rack-cas 0.1.0 → 0.2.0

data/README.markdown

@@ -11,10 +11,12 @@ Works with but doesn't depend on Rails, Sinatra, etc.
 Current gem dependencies are [rack](http://rubygems.org/gems/rack), [addressable](http://rubygems.org/gems/addressable) and [nokogiri](http://rubygems.org/gems/nokogiri).
 * __Supports CAS extra attributes__  
 Extra attributes are a mess though. So let me know if your brand of CAS server isn't supported.
+* __Single sign out__  
+One of the included session stores must be used.
 
 Coming Soon
 ===========
-* __Single sign out__
+* __Single sign out compatible session store for Active Record__
 
 Requirements
 ============
@@ -35,6 +37,28 @@ Then in your `config.ru` file add
     require 'rack/cas'
     use Rack::CAS, server_url: 'https://login.example.com/cas'
 
+Single Sign Out
+---------------
+Support for [single sign out](https://wiki.jasig.org/display/CASUM/Single+Sign+Out) requires the use of one of the included session stores listed below.
+
+* Mongoid
+
+To use the session store with Rails add the following to your `config/initializers/session_store.rb` file:
+
+    require 'rack-cas/session_store/rails/mongoid'
+    YourApp::Application.config.session_store :mongoid_store
+
+For other Rack-compatible frameworks, add the following to your config.ru file:
+
+    requre 'rack-cas/sessions_store/rack/mongoid'
+    use Rack::Session::MongoidStore
+
+Then tell the RackCAS where to find your sessions:
+
+    require 'rack/cas'
+    require 'rack-cas/session_store/mongoid'
+    use Rack::CAS server_url: 'http://login.example.com/cas', session_store: RackCAS:MongoidStore
+
 Integration
 ===========
 Your app should __return a [401 status](http://httpstatus.es/401)__ whenever a request is made that requires authentication. Rack-CAS will catch these responses and attempt to authenticate via your CAS server.
@@ -44,4 +68,31 @@ Once authentication with the CAS server has completed, Rack-CAS will set the fol
     request.session['cas']['user'] #=> johndoe
     request.session['cas']['extra_attributes'] #=> { 'first_name' => 'John', 'last_name' => ... }
 
-__NOTE:__ `extra_attributes` will be an empty hash unless they've been [configured on your CAS server](http://code.google.com/p/rubycas-server/wiki/HowToSendExtraUserAttributes).
+__NOTE:__ `extra_attributes` will be an empty hash unless they've been [configured on your CAS server](http://code.google.com/p/rubycas-server/wiki/HowToSendExtraUserAttributes).
+
+Testing
+=======
+
+Controller Tests
+----------------
+Testing your controllers and such should be as simple as setting the session variables manually in a helper.
+
+    def set_current_user(user)
+      session['cas'] = { 'user' => user.username, 'extra_attributes' => {} }
+    end
+
+Integration Tests
+-----------------
+Integration testing using something like [Capybara](http://jnicklas.github.com/capybara/) is a bit trickier because the session can't be manipulated directly. So for integration tests, I recommend using the provided `Rack::FakeCAS` middleware instead of `Rack::CAS`.
+
+    require 'rack/fake_cas'
+    use Rack::FakeCAS
+
+Then you can simply do the following in your integration tests in order to log in.
+
+    visit '/restricted_path'
+    fill_in 'username', with: 'johndoe'
+    fill_in 'password', with: 'any password'
+    click_button 'Login'
+
+__NOTE:__ The FakeCAS middleware will authenticate any username with any password and so should never be used in production.

data/lib/rack/cas.rb

@@ -1,6 +1,7 @@
 require 'rack'
 require 'addressable/uri'
 require 'rack-cas/server'
+require 'rack-cas/cas_request'
 
 class Rack::CAS
   attr_accessor :server_url
@@ -8,29 +9,47 @@ class Rack::CAS
   def initialize(app, config={})
     @app = app
     @server_url = config.delete(:server_url)
+    @session_store = config.delete(:session_store)
     @config = config
 
     raise ArgumentError, 'server_url is required' if @server_url.nil?
+    if @session_store && !@session_store.respond_to?(:destroy_session_by_cas_ticket)
+      raise ArgumentError, 'session_store does not support single-sign-out'
+    end
   end
 
   def call(env)
     request = Rack::Request.new(env)
+    cas_request = CASRequest.new(request)
+
+    if cas_request.ticket_validation?
+      log env, 'rack-cas: Intercepting ticket validation request.'
 
-    if ticket_validation_request?(request)
-      user, extra_attrs = get_user(request)
+      user, extra_attrs = get_user(request.url, cas_request.ticket)
 
-      store_session request, user, extra_attrs
-      return redirect_to ticketless_url(request)
+      store_session request, user, cas_request.ticket, extra_attrs
+      return redirect_to cas_request.service_url
     end
 
-    if logout_request?(request)
+    if cas_request.logout?
+      log env, 'rack-cas: Intercepting logout request.'
+
       request.session.clear
       return redirect_to server.logout_url.to_s
     end
 
+    if cas_request.single_sign_out? && @session_store
+      log env, 'rack-cas: Intercepting single-sign-out request.'
+
+      @session_store.destroy_session_by_cas_ticket(cas_request.ticket)
+      return [200, {'Content-Type' => 'text/plain'}, ['CAS Single-Sign-Out request intercepted.']]
+    end
+
     response = @app.call(env)
 
-    if access_denied_response?(response)
+    if response[0] == 401 # access denied
+      log env, 'rack-cas: Intercepting 401 access denied response. Redirecting to CAS login.'
+
       redirect_to server.login_url(request.url).to_s
     else
       response
@@ -43,37 +62,23 @@ class Rack::CAS
     @server ||= RackCAS::Server.new(@server_url)
   end
 
-  def logout_request?(request)
-    request.path_info == '/logout'
-  end
-
-  def ticket_validation_request?(request)
-    !get_ticket(request).nil?
-  end
-
-  def access_denied_response?(response)
-    response[0] == 401
+  def get_user(service_url, ticket)
+    server.validate_service(service_url, ticket)
   end
 
-  def ticketless_url(request)
-    RackCAS::URL.parse(request.url).remove_param('ticket').to_s
-  end
-
-  def get_ticket(request)
-    request.params['ticket']
-  end
-
-  def get_user(request)
-    server.validate_service(request.url, get_ticket(request))
-  end
-
-  def store_session(request, user, extra_attrs = {})
-    request.session['cas'] = {}
-    request.session['cas']['user'] = user
-    request.session['cas']['extra_attributes'] = extra_attrs
+  def store_session(request, user, ticket, extra_attrs = {})
+    request.session['cas'] = { 'user' => user, 'ticket' => ticket, 'extra_attributes' => extra_attrs }
   end
 
   def redirect_to(url, status=302)
     [ status, { 'Location' => url, 'Content-Type' => 'text/plain' }, ["Redirecting you to #{url}"] ]
   end
+
+  def log(env, message, level = :info)
+    if env['rack.logger']
+      env['rack-logger'].send(level, message)
+    else
+      env['rack.errors'].write(message)
+    end
+  end
 end

data/lib/rack/fake_cas.rb

@@ -0,0 +1,61 @@
+require 'rack'
+
+class Rack::FakeCAS
+  def initialize(app, config={})
+    @app = app
+    @config = config
+  end
+
+  def call(env)
+    @request = Rack::Request.new(env)
+    
+    case @request.path_info
+    when '/login'
+      @request.session['cas'] = {}
+      @request.session['cas']['user'] = @request.params['username']
+      @request.session['cas']['extra_attributes'] = {}
+      redirect_to @request.params['service']
+
+    when '/logout'
+      @request.session.clear
+      redirect_to "#{@request.script_name}/"
+
+    else
+      response = @app.call(env)
+
+      if response[0] == 401 # access denied
+        [ 200, { 'Content-Type' => 'text/html' }, [login_page] ]
+      else
+        response
+      end
+    end
+  end
+
+  protected
+
+  def login_page
+    <<-EOS
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8"/>
+    <title>Fake CAS</title>
+  </head>
+  <body>
+    <form action="#{@request.script_name}/login" method="post">
+      <input type="hidden" name="service" value="#{@request.url}"/>
+      <label for="username">Username</label>
+      <input id="username" name="username" type="text"/>
+      <label for="password">Password</label>
+      <input id="password" name="password" type="password"/>
+      <input type="submit" value="Login"/>
+    </form>
+  </body>
+</html>
+    EOS
+  end
+
+  def redirect_to(url)
+    [ 302, { 'Content-Type' => 'text/plain', 'Location' => url }, ['Redirecting you...'] ]
+  end
+end

data/lib/rack-cas/cas_request.rb

@@ -0,0 +1,35 @@
+require 'nokogiri'
+
+class CASRequest
+  def initialize(request)
+    @request = request
+  end
+
+  def ticket
+    @ticket ||= if single_sign_out?
+      xml = Nokogiri::XML(@request.params['logoutRequest']).tap do |xml|
+        xml.remove_namespaces!
+      end
+      node = xml.at('/LogoutRequest/SessionIndex')
+      node.text unless node.nil?
+    else
+      @request.params['ticket']
+    end
+  end
+
+  def service_url
+    RackCAS::URL.parse(@request.url).remove_param('ticket').to_s
+  end
+
+  def logout?
+    @request.path_info == '/logout'
+  end
+
+  def single_sign_out?
+    !!@request.params['logoutRequest']
+  end
+
+  def ticket_validation?
+    !!@request.params['ticket']
+  end
+end

data/lib/rack-cas/session_store/mongo.rb

@@ -0,0 +1,45 @@
+module RackCAS
+  module MongoStore
+    def collection
+      @collection
+    end
+
+    def initialize(app, options = {})
+      require 'mongo'
+
+      unless options[:collection]
+        raise "To avoid creating multiple connections to MongoDB, " +
+              "the Mongo Session Store will not create it's own connection " +
+              "to MongoDB - you must pass in a collection with the :collection option"
+      end
+
+      @collection = options[:collection].respond_to?(:call) ? options[:collection].call : options[:collection]
+
+      super
+    end
+
+    private
+    def get_session(env, sid)
+      sid ||= generate_sid
+      session = collection.find(_id: sid).first || {}
+      [sid, unpack(session['data'])]
+    end
+
+    def set_session(env, sid, session_data, options = {})
+      sid ||= generate_sid
+      collection.update({'_id' => sid},
+                        {'_id' => sid, 'data' => pack(session_data), 'updated_at' => Time.now},
+                        upsert: true)
+      sid # TODO: return boolean, right?
+    end
+
+    def pack(data)
+      [Marshal.dump(data)].pack('m*')
+    end
+
+    def unpack(packed)
+      return nil unless packed
+      Marshal.load(packed.unpack('m*').first)
+    end
+  end
+end

data/lib/rack-cas/session_store/mongoid.rb

@@ -0,0 +1,57 @@
+module RackCAS
+  module MongoidStore
+    class Session
+      include Mongoid::Document
+      include Mongoid::Timestamps
+
+      field :_id, type: String
+      field :data, type: Moped::BSON::Binary, :default => Moped::BSON::Binary.new(:generic,Marshal.dump({}))
+      field :cas_ticket, type: String
+
+      attr_accessible :_id, :data, :cas_ticket
+    end
+
+    def self.destroy_session_by_cas_ticket(cas_ticket)
+      affected = Session.where(cas_ticket: cas_ticket).delete
+      affected == 1
+    end
+
+    private
+
+    def get_session(env, sid)
+      if sid.nil?
+        sid = generate_sid
+        data = nil
+      else
+        session = Session.where(_id: sid).first || {}
+        data = unpack(session['data'])
+      end
+
+      [sid, data]
+    end
+
+    def set_session(env, sid, session_data, options)
+      cas_ticket = (session_data['cas']['ticket'] unless session_data['cas'].nil?)
+
+      session = Session.find_or_initialize_by(_id: sid)
+      success = session.update_attributes(data: pack(session_data), cas_ticket: cas_ticket)
+
+      success ? session.id : false
+    end
+
+    def destroy_session(env, sid, options)
+      session = Session.where(_id: sid).delete
+      
+      options[:drop] ? nil : generate_sid
+    end
+
+    def pack(data)
+      Moped::BSON::Binary.new(:generic,Marshal.dump(data))
+    end
+
+    def unpack(packed)
+      return nil unless packed
+      Marshal.load(StringIO.new(packed.to_s))
+    end
+  end
+end

data/lib/rack-cas/session_store/rack/mongo.rb

@@ -0,0 +1,10 @@
+require 'rack-cas/session_store/mongo'
+require 'rack/session/abstract/id'
+
+module Rack
+  module Session
+    class MongoStore < Rack::Session::Abstract::ID
+      include RackCAS::MongoStore
+    end
+  end
+end

data/lib/rack-cas/session_store/rack/mongoid.rb

@@ -0,0 +1,10 @@
+require 'rack-cas/session_store/mongoid'
+require 'rack/session/abstract/id'
+
+module Rack
+  module Session
+    class MongoidStore < Rack::Session::Abstract::ID
+      include RackCAS::MongoidStore
+    end
+  end
+end

data/lib/rack-cas/session_store/rails/mongo.rb

@@ -0,0 +1,10 @@
+require 'rack-cas/session_store/mongo'
+require 'action_dispatch/middleware/session/abstract_store'
+
+module ActionDispatch
+  module Session
+    class MongoStore < AbstractStore
+      include RackCAS::MongoStore
+    end
+  end
+end

data/lib/rack-cas/session_store/rails/mongoid.rb

@@ -0,0 +1,10 @@
+require 'rack-cas/session_store/mongoid'
+require 'action_dispatch/middleware/session/abstract_store'
+
+module ActionDispatch
+  module Session
+    class MongoidStore < AbstractStore
+      include RackCAS::MongoidStore
+    end
+  end
+end

data/lib/rack-cas/version.rb

@@ -1,3 +1,3 @@
 module RackCAS
-  VERSION = '0.1.0'
-end
+  VERSION = '0.2.0'
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-cas
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-10-11 00:00:00.000000000 Z
+date: 2012-10-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -70,8 +70,16 @@ files:
 - lib/rack-cas.rb
 - lib/rack-cas/url.rb
 - lib/rack-cas/version.rb
+- lib/rack-cas/session_store/rails/mongo.rb
+- lib/rack-cas/session_store/rails/mongoid.rb
+- lib/rack-cas/session_store/mongo.rb
+- lib/rack-cas/session_store/rack/mongo.rb
+- lib/rack-cas/session_store/rack/mongoid.rb
+- lib/rack-cas/session_store/mongoid.rb
 - lib/rack-cas/service_validation_response.rb
 - lib/rack-cas/server.rb
+- lib/rack-cas/cas_request.rb
+- lib/rack/fake_cas.rb
 - lib/rack/cas.rb
 homepage: https://github.com/biola/rack-cas
 licenses: []