rack-auth-krb 0.0.8

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+vendor/
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/Gemfile

@@ -0,0 +1,3 @@
+source :rubygems
+gemspec
+

data/Gemfile.lock

@@ -0,0 +1,68 @@
+PATH
+  remote: .
+  specs:
+    rack-auth-krb (0.0.2)
+      gssapi
+      rkerberos
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    async-rack (0.5.1)
+      rack (~> 1.1)
+    diff-lcs (1.1.3)
+    em-synchrony (1.0.1)
+      eventmachine (>= 1.0.0.beta.1)
+    eventmachine (1.0.0.beta.4)
+    ffi (1.0.11)
+    goliath (0.9.4)
+      async-rack
+      em-synchrony (>= 1.0.0)
+      eventmachine (>= 1.0.0.beta.3)
+      http_parser.rb
+      http_router (~> 0.9.0)
+      log4r
+      multi_json
+      rack (>= 1.2.2)
+      rack-contrib
+      rack-respond_to
+    gssapi (1.1.1)
+      ffi (>= 1.0.1)
+    http_parser.rb (0.5.3)
+    http_router (0.9.7)
+      rack (>= 1.0.0)
+      url_mount (~> 0.2.1)
+    log4r (1.1.10)
+    multi_json (1.3.4)
+    puma (1.3.0)
+      rack (~> 1.2)
+    rack (1.4.1)
+    rack-accept-media-types (0.9)
+    rack-contrib (1.1.0)
+      rack (>= 0.9.1)
+    rack-respond_to (0.9.8)
+      rack-accept-media-types (>= 0.6)
+    rake (0.9.2.2)
+    rake-compiler (0.8.1)
+      rake
+    rkerberos (0.1.0)
+      rake-compiler
+    rspec (2.9.0)
+      rspec-core (~> 2.9.0)
+      rspec-expectations (~> 2.9.0)
+      rspec-mocks (~> 2.9.0)
+    rspec-core (2.9.0)
+    rspec-expectations (2.9.1)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.9.0)
+    url_mount (0.2.1)
+      rack
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  goliath
+  puma
+  rack-auth-krb!
+  rspec (~> 2.0)

data/README.md

@@ -0,0 +1,57 @@
+rack-auth-krb
+=============
+
+Kerberos/GSSAPI authentication (Basic and Negotiate) rack middleware.
+
+Actually this middleware should (hopefully) work for standard Rack
+application and as a Goliath middleware.
+
+Dependencies
+============
+Kerberos should be installed and configured on the server. 
+
+If you do want to share the authentication through your application,
+you'll need to have a Rack::Session middleware inserted before you in
+the loop.
+
+Rack applications
+=================
+
+```ruby
+require 'rack/auth/krb/basic_and_nego'
+
+infinity = Proc.new {|env| [200, {"Content-Type" => "text/html"}, ["Hello #{env['REMOTE_USER']}"]]}
+
+use Rack::Session::Cookie
+use Rack::Logger, ::Logger::DEBUG
+use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'
+
+map '/' do
+  run infinity
+end
+```
+
+
+Goliath applications
+====================
+
+```ruby
+require 'rack/session/cookie'
+require 'goliath'
+require 'goliath/rack/auth/krb/basic_and_nego'
+
+class DumpHeaders < Goliath::API
+  # Must be placed *before* BasicAndNego if we want it to use sessions !
+  use Rack::Session::Cookie
+  use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'
+
+  def on_headers(env, headers)
+    env.logger.info 'received headers: ' + headers.inspect
+  end
+
+  def response(env)
+    [200, {}, "Hello #{env['REMOTE_USER']}"]
+  end
+end
+```
+

data/lib/basic_and_nego/auth/base.rb

@@ -0,0 +1,20 @@
+require 'basic_and_nego/auth/responses'
+
+module BasicAndNego
+  module Auth
+    class Base
+      include Responses
+
+      attr_reader :response, :client_name, :headers
+
+      def initialize(request, logger, realm, keytab, service)
+        @request = request
+        @logger = logger
+        @realm = realm
+        @keytab = keytab
+        @service = service
+      end
+
+    end
+  end
+end

data/lib/basic_and_nego/auth/basic.rb

@@ -0,0 +1,31 @@
+require 'basic_and_nego/auth/base'
+require 'basic_and_nego/auth/krb'
+
+module BasicAndNego
+  module Auth
+    class Basic < Base
+
+      def initialize(request, logger, realm, keytab, service)
+        super
+        @krb = BasicAndNego::Auth::Krb.new(@logger, @realm, @keytab)
+      end
+
+      def process
+        @logger.debug "Basic scheme proposed by client"
+        user, password = @request.credentials
+        authenticate(user, password)
+        @client_name = user unless @response
+      end
+
+      private
+
+      def authenticate(user, password)
+        unless @krb.authenticate(user, password)
+          @logger.debug "Unable to authenticate (401)"
+          @response = unauthorized
+        end
+      end
+
+    end
+  end
+end

data/lib/basic_and_nego/auth/gss.rb

@@ -0,0 +1,36 @@
+require 'gssapi'
+
+module BasicAndNego
+  module Auth
+    class GSS
+      attr_reader :gssapi, :logger
+
+      #
+      # Can raise GSSAPI::GssApiError
+      #
+      def initialize(logger, service, realm, keytab)
+        @logger = logger
+        @service = service
+        @realm = realm
+        @keytab = keytab
+        @gssapi = GSSAPI::Simple.new(@realm, @service, @keytab)
+
+        gssapi.acquire_credentials
+      end
+
+      #
+      #  Attempt to authenticate the furnished token against gssapi
+      #
+      # It return nil (in case of error) or the token sent back
+      # by the gssapi if the authentication is successfull
+      #
+      def authenticate(token)
+        return gssapi.accept_context(token)
+      end
+
+      def display_name
+        return gssapi.display_name
+      end
+    end
+  end
+end

data/lib/basic_and_nego/auth/krb.rb

@@ -0,0 +1,28 @@
+require "rkerberos"
+
+module BasicAndNego
+  module Auth
+    class Krb
+      attr_reader :realm, :keytab, :logger
+
+      def initialize(logger, realm, keytab)
+        @logger = logger
+        @realm = realm
+        @keytab = keytab
+      end
+
+      def authenticate(user, passwd)
+        successfull = false
+        Kerberos::Krb5.new do |krb5|
+          begin
+            krb5.get_init_creds_password(user, passwd)
+            successfull = true
+          rescue Kerberos::Krb5::Exception => e
+            logger.error "Failed to authenticate user '#{user}': #{e.message}"
+          end
+        end
+        successfull
+      end
+    end
+  end
+end

data/lib/basic_and_nego/auth/negotiate.rb

@@ -0,0 +1,53 @@
+require 'basic_and_nego/auth/base'
+require 'basic_and_nego/auth/gss'
+require 'base64'
+
+module BasicAndNego
+  module Auth
+    class Negotiate < Base
+
+      def initialize(request, logger, realm, keytab, service)
+        super
+        setup_gss
+      end
+
+      def process
+        @logger.debug "Negotiate scheme proposed by client"
+        authenticate unless @response
+        verify_token unless @response
+        set_headers unless @response
+      end
+
+      private
+
+      def setup_gss
+        @gss = BasicAndNego::Auth::GSS.new(@logger, @service, @realm, @keytab)
+      rescue GSSAPI::GssApiError => e
+        @logger.error "Unable to setup GSSAPI: #{e.message}"
+        @response = error
+      end
+
+      def authenticate
+        token = ::Base64.strict_decode64(@request.params)
+        @out_tok = @gss.authenticate(token)
+      rescue GSSAPI::GssApiError => e
+        @logger.error "Unable to authenticate: #{e.message}"
+        @response = unauthorized
+      end
+
+      def verify_token
+        if !@out_tok
+          @logger.debug "Unable to authenticate (401)"
+          @response = unauthorized
+        end
+      end
+
+      def set_headers
+        tok_b64 = ::Base64.strict_encode64(@out_tok)
+        @headers = {'WWW-Authenticate' => "Negotiate #{tok_b64}"}
+        @client_name = @gss.display_name
+      end
+
+    end
+  end
+end

data/lib/basic_and_nego/auth/none.rb

@@ -0,0 +1,14 @@
+require 'basic_and_nego/auth/base'
+
+module BasicAndNego
+  module Auth
+    class None < Base
+
+      def process
+        @logger.debug "No authorization key provided: asking for one (401)"
+        @response = unauthorized
+      end
+
+    end
+  end
+end

data/lib/basic_and_nego/auth/responses.rb

@@ -0,0 +1,36 @@
+module BasicAndNego
+  module Auth
+    module Responses
+
+      def challenge
+        ["Negotiate", "Basic"]
+      end
+
+      def unauthorized
+        [ 401,
+          { 'Content-Type' => 'text/plain',
+            'Content-Length' => '0',
+            'WWW-Authenticate' => challenge },
+            []
+        ]
+      end
+
+      def bad_request
+        [ 400,
+          { 'Content-Type' => 'text/plain',
+            'Content-Length' => '0' },
+            []
+        ]
+      end
+
+      def error
+        [ 500,
+          { 'Content-Type' => 'text/plain',
+            'Content-Length' => '0' },
+            []
+        ]
+      end
+
+    end
+  end
+end

data/lib/basic_and_nego/auth/unsupported.rb

@@ -0,0 +1,14 @@
+require 'basic_and_nego/auth/base'
+
+module BasicAndNego
+  module Auth
+    class Unsupported < Base
+
+      def process
+        @logger.debug "Unsupported authentication type"
+        @response = bad_request
+      end
+
+    end
+  end
+end

data/lib/basic_and_nego/auth.rb

@@ -0,0 +1,4 @@
+require 'basic_and_nego/auth/none'
+require 'basic_and_nego/auth/basic'
+require 'basic_and_nego/auth/negotiate'
+require 'basic_and_nego/auth/unsupported'

data/lib/basic_and_nego/nulllogger.rb

@@ -0,0 +1,10 @@
+module BasicAndNego
+  class NullLogger
+    def info(progname = nil, &block);  end
+    def debug(progname = nil, &block); end
+    def warn(progname = nil, &block);  end
+    def error(progname = nil, &block); end
+    def fatal(progname = nil, &block); end
+  end
+end
+

data/lib/basic_and_nego/processor.rb

@@ -0,0 +1,59 @@
+require 'socket'
+require 'basic_and_nego/request'
+require 'basic_and_nego/auth'
+
+module BasicAndNego
+  class Processor
+    DEFAULT_SERVICE = "http@#{Socket::gethostname}"
+
+    def initialize(env, logger, realm, keytab, service)
+      @env = env
+      @logger = logger
+      @realm = realm
+      @keytab = keytab
+      @service = service || DEFAULT_SERVICE
+
+      @request = BasicAndNego::Request.new(@env)
+      @authenticator = @request.authenticator.new(@request, @logger, @realm, @keytab, @service)
+      @session = @env['rack.session']
+    end
+
+    def process_request
+      if authenticated
+        @logger.debug "User #{@session['REMOTE_USER']} already authenticated"
+        @env['REMOTE_USER'] = @session['REMOTE_USER']
+      else
+        @logger.debug "User not authenticated : delegate to authenticator"
+
+        if authenticate
+          @env['REMOTE_USER'] = client_name
+          @session['REMOTE_USER'] = client_name if @session
+        end
+      end
+    end
+
+    def client_name
+      @authenticator.client_name
+    end
+
+    def headers
+      @authenticator.headers || {}
+    end
+
+    def response
+      @authenticator.response
+    end
+
+    private
+
+    def authenticated
+      @session && @session['REMOTE_USER']
+    end
+
+    def authenticate
+      @authenticator.process
+      @authenticator.response.nil?
+    end
+
+  end
+end

data/lib/basic_and_nego/request.rb

@@ -0,0 +1,30 @@
+require 'rack/auth/abstract/request'
+module BasicAndNego
+  class Request < Rack::Auth::AbstractRequest
+    attr_reader :credentials
+
+    def authenticator
+      if !provided?
+        BasicAndNego::Auth::None
+      elsif supported_auth?
+        BasicAndNego::Auth.const_get(scheme.to_s.capitalize)
+      else
+        BasicAndNego::Auth::Unsupported
+      end
+    end
+
+    def credentials
+      @credentials ||= params.unpack("m*").first.split(/:/, 2)
+    end
+
+    def username
+      credentials.first
+    end 
+
+    private
+
+    def supported_auth?
+      [:basic, :negotiate].include? scheme
+    end
+  end
+end

data/lib/goliath/rack/auth/krb/basic_and_nego.rb

@@ -0,0 +1,36 @@
+require 'goliath'
+require 'basic_and_nego/request'
+require 'basic_and_nego/processor'
+
+module Goliath
+  module Rack
+    module Auth
+      module Krb
+        class BasicAndNego
+          include Goliath::Rack::AsyncMiddleware
+
+          def initialize(app, realm, keytab, service=nil)
+            @app = app
+            @realm = realm
+            @keytab = keytab
+            @service = service
+          end
+
+          def call(env)
+            a = ::BasicAndNego::Processor.new(env, env.logger, @realm, @keytab, @service)
+            a.process_request
+
+            return a.response if a.response
+
+            super(env, a.headers)
+          end
+
+          def post_process(env, status, headers, body, additional_headers)
+            [status, headers.merge(additional_headers), body]
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/rack/auth/krb/basic_and_nego.rb

@@ -0,0 +1,29 @@
+require 'basic_and_nego/request'
+require 'basic_and_nego/processor'
+
+module Rack
+  module Auth
+    module Krb
+      class BasicAndNego
+
+        def initialize(app, realm, keytab, service=nil)
+          @app = app
+          @realm = realm
+          @keytab = keytab
+          @service = service
+        end
+
+        def call(env)
+          a = ::BasicAndNego::Processor.new(env, env['rack.logger'], @realm, @keytab, @service)
+          a.process_request
+
+          return a.response if a.response
+
+          status, headers, body = @app.call(env)
+
+          [status, headers.merge(a.headers), body]
+        end
+      end
+    end
+  end
+end

data/misc/goliath_dump_headers.rb

@@ -0,0 +1,20 @@
+#!/usr/bin/env ruby
+
+require 'bundler/setup'
+require 'rack/session/cookie'
+require 'goliath'
+require 'goliath/rack/auth/krb/basic_and_nego'
+
+class DumpHeaders < Goliath::API
+  # Must be placed *before* BasicAndNego if we want it to use sessions !
+  use Rack::Session::Cookie
+  use Goliath::Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'
+
+  def on_headers(env, headers)
+    env.logger.info 'received headers: ' + headers.inspect
+  end
+
+  def response(env)
+    [200, {}, "Hello #{env['REMOTE_USER']}"]
+  end
+end

data/misc/rack_dump_headers.ru

@@ -0,0 +1,12 @@
+require 'rack/auth/krb/basic_and_nego'
+
+infinity = Proc.new {|env| [200, {"Content-Type" => "text/html"}, ["Hello #{env['REMOTE_USER']}"]]}
+
+use Rack::Session::Cookie
+use Rack::Logger, ::Logger::DEBUG
+use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'
+
+map '/' do
+  run infinity
+end
+

data/misc/start_goliath_srv.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+LD_LIBRARY_PATH=/usr/lib ruby -Ilib misc/goliath_dump_headers.rb -s -v -p 9090

data/misc/start_puma_srv.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+LD_LIBRARY_PATH=/usr/lib bundle exec puma -Ilib misc/rack_dump_headers.ru

data/rack-auth-krb.gemspec

@@ -0,0 +1,27 @@
+require 'rubygems'
+
+Gem::Specification.new do |gem|
+  gem.name      = 'rack-auth-krb'
+  gem.version   = '0.0.8'
+  gem.authors   = ["Frederick Ros"]
+  gem.email     = 'frederick.ros@gmail.com'
+  gem.homepage  = 'https://github.com/sleeper/rack-auth-krb'
+  gem.summary   = 'Kerberos/GSSAPI authentication (Basic and Negotiate) Rack library'
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- spec/*`.split("\n")
+
+  gem.add_dependency "rack"
+  gem.add_dependency "gssapi"
+  gem.add_dependency "rkerberos"
+
+  gem.add_development_dependency "rspec", "~> 2.0"
+  gem.add_development_dependency "goliath"
+  gem.add_development_dependency "puma"
+
+  gem.extra_rdoc_files = ['README.md']
+
+  gem.description = <<-EOF
+  This library allows Kerberos/GSSAPI authentication using either Basic method
+  or Negotiate (i.e. authentication without the need of user/password combo).
+  EOF
+end

data/spec/basic_and_nego/auth/basic_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+require 'basic_and_nego/auth/basic'
+require 'basic_and_nego/nulllogger'
+require 'basic_and_nego/request'
+require 'base64'
+
+describe BasicAndNego::Auth::Basic do
+
+  before(:each) do 
+    env = {'HTTP_AUTHORIZATION' => "Basic #{::Base64.encode64('fred:pass')}"}
+    @realm = "my realm"
+    @keytab = "my keytab"
+    @service = "http/hostname"
+    @logger = BasicAndNego::NullLogger.new
+    @request = BasicAndNego::Request.new(env)
+    @request.should_receive(:credentials).and_return(['fred', 'pass'])
+    @krb = double('kerberos').as_null_object
+    BasicAndNego::Auth::Krb.should_receive(:new).with(@logger, @realm, @keytab).and_return(@krb)
+    @a = BasicAndNego::Auth::Basic.new(@request, @logger, @realm, @keytab, @service)
+  end
+
+  it "should try authentication against Kerberos in case of Basic" do
+    @krb.should_receive(:authenticate).with("fred", "pass").and_return(true)
+    @a.process
+  end
+
+  it "should return 'unauthorized' if authentication fails" do 
+    @krb.should_receive(:authenticate).and_return(false)
+    @a.process
+    @a.response.should_not be_nil
+    @a.response[0].should == 401
+  end
+
+  it "should return true if authentication worked" do
+    @krb.should_receive(:authenticate).and_return(true)
+    @a.process
+    @a.response.should be_nil
+  end
+
+  it "should set client's name if authentication worked" do
+    @krb.should_receive(:authenticate).and_return(true)
+    @a.process
+    @a.client_name.should == "fred"
+  end
+
+end

data/spec/basic_and_nego/auth/gss_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+require 'basic_and_nego/auth/gss'
+
+describe BasicAndNego::Auth::GSS do
+  let(:realm) { "my realm"}
+  let(:service) { "foo" }
+  let(:keytab) { "my keytab" }
+  let(:gssapi) { double("gss api").as_null_object }
+  let(:logger) { double('logger').as_null_object }
+  let(:good_request) { BasicAndNego::Request.new({'HTTP_AUTHORIZATION' => "Negotiate VGhpcyBpcyBteSB0b2tlbg=="})}
+
+  it "should initialize and deal with gssapi" do
+    gssapi.should_receive(:acquire_credentials)
+    GSSAPI::Simple.should_receive(:new).with(realm, service, keytab).and_return(gssapi)
+    g = BasicAndNego::Auth::GSS.new(logger, service, realm, keytab)
+  end
+
+  it "should authenticate request" do
+    gssapi.should_receive(:acquire_credentials)
+    gssapi.should_receive(:accept_context).and_return("Granted")
+    GSSAPI::Simple.should_receive(:new).with(realm, service, keytab).and_return(gssapi)
+    g = BasicAndNego::Auth::GSS.new(logger, service, realm, keytab)
+    g.authenticate("My token").should == "Granted"
+  end
+
+end

data/spec/basic_and_nego/auth/krb_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+require 'basic_and_nego/auth/krb'
+
+describe BasicAndNego::Auth::Krb do
+  let(:logger) { double('logger').as_null_object }
+  let(:realm) {"my realm"}
+  let(:keytab) {"my keytab"}
+
+  it "should initialize" do
+    krb = BasicAndNego::Auth::Krb.new(logger, realm, keytab)
+    krb.realm.should == realm
+  end
+
+  it "should authenticate user/password" do
+    user = "fred"
+    passwd = "passwd"
+    k = double("rkerberos").as_null_object
+    k.should_receive(:get_init_creds_password).with(user, passwd).and_return(true)
+    Kerberos::Krb5.should_receive(:new).and_yield(k)
+    krb = BasicAndNego::Auth::Krb.new(logger, realm, keytab)
+    authenticated = krb.authenticate(user, passwd)
+    authenticated.should be_a(TrueClass)
+    authenticated.should be_true
+  end
+
+
+  it "should not-authenticate user if kerberos does not agree" do
+    user = "fred"
+    passwd = "passwd"
+    k = double("rkerberos").as_null_object
+    k.should_receive(:get_init_creds_password).with(user, passwd).and_raise(Kerberos::Krb5::Exception)
+    Kerberos::Krb5.should_receive(:new).and_yield(k)
+    krb = BasicAndNego::Auth::Krb.new(logger, realm, keytab)
+    authenticated = krb.authenticate(user, passwd)
+    authenticated.should be_a(FalseClass)
+    authenticated.should be_false
+  end
+
+  it "should catch exception from underlying system" do
+    user = "fred"
+    passwd = "passwd"
+    k = double("rkerberos").as_null_object
+    k.should_receive(:get_init_creds_password).with(user, passwd).and_raise(Kerberos::Krb5::Exception)
+    Kerberos::Krb5.should_receive(:new).and_yield(k)
+    krb = BasicAndNego::Auth::Krb.new(logger, realm, keytab)
+    krb.authenticate(user, passwd).should be_false
+  end
+end

data/spec/basic_and_nego/auth/negotiate_spec.rb

@@ -0,0 +1,80 @@
+require 'spec_helper'
+require 'basic_and_nego/auth/negotiate'
+require 'basic_and_nego/nulllogger'
+require 'basic_and_nego/request'
+require 'base64'
+
+describe BasicAndNego::Auth::Negotiate do
+
+  before(:each) do 
+    env = {'HTTP_AUTHORIZATION' => "Negotiate VGhpcyBpcyBteSB0b2tlbg=="}
+    @realm = "my realm"
+    @keytab = "my keytab"
+    @service = "http/hostname"
+    @logger = BasicAndNego::NullLogger.new
+    @request = BasicAndNego::Request.new(env)
+    @gss = double('gss').as_null_object
+  end
+
+  it "should try authentication against GSS in case of Negotiate" do
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_return(@gss)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @gss.should_receive(:authenticate).and_return("Granted")
+    @gss.should_receive(:display_name).and_return("fred")
+    @a.process
+  end
+
+  it "should return 'unauthorized' if authentication fails" do 
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_return(@gss)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @gss.should_receive(:authenticate).and_return(nil)
+    @a.process
+    @a.response.should_not be_nil
+    @a.response[0].should == 401
+  end
+
+  it "should return true if authentication worked" do
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_return(@gss)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @gss.should_receive(:authenticate).and_return("Granted")
+    @a.process
+    @a.response.should be_nil
+  end
+
+  it "should set client's name if authentication worked" do
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_return(@gss)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @gss.should_receive(:authenticate).and_return("Granted")
+    @gss.should_receive(:display_name).and_return("fred")
+    @a.process
+    @a.client_name.should == "fred"
+  end
+
+  it "should set header to returned token if authentication worked" do
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_return(@gss)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @gss.should_receive(:authenticate).and_return("Granted")
+    @gss.should_receive(:display_name).and_return("fred")
+    @a.process
+    @a.client_name.should == "fred"
+    @a.headers['WWW-Authenticate'].should == "Negotiate #{::Base64.strict_encode64('Granted')}"
+  end
+
+  it "should catch GSSAPI exceptions in getting credentials" do
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_raise(GSSAPI::GssApiError)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @a.process
+    @a.response.should_not be_nil
+    @a.response[0].should == 500
+  end
+
+  it "should catch GSSAPI exceptions in authenticating token" do
+    BasicAndNego::Auth::GSS.should_receive(:new).with(@logger, @service, @realm, @keytab).and_return(@gss)
+    @a = BasicAndNego::Auth::Negotiate.new(@request, @logger, @realm, @keytab, @service)
+    @gss.should_receive(:authenticate).and_raise(GSSAPI::GssApiError)
+    @a.process
+    @a.response.should_not be_nil
+    @a.response[0].should == 401
+  end
+
+end

data/spec/basic_and_nego/processor_spec.rb

@@ -0,0 +1,60 @@
+require 'spec_helper'
+require 'basic_and_nego/processor'
+require 'basic_and_nego/nulllogger'
+
+describe BasicAndNego::Processor do
+  it "should not re-authenticate user" do
+    env = {}
+    env['rack.session'] = {}
+    env['rack.session']['REMOTE_USER'] = 'fred'
+    a = BasicAndNego::Processor.new(env, BasicAndNego::NullLogger.new, 'my realm', 'my keytab file', nil)
+    a.process_request
+    a.response.should be_nil
+    a.headers.should be_empty
+  end
+
+  it "should try to authenticate if there's no session" do
+    env = {}
+    a = BasicAndNego::Processor.new(env, BasicAndNego::NullLogger.new, 'my realm', 'my keytab file', nil)
+    a.should_receive(:authenticate)
+    a.process_request
+  end
+
+  it "should set REMOTE_USER if user authenticated" do
+    env = {}
+    a = BasicAndNego::Processor.new(env, BasicAndNego::NullLogger.new, 'my realm', 'my keytab file', nil)
+    a.should_receive(:authenticate).and_return(true)
+    a.should_receive(:client_name).and_return("fred")
+    a.process_request
+    env['REMOTE_USER'].should == "fred"
+  end
+
+  it "should update the session if user authenticated" do
+    env = {}
+    env['rack.session'] = {}
+    a = BasicAndNego::Processor.new(env, BasicAndNego::NullLogger.new, 'my realm', 'my keytab file', nil)
+    a.should_receive(:authenticate).and_return(true)
+    a.should_receive(:client_name).twice.and_return("fred")
+    a.process_request
+    env['REMOTE_USER'].should == "fred"
+    env['rack.session']['REMOTE_USER'].should == 'fred'
+  end
+
+  it "should try to authenticate if user is not yet authenticated" do
+    env = {}
+    env['rack.session'] = {}
+    a = BasicAndNego::Processor.new(env, BasicAndNego::NullLogger.new, 'my realm', 'my keytab file', nil)
+    a.should_receive(:authenticate)
+    a.process_request
+  end
+
+  it "should ask for an authorization key if none is provided" do
+    env = {}
+    env['rack.session'] = {}
+    a = BasicAndNego::Processor.new(env, BasicAndNego::NullLogger.new, 'my realm', 'my keytab file', nil)
+    a.process_request
+    a.response.should_not be_nil
+    a.response[0].should == 401
+  end
+
+end

data/spec/basic_and_nego/request_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper'
+require 'basic_and_nego/request'
+require 'base64'
+
+describe BasicAndNego::Request do
+
+  it "should be able to detect a no auth" do
+    r = BasicAndNego::Request.new({})
+    r.authenticator.should == BasicAndNego::Auth::None
+  end
+
+  it "should be able to detect a 'basic' scheme" do
+    r = BasicAndNego::Request.new({'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('fred:pass')}"})
+    r.authenticator.should == BasicAndNego::Auth::Basic
+  end
+
+  it "should be able to detect a 'negotiate' scheme" do
+    r = BasicAndNego::Request.new({'HTTP_AUTHORIZATION' => "Negotiate #{Base64.encode64('fred:pass')}"})
+    r.authenticator.should == BasicAndNego::Auth::Negotiate
+  end
+
+  it "should be able to detect an unsupported auth" do
+    r = BasicAndNego::Request.new({'HTTP_AUTHORIZATION' => "Digest #{Base64.encode64('fred:pass')}"})
+    r.authenticator.should == BasicAndNego::Auth::Unsupported
+  end
+
+  it "should decode credentials" do
+    r = BasicAndNego::Request.new({'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('fred:pass')}"})
+    r.credentials.should =~ ["fred", "pass"]
+  end
+
+  it "should return username" do
+    r = BasicAndNego::Request.new({'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('fred:pass')}"})
+    r.username.should == "fred"
+  end
+
+end

data/spec/goliath/goliath_krb_spec.rb

@@ -0,0 +1,48 @@
+require 'spec_helper'
+require 'goliath/rack/auth/krb/basic_and_nego'
+
+describe Goliath::Rack::Auth::Krb::BasicAndNego do
+  it 'accepts an app' do
+    lambda { Goliath::Rack::Auth::Krb::BasicAndNego.new('my app', 'my realm', 'my keytab') }.should_not raise_error
+  end
+
+  describe 'with middleware' do
+    before(:each) do
+      @app = mock('app').as_null_object
+      @env = Goliath::Env.new
+      @env['CONTENT_TYPE'] = 'application/x-www-form-urlencoded; charset=utf-8'
+      @auth = Goliath::Rack::Auth::Krb::BasicAndNego.new(@app, 'my realm', 'my keytab')
+    end
+
+
+    it 'returns status, headers and body from the app' do
+      app_headers = {'Content-Type' => 'hash'}
+      app_body = {:a => 1, :b => 2}
+      p = double("processor").as_null_object
+      p.should_receive(:response).and_return(nil)
+      add_headers = {"fred" => "foo"}
+      p.should_receive(:headers).and_return(add_headers)
+      ::BasicAndNego::Processor.should_receive(:new).and_return(p)
+      p.should_receive(:process_request)
+      @app.should_receive(:call).and_return([200, app_headers, app_body])
+
+      status, headers, body = @auth.call(@env)
+      status.should == 200
+      headers['fred'].should == "foo"
+      body.should == app_body
+    end
+
+    it "returns error in case of failing authentication" do
+      app_headers = {'Content-Type' => 'hash'}
+      app_body = {:a => 1, :b => 2}
+      p = double("processor").as_null_object
+      r = [401, {}, "foo"]
+      p.should_receive(:response).twice.and_return(r)
+      p.should_receive(:process_request)
+      ::BasicAndNego::Processor.should_receive(:new).and_return(p)
+
+      response = @auth.call(@env)
+      response.should =~ r
+    end
+  end
+end

data/spec/rack/rack_krb_spec.rb

@@ -0,0 +1,40 @@
+require 'spec_helper'
+require 'rack/auth/krb/basic_and_nego'
+require 'basic_and_nego/nulllogger'
+
+class SessionAuthentified
+  attr_accessor :app
+  def initialize(app,configs = {})
+    @app = app
+  end
+
+  def call(e)
+    e['rack.session'] ||= {}
+    e['rack.session']['REMOTE_USER'] = "fred"
+    @app.call(e)
+  end
+end # session
+
+describe "Rack::Auth::Krb::BasicAndNego" do
+
+  before(:each) do
+    @basic_app = lambda{|env| [200,{'Content-Type' => 'text/plain'},'OK']}
+    @env = env_with_params("/", {}, {'rack.logger' => BasicAndNego::NullLogger.new})
+  end
+
+  it "should return a 401 if authentication failed" do
+    app = setup_rack(@basic_app)
+    p = double("processor").as_null_object
+    p.should_receive(:response).twice.and_return(not_authorized_response)
+    p.should_receive(:process_request)
+    ::BasicAndNego::Processor.should_receive(:new).and_return(p)
+
+    app.call(@env).first.should == 401
+  end
+
+  it "should not ask for authentication if client is already authenticated" do
+    app = setup_rack(@basic_app, {:session => SessionAuthentified})
+    app.call(@env).first.should == 200
+
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,30 @@
+$:.unshift File.expand_path(File.dirname(__FILE__) + '/../lib')
+$:.unshift File.expand_path(File.dirname(__FILE__))
+
+require 'rspec'
+require 'rack'
+
+def env_with_params(path = "/", params = {}, env = {})
+  method = params.delete(:method) || "GET"
+  env = { 'HTTP_VERSION' => '1.1', 'REQUEST_METHOD' => "#{method}" }.merge(env)
+  Rack::MockRequest.env_for("#{path}?#{Rack::Utils.build_query(params)}", env)
+end
+
+def setup_rack(app = nil, opts={}, &block)
+  app ||= block if block_given?
+
+  Rack::Builder.new do
+    use opts[:session] if opts[:session]
+    use Rack::Auth::Krb::BasicAndNego, 'my realm', 'my keytab'
+    run app
+  end
+end
+
+def not_authorized_response
+  [ 401,
+    { 'Content-Type' => 'text/plain',
+      'Content-Length' => '0',
+      'WWW-Authenticate' => ["Negotiate", "Basic"]},
+      []
+  ]
+end

metadata

@@ -0,0 +1,184 @@
+--- !ruby/object:Gem::Specification
+name: rack-auth-krb
+version: !ruby/object:Gem::Version
+  version: 0.0.8
+  prerelease: 
+platform: ruby
+authors:
+- Frederick Ros
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-06-13 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: gssapi
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rkerberos
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: goliath
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: puma
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ! "  This library allows Kerberos/GSSAPI authentication using either
+  Basic method\n  or Negotiate (i.e. authentication without the need of user/password
+  combo).\n"
+email: frederick.ros@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.md
+files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- README.md
+- lib/basic_and_nego/auth.rb
+- lib/basic_and_nego/auth/base.rb
+- lib/basic_and_nego/auth/basic.rb
+- lib/basic_and_nego/auth/gss.rb
+- lib/basic_and_nego/auth/krb.rb
+- lib/basic_and_nego/auth/negotiate.rb
+- lib/basic_and_nego/auth/none.rb
+- lib/basic_and_nego/auth/responses.rb
+- lib/basic_and_nego/auth/unsupported.rb
+- lib/basic_and_nego/nulllogger.rb
+- lib/basic_and_nego/processor.rb
+- lib/basic_and_nego/request.rb
+- lib/goliath/rack/auth/krb/basic_and_nego.rb
+- lib/rack/auth/krb/basic_and_nego.rb
+- misc/goliath_dump_headers.rb
+- misc/rack_dump_headers.ru
+- misc/start_goliath_srv.sh
+- misc/start_puma_srv.sh
+- rack-auth-krb.gemspec
+- spec/basic_and_nego/auth/basic_spec.rb
+- spec/basic_and_nego/auth/gss_spec.rb
+- spec/basic_and_nego/auth/krb_spec.rb
+- spec/basic_and_nego/auth/negotiate_spec.rb
+- spec/basic_and_nego/processor_spec.rb
+- spec/basic_and_nego/request_spec.rb
+- spec/goliath/goliath_krb_spec.rb
+- spec/rack/rack_krb_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/sleeper/rack-auth-krb
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Kerberos/GSSAPI authentication (Basic and Negotiate) Rack library
+test_files:
+- spec/basic_and_nego/auth/basic_spec.rb
+- spec/basic_and_nego/auth/gss_spec.rb
+- spec/basic_and_nego/auth/krb_spec.rb
+- spec/basic_and_nego/auth/negotiate_spec.rb
+- spec/basic_and_nego/processor_spec.rb
+- spec/basic_and_nego/request_spec.rb
+- spec/goliath/goliath_krb_spec.rb
+- spec/rack/rack_krb_spec.rb
+- spec/spec_helper.rb