc.call(creds['username'])),:limit => 1) if @adaptor.bound?
+				bind_dn = creds['username']
+				bind_dn = @ldap_user_info[:dn].to_a.first if @ldap_user_info[:dn]
+        @adaptor.bind(:bind_dn => bind_dn, :password => creds['password'])
+        @ldap_user_info = @adaptor.search(:filter => Net::LDAP::Filter.eq(@adaptor.uid, @name_proc.call(creds['username'])),:limit => 1) if @ldap_user_info.empty?
+    	  @user_info = self.class.map_user(@@config, @ldap_user_info)
+
+        @env['omniauth.auth'] = auth_hash
+
+      	rescue Exception => e
+      	  return fail!(:invalid_credentials, e)
+      	end
+	      call_app!
+      end
+
+      def auth_hash
+        OmniAuth::Utils.deep_merge(super, {
+          'uid' => @user_info["uid"],
+          'user_info' => @user_info,
+          'extra' => @ldap_user_info
+        })
+      end
+
+	  def self.map_user(mapper, object)
+		user = {}
+		mapper.each do |key, value|
+		  case value
+		  when String
+		    user[key] = object[value.downcase.to_sym].to_s if object[value.downcase.to_sym]
+		  when Array
+		    value.each {|v| (user[key] = object[v.downcase.to_sym].to_s; break;) if object[v.downcase.to_sym]}
+		  when Hash
+		    value.map do |key1, value1|
+			  pattern = key1.dup
+			  value1.each_with_index do |v,i|
+			    part = '';
+			    v.each {|v1| (part = object[v1.downcase.to_sym].to_s; break;) if object[v1.downcase.to_sym]}
+			    pattern.gsub!("%#{i}",part||'')
+			  end
+			  user[key] = pattern
+		    end
+		  end
+		end
+		user
+	  end
+    end
+  end
+end

data/oa-enterprise/lib/omniauth/strategies/ldap/adaptor.rb

@@ -0,0 +1,279 @@
+#this code boughts pieces from activeldap and net-ldap
+
+require 'rack'
+require 'net/ldap'
+require 'net/ntlm'
+require 'uri'
+
+module OmniAuth
+  module Strategies
+    class LDAP
+      class Adaptor
+        class LdapError < StandardError; end
+        class ConfigurationError < StandardError; end
+        class AuthenticationError < StandardError; end
+        class ConnectionError < StandardError; end
+
+        VALID_ADAPTER_CONFIGURATION_KEYS = [:host, :port, :method, :bind_dn, :password,
+	                                        :try_sasl, :sasl_mechanisms, :uid, :base, :allow_anonymous]
+
+        MUST_HAVE_KEYS = [:host, :port, :method, :uid, :base]
+
+        METHOD = {
+	        :ssl => :simple_tls,
+	        :tls => :start_tls,
+          :plain => nil,
+        }
+
+        attr_accessor :bind_dn, :password
+        attr_reader :connection, :uid, :base
+
+        def initialize(configuration={})
+          @connection = nil
+          @disconnected = false
+          @bound = false
+          @configuration = configuration.dup
+          @configuration[:allow_anonymous] ||= false
+          @logger = @configuration.delete(:logger)
+          message = []
+          MUST_HAVE_KEYS.each do |name|
+              message << name if configuration[name].nil?
+          end
+          raise ArgumentError.new(message.join(",") +" MUST be provided") unless message.empty?
+          VALID_ADAPTER_CONFIGURATION_KEYS.each do |name|
+            instance_variable_set("@#{name}", configuration[name])
+          end
+        end
+
+        def connect(options={})
+          host = options[:host] || @host
+          method = ensure_method(options[:method] || @method || :plain)
+          port = options[:port] || @port || ensure_port(method)
+          @disconnected = false
+          @bound = false
+          @bind_tried = false
+
+          config = {
+            :host => host,
+            :port => port,
+          }
+
+          config[:encryption] = {:method => method} if method
+
+          @connection, @uri, @with_start_tls = begin
+            uri = construct_uri(host, port, method == :simple_tls)
+            with_start_tls = method == :start_tls
+            puts ({:uri => uri, :with_start_tls => with_start_tls}).inspect
+            [Net::LDAP::Connection.new(config), uri, with_start_tls]
+          rescue Net::LDAP::LdapError
+            raise ConnectionError, $!.message
+          end
+        end
+
+        def unbind(options={})
+          @connection.close # Net::LDAP doesn't implement unbind.
+        end
+
+        def bind(options={})
+          connect(options) unless connecting?
+          begin
+          @bind_tried = true
+
+          bind_dn = (options[:bind_dn] || @bind_dn).to_s
+          try_sasl = options.has_key?(:try_sasl) ? options[:try_sasl] : @try_sasl
+          if options.has_key?(:allow_anonymous)
+            allow_anonymous = options[:allow_anonymous]
+          else
+            allow_anonymous = @allow_anonymous
+          end
+          # Rough bind loop:
+          # Attempt 1: SASL if available
+          # Attempt 2: SIMPLE with credentials if password block
+          # Attempt 3: SIMPLE ANONYMOUS if 1 and 2 fail and allow anonymous is set to true
+          if try_sasl and sasl_bind(bind_dn, options)
+              puts "bound with sasl"
+          elsif simple_bind(bind_dn, options)
+              puts "bound with simple"
+          elsif allow_anonymous and bind_as_anonymous(options)
+            puts "bound as anonymous"
+          else
+            message = yield if block_given?
+            message ||= ('All authentication methods for %s exhausted.') % target
+            raise AuthenticationError, message
+          end
+          @bound = true
+          rescue Net::LDAP::LdapError
+            raise AuthenticationError, $!.message
+          end
+        end
+
+        def disconnect!(options={})
+          unbind(options)
+          @connection = @uri = @with_start_tls = nil
+          @disconnected = true
+        end
+
+        def rebind(options={})
+          unbind(options) if bound?
+          connect(options)
+        end
+
+        def connecting?
+          !@connection.nil? and !@disconnected
+        end
+
+        def bound?
+          connecting? and @bound
+        end
+
+        def search(options={}, &block)
+          base = options[:base]
+          filter = options[:filter]
+          limit = options[:limit]
+
+          args = {
+            :base => @base,
+            :filter => filter,
+            :size => limit
+          }
+
+          attributes = {}
+          execute(:search, args) do |entry|
+            entry.attribute_names.each do |name|
+              attributes[name] = entry[name]
+            end
+          end
+          attributes
+        end
+
+        private
+
+        def execute(method, *args, &block)
+          result = @connection.send(method, *args, &block)
+          message = nil
+
+          if result.is_a?(Hash)
+            message = result[:errorMessage]
+            result = result[:resultCode]
+          end
+
+          unless result.zero?
+            message = [Net::LDAP.result2string(result), message].compact.join(": ")
+            raise LdapError, message
+          end
+        end
+
+        def ensure_port(method)
+          if method == :ssl
+            URI::LDAPS::DEFAULT_PORT
+          else
+            URI::LDAP::DEFAULT_PORT
+          end
+        end
+
+        def prepare_connection(options)
+        end
+
+        def ensure_method(method)
+            method ||= "plain"
+            normalized_method = method.to_s.downcase.to_sym
+            return METHOD[normalized_method] if METHOD.has_key?(normalized_method)
+
+            available_methods = METHOD.keys.collect {|m| m.inspect}.join(", ")
+            format = "%s is not one of the available connect methods: %s"
+            raise ConfigurationError, format % [method.inspect, available_methods]
+        end
+
+        def sasl_bind(bind_dn, options={})
+          sasl_mechanisms = options[:sasl_mechanisms] || @sasl_mechanisms
+            sasl_mechanisms.each do |mechanism|
+              begin
+                normalized_mechanism = mechanism.downcase.gsub(/-/, '_')
+                sasl_bind_setup = "sasl_bind_setup_#{normalized_mechanism}"
+                next unless respond_to?(sasl_bind_setup, true)
+                initial_credential, challenge_response = send(sasl_bind_setup, bind_dn, options)
+
+                args = {
+                  :method => :sasl,
+                  :initial_credential => initial_credential,
+                  :mechanism => mechanism,
+                  :challenge_response => challenge_response,
+                }
+
+                info = {
+                  :name => "bind: SASL", :dn => bind_dn, :mechanism => mechanism,
+                }
+
+                execute(:bind, args)
+                return true
+
+              rescue Exception => e
+                puts e.message
+              end
+            end
+          false
+        end
+
+        def sasl_bind_setup_digest_md5(bind_dn, options)
+          initial_credential = ""
+          challenge_response = Proc.new do |cred|
+            pref = SASL::Preferences.new :digest_uri => "ldap/#{@host}", :username => bind_dn, :has_password? => true, :password => options[:password]||@password
+            sasl = SASL.new("DIGEST-MD5", pref)
+            response = sasl.receive("challenge", cred)
+            response[1]
+          end
+          [initial_credential, challenge_response]
+        end
+
+        def sasl_bind_setup_gss_spnego(bind_dn, options)
+          puts options.inspect
+          user,psw = [bind_dn, options[:password]||@password]
+          raise LdapError.new( "invalid binding information" ) unless (user && psw)
+
+          nego = proc {|challenge|
+            t2_msg = Net::NTLM::Message.parse( challenge )
+            user, domain = user.split('\\').reverse
+            t2_msg.target_name = Net::NTLM::encode_utf16le(domain) if domain
+            t3_msg = t2_msg.response( {:user => user, :password => psw}, {:ntlmv2 => true} )
+            t3_msg.serialize
+          }
+          [Net::NTLM::Message::Type1.new.serialize, nego]
+        end
+
+        def simple_bind(bind_dn, options={})
+          args = {
+            :method => :simple,
+            :username => bind_dn,
+            :password => (options[:password]||@password).to_s,
+          }
+          begin
+            raise AuthenticationError if args[:password] == ""
+            execute(:bind, args)
+            true
+          rescue Exception
+            false
+          end
+        end
+
+        def bind_as_anonymous(options={})
+          execute(:bind, {:method => :anonymous})
+          true
+        end
+
+        def construct_uri(host, port, ssl)
+          protocol = ssl ? "ldaps" : "ldap"
+          URI.parse("#{protocol}://#{host}:#{port}").to_s
+        end
+
+        def target
+          return nil if @uri.nil?
+          if @with_start_tls
+            "#{@uri}(StartTLS)"
+          else
+            @uri
+          end
+        end
+      end
+    end
+  end
+end