rack-auth-kerberos 0.1.0

data/CHANGES

@@ -0,0 +1,2 @@
+= 0.1.0 - ???
+* Initial release

data/MANIFEST

@@ -0,0 +1,7 @@
+CHANGES
+MANIFEST
+README
+Rakefile
+rack-kerberos.gemspec
+lib/rack/auth/kerberos.rb
+test/test_rack_kerberos.rb

data/README

@@ -0,0 +1,31 @@
+= Description
+The rack-kerberos library is a Rack library that uses Kerberos to authenicate
+users against your Kerberos server.
+
+= Prerequisites
+rack 1.0.0 or later
+krb5-auth 0.7 or later
+
+= Usage
+use "Rack::Auth::Kerberos", "user_field", "password_field", "YOUR.REALM_NAME"
+
+= Default Fields
+The default user field is "username".
+The default password field is "password".
+The default realm is whatever you've got set in your krb5.conf file.
+
+= Details
+This rack library only handles requests that contain a username and password
+parameter. If both are not present, the request is forwarded normally.
+
+If a username and password are detected, then they're authenicated against
+your Kerberos server. If valid, then env['AUTH_USER'] is set to the username
+and env['AUTH_FAIL'] is deleted. If invalid, then env['AUTH_USER'] is deleted
+and env['AUTH_FAIL'] is set to an error message explaining what went wrong.
+
+Note that if env['AUTH_USER'] or env['AUTH_FAIL'] are already set, then the
+request is forwarded normally.
+
+= Authors
+Daniel Berger
+Charlie O'Keefe

data/Rakefile

@@ -0,0 +1,54 @@
+require 'rake'
+require 'rake/testtask'
+require 'rbconfig'
+ 
+desc 'Install the rack-auth-kerberos library (non-gem)'
+task :install do
+  dir = File.join(CONFIG['sitelibdir'], 'rack', 'auth')
+  FileUtils.mkdir_p(dir) unless File.exists?(dir)
+  file = 'lib/rack/auth/kerberos.rb'
+  FileUtils.cp_r(file, dir, :verbose => true)
+end
+ 
+desc 'Build the gem'
+task :gem do
+  spec = eval(IO.read('rack-auth-kerberos.gemspec'))
+  Gem::Builder.new(spec).build
+end
+ 
+desc 'Install the rack-auth-kerberos library as a gem'
+task :install_gem => [:gem] do
+   file = Dir["*.gem"].first
+   sh "gem install #{file}"
+end
+ 
+desc 'Export the git archive to a .zip, .gz and .bz2 file in your home directory'
+task :export, :output_file do |t, args|
+  file = args[:output_file]
+ 
+  sh "git archive --prefix #{file}/ --output #{ENV['HOME']}/#{file}.tar master"
+ 
+  Dir.chdir(ENV['HOME']) do
+    sh "gzip -f #{ENV['HOME']}/#{file}.tar"
+  end
+ 
+  sh "git archive --prefix #{file}/ --output #{ENV['HOME']}/#{file}.tar master"
+ 
+  Dir.chdir(ENV['HOME']) do
+    sh "bzip2 -f #{ENV['HOME']}/#{file}.tar"
+  end
+  
+  sh "git archive --prefix #{file}/ --output #{ENV['HOME']}/#{file}.zip --format zip master"
+ 
+  Dir.chdir(ENV['HOME']) do
+    sh "unzip #{file}.zip"
+    Dir.chdir(file) do
+      sh "rake gem"
+    end
+  end
+end
+ 
+Rake::TestTask.new do |t|
+   t.verbose = true
+   t.warning = true
+end

data/lib/rack/auth/kerberos.rb

@@ -0,0 +1,94 @@
+require 'krb5_auth'
+
+module Rack
+  module Auth
+    class Kerberos
+      # The version of the rack-auth-kerberos library.
+      VERSION = '0.1.0'
+
+      # Creates a new Rack::Kerberos object. The +user_field+ and +password_field+
+      # are the params looked for in the call method. The defaults are 'username'
+      # and 'password', respectively.
+      #
+      # If the optional +realm+ parameter is supplied it will override the
+      # default realm specified in your krb5.conf file.
+      #
+      # The realm is automatically appended to the username if not already
+      # present. This makes it easier for application developers, i.e. they can
+      # supply a username with or without a realm and it will Just Work (TM).
+      #
+      def initialize(app, user_field = 'username', password_field = 'password', realm = nil)
+        @app = app
+        @user_field = user_field
+        @password_field = password_field
+        @kerberos = Krb5Auth::Krb5.new
+
+        if realm
+          @realm = realm
+        else
+          @realm = @kerberos.get_default_realm
+        end
+      end
+
+      # The call method we've defined first checks to see if the AUTH_USER
+      # environment variable is set. If it is, we assume that the user has
+      # already been authenticated and move on.
+      #
+      # If AUTH_USER is not set, and AUTH_FAIL is not set, we then attempt
+      # to authenticate the user against the Kerberos server. If successful
+      # then AUTH_USER is set to the username.
+      #
+      # If unsuccessful then AUTH_USER is set to nil and AUTH_FAIL is
+      # set to an appropriate error message.
+      #
+      # It is then up to the application to check for the presence of AUTH_USER
+      # and/or AUTH_FAIL and act as necessary.
+      #
+      def call(env)
+        request = Rack::Request.new(env)
+
+        user = request.params[@user_field]
+        password = request.params[@password_field]
+
+        # Only authenticate user if both the username and password fields are present
+        unless user && password
+          return @app.call(env)
+        end
+
+        # Automatically append the realm if not already present
+        user_with_realm = user.dup
+        user_with_realm += "@#{@realm}" unless user.include?('@')
+
+        # Do not authenticate if either one of these is set
+        if env['AUTH_USER'] || env['AUTH_FAIL']
+          return @app.call(env)
+        end
+
+        begin
+          @kerberos.get_init_creds_password(user_with_realm, password)
+          env['AUTH_USER'] = user
+          env.delete('AUTH_FAIL')
+        rescue Krb5Auth::Krb5::Exception => err
+          case err.message
+            when /client not found/i
+              msg = "Invalid userid '#{user}'"
+            when /integrity check failed/i
+              msg = "Invalid password for '#{user}'"
+            else
+              msg = "Error attempting to validate userid and password"
+          end
+
+          env.delete('AUTH_USER')
+          env['AUTH_FAIL'] = msg
+        rescue => err
+          env.delete('AUTH_USER')
+          env['AUTH_FAIL'] = "Unexpected failure during Kerberos authentication"
+        ensure
+          @kerberos.close
+        end
+
+        @app.call(env)
+      end
+    end
+  end
+end

data/rack-auth-kerberos.gemspec

@@ -0,0 +1,22 @@
+require 'rubygems'
+
+Gem::Specification.new do |gem|
+  gem.name      = 'rack-auth-kerberos'
+  gem.version   = '0.1.0'
+  gem.authors   = ["Daniel Berger", "Charlie O'Keefe"]
+  gem.email     = 'dberger@globe.gov'
+  gem.homepage  = 'http://www.github.com/rack-kerberos'
+  gem.summary   = 'A Rack library that authenticates people using Kerberos'
+  gem.test_file = 'test/test_rack_auth_kerberos.rb'
+  gem.files     = Dir['**/*'].delete_if{ |item| item.include?('git') } 
+
+  gem.extra_rdoc_files = ['CHANGES', 'README', 'MANIFEST']
+
+  gem.add_dependency('rack', '>= 1.0.0')
+  gem.add_dependency('krb5-auth', '>= 0.7')
+  
+  gem.description = <<-EOF
+    The rack-kerberos library provides a Rack middleware interface for
+    authenticating users against a Kerberos server.
+  EOF
+end

data/test/test_rack_auth_kerberos.rb

@@ -0,0 +1,22 @@
+require 'test/unit'
+require 'rack/auth/kerberos'
+
+class TC_Rack_Auth_Kerberos < Test::Unit::TestCase
+  def setup
+    @app  = 1 # Placeholder
+    @env  = 1 # Placeholder
+    @rack = Rack::Auth::Kerberos.new(@app)
+  end
+
+  def test_constructor_basic
+    assert_nothing_raised{ Rack::Auth::Kerberos.new(@app) }
+  end
+
+  def test_version
+    assert_equal('0.1.0', Rack::Auth::Kerberos::VERSION)
+  end
+
+  def teardown
+    @rack = nil
+  end
+end

metadata

@@ -0,0 +1,83 @@
+--- !ruby/object:Gem::Specification 
+name: rack-auth-kerberos
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Daniel Berger
+- Charlie O'Keefe
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-12-11 00:00:00 -07:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rack
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.0.0
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: krb5-auth
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0.7"
+    version: 
+description: "    The rack-kerberos library provides a Rack middleware interface for\n    authenticating users against a Kerberos server.\n"
+email: dberger@globe.gov
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- CHANGES
+- README
+- MANIFEST
+files: 
+- MANIFEST
+- test/test_rack_auth_kerberos.rb
+- Rakefile
+- CHANGES
+- README
+- lib/rack/auth/kerberos.rb
+- rack-auth-kerberos.gemspec
+has_rdoc: true
+homepage: http://www.github.com/rack-kerberos
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: A Rack library that authenticates people using Kerberos
+test_files: 
+- test/test_rack_auth_kerberos.rb